Computer Audit Update
when the infected documents are forwarded by the Firewall to the LAN-based mail system - via the SMTP gateway - that they become dangerous. The gateway converts the encoded ASCII stream into a binary file, which could then become contagious if the recipients are unaware that the document is infected." Network Connection claims that its software removes this problem by supporting checking procedures on the MBLink family of gateways, which connect to cc:Mail, MS Mail, Lotus Notes, MHS/Global MHS, SMTP and ALL-IN-1/VMSmail. Checking is carried out on both mail messages and attached documents using the McAfee Virus Checker. Other DOS-based anti-virus checkers are supported.
For more information contact: Network Connection, River Court, Albert Drive, Woking, Surrey GU21 5RP, UK; tel: +44 (0) 483 776000; fax: +44 (0) 766683.
March 1994
Siemens launches disaster recovery service for Unix
Siemens Nixdorf has announced the availability of a new disaster recovery service for its RISC-based RM range of Unix servers. The company says that the facility, part of its portfolio of Business Protection Services, will allow customers to continue working at its disaster recovery centres within 24 hours of failure, until their IT function is restored by Siemens Nixdorf. Siemens has three disaster recovery facilities in the UK at Bracknell, Hounslow and Birmingham. In addition to office suites, off-site tape storage and a monthly exchange of archive tapes, the company will provide customers with contingency planning software to cover emergency situations, fall-back procedures and resumption requirements. RM6000 customers will also have access to Siemens Nixdorf's contingency planning and disaster recovery consultancy. A number of seminars and workshops are to be held by the company to promote awareness of the need to devise and implement a disaster recovery strategy.
For more information contact: Siemens Nixdorf, Siemens House, Oldbury, Bracknell, Berkshire RG12 8FZ, UK; tel: +44 (0) 344 862222; fax: +44 (0) 344 850912.
Halifax computer security criticized
The Halifax Building Society has been taken to task over lax computer security procedures, which were highlighted in a recent court case, according to Computing. The court case, which focused attention on the Halifax's computer security practices, concerned a policeman accused of attempting to defraud the building society by falsely claiming that he had been the victim of phantom withdrawals. PC John Munden was prosecuted for fraud when an internal systems audit reported that there had been no systems failure. The criticisms of the Halifax's computer security procedures came from Ross Anderson, a Cambridge University lecturer in computer security, who was an expert witness in the trial. Anderson is also one of three national scientific inspectors for the UK insurance industry responsible for auditing companies to see if their security controls are effective and in place. Commenting on the state of the Halifax's IT security practice Anderson said: "From what I have seen, the Halifax system would not be insurable." He drew attention to a number of features which negatively affected the building society's IT security, such as "a noticeable lack" of reports from inspectors and auditors to back up claims that the Halifax's ATM security was secure. The trial also revealed that the last major overhaul of ATM security was in 1981.
However, a Halifax spokesperson said: "The verdict vindicated the society's stance that its ATM system is secure."
©1994 Elsevier Science Ltd
Data Protection Registrar targets unregistered businesses
The UK Data Protection Registrar's Office is to start a telephone campaign aimed at businesses in various parts of the UK to check whether or not they are, or need to be registered under the 1984 Data Protection Act.
Companies which are found to not have been registered will be sent a registration pack and given a short period before further action is taken.
The purpose of the campaign is to increase awareness of the provisions of the Act and increase registrations. Areas to be tested include: Newcastle-upon-Tyne; North Wales; Birmingham; Hampshire and Dorset; and the Highland and Grampian regions of Scotland.
The value of the campaign was highlighted by a National Audit Office report in August 1993 (see Computer Audit Update, September 1993) which estimated that over 100 000 organizations were unregistered. Failure to register is a criminal charge with a maximum penalty of £5000. Registration currently costs £75 for a three year period.
The Office of the Data Protection Registrar is to hold a number of free seminars throughout March for organizations which hold information about individuals on computer. The aim of the seminars, 'Understanding Data Protection', is to provide businesses with a greater insight into the requirements of the 1984 Data Protection Act. The seminars have been divided into separate programmes for the public and private sector, according to their different needs. The schedule is as follows:
Public sector
• Manchester - March 8, 1994.
• Edinburgh - March 10, 1994.
• London - March 16, 1994.
• Thursday - March 17, 1994.
Private sector
• Newcastle-upon-Tyne - March 3, 1994.
• London - March 9, 1994.
• London - March 8, 1994.
• Cheltenham - March 10, 1994.
For further information contact: The Marketing Department, The Data Protection Registrar, Wycliffe House, Water Lane, Cheshire SK9 5AF, UK, tel: +44 (0) 625 535711, fax: +44 (0) 625 524510.
Italy - New computer crime law
Italy is no longer a computer crime paradise. A new law, in force since 14 January 1994, lays down strict regulations to combat these crimes. The crimes range from damage to public information systems, to abusive entrance into protected systems, to the possession and spread of illegally obtained passwords, even to minor crimes, albeit of important social interest, such as the spread of viruses. Criminals can expect sentences of up to eight years' imprisonment and very heavy fines. The judicial authorities have also provided for the possibility of intercepting/wire-tapping data on the networks.