Law commission's report debated


Computer Fraud & Security Bulletin

December 1989

when unqualified staff run computer installations. But the real extent of the risks of disaster may still be underestimated, according to Phil Makinson, managing director of Istel Failsafe, UK. Makinson calls for extra vigilance when companies are purchasing software since there have been some cases of program bugs, undetected, actually contributing to the liquidation of a company. Since mistakes in the computer room can have such serious consequences, the problem highlighted by BCS, of allowing unqualified staff access to increasingly sophisticated equipment, can only add to the risk of disaster. The UK’s Institute of Manpower Studies recently published a report, The Changing IT Skills Scene: IT Manpower Monitor 1989, which indicated that there is still a tight labour market for skilled IT staff, and that demand is expected to increase, particularly for computing and software staff with business expertise. Helen Connor, one of the authors of the report, warned that more companies should make greater use of in-company retraining, rather than relying on traditional recruitment sources to fill the gap.

VIRUS BIBLIOGRAPHY COMPILED

A bibliography of books, magazine and newspaper articles, research papers and other references has been compiled by the Institute for the Study and Teaching of Responsible Uses of Information Technologies at Siena Heights College in Adrian, Michigan, US. The bibliography will be available at no cost to interested college and public libraries, government and law enforcement agencies, and computer security administrators in industry. Associate Professor Jack Bologna, the institute’s executive director, compiled the references in the bibliography. “The bibliography is not an exhaustive listing of references”, he said, “but it is a first and will hopefully accommodate the current information needs on the very important subject of computer viruses.”

©1989 Elsevier Science Publishers Ltd

LAW COMMISSION’S REPORT DEBATED

The recent report by the English Law Commission, proposing that three new offences of computer misuse be created, is causing considerable debate. The recommendations, if passed by Parliament, mean that unauthorized access to computers will become an offence punishable by a three month prison sentence, while unauthorized access with intent to commit a crime will carry a maximum sentence of five years. So too will the unauthorized alteration of ‘computer material’.

The proposals have been welcomed by the Confederation of British Industry (the CBI) and by Barclays Bank. Barclays IT director, Trevor Nicholas, commented, “Legislation would not completely solve the threat that hacking and viruses pose to computer systems, but it would form one more weapon in the armoury that companies could use to combat the problem. Barclays currently spends an estimated £15 to £20 million each year on computer security measures, and undoubtedly the envisaged legislation would act as a strong deterrent to would-be hackers.” In the last 18 months Barclays has experienced three known hacking offences and one computer virus.

Among those critical of the new Law Commission’s Report is the international consultancy firm Deloitte Haskins & Sells. “The main failing of the Law Commission’s report is that it focuses on the symptom of the problem, not the problem itself,” comments Eddy Peers, computer security partner at Deloitte Haskins & Sells. “Computer hacking has become such a serious problem because both computer users and manufacturers are not facing up to their responsibilities and taking adequate steps to secure the data stored on their machines.

“We believe that the Law Commission’s vision has been limited and only represents a small step towards solving the problem,” he continues. “It should become a legal responsibility for computer users to take adequate steps to secure the data held on their systems. The Data Protection Act was one step in this direction. We should go further.”

The UK’s Data Protection Registrar, Eric Howe, has already said that he would oppose moves to declare illegal hacking that does not involve theft or deception. “An offence should be related to an intent by the hacker to gain some advantage for himself or another, or to damage another person’s interests,” Howe says. “I believe it would be wrong to criminalize those who have no criminal intent and create no hazard.”

Importantly, the Commission rejected submissions that the rules governing the admissibility of computer print-outs as evidence were too strict. The Commission replied “We see no reason for exempting the prosecution from the requirement imposed by section 69 of showing that the computer was, apart from the alleged interference of which evidence will be given, otherwise operating properly.”

However, legal precedents were set last December when two convictions, based on the evidence of computer print-outs, came to the Court of Appeal. In R vs Minors, the print-out was a building society account. In R vs Harper, a list of lost travel cards. Neither print-out was held to be admissible by the Court of Appeal, because the prosecutions had not shown that the conditions of section 69 had been met. By contrast, if a litigant alleges that an ordinary paper document is inaccurate, it is left up to the court to decide its admissibility.

MARKETPLACE

SWIFT has recently released SURE (SWIFT User Risk Evaluation), an auditing software package for SWIFT systems. The package is based on RiskPAC and runs as an automated questionnaire on MS-DOS or PC-DOS version 2.0 or higher. For further information contact the Chief Inspector’s Office in Belgium on +32 2 655 31 11.

Data Innovation - part of the Zergo Group - launched a new addition to the CG500 host security modules at Compsec 89. The CG510-VSM is a revised VISA security module aimed at ATM and EFTPoS networks, using smartcard technology for high level key management. For more information contact Robert Peters on +44 734 441349.

Westinghouse Management Systems in the UK has announced a highly advanced security system for IBM mainframes called NC-PASS. The company claims that the product is the first IBM mainframe security software designed to support physical identification devices, or ‘tokens’ from a variety of vendors. The product is designed to fully integrate with other VTAM products in the Westinghouse range and to interface with products such as RACF and ACF2. NC-PASS is available from Westinghouse for both MVS and VM operating systems and prices start at £10 000. For more information contact David Hart on +44 1 951 1615.

Computer Security Ltd of Brighton, UK launched three new security products at this year’s Compsec exhibition: PC-GUARD version 2.0; the S4000 - an access control system for dial-up networks; and the S25 smartcard - for use with CSL’s S7000 crypto-controller. For more information contact Mark Hope on +44 273 672191.

Delphius Network Management in the UK has introduced a new network controller, Turnstyle, which acts as an electronic library from which programs may be checked out for use. When all copies are in use Turnstyle will
