Microfiche espionage


excess of £250,000. Moving down the self-insurance scale, for a cover of £2,000,000 with an excess of £100,000, the premium could increase to £5,000. For a lower limit of indemnity of £1,000 with an excess of £100,000 the premium might be £3,500.

P A Bawcutt, Managing Director, Risk Research Group (London) Ltd

MISUSE INSURANCE

The Trident General Insurance Company Limited of 37/39 Lime Street, London EC3M 7AY has just announced what, at first glance, appears to be a very brave piece of insurance. Its computer misuse insurance covers companies against:

* erasure, destruction or distortion of data or data-carrying materials used in connection with computer equipment
* intentional, unjustifiable fraudulent and dishonest
  - program manipulation
  - suppression, alteration, or insertion of data or data-carrying materials used in connection with computer equipment.

However, on deeper analysis, the policy may be of less value.

* The protection against dishonesty etc applies only if the name of the employee responsible has been established.
* The protection ceases immediately the loss has been uncovered and reported.
* The protection extends for 2 years after the date on which the loss was first caused (i.e. on a fraud lasting, say, four years, only the first two are covered).
* The policy only covers employees, not contract staff.
* Loss of profits and consequential losses are not covered.
* A limit of payout will be set for each policy (thought to be up to a maximum of £700,000).
* Any other policies covering a loss (for example, fidelity insurance or cheque-writing policy) take priority and are to be settled before any benefit under the computer misuse policy can be claimed.
* As far as the erasure etc provisions are concerned, there is an excess of £2,500 on any claim.

Application for a policy has to be made through a broker and will be available to computer users who already hold a Trident Computer Policy. Premiums will be calculated on an individual basis, according to the risks. Any and all changes affecting the computer and related systems have to be communicated to the insurer but strict compliance with this condition may be difficult to maintain.

MICROFICHE ESPIONAGE

John Agius, 43, a self-employed dealer in parts for BMW motor cars, was convicted last month at Kingston Crown Court and fined £2250 plus £500 costs for "receiving" microfiche stolen from BMW. The charges were brought under the Theft Act 1968 but the case was described by the Prosecutor as one of "industrial espionage". The microfiche, subject of the criminal complaint, were compiled and issued to authorized BMW dealers; they contained the recommended resale prices of BMW parts and components. Authorized dealers who were entitled to receive the microfiche were also issued with special readers (presumably as a security control). As a result of his inside information on BMW prices, Agius was able to undercut authorized dealers by up to 30%. Ramesh Shah, employed by a BMW authorized dealer, M.L.G. Motors of Chiswick, was fined £200 for theft. The court heard that Shah stole the microfiche to help his friend.

Suspicions of BMW management were first aroused last summer when they could not trace one of the special microfiche readers. The police were informed and a trap was set. The firm that produced the microfiche was asked to make a unique set, containing a number of mistakes, and the police hoped to trace them through the system to see how and to whom they were disposed. Some were supplied to MLG Motors and, at what appeared to be an appropriate time, the Police pounced on Agius and searched his premises. A number of microfiche were found, but none from the unique set. Shah was interviewed and the marked set was found in his possession.

COMPUTER FRAUD & SECURITY BULLETIN Vol 1 No 10

CASH DISPENSERS

Anne Dooley, writing in Computerworld, reported a recent case at Citibank of New York. Two men raided the bank's Brooklyn Regional Office and stole the keys and combinations to the Automatic Teller Machines (ATM) for 40 branches in the New York area. To add insult to injury, the robbers broke into the ATM in the Regional Office and made off with $45 000 in cash. Three employees, working in the building at the time of the raid, were tied up, but eventually struggled free and alerted the Police. Within a short time, the Bank's security officers had visited the branches concerned and changed the combinations. They found that two of the ATMs had already been emptied of a further $54 000. Not bad for a night's work. There may have been a breakdown in security in this case:

* why were the combinations and the keys kept together in one location?
* with a direct communications line between the ATMs and the bank's central computer (as we understand there was), why couldn't there be a central override to check and authorise requests to open remote ATMs?

The case illustrates the simplicity - based on good criminal planning - of many crimes. It also indicates that physical security is an important control in even the most advanced systems.

THE FRAUD MACHINE?

After the Equity Funding $2 billion collapse, it is rumoured that the supplier of the company's computer hardware was threatened with legal action by aggrieved creditors, for negligence in supplying an insecure machine. The manufacturer is alleged to have brought sense to the issue by arguing that it would be unrealistic and unfair to sue the manufacturers of a ballpoint pen, misused for manual embezzlement. The Equity Funding case