May 1992
Computer Fraud & Security Bulletin
a letter-sized, self-addressed, stamped envelope to the Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107, USA; tel: +1 415 905 2310.

Sun Microsystems has signed a deal with Emanation Control Ltd (Emcon) of Ottawa to produce Tempest workstations. "Over the next three to four years we're looking at about $50 million worth of business," said Michael Douglas, director of marketing for Sun Canada. The Emcon equipment is the first Canadian product to be recognized on the USA's endorsed Tempest products list.

Digital has launched the Digital Cryptographic Security Agent (DCSA) set of software modules, to meet the increasing demand from financial institutions. DCSA can be used as a packaged product, giving security to existing financial applications via application programming interfaces (APIs). It conforms to the relevant ANSI and ISO standards for MACs, encryption and key management. For more details phone Alan Smith on +44 (0)895 230011.

Demax Software, better known for its VMS security products, has joined the Security Alliance for Enterprise (SAFE) Computing Group. SAFE is a consortium of vendors fostering computer security awareness in the Unix business community and demonstrating that Unix System V products and services address marketplace needs. The company is also actively working to collate, develop and disseminate information supporting the group's mandate. For more details contact Jacques Guerette on +1 415 341 9017 or fax +1 415 341 5809.

Risk Management International is forming the European Risk Management Software Association (ERMSA) to bring together suppliers and customers of risk management software and associated services. The association will produce a monthly newsletter on risk management software developments and hold quarterly seminars, exhibitions and training courses. Eight suppliers have already joined as founder members to promote their products and
services. RMI will initially provide the secretariat for the organization. Membership costs £195 per annum for individuals and £495 per annum for corporate members. For more information contact Jamie Khosla on +44 (0)580 712234 or fax +44 (0)580 7152120.

VeriFone Ltd has announced an enhanced version of its VISA-approved member data capture software, MCD. MCD 1/ provides a "semi-online" link with the bank's MCD system and has improved security features. It now has service code checking, which can limit the card's use to its country of origin and check card start and expiry dates. For more details contact Terri Duhamel on +44 (0)895 824031.
CONFERENCE REPORT

Securicom 92 in Paris, France

Held at the end of March, this was the 10th congress of the Securicom conference. Once again it opened with a panel of speakers, which this year celebrated the anniversary by looking back on the last decade. For the most part the review covered familiar ground, and only Alan Stanley, of the European Users Forum, took the opportunity to peer into the mists of the next ten years. The Forum holds regular surveys of its members, and their replies gave the current state of computer security as follows:

- Most have a policy
- Responsibilities are being clarified
- User awareness is growing
- Authoritative baselines are emerging
- Risk analysis is gaining ground
- Recognition exists of commercial needs, but many requirements remain unsatisfied
©1992 Elsevier Science Publishers Ltd
Extrapolating these trends, Stanley suggested that the year 2002 might find:

- Policies in place everywhere
- Responsibilities in place
- High user awareness
- Authoritative baselines
- Wide use of risk analysis
- Recognized standards of performance
- Security demanded in products and services

Later in the day, the conference compared computer security evaluation practices in Germany, France and the UK. Naturally this focused to a large extent on the recent ITSEC initiatives, although the talks highlighted differences in the implementation of evaluations. Hopefully many of these will be resolved by the publication later this year of ITSEM, the evaluators' manual.

Thursday saw the presentation of several technical papers, of which particular mention should go to Dr Ulrike Korte's talk on the implementation of an EFTPoS system for the German savings banks, and Peter Thazard's session on logic code analysis to detect fraud, sabotage and plain human error. Later the conference looked at aspects of EDI, with particular emphasis on the insurance and legal implications of this paperless trading. In this area, Thierry Piette Caudal gave a virtuoso performance, which survived even the vagaries of translation, to educate the audience on the omissions, assumptions and outright contradictions of French commercial law if applied to EDI.
GOVERNMENT EAVESDROPPING

Should consumers pay?

Wayne Madsen
For at least the past two years an alliance of the Federal Bureau of Investigation, the National Security Agency, the Department of Justice and other components of the US national security structure has sought to pass in the US Congress legislation giving them wide powers to eavesdrop on telecommunications. In 1991 they attached 'Sense of Congress' riders to two Senate Bills empowering US law enforcement agencies to demand the cooperation of telecommunications carriers in providing the government with the "plain text contents of voice, data and other communications". Senator Patrick Leahy of Vermont ensured that this rider was deleted from the two bills, which were Senate Bill 266 (Comprehensive Counter-terrorism Act of 1991) and Senate Bill 618 (Violent Crime Control Act of 1991).

However, the US national security structure has for some time been secretly planning to broaden its powers to conduct domestic eavesdropping on telecommunications. This structure, with enormous financial assets and allies in Congress at its disposal, finally played its hand in early March 1992. It came in the form of a different rider, attached to the Federal Communications Commission (FCC) Authorization Act, essentially a budgetary bill authorizing Federal funding for that agency. Since the oversight committee for the FCC is the House Commerce Committee, while the committee that normally oversees judicial affairs is the House Judiciary Committee, those normally involved with oversight of potential civil liberties and privacy issues were blindsided by Justice's end-run through the Commerce Committee. The Justice Department's plan, enthusiastically backed by the Bush White House, the Director of