Computer Fraud & Security Bulletin, December 1990

company at the time. It is reported that they may have got into BAe’s treasury management system via a link to the firm’s headquarters in London. Although there is no direct link between the treasury management system and SWIFT, the international banking network, treasury staff with the correct passwords can gain access via the system of an intermediary bank. Ironically, at the time of the arrests, British Aerospace was assessing a CKS product which double-checks the identity of the password user by dynamic signature verification.

Political hacking scandal lingers on

Staff at the New Jersey State Legislature’s IS department are still trying to reassure users that the system is secure, according to a recent report in Computerworld. It is several months since some Democrats’ computer files were allegedly breached by one or more members of the Republican staff. Investigations into the incidents are being conducted by the Attorney General’s office and by a joint ethics committee.

The incident centres on the legislature’s Wang VS computer systems, which connect 120 field offices to the Trenton state house. There were three at the time of the break-ins, but they have since upgraded to two more powerful models. These are used for research, to track legislation and to provide public access to information. According to one staff member, “The software we were using had a trap-door. By the time we found out about it, it was too late.”

The application involved in the hacking incident was a database system that some Democrats were said to be using for political work. Because a state law forbids the use of state equipment for political work, some of the Democrats involved may be facing legal action.

The scandal originally came to light in February, when Democrats began complaining that some of their files had been tampered with. Jeffrey Land, a GOP staff member who has been accused of illegally accessing those documents, was fired in March. Staff tracked the activity to Land after a tip-off. An audit trail revealed that he was able to access all the files in question. The incident has been resurrected because Land has recently returned to the jurisdiction and is now willing to testify in return for immunity from prosecution. In addition, one of the state’s top Republicans resigned in September after admitting that he lied to investigators about the incident.

Singapore proposes computer crime laws
Draft legislation to outlaw computer crime in Singapore has been released for comment and debate. The proposed laws will legislate against unauthorized access, theft or interruption of computer services, misuse of system information and destruction of computer equipment. They are to be added to Singapore’s existing penal code, which already provides for computer-assisted offences such as fraud or criminal breach of trust. However, changes will be made to certain legal concepts such as ‘property’ and ‘theft’ to keep up with new technologies. In traditional criminal law, property is defined in tangible terms. But ‘property’ under the broadened penal code is likely to include non-tangibles such as electronic letters, PIN numbers and data.

When these laws are in place, Singapore will join Japan and Hong Kong as one of the few countries in the Asia-Pacific region to have computer crime legislation. The reported incidence of computer crime in Singapore has not reached anywhere near the levels of developed regions such as America and Europe. There have been two attempts by students to hack into the mainframes at the National University of Singapore, and another seven attempts to misuse ATMs. Despite this low rate, Professor Chin Tet Yung, chair of the technology and law sub-committee which drew up the draft laws, commented, “We need to look ahead ... the growth in the number of computers owned and networks implemented, has been exponential. It is only a question of time before we face these problems and we don’t want to be unprepared.”

The technology and law sub-committee was formed following a report earlier this year by an inter-ministerial committee recommending computer legislation. Besides computer crime legislation, the sub-committee is also looking at laws on personal data protection (a report on this has just been released) and on the admissibility of computer evidence.

Hackers threaten UK banks

Hackers who want to be employed as security consultants may be responsible for breaking into the systems of some UK banks, according to a recent report in The Guardian. A computer security consultant said that he had been approached by a group of hackers earlier in the year and asked to act as a middleman between them and the banks.

They planned to hack into banking systems and then, having proved their skills, to offer themselves as consultants. There have since been breaches of bank security, and use has been made of the password of a Latin American bank in order to enter financial networks. Several messages have been left, and on at least one occasion the bank was told that it would suffer the consequences if it did not cooperate.

In the UK there has always been a wariness of legitimizing hackers in this way. Robert Schifreen, the hacker who broke his way into the Duke of Edinburgh’s E-mail system in 1985, said that he was never approached by Prestel for information on how he had done it. “In America I would have been offered a job. Here they don’t want to know”, said Schifreen, who now works in computer publishing.

There are thought to be only five hackers involved in the current breaches, mostly around the southeast part of the UK - Guildford, Kingston and central London - together with one up in the Liverpool/Cheshire area. The company investigating the breaches, Network Security Management, has recently increased its staff from eight to 28. Scotland Yard say that they are unaware of the blackmail investigation.

AT&T to enhance Unix security

AT&T’s Unix System Laboratories have announced that they will increase security features and include new file management and systems administration facilities in Unix System V Release 4. Unix security will be improved to adhere to the US NCSC’s B2 level. The improvements are thought to be consistent with Roadmap, a document issued by the non-profit-making Unix International body in January, which covers future implementations of Unix.

The first phase, conformance to the B3 level, is due to be delivered in the first half of 1991. In the second half of 1991, Unix Software Labs will make a rating kit available so that users can test their applications to ensure they also conform to B3 security. By mid-1992, an extended version is scheduled to meet B2 specifications for a secure environment.

©1990 Elsevier Science Publishers Ltd
1989 Earthquake leaves no scars
A year ago a major earthquake jolted the San Francisco Bay area causing damage that claimed lives, destroyed buildings and cut electricity, leaving some businesses and homes powerless for days. After coping with the shock of damage to homes, many Silicon Valley employees made their way back to work only to find the computer systems unusable. This lesson in hard knocks should have been all that was needed to spur management into setting up adequate contingency plans for the next such disaster, but no such luck. Security consulting and service firms saw some corporate executives signing up for disaster recovery programmes after the quake, but experts agree there was no wave of conversion by the majority of companies.