JULY - AUGUST
THE COMPUTER LAW AND SECURITY REPORT
in any particular environment will be stressed, highlighting the need to consider the total system, not just the computer aspects. The study also indicated the need for a trusted register of IT system security breach incidents. The practicality and mechanisms for establishing an Incident Database are being considered by the Department. A third, and most important, initiative is the establishment of a Commercial Computer Security Cell at Malvern in a collaborative venture between the DTI and RSRE. This cell will act as a technical focus for Government assistance to industry and commerce with regard to commercial computer security; it will develop codes of practice and technical criteria and provide advice to both users and suppliers. It is also expected that the Cell will play a valuable role in the development and implementation of commercial evaluation and certification arrangements. It is not intended that this cell should compete with those providing a commercial service in the field, and the Cell will be concerned to direct those requiring such a service to appropriate commercial organisations.
Future plans

We shall continue to monitor progress with these initiatives in the coming months. But these are not the only items receiving our attention. For instance, the Group has from the beginning expressed concern about the integrity of software (by this I mean vulnerability to fraudulent alteration, and failure due to errors in design and implementation, rather than copying) and is taking an interest in work being carried out at the NCC on this subject under the auspices of the European Commission. This concern has been borne out by the Threat Assessment Study. We are also taking a close interest in work being carried out at the NCC in association with the Data Protection Registrar to produce guidelines for users to comply with the requirements of the Data Protection Act 1984. These and other matters will come more to the fore in the coming months, when I anticipate that the membership of the Group may be widened. I would not wish to conclude this article without paying tribute to the expertise and work of the staff of the IT Division who have, in my view, achieved much with their limited resources.

R A J Middleton
Report Correspondent
Chairman, DTI Computer Security Advisory Group
US FOCUS

FLOPPY DISK SECURITY FOR THE OFFICE

Today more and more employees are becoming computer literate. As they become more literate (many even have their own PCs), so rise the risks of data and software theft. Just how do you protect company assets, such as sales forecast data, customer lists and in-house programs held on PCs? Or even "purchased" software, for that matter? Unfortunately, there is no one simple answer. Recently I had the opportunity to examine two security systems from Media Security Incorporated: "Secur-Disk" and "Drive-Loc". "Secur-Disk" consists of a special electronic sensor built into the diskettes, reel tapes or 3480 tape cartridges, together with an electronic sensor unit (see diagram). When one of these "tagged" disks passes through the sensors, an alarm sounds. The alarm system can also be set to lock doors and start video tape recorders in addition to sounding the alarm. But what precludes someone from bringing in their own disks and making copies? Absolutely nothing! To prevent this, Media Security developed the "Drive-Loc" system. "Drive-Loc" is a special device that, once installed in a PC, prevents the PC's floppy drive from writing to an unauthorised (non-tagged) disk. Combined, "Secur-Disk" and "Drive-Loc" make it virtually impossible to remove sensitive information on removable media; assuming, of course, that your PC does not have a modem on it! This level of security does not come cheap: "Drive-Loc" sells for about $350 per drive, and a single custom door sensor runs about $7,000. Brown Disc/Rhone Poulenc, a Colorado Springs based subsidiary of Rhone Poulenc Systems, recently entered into an agreement to manufacture the "tagged" discs for Media Security. Media Security also sells the electronic tags separately, so it is possible to tag equipment, file folders and the like. I was able to tag one of my 3½ inch disks and still use it in my HP150.

"Tagged" media is available in the following formats: 3½ inch, 5¼ inch and 8 inch diskettes; ½ inch reel tape and ½ inch 3480 tape cartridges.

[Diagram: Secur-Disk CL circuit implant; Drive-Loc drive MOD with write-protect circuit; Drive-Loc detector antenna; audio-visual camera]
Kathleen A. Cara, Vice-President of Sales and Marketing for Systems Management Corporation, Media Security's representative, pointed out that Media Security's system is impervious to magnetic fields, so when you degauss your disks or tapes you won't lose your investment. The sensing equipment, in addition to monitoring for power loss, detects RF flooding (radio jamming) of the sensors. George F. Denehy, President of Media Security, Inc., noted that recent demonstrations in Washington D.C. have generated great interest from both government and private sectors. According to Cara, both the "Secur-Disk" and "Drive-Loc" systems are exportable from the United States. Additional information on "Secur-Disk" and "Drive-Loc" can be obtained from: Ms. Kathleen A. Cara, Vice President - Sales/Marketing, Systems Management Corporation, 3135 Windjammer Drive, Colorado Springs, Colorado, 80918, Phone: (303) 594-6314 or from: Media Security Incorporated, 7222 Commerce Center Drive Suite 240, Colorado Springs, Colorado, 80919, Phone: (303) 531-9411.

But what about printouts? Screen displays? Or even employees divulging information verbally? All the electronics in the world are not going to stop the latter! One solution is to execute confidentiality agreements with your employees, which, in addition to binding them contractually to protect your data, "sensitizes" them to the fact that the subject matter IS confidential information. In addition, it gives the company some legal alternatives should problems develop.
Because of the growing problem of computer viruses, you should be extremely cautious about putting unchecked downloaded software on company PCs. Computer viruses are programs that "infect" other programs with a series of commands that can crash systems or install back doors so that unauthorised users can get in at a later date. These programs sit dormant for some time, infecting other programs and operating systems; after a while, all the backup discs contain the virus as well. If these discs are used on another system, that system too is infected. In light of these problems, maybe the old warning "Caveat Emptor" should be updated to "Caveat Downloader" for the '80s.
Game playing in the office

Epyx Inc., a computer game manufacturer, recently polled 750 executives and found that 66 percent admitted that they use their office computer for something other than work, anywhere from 15 minutes to two hours a day. This could be playing games, writing letters, or writing résumés, which some 20 percent admitted doing.
LAW REPORTS UPDATE

RECENT LEGISLATIVE AND JUDICIAL DEVELOPMENTS IN THE US

Bernard P. Zajac Jr, Editorial Panelist
Opinions expressed herein are those of the author and do not necessarily reflect those of ABEX Corporation.
"Look and feel" of Lotus 1-2-3

While Lotus continue their legal actions against Paperback and Mosaic Software, alleging copying of the "user interface" in 1-2-3, Lotus itself is now being sued by SAPC, who allege that 1-2-3's look and feel infringes the copyrights in "Visicalc". SAPC were the original developers of the Visicalc spreadsheet, the rights to which were sold to Lotus in June 1985. The present action relates to alleged infringements prior to the Lotus acquisition. The complaint also alleges that Lotus's founder, Mitchell D. Kapor, misappropriated "copyrighted and confidential" aspects of the Visicalc program when he was an employee of a corporation which had exclusive marketing rights to Visicalc. SAPC are claiming a modest $100 million. Watch this space?
Ex-ATM repairman beats bank ATM machines

The Wall Street Journal recently reported that an ex-ATM repairman, using a $1~00 machine, was able to create his own ATM cards and beat several bank machines. The repairman, who is currently being sought by the U.S. Marshals for jumping bail, would watch a customer use an ATM to see if he could see the user enter his or her PIN (Personal Identification Number). Then, if the customer threw out the transaction receipt (which generally contains the user's account number), he would retrieve it. Now he had an account number and a valid PIN. Using the knowledge gained as a repairman and the machine, he would encode a blank bank card with the account number and PIN, in essence duplicating the card. Everything was fine except that the "new" cards all seemed to have a flaw: while good enough to have the machines dispense money, they also caused the machines to alert the bank that something wasn't quite right with the cards. Alerted to a potential problem, the bank promptly changed the programming to have the ATMs retain the flawed cards. Once a flawed card was in hand, the bank had concrete evidence that a fraud was under way. The bank then changed the programming again. This time, instead of keeping the card, the machine would immediately notify the bank where the card was in use and monitor that ATM in real time. The next time a flawed card was used, the bank dispatched its security personnel to that location and the ex-repairman was arrested.
Shrink-wrap licences

Following the ruling in Vault Corp. v Quaid Software (see (1987-88) 1 CLSR 35), in which the Louisiana shrink-wrap licence law was held to be pre-empted by the Federal Copyright Act 1976, the only other State to have enacted similar legislation is now expected to fall in line. A Bill is to be introduced shortly in Illinois to repeal that State's 1985 shrink-wrap licence law.

Warranties

Readers of The Report may recall the Molina Bill introduced in California in 1985, which proposed to give users the right to reject software if it failed to meet advertised claims within the warranty period ((1985-86) 6 CLSR 6). This Bill was eventually withdrawn, but now a very similar Bill has been introduced in Massachusetts. This would allow dissatisfied users to obtain a refund of the purchase price and to recover damages incurred during the period of use. The Molina Bill was dropped partly as a result of an undertaking given by ADAPSO (the Association of Data Processing Service Organisations) to encourage industry to adopt a 90 day warranty giving users the right to return or exchange software products which failed to perform according to advertised claims. The Microsoftware Customer Advisory Board of ADAPSO recently issued guidelines designed to encourage software developers to offer more realistic warranties. Four reasons were given for the proposals:
- "As is" warranties might be found by a court to provide no meaningful remedies, and a customer might therefore
More Trojan Horse programs

Finally, there has been a Trojan Horse program floating around US bulletin boards that will alter the partition record of a hard disk, preventing rebooting until you rebuild the partition table of your hard disk (with FDISK, not FORMAT)! The program, ARC513.COM, is supposed to be a new release of an archive program. This again points out that you have to be very careful with "free" software. You should DEBUG any new program downloaded from a bulletin board, disassemble it, and look for any disk write interrupts, especially if the program isn't supposed to write to disk!
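A static check of the kind recommended above, as an added example that is not code from the original page or from any program it names: it sweeps a DOS .COM image for INT instructions and reports those that perform disk writes, using the AH function number loaded before the call. Both sample images are constructed here for illustration, and the table of write services is an assumption limited to the common BIOS and DOS calls of the period.

```python
"""Flag disk-write interrupts in a DOS .COM image (added example).

A .COM file is raw 8086 code loaded at offset 0x100, so a linear sweep over
the bytes is a crude but workable way to spot "INT nn" calls before running
the program, much as one would page through DEBUG's unassembly. The sweep
decodes only the instructions needed to track AH (the BIOS/DOS function
selector) and skips everything else one byte at a time, so packed,
encrypted or self-modifying code will evade it; treat a clean report as
"nothing obvious", not as a guarantee.
"""

# Interrupt vectors and AH function numbers that write to disk. Assumption:
# the table is limited to the common BIOS/DOS write services; extend as needed.
WRITE_SERVICES = {
    0x13: {0x03: "BIOS write sectors", 0x05: "BIOS format track"},
    0x21: {0x3C: "DOS create file", 0x40: "DOS write to handle",
           0x15: "DOS FCB sequential write"},
}
# INT 26h takes no AH selector: every call is a DOS absolute disk write.
WRITE_INTERRUPTS = {0x26: "DOS absolute disk write"}

COM_LOAD_ADDRESS = 0x100


def scan_com(image):
    """Return [(address, int_no, ah, description)] for disk-writing INTs.

    AH is tracked through MOV AH,imm8 (B4 ib) and MOV AX,imm16 (B8 iw). The
    other MOV r8/r16,imm forms are consumed whole so that their immediate
    bytes are not mistaken for opcodes. AH is None if no load preceded the INT.
    """
    findings = []
    ah = None
    i, n = 0, len(image)
    while i < n:
        op = image[i]
        if 0xB0 <= op <= 0xB7:                # MOV r8, imm8
            if op == 0xB4 and i + 1 < n:
                ah = image[i + 1]
            i += 2
        elif 0xB8 <= op <= 0xBF:              # MOV r16, imm16
            if op == 0xB8 and i + 2 < n:
                ah = image[i + 2]             # high byte of AX is AH
            i += 3
        elif op == 0xCD and i + 1 < n:        # INT imm8
            vec = image[i + 1]
            desc = WRITE_INTERRUPTS.get(vec)
            if desc is None:
                desc = WRITE_SERVICES.get(vec, {}).get(ah)
            if desc is not None:
                findings.append((COM_LOAD_ADDRESS + i, vec, ah, desc))
            i += 2
        else:
            i += 1
    return findings


def format_report(image):
    """One DEBUG-style hex line per finding."""
    return ["%04X: INT %02Xh AH=%s  %s" % (addr, vec,
            "??" if ah is None else "%02Xh" % ah, desc)
            for addr, vec, ah, desc in scan_com(image)]


# Constructed sample 1: a harmless stub that opens, reads and prints a file.
BENIGN_STUB = bytes([
    0xB8, 0x00, 0x3D,   # mov ax,3D00h  open file (AH=3Dh)
    0xCD, 0x21,         # int 21h
    0xB4, 0x3F,         # mov ah,3Fh    read from handle
    0xCD, 0x21,         # int 21h
    0xB4, 0x09,         # mov ah,09h    print string
    0xCD, 0x21,         # int 21h
    0xB8, 0x00, 0x4C,   # mov ax,4C00h  terminate
    0xCD, 0x21,         # int 21h
])

# Constructed sample 2: the shape of a partition-record wiper. It writes one
# sector to cylinder 0, head 0, sector 1 of the first hard disk (DL=80h),
# which is where the partition table lives (ES:BX buffer setup omitted).
PARTITION_WRITER = bytes([
    0xB8, 0x01, 0x03,   # mov ax,0301h  AH=03h write, AL=1 sector
    0xB9, 0x01, 0x00,   # mov cx,0001h  cylinder 0, sector 1
    0xBA, 0x80, 0x00,   # mov dx,0080h  head 0, drive 80h
    0xCD, 0x13,         # int 13h       <-- flagged
    0xB8, 0x00, 0x4C,   # mov ax,4C00h  terminate
    0xCD, 0x21,         # int 21h
])

if __name__ == "__main__":
    for name, img in (("benign", BENIGN_STUB), ("trojan", PARTITION_WRITER)):
        print(name, format_report(img) or ["no disk-write interrupts found"])
```

Run it against a real download with `scan_com(open("ARC513.COM", "rb").read())`. A hit on INT 13h with AH=03h or on INT 26h in a program that should only read archives is the red flag the text describes; a program that sets AH indirectly (for example by arithmetic or from memory) will show `AH=??` or be missed entirely, which is why the sweep is a triage step and not a substitute for stepping through the code in DEBUG.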