NEWS
Editorial office: Elsevier Ltd, PO Box 150, Kidlington, Oxford OX5 1AS, United Kingdom. Tel: +44 (0)1865 843695. Fax: +44 (0)1865 843971. Web: www.computerfraudandsecurity.com
Editor: Sarah Hilley
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Editor: Alan Stubley
Computer Fraud & Security, September 2007
Editorial
The report from the UK Science and Technology Committee can only be applauded, as it seems to have the public’s Internet safety at heart. It realises that it is not up to users at home to know the ins and outs of security maintenance, but up to other powers, like ISPs and software giants, to keep them safe. Although some of the Personal Internet Security suggestions may seem far-fetched and unlikely ever to materialise, the authors have to be praised for their inclusive tackling of problems and brave attempts to solve them. It is rational indeed to demand a U-turn on the legislation that says members of the public can’t turn to the police after suffering bank fraud. And it makes sense that banks, companies, the government and the police should make more effort to shield people from online risks. Transparent security notification is already tried and tested in the US and will undoubtedly cast a light on a realm of shadowy breaches if it comes to the UK. Making IT vendors liable for vulnerable systems may be democratic justice, but it is unlikely ever to become reality.
Sarah Hilley
Terrorist mobile phone records lost
Terrorist and mobile phone records collected by the police have been stolen from a forensic company in the UK.
Police have launched an investigation to catch the thieves who stole a database containing secret records from a company in Kent. Forensic Telecommunications Services, which serves the Police Service of Northern Ireland, HM Revenue and Customs, the Crown Prosecution Service and Scotland Yard, was broken into in early August.
The stolen data contain details of who made a call, the time of the call and the location of the suspect. According to the UK’s Independent newspaper, Scotland Yard is concerned that the data may have landed in the wrong hands or could be lost forever.
US immigration system under fire
A US Homeland Security agency, which monitors visitors and immigrants entering the country, has come under fire from the Government Accountability Office (GAO).
The GAO has found significant weaknesses in the US-VISIT programme that put sensitive data at risk. Deficiencies were exposed in access and system controls for mainframes, networks and workstations. The US-VISIT programme handles a wide range of sensitive information, including social security numbers, passport numbers, the terrorist watch list, dates of birth and flight information. Some of the glaring errors include failure to:
• Adequately identify and authenticate users in systems supporting US-VISIT information and information systems.
• Sufficiently limit access to US-VISIT information and information systems.
• Ensure that controls adequately protected external and internal network boundaries.
• Effectively implement physical security at several locations.
• Consistently encrypt sensitive data traversing the communication network.
• Provide adequate logging or appropriate controls to protect the user accountability for the mainframe, workstations, or servers.
The report said: “These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information, including personally identifiable information, and disrupt the operations of the US-VISIT program.
“As the federal government strives to integrate information on the entry and exit from the United States of foreign nationals, it is critical that the computer systems that support US-VISIT are properly protected through strong information security controls since a security breach could have a direct impact on our homeland and the security of US citizens.” For more information visit: http://www.gao.gov
Systems supporting US-VISIT. Source: GAO.
Report demands UK security overhaul
The UK Science and Technology Committee has called for the government to reverse its law requiring online fraud to be reported to banks in the first instance.
The Personal Internet Security report, published on 10 August, demands a radical overhaul of how the UK reacts to IT security. Many of the suggestions are modelled on the US practice of transparent reporting of incidents and on its public fraud hotline run by IC3.
Incident notification
The report also called for a security incident notification law in line with US legislation. A data security breach should be adequately defined, taking into account the sensitivity of the lost data, the report advises, and a mandatory central reporting system should be established. The authors say that a data security breach notification law would be “among the most important advances that the United Kingdom could make in promoting personal Internet security”.
Counting on banks
The report branded the refusal of banks, in particular, to accept responsibility for securing personal information “disturbing”. The report said: “We recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of E-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically.” Banks should also be held liable for losses incurred through electronic fraud, according to the report.
Make vendors pay
More blue-sky suggestions include making IT vendors liable for insecure
IN BRIEF
Microsoft to use HSMs
Microsoft software will use nCipher hardware security modules (HSMs) and timestamping technology for authentication. It enables developers to prove the software has not been tampered with.
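The brief above on Microsoft's use of nCipher HSMs and timestamping says only that a signature plus a timestamp lets developers prove software has not been tampered with. The following Go example is added here to show the two checks an installer performs in such a scheme; it is not Microsoft's or nCipher's code and is not taken from this page. It assumes a publisher key with a validity window (held in memory here; in the deployment the brief describes it would sit in the HSM) and a trusted timestamp that is bound into the signed data, so that a signature made while the key was valid still verifies after the key has expired, while a modified artifact or a swapped timestamp is rejected. The sample artifact bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SigningKey stands in for a publisher key held in an HSM (assumption: the
// private half never leaves the module in a real deployment).
type SigningKey struct {
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	NotBefore time.Time // start of the key's validity window
	NotAfter  time.Time // end of the key's validity window
}

// SignedArtifact is what ships with a release: the artifact digest, the
// timestamp (assumed to come from a trusted timestamp authority) and the
// signature over both.
type SignedArtifact struct {
	Digest    [32]byte
	Timestamp time.Time
	Signature []byte
}

// NewSigningKey generates a fresh Ed25519 key pair for the given window.
func NewSigningKey(notBefore, notAfter time.Time) (*SigningKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningKey{pub: pub, priv: priv, NotBefore: notBefore, NotAfter: notAfter}, nil
}

// PublicKey returns the verification key an installer would carry.
func (k *SigningKey) PublicKey() ed25519.PublicKey { return k.pub }

// signedBytes binds digest and timestamp into one message, so neither can be
// replaced without invalidating the signature.
func signedBytes(digest [32]byte, ts time.Time) []byte {
	buf := make([]byte, 40)
	copy(buf, digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(ts.Unix()))
	return buf
}

// Sign hashes the artifact and signs digest||timestamp. Signing is refused
// when the timestamp lies outside the key's validity window.
func (k *SigningKey) Sign(artifact []byte, ts time.Time) (*SignedArtifact, error) {
	if ts.Before(k.NotBefore) || ts.After(k.NotAfter) {
		return nil, errors.New("signing time outside key validity")
	}
	d := sha256.Sum256(artifact)
	sig := ed25519.Sign(k.priv, signedBytes(d, ts))
	return &SignedArtifact{Digest: d, Timestamp: ts, Signature: sig}, nil
}

// Verify is the installer-side check at time now: the file must hash to the
// signed digest, the signature must verify under the publisher key, and the
// bound timestamp must fall inside the key's validity window. The window is
// checked against the timestamp, not against now, which is what lets a good
// signature remain valid after the key has expired.
func Verify(pub ed25519.PublicKey, notBefore, notAfter time.Time, artifact []byte, sa *SignedArtifact, now time.Time) error {
	if sha256.Sum256(artifact) != sa.Digest {
		return errors.New("artifact digest mismatch: file was modified")
	}
	if !ed25519.Verify(pub, signedBytes(sa.Digest, sa.Timestamp), sa.Signature) {
		return errors.New("bad signature")
	}
	if sa.Timestamp.Before(notBefore) || sa.Timestamp.After(notAfter) {
		return errors.New("timestamp outside key validity")
	}
	if sa.Timestamp.After(now) {
		return errors.New("timestamp lies in the future")
	}
	return nil
}

func main() {
	nb := time.Date(2007, 1, 1, 0, 0, 0, 0, time.UTC)
	na := time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC)
	k, err := NewSigningKey(nb, na)
	if err != nil {
		panic(err)
	}
	artifact := []byte("setup.exe contents (constructed sample)") // constructed input
	signedAt := time.Date(2007, 9, 1, 12, 0, 0, 0, time.UTC)
	sa, _ := k.Sign(artifact, signedAt)
	fmt.Println("at issue:        ", Verify(k.PublicKey(), nb, na, artifact, sa, signedAt))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	fmt.Println("tampered:        ", Verify(k.PublicKey(), nb, na, tampered, sa, signedAt))
	later := time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("after key expiry:", Verify(k.PublicKey(), nb, na, artifact, sa, later))
}
```

The design point is the binding: because the timestamp is inside the signed message, an attacker who holds an expired key cannot sign new code and back-date it without the timestamp authority's cooperation, and a signature made during the key's lifetime does not have to be re-issued when the key is retired.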
TorrentSpy to block US IP addresses
Digital content site TorrentSpy says it will block US-originating IP addresses rather than surrender server logs to US authorities. The Motion Picture Association of America (MPAA) alleges TorrentSpy broke copyright laws by allowing users to download digital content. TorrentSpy said that retrieving the data demanded by the authorities would breach its users’ privacy policy.
Scams trick one fifth of Internet users
One fifth of online Web surfers in the US have suffered at least one Internet scam, according to Microsoft-commissioned research. About 81% of adults admitted they had compromised their personal Internet security by opening a suspect-looking email. The survey also revealed different levels of knowledge regarding online fraud between the sexes. More men (47%) claim to know about online fraud than women (36%). However, more women (69%) claim they have never been a victim of an Internet scam, compared with 63% of men.
Westpac bank customers not liable for online fraud
Customers of Westpac Bank in New Zealand will not be liable for money lost due to online fraud, the firm has announced. The practice is contrary to the New Zealand Bankers’ Association’s normal procedure.
Virtual security officers patrol Chinese websites
Virtual figures will appear on users’ screens in China to remind them of Internet security every 30 minutes. They will appear on news portals and Beijing sites and forums. The officers will appear on foot, on motorbikes or in a car. According to the China Daily newspaper they will be “on watch for websites that incite secession, promote superstition, gambling and fraud.”