Vol. 11, No. 5, Page 10
be benign if the epidemic alerts computer owners to the need to prepare against future assaults. Others argue that the tightening of computer security might harm the country’s economy or that the invader actually represents a new type of helpful software designed for computer networks. The same class of software could be used to harness computers around the world and put them to work simultaneously. It could also diagnose malfunctions in a network, execute large computations on many machines at once and act as a speedy messenger.

Mr. Morris, whose tampering is reported to have brought down the Arpanet network, is perhaps the ultimate ‘hacker’. The term is used with respect in the computer subculture but frequently viewed by the computing professional as a synonym for an electronic delinquent. A computer science professor at Cornell University said Mr. Morris had been admitted to the graduate program there because “he had a reputation for being a hacker at Harvard”. On balance, the computer hacker appears to be both a national treasure and a national headache.

Dr Harold Joseph Highland, FICS
COMPUTER SECURITY: WHAT’S NEW?
The last two years have witnessed a dramatic upsurge in international awareness of computer abuse. Business executives and the general public have seen a spate of press reports on computer viruses, hacking and computer fraud on electronic funds transfer systems. Criminals and subversives are recognizing the merits of using computer facilities and electronic bulletin boards to further their clandestine interests and to expedite communications in the underworld.
At the same time the business community has benefited from better exploitation of computer and networking facilities to harness business growth and operations. Many corporations are totally dependent on the continual support of business systems to provide them with accurate and up-to-date management information to run their business. Any serious security breach which results in a corruption of the corporate database, unauthorized disclosure of company secrets, or the protracted denial of access to important business information, is likely to send a chill down the spine of the corporate executive as the adverse business impact gathers pace in the aftermath and cascades through the various parts of the corporate machinery in the course of time.
The security products and service ‘industry’ has not stood still in the meantime, bringing innovations to the marketplace to provide countermeasures with varying degrees of success. Lawmakers in various European and American countries are also working hard to incorporate major amendments and new statutes in their antiquated, and at times ineffectual, legal machinery in an effort to arrest the accelerated growth of computer abuse. This involves the clarification of the definition of crime in information technology areas, as well as the extension of crime investigation powers to expedite the search for, and collection of, essential evidence to bring successful prosecutions of high-tech criminals in the law courts.
Computer Viruses
The most publicized virus story so far which hit the press headlines was that of the 23-year-old graduate student at Cornell University who introduced a computer virus program in November 1988 into the Internet network linking some 6000 computers at universities, defence and government research centres, and some corporate research laboratories across America. All the computers affected were DEC VAX computers and Sun workstations using the Berkeley and AT&T System V version 3 of the Unix operating system. The virus used the Sendmail facility in the electronic messaging system to send itself from one computer to the next, and then repeatedly generated more copies of itself on the host computers. Eventually most of the 6000 computers were saturated with many copies of the same virus program and normal service was brought to a halt within 24 hours. Substantial programmer effort had to be expended to clean up the infected computers and disk files.

COMPUTER FRAUD & SECURITY BULLETIN
©1989 Elsevier Science Publishers Ltd., England. /89/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Another equally devastating virus took IBM by storm in December 1987 and brought its private international network to a complete standstill. The virus was initially introduced by a German university student into the European academic network (Earn) and then spread to the international Bitnet network, eventually passing through to IBM’s VNet and jamming the 350 000 terminals tied to the company’s worldwide electronic mail network.

The virus program copied itself at least half a million times within just two hours. Users got a message asking them to type ‘Christmas’. When they did, they sent the virus to every person on their electronic mailing lists. Each recipient of the message would again repeat the same broadcasting process. When users triggered it by reading their mail, the virus simply drew a Christmas tree on the screen.
Elsewhere a number of viruses were reported to have infected many personal computers used for office systems in the United States, United Kingdom, Israel and Germany. For example the Pakistani Brain virus originated in Lahore and sometimes puts a label ‘Brain’ on the screen of the IBM PC or compatible. It found its way from the US to a university and a software house in the Midlands, UK, from the Philippines to an insurance company in Southern England, and from Indonesia to a large company in London. The virus conceals itself in the bootstrap sector of a disk drive which contains only machine code. The instant a user boots from an infected disk, Brain would change the boot sector, writing approximately 1000 lines of code and camouflaging it in an unused area of the disk. The infected boot sector would then spread the virus to every disk inserted in the drive, and eventually to the entire PC network connected to the infected PC.
By itself, Brain is relatively harmless as it does not corrupt data. It simply replicates itself across systems, writing directly to the hard disk. The Lehigh virus, on the other hand, would corrupt the DOS operating system and wipe out the first 50 sectors of a disk. It caused havoc in the Lehigh University in Bethlehem, Pasadena, USA.
The Jerusalem virus which infected more than a thousand personal computers in Israel in late 1987 found its way to the office system of a PC network in one of the UK high street banks. The virus code contained a time bomb intended to destroy all files in storage on 13 May 1988 - the 46th anniversary of the last day of Palestine’s existence and the eve of 14 May 1948, the day when Israel declared her independence. All the systems infected found that program executions would slow down on the 13th of every month, causing consternation to users. A coding error had led the virus to reinfect the same programs over and over again, gradually increasing the size of the infected area on hard disks and diskettes. Surprisingly, victims found the time bomb failed to detonate on the due date. Nevertheless substantial effort was required to clean up the disks and to recover the original systems from previous uncontaminated backup copies.
Hacking
Both the Scottish and English Law Commissions are in the process of recommending changes to the statute books to outlaw hacking for criminal or malicious intent. This has been a direct result of the decision of the Law Lords to uphold the Court of Appeal’s decision in 1988 to quash the sentence of Stephen Gold and Robert Schifreen as imposed by Southwark Crown Court. The two were charged with forgery of passwords which led to the pair successfully hacking into the Duke of Edinburgh’s Prestel mailbox, among other exploits.
Meanwhile hacking activities have continued unabated, sometimes with vicious intents and damaging results. For example, a nineteen-year-old computer operator working for a chemical research company abused his position of trust by exploiting privileged knowledge obtained in his employ, to hack into a number of ICL installations and to destroy the system’s accounting records to cover his tracks. In one instance he was alleged to have damaged both the live files and all their backup copies on an ICL 2988 computer running under the VME operating system and in consequence sabotaged and invalidated the findings of a breast cancer experimental research project. He was also charged with breaking into JANET, the Joint Academic Network which links computers at British universities, and erasing records of his hacking activities from the system log.
Indeed, the user-friendly JANET network has fallen prey on many occasions to both German and British hackers. A schoolboy in Glastonbury, England, accessed JANET to pass through to another system to send a bomb hoax message via its telex service to his school, which resulted in the total evacuation of pupils from the school’s premises. Recently an engineering student exploited the link between JANET and a car manufacturer’s engineering systems to gain access to the latter and erased a number of design and manufacturing files. Fortunately the company was able to recreate the lost data from its backup copies.
Elsewhere a food company was providing dial-up access on its Microdata computers supplied by McDonnell Douglas, at various factory premises, for remote diagnosis by computer engineers and read access to factory data by system users. On one occasion the company discovered that someone had obtained system manager status to block all user access to the computer at one factory location. In another instance operators found the computers were being accessed to retrieve the test results on raw material batches. The computers also contained files of product recipes and product specifications, as well as ingredient prices and prime costs. The information was held to be of special interest to competitors.
This was not the only reported case of industrial espionage by hackers. Professional hackers were rumoured to have been employed to hack into a corporate network to discover the profitability of operating divisions during a major brewery takeover battle in 1987. In the same year, members of the Chaos Computer Club in Hamburg, West Germany, were accused of stealing ultra-sensitive programs from SGS-Thomson, the French subsidiary of Philips, worth several billion pounds. They also hacked into the French space studies institute and the atomic energy commission. As the crimes took place in France, the hackers appeared not to have broken any German laws and were immune from prosecution or extradition. Nevertheless when a member of the Chaos Computer Club travelled to Paris to speak at a security conference in March 1988, he was promptly arrested on arrival at Orly Airport and detained for 30 days for judicial inquiry by the French police.
Sometimes trapdoors have been left by computer manufacturers in their operating systems which were then exploited by hackers to target their attacks on certain models of computers. These include default accounts to expedite engineer access and backdoor entries left over from software development, an example being high privilege user IDs requiring no passwords to access sensitive system files. Knowledge of the system’s flaws may be obtained from hackers’ own electronic bulletin boards by offering an exchange of sensitive system information in return, e.g. user accounts and passwords in use at an installation. Technical staff who work closely with computer vendors often learn of such system flaws from supplier staff, and would sometimes communicate the sensitive information to their friends and associates, which eventually finds its way to a hacker’s electronic bulletin board. There are also publications which provide useful system details and sources for further information to hackers, including the 2600 Magazine in the United States, named after a frequency used to steal long-distance telephone services, the Hacker’s Handbook published in the UK and the Hacker’s Bible available from the Chaos Computer Club in Germany.
During the period 1986-7 a group of German hackers calling themselves Data Travellers found a flaw in version 4.4 of the DEC VAX computer’s VMS operating system which enabled them to amend the system’s password tables and user privileges. In collusion with an authorized user, the hackers were able to penetrate some 135 computer installations in NASA’s worldwide SPAN computer network (Space Physics Analysis Network). The network connects the North American Space Agency’s scientific research centres with its counterparts in Britain, France, Germany, Switzerland and Japan. Although the password lists were held in encrypted form, the hackers were able to introduce a Trojan horse to the operating system to trap and copy the passwords entered by users on log-in before they were encrypted and compared with the list of one-way encrypted passwords stored in the system file to authenticate the users.
Once the system manager’s password was found from the log-in passwords collected, they were able to create new bogus user accounts on the system and protect them with illegal passwords. Eventually the hackers introduced a skeleton master password which completely bypassed the system’s password checking procedure so as to simplify future hacking and to elude detection.
Besides contending with the increasing population of hackers in the United States, some American installations found they also became targets of hackers from abroad. This is attributed to the extreme user-friendliness and interconnectivity of many public networks, and the poor security awareness of network users with their choice of simple, easy-to-guess passwords. Many network service companies and computer centres have fallen victim to unwanted intruders who have the ability to ransack system and data files, deny user access, corrupt user information, or download and steal corporate secrets. For instance, AT&T’s computer system had over one million dollars’ worth of computer software stolen and copied by an 18-year-old hacker on the Bell Laboratories national network. The software package was not yet on the market and was to be given a price tag of US$5000.
During this same period a group of computer specialists at Lawrence Berkeley Laboratory took ten months to trace and finally locate the exact identity and address of a German hacker who successfully broke into some 30 computers out of a total of 450 being attacked in the United States. The intruder was using the Lawrence Berkeley computer as a hub to reach other computers connected on Tymnet, Internet, Milnet and others. His main interest was in military computers and those of defence contractors. His activities were to attempt espionage by entering sensitive computers and stealing data. When the evidence was collected and passed over to the German Federal authorities, the hacker was arrested and his computer equipment and modem removed. However the prosecution was finally dropped with the hacker set free and all the equipment plus stolen data returned to the culprit, on the grounds that he had committed no crime under German law!
Electronic funds transfer fraud
In July 1988, two men were arrested in Switzerland along with an employee of the Union Bank of Switzerland following detection of an illegal funds transfer via the SWIFT inter-bank network on instructions from the Bank’s London branch to transfer 81.9 million Swiss Francs to a branch of Credit Suisse in the small town of Nyon near Lausanne. Apparently the fraud was discovered when bank staff carried out manual checks of some of the payment instructions. The Swiss police were alerted and were waiting when one of the culprits arrived to collect the cash.

According to the police, the fraudulent instruction was entered on normal bank instruction paper and entered into the bank’s network at Zurich and then via the SWIFT network to Nyon. On a normal day, one can expect hundreds of similar funds transfer instructions to go through a major bank branch. Even with the enforcement of proper segregation of duties, requiring two bank staff to enter their own passwords separately to effect the funds transfer, the task of checking each EFT instruction becomes so onerous that in time the thorough checking procedure could (and does) give way to trusting the integrity of a fellow colleague instead. If approached by organized criminals who undertake to look after the collection of cash and its subsequent laundering and distribution, the allure of attempting a one-off high value EFT fraud by a trusted insider who is either disgruntled or fallen on hard times must remain a high risk at all times.

Another popular target of the criminal world is the Automatic Teller Machine (ATM) network operated by high street banks and building societies. A criminal gang from the Midlands, UK, purchased card copying computer equipment worth £3500 to forge 6000 Midland Bank Vector cards each worth £500. The equipment used included an NBS Magcoder 9401 from Canada, an Ampex VDU and keyboard and some Magcoder software. Cash dispensers throughout London were robbed of £18 000 during one weekend alone before the culprits were caught by police. The court was told that a total of £100 000 had been taken from two high street banks.

The gang also raided many building society accounts. By taping over a dispenser’s receipt issuing slot, they would wait and watch over the shoulders of victims tapping in their PIN and then collect their receipts to obtain their account numbers. By matching information from the receipts with the PINs the gang was able to reproduce the ATM cards which they then used to access the accounts. This probably accounts for a large number of phantom withdrawal complaints from customers who found money disappearing from their accounts.

Another example was a near loss of £15 million at Mitsubishi Finance International in London over the 1988 August bank holiday when an unauthorized transfer of Eurobonds was made from its accounts to the London office of Shearson Lehman Hutton. The securities were transferred over Euroclear’s Euclid, the Eurobond clearing system, probably by using a PC and a modem to dial into the computer system, and the bonds could then be sold with the proceeds to be drawn in Switzerland.

Brokers normally deliver stock on receipt of payment. But for known and trusted clients that have given prior instructions, they sometimes allow free delivery by shipping stock out in anticipation of receiving payment. Again, as with the widely reported Prudential-Bache case in 1987 which nearly lost £5 million in a similar incident, organized crime was suspected to have an involvement in these fraud cases. On timely discovery, two people were arrested in Switzerland and the funds returned to the Japanese investment bank.

Safeguards and countermeasures
The spate of virus attacks from various countries is a serious concern to the network manager or the PC user. The case of the Christmas tree virus highlights the sensitivity of the contents of the electronic mail directory which was exploited to propagate the illegal code. It would seem prudent for the vendor to provide some access control feature to secure the directory from prying eyes. In the case of the Robert Tappan Morris virus, the Sendmail program facility which all the infected systems shared had been released by the vendor with a ‘hole’ in the software, i.e. the debugging code of the original programmer had not been removed. This allowed commands to be issued and executed on remote computers, which was used to propagate the virus to infect the many systems on Internet. This would appear to be the fault of the vendor in failing to give adequate checking or quality assurance to eradicate such sensitive facilities from the software before its general release.
The traditional view of buyers seeking system capability at minimal cost, with little regard for the protection features provided, is beginning to change. Computer vendors are beginning to pay more attention to system security, especially now that formal security requirements are being stipulated by government agencies in the United States and United Kingdom to build secure operating software. To obtain the necessary accreditation to bid for defence contracts, stringent validation checks are being applied to ensure the security and resilience of the software or system will meet the various stipulated criteria on access control, data privacy, audit and recovery.
A number of software products are currently available from both sides of the Atlantic to handle virus problems on personal computers. One category involves using programs to detect if a system has been infected. This assumes that an uninfected copy of the system has been retained, say from the long-term backup files, to provide the necessary metrics for the detection software to diagnose any system changes resulting from a possible virus infection. These could include the use of file size, compilation date, program checksum etc. which the detection software will check and recheck periodically to monitor changes. Unfortunately most PC users are notoriously sloppy in keeping regular backup copies of all disk files and system or application software. A virus which has a long incubation period prior to its activation could potentially corrupt all the backups and live copies of a system. It makes sense to maintain long-term archives of system disks and data files to be able to recover from various viral attacks. Also users should be warned of the risks of incorporating shareware of dubious origin into their system disks.
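The baseline-comparison approach described above, worked through as an added example (not code from the article): a scan records size, timestamp and a SHA-256 checksum for every file of a known-clean copy, and a later scan classifies each difference. The directory, file names and the tampering applied to them are constructed for the demonstration.

```python
"""File-integrity baseline check: record size, timestamp and SHA-256 for every
file of a known-clean copy, then re-scan and classify what changed.
Added example; the directory contents and tampering below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Metrics per file: (size, mtime in whole seconds, sha256). The baseline is
    only worth anything if taken from a copy known to be clean, e.g. one restored
    from a long-term archive rather than from a recent, possibly infected backup."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = (st.st_size, int(st.st_mtime), sha256_of(p))
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Classify differences between the stored baseline and a fresh scan.
    Size and date are cheap checks but easy to preserve; a checksum change with
    the same size and timestamp is the most suspicious class, since that is what
    in-place patching of a program looks like."""
    current = take_baseline(root)
    report = {"missing": [], "added": [], "resized": [], "patched_in_place": [], "modified": []}
    for name, (size, mtime, digest) in baseline.items():
        if name not in current:
            report["missing"].append(name)
            continue
        c_size, c_mtime, c_digest = current[name]
        if c_digest == digest:
            continue                                  # content unchanged
        if c_size != size:
            report["resized"].append(name)
        elif c_mtime == mtime:
            report["patched_in_place"].append(name)
        else:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then patch one program in place with
    its timestamp restored, append to another, and drop a new file on the disk."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "COMMAND.COM").write_bytes(b"\x90" * 4096)
        (root / "WP.EXE").write_bytes(b"A" * 2048)
        (root / "README.TXT").write_text("clean system\n")
        baseline = take_baseline(root)

        target = root / "COMMAND.COM"                 # same size, timestamp put back
        st = target.stat()
        target.write_bytes(b"\x90" * 4000 + b"\xcc" * 96)
        os.utime(target, (st.st_atime, st.st_mtime))

        with open(root / "WP.EXE", "ab") as f:        # appended code: size grows
            f.write(b"B" * 1000)

        (root / "NEW.COM").write_bytes(b"C" * 10)     # file absent from the baseline
        return compare(baseline, root)
```

Only the checksum catches the first case; a checker relying on size and date alone would report the patched program as clean.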
Another category of virus protection products is designed to help prevent initial virus infection. These tend to be system resident programs to monitor system activity in real time to watch out for potential viral symptoms. These include, for example, the checking of all disk I/O activities by intercepting I/O requests from applications to the operating system.
To deter outside hackers, a number of call-back devices are available to secure dial-in access. Dynamic password systems which issue challenges to dial-in users are also available to check the authenticity of users. To gain the system’s recognition, a dial-in user has to use a PIN to access a hand-held token device to obtain the correct response to the system’s challenge before sending it to the host system for verification.

Much can also be gained by introducing password aging, disallowing the use of passwords containing simple words or letters which can be easily guessed, periodically purging dormant or obsolete user accounts, as well as installing access control software to provide multiple levels of password protection to control access to sensitive data.
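The PIN-protected challenge-response exchange just described, worked through as an added example (not the article’s own code or any vendor’s product): host and token share a per-user seed at enrolment, the response key is derived from seed and PIN together, and each challenge is accepted once only. HMAC-SHA256 and PBKDF2 are assumed as the primitives; real tokens of the period used proprietary algorithms.

```python
"""Dial-in challenge-response with a PIN-protected hand-held token.
Added example: host and token share a per-user seed at enrolment; the response
key is derived from seed and PIN together, so a wrong PIN simply yields a wrong
response, and each challenge is accepted once only, so a captured response
cannot be replayed."""
import hashlib
import hmac
import secrets


def derive_key(seed: bytes, pin: str) -> bytes:
    # PBKDF2 over seed and PIN: slows down guessing the short PIN from a
    # captured challenge/response pair should the seed ever leak.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), seed, 100_000)


def response_for(key: bytes, challenge: str) -> str:
    # Truncated HMAC-SHA256, short enough to read off a token display and key in.
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:16]


class HandheldToken:
    """Holds only the seed; the user supplies the PIN at every use."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def respond(self, pin: str, challenge: str) -> str:
        return response_for(derive_key(self._seed, pin), challenge)


class DialInHost:
    """Keeps the derived key per user and the challenges it has issued."""

    def __init__(self):
        self._keys = {}
        self._pending = {}   # user -> challenges issued but not yet answered

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        # The host never needs the PIN again: only the derived key is stored.
        self._keys[user] = derive_key(seed, pin)
        self._pending[user] = set()

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(8)
        if user in self._keys:
            self._pending[user].add(challenge)
        return challenge

    def verify(self, user: str, challenge: str, response: str) -> bool:
        if user not in self._keys or challenge not in self._pending[user]:
            return False                             # unknown user, stale or replayed challenge
        self._pending[user].discard(challenge)       # single use, whether it passes or fails
        expected = response_for(self._keys[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> bool:
    """One successful log-in followed by a replay of the same response."""
    seed = secrets.token_bytes(16)
    host, token = DialInHost(), HandheldToken(seed)
    host.enroll("operator", seed, "4821")
    ch = host.issue_challenge("operator")
    resp = token.respond("4821", ch)
    first = host.verify("operator", ch, resp)
    replay = host.verify("operator", ch, resp)
    return first and not replay
```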
To counter funds transfer fraud, effective monitoring facilities would need to be in place to target specific accounts, types of transactions, amounts, time of day etc. Regular job rotation of staff on sensitive duties and surprise audits would render collusion and concealment more difficult to achieve. PIN encryption on the customer’s cash card magnetic stripe would render some of the ATM frauds impossible without first obtaining the original cash card to allow the copying of details on blank cards. Smart cards are being introduced in experimental trials to defeat ‘white plastic’ fraud. New security products based on smart card technology are becoming available to provide off-line authentication of users by storing physical attributes such as fingerprints. Message authentication techniques, although used widely in banking circles, have yet to gain wide acceptance in other business sectors. And yet these must be in place to maintain data integrity when contemplating introducing funds transfer onto network facilities.
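The monitoring the paragraph calls for (by account, transaction type, amount and time of day), together with the dual-control check from the UBS discussion earlier, as an added example that is not from the article or any bank: rules run over a constructed batch of payment instructions. The thresholds, watch-list entry, account labels and operator names are all constructed.

```python
"""Rule-based screening of funds transfer instructions. Added example with
constructed thresholds and sample data; not the article's code or a bank's rules."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Instruction:
    ref: str
    to_account: str
    kind: str            # "SWIFT", "BACS", "INTERNAL" (constructed labels)
    amount: int          # whole units of the account currency
    when: datetime
    entered_by: str      # operator who keyed the instruction
    approved_by: str     # second operator whose password released it


# Constructed parameters; a real desk would tune these per account and currency.
WATCHED_BENEFICIARIES = {"CH-NYON-0099"}
HIGH_VALUE = 10_000_000
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday


def screen_one(ins: Instruction) -> List[str]:
    """Rules that can be decided from a single instruction."""
    alerts = []
    if ins.amount >= HIGH_VALUE:
        alerts.append("high value")
    if ins.when.weekday() >= 5 or ins.when.hour not in BUSINESS_HOURS:
        alerts.append("outside business hours")
    if ins.to_account in WATCHED_BENEFICIARIES:
        alerts.append("watched beneficiary")
    if ins.entered_by == ins.approved_by:
        # Dual control defeated: one person supplied both passwords.
        alerts.append("entered and approved by same operator")
    return alerts


def screen_batch(batch: List[Instruction]) -> Dict[str, List[str]]:
    """Single-instruction rules plus a daily aggregate per beneficiary, so a
    large amount split into several sub-threshold payments is still seen."""
    alerts = {ins.ref: screen_one(ins) for ins in batch}
    daily = defaultdict(list)
    for ins in batch:
        daily[(ins.to_account, ins.when.date())].append(ins)
    for group in daily.values():
        if len(group) > 1 and sum(i.amount for i in group) >= HIGH_VALUE:
            for ins in group:
                alerts[ins.ref].append("daily total to beneficiary exceeds threshold")
    return {ref: a for ref, a in alerts.items() if a}


# Constructed sample batch (dates in May 1989: the 9th is a Tuesday, the 14th a Sunday).
SAMPLE = [
    Instruction("T1", "DE-FRA-3344", "SWIFT", 250_000, datetime(1989, 5, 9, 10, 0), "alice", "bob"),
    Instruction("T2", "CH-NYON-0099", "SWIFT", 81_900_000, datetime(1989, 5, 11, 16, 30), "carol", "carol"),
    Instruction("T3", "GB-BHM-1122", "INTERNAL", 40_000, datetime(1989, 5, 14, 2, 15), "dave", "erin"),
    Instruction("T4", "GB-LON-7777", "BACS", 9_000_000, datetime(1989, 5, 9, 11, 0), "alice", "frank"),
    Instruction("T5", "GB-LON-7777", "BACS", 6_000_000, datetime(1989, 5, 9, 14, 20), "bob", "erin"),
]

if __name__ == "__main__":
    for ref, reasons in screen_batch(SAMPLE).items():
        print(ref, "->", "; ".join(reasons))
```

T4 and T5 each pass every single-instruction rule; only the daily aggregate per beneficiary flags them.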
Future challenges
With increasing awareness of the value of information technology to support their clandestine business operations, or to aid and abet serious crime, the criminal world is now moving away from the traditional bank raid or bullion robbery involving physical violence and injury, and switching to the more clinical nature of white collar crime where much bigger sums of money can be gained. This probably explains the increase in takings in individual funds transfer fraud cases and the recruitment of trusted, knowledgeable insiders in organized crime for the know-how to effect the illegal electronic funds transfer.
The case of the Cloud Nine Escorts vice ring in California graphically illustrates the simplicity and efficiency of applying new technology to run illegal operations. The ring had some 45 000 customers on its books and the customer database captured details of the personal history of individual associations with the 100 or so prostitutes employed, their credit worthiness, sexual preference, methods of payment etc. to facilitate customer service in repeat business. The £1.5 million a year business was supported by a full-time computer programmer with ten networked IBM XTs and ATs run by six hookers who took turns to man the office. Most of the PCs had dual floppies and one had a 40 Mbyte hard disk. The working women were in constant contact with the central operation through telephone pagers.
In another case, a teenage student in Coventry, UK, is currently providing a free service to anyone dialling in with a home computer and a modem. His electronic bulletin board provides such details as ‘10 ways to kill a cop’, how to make an oxyacetylene balloon bomb, and how to make tear gas. Another section of the bulletin provides a guide to shoplifting, and a detailed guide on how to take part in a riot, including a warning not to carry address books or other identifying material and advice to carry a small tool to help dig up paving slabs for ammunition and to ‘smash in’ traffic lights to cause hold ups. The service was advertised through magazines which appealed to ‘those interested in the survivalist movement’.
The ease of obtaining electronic bugging equipment in certain high street shops, by mail order, or from some airport duty-free shops, at affordable prices is providing good ammunition to the industrial spy intent on obtaining corporate secrets or incriminating evidence on both voice and data lines. Within the network support operation, data analysers or datascopes are readily available to record or intercept data traffic on the corporate network. Unless the data is encrypted, which is extremely unlikely, especially on Local Area Networks and personal computers, sensitive information obtained on the electronic office or R&D systems could be worth a fortune to close competitors. This could be the product specification of a new wonder drug, the next new car model, a prime recipe for processed food or consumer product, or the corporate market plan. TEMPEST-based products are now available to the private sector to minimize information leakage from clandestine monitoring of electromagnetic radiation emanating from VDU screens, computer keyboards, printers and associated cabling.

Fibre optics technology has also served to frustrate line tapping by traditional means due to the total absence of electromagnetic radiation from optical signals. More and more data encryption products are being brought out and made available to PC, mainframe and network users.
Combatting future computer crime will require the close cooperation of various key players in information technology, in business, the security industry, and from statutory bodies and law enforcement agencies. Consultancy companies, for instance, have taken a lead to develop and promote the use of risk analysis to sharpen the focus on crime prevention and safe computing.
Computer and software vendors also have an important role to play, in offering secure systems and operating software to the business community. Corporate executives need to raise the general level of security awareness of technical staff and business users on computer abuse and safeguards. Security products must be in line with business needs and should not be developed with such esoteric premises as to render them awkward and clumsy to apply in a business environment where worker productivity and business efficiency still reign supreme.
Without effective legislation to counter computer abuse, computer hobbyists are likely to carry on regardless with such anti-social activities as hacking and viral infection to the detriment and total frustration of network service providers and users. And yet the police would be powerless to intervene if the hackers or virus infectors have broken no law or if serious computer crime is being hushed up by corporate executives for fear of bad publicity.
The threat of bringing down several thousand computers at a stroke by someone introducing some simple virus code is frightening. The problem becomes even more serious if this were a disgruntled employee. Unless properly contained and dealt with, entire corporations or even a government could be held to ransom by threatening a large scale disruption to the entire business operation or to a public service.
The close interplay and liaison of the various key players concerned are vital in bringing the potential growth of computer abuse to controllable levels. Computer crime knows no national boundaries. It is an international problem requiring international cooperation to look for and agree viable solutions, especially in the harmonization of computer crime legislation and the mutual collaboration of law enforcement agencies worldwide.
Dr Ken Wong
Security and Privacy Division
BIS Applied Systems Ltd
ELECTRONIC DATA INTERCHANGE, OPEN NETWORKS AND BUSINESS SECURITY PART II
In the February issue of CFSB John Draper examined the basic security issues relating to Electronic Data Interchange transactions. In Part II he explains international trading, multi-network EDI transfers and the law.
Last month we addressed a simple scenario, of an EDI message crossing one network between A, the sender, and organization B, A’s trading partner, with both parties resident in one country.
Now consider the implications of this more international model, a picture of how retailing might develop as the European Community’s Free Internal Market becomes a reality over the next few years.
Frau Flindt, a German housewife, uses her smart card to authenticate an order for a new hi-fi which she enters through the terminal in her local shopping mall. The order is transmitted via a German catalogue agency to its UK headquarters which places a further Just-In-Time order with a Spanish electronics factory. Delivery is ordered from, and effected by, a French transport and warehousing organization direct to Frau Flindt’s house in Karlsruhe, within days of her placing the original order. The French firm then notifies the catalogue agency of successful delivery. All these information transfers are carried out