Digest of recent IT security press coverage
Brian McKenna and Sarah Hilley

Won’t get fooled again
New Scientist

The 1960s, LSD and free love were supposed to revolutionise the world. In the 1990s it was the Internet. The cyber-hippy dream is over. People are being asked to pay for Internet services that were once free, and search engines have become vehicles for gathering marketing information on users. And, fuelled by fears of terrorists plotting Armageddon over the Net, the nation state is striking back. Two years ago Britain extended police telephone-tapping powers to include the Internet, and gave its law enforcers the authority to demand passwords to encrypted material. In the aftermath of 11 September, the US followed suit. Against this backdrop of increased regulation, it is tempting to view the entrepreneurs behind HavenCo, an offshore data warehouse and Web server provider, as rebel heroes keeping the flame of an independent cyberspace alive. But that would be naive. The principal goal is to make money by enabling people to store data and set up Websites beyond the reach of any form of law or accountability. In throwing down the gauntlet over DVD software, HavenCo can expect a fierce legal battle with corporate America over its self-proclaimed independence. Misguided though cyber-anarchy is, the company’s actions throw a much-needed spotlight on something just as wrong – the draconian laws many governments are now introducing to regulate the Internet.
New Scientist, 22 June, 2002

Don’t involve staff in anti-fraud schemes
Steve Ranger

Internal IT staff should not be involved in the development of anti-fraud systems, says consultancy Detica. Companies should build data warehouses based on the data usually discarded by IT departments, according to Martin Sutherland, head of security at Detica. This data can then be searched for possibly fraudulent activity. “From a fraud perspective, this data reveals when people log in, and where, and what they look at and print.” Detica has discovered one case where IT equipment was being ‘sold’ internally in a multinational company. Although the equipment was only being moved from one division to another, the move was generating a commission for salespeople. The UK’s National Hi-Tech Crime Unit has said that IT staff may become involved in organised crime, either through threats and kidnapping or by being paid to hack business systems.
Computing, 4 July, 2002

Political ideology goes head to head with civil liberties
Jason Beattie

For a UK Home Secretary seeking to prove his law and order credentials, there can be few more promising weapons in the armoury than the ID card. In a single swipe you can promise tough action against benefit cheats, illegal immigrants, human traffickers, money launderers, drug runners and electronic fraudsters, all for an additional cost of £10 per UK citizen. According to the consultation document published by the Home Office [on 3 July], ‘identity fraud’ costs the country £1.3 billion a year, but introducing an ID card system would amount to no more than £3.1 billion over 13 years. Two options are on the table: a voluntary scheme and a universal scheme that would require everyone over 16 to register for a card, even if it were not compulsory to carry it. Home Office officials insist that previous attempts to introduce ID cards were abandoned because the cards were too easy to defraud. Only now, with the advances in biometric technology, which allow the cards to contain iris scans and other forms of electronic fingerprinting, is it feasible to introduce a fail-safe system. There are political reasons behind David Blunkett’s enthusiasm for ID cards. First, he has to appease the French, who have allegedly made Britain toughen up its immigration rules in a quid pro quo for the closure of the Sangatte refugee camp near Calais. Second, Labour recognises it must counter the widespread disquiet on the issues of asylum and law and order. However, outflanking the Tories may come at a price: a back-bench rebellion.
The Scotsman, 4 July, 2002

In brief

Customs winning piracy war, says retiring officer
Stella Lee

A retiring senior Hong Kong Customs officer believes software piracy problems could be brought under control in two or three years. The comment from assistant commissioner of Customs and Excise Vincent Poon Yeung-kwong comes after a recent survey found 53% of software used in Hong Kong last year was unlicensed, down from 57% in 2000. A new anti-software piracy law was introduced in April last year, making it an offence for business owners or employees to knowingly use pirated software at work. The maximum penalty is four years in jail and a $50,000 fine for each illegal software copy found.
South China Morning Post, 24 June, 2002

China ahead in piracy, but India is catching up fast
Financial Express

According to the seventh annual global software piracy study released by the Business Software Alliance (BSA), India is ranked 23 in the list of 25 countries with high levels of software piracy, but it is number two in terms of rise in piracy among the top 25 countries. Piracy in India, according to the study, shot up to 70% in the year 2001 from 63% in 2000. Vietnam, meanwhile, led the field with 94% piracy, followed by China at 92%. Indonesia was third with 88%, while Ukraine and Russia share the fourth spot with 87% incidence of piracy.
Financial Express, 3 July, 2002

Companies breach piracy legislation
Maggie Holland

UK companies are still using PC software illegally, according to a survey by anti-piracy group the Federation Against Software Theft (Fast). Nearly eight out of 10 users say they spend less than 4% of their desktop budget on auditing the use of software to avoid deliberate or unintentional piracy.
Computing, 27 June, 2002

Man bites dog
Emir Halilovic

In 1996, when Otto Zemek, manager of small hardware retailer DGSS 2001 in Ceske Budejovice, in the Czech Republic, wouldn’t refund a customer the price of a computer so that the man could buy his wife a fur coat, little did he know what he had started. Zemek says the man sought revenge both on him personally and on his company. The disgruntled customer reported him to the local branch of the Microsoft-sponsored Business Software Alliance (BSA), a global anti-piracy association of big software companies. BSA reported Zemek to the police on suspicion of distributing unlicensed software. Although the police case against Zemek was inconclusive, BSA used his company as an example on its Web pages. Zemek sued for libel and won a $10,000 judgment against the local branch of BSA in 1999. But the association, instead of paying, tried to go into liquidation. In the Czech Republic, BSA co-operates with police by reporting suspected pirates, sending agents provocateurs to investigate hardware distributors, and organizing advertising and direct-mail campaigns that appeal to users to legalize their software. BSA came under fire for its activities in the Czech Republic last year when hardware manufacturer Mironet filed a lawsuit against Microsoft’s Czech branch; the action included a section about BSA. Mironet aimed to prove that BSA in the Czech Republic doesn’t exist as a legal entity and that some of its methods violate privacy. Meanwhile, Zemek still sells Microsoft and other licensed software in the Budejovice shop he manages, although, he says, he does so with “personal distaste”. But the memory of the day he arrived at work and found police waiting outside is still keen. “It was like a witch-hunt,” he said. “The link between the private organization BSA and the police really scares me.”
Prague Business Journal, 24 June, 2002

Ulster puts the finger on financial fraudsters
Paul Dykes

Fingerprint recognition technology applications developed in Ulster are pointing the way to improved security in the financial service industry. University of Ulster spin-off company Gazer Technologies has been recruited by the Irish Government to develop security technologies to combat fraud.

Gazer specialises in biometric security and fraud prevention technology, and has just completed a pilot project with Ulster Bank. Archie McIntosh, chief executive at Gazer, said that while the field covers retina scanning, palm print recognition and voice recognition, Gazer is focusing on fingerprint recognition applications. The project with the Irish Government was in its initial phases and would concentrate on the immigration sector. “But we have ongoing pilot projects in place at Ulster Bank and at the University of Ulster”, said McIntosh. Ulster Bank sees biometric technology as an alternative means of providing access control to restricted areas and systems, without the associated overhead of password maintenance. “With biometric security technology, computer passwords become a thing of the past”, said McIntosh. Noel Fitzpatrick, head of IT at Ulster Bank, is enthusiastic about using the new technology. “We are piloting a scheme with Gazer that focuses on using biometrics to control access to restricted areas, and also as a means of replacing traditional computer passwords for network access,” he said.
Belfast Telegraph, 25 June, 2002

Revenue bug could strike again
Andy McCue

The security flaw that led the UK’s Inland Revenue to withdraw its online tax filing site in June could affect other areas of the government’s web presence. The bug that led to taxpayers’ details being revealed on the Revenue site has been fixed, but a spokesman has said that other departments using the Government Gateway authentication portal may also be exposed. The Revenue blamed the security hitch on a configuration problem with an unnamed ISP. “The way in which the ‘session cookie’ identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user,” the department said.
Computing, 4 July, 2002
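The Inland Revenue item above attributes the leak to a “configuration problem” at an ISP and says only that the session cookie could be presented to another user. The article gives no further detail; one mechanism with exactly that symptom, assumed here rather than taken from the article, is a shared cache in front of the site that keys responses on the URL alone and stores a personalised response together with its Set-Cookie header. The following Python model is an added example, not code from the article or from the Revenue or Government Gateway systems; the Origin, SharedCache and the user names are toy objects constructed for the demonstration. It shows the leak and the two controls that close it: the origin marking per-user responses Cache-Control: private, no-store, and the cache refusing to store any response that carries Set-Cookie.

```python
"""Toy model of a shared cache leaking one user's session cookie to another.

Added example: the digest item on the Inland Revenue site says only that a
'configuration problem' at an ISP let the session cookie be presented to
another user. The caching mechanism modelled here is an assumption, not a
detail from the article; Origin, SharedCache and the user names are
constructed for this demonstration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def _session_id(cookie: Optional[str]) -> Optional[str]:
    """Pull the session id out of a Cookie (or Set-Cookie) header value."""
    if not cookie:
        return None
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


class Origin:
    """Login-protected site. With mark_private=True every per-user response
    is labelled so that no shared cache may store it."""

    def __init__(self, mark_private: bool):
        self.mark_private = mark_private
        self.sessions: Dict[str, str] = {}  # session id -> user

    def _headers(self, **extra: str) -> Dict[str, str]:
        headers = dict(extra)
        if self.mark_private:
            headers["Cache-Control"] = "private, no-store"
        return headers

    def handle(self, path: str, cookie: Optional[str], user: str) -> Response:
        if path == "/login":
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            return Response(302, self._headers(**{
                "Set-Cookie": f"session={sid}; HttpOnly; Secure",
                "Location": "/return"}), "")
        if path == "/return":
            owner = self.sessions.get(_session_id(cookie))
            if owner is None:
                return Response(401, self._headers(), "please log in")
            return Response(200, self._headers(), f"Tax return for {owner}")
        return Response(404, {}, "")


class SharedCache:
    """Proxy cache shared by many users. It keys stored responses on the URL
    alone; with honour_headers=False it stores whatever the origin returns,
    Set-Cookie included, which is the misconfiguration being modelled."""

    def __init__(self, origin: Origin, honour_headers: bool):
        self.origin = origin
        self.honour_headers = honour_headers
        self.store: Dict[str, Response] = {}

    def storable(self, resp: Response) -> bool:
        if not self.honour_headers:
            return True
        cache_control = resp.headers.get("Cache-Control", "").lower()
        if "no-store" in cache_control or "private" in cache_control:
            return False
        # A response that sets a cookie is per-user by definition.
        return "Set-Cookie" not in resp.headers

    def get(self, path: str, cookie: Optional[str], user: str) -> Response:
        if path in self.store:
            return self.store[path]
        resp = self.origin.handle(path, cookie, user)
        if self.storable(resp):
            self.store[path] = resp
        return resp


def simulate(hardened: bool) -> Tuple[str, str]:
    """Alice then Bob log in through the same shared cache; return the page
    body each of them sees afterwards. In the misconfigured case Bob is
    handed Alice's Set-Cookie from the cache and then her tax return."""
    cache = SharedCache(Origin(mark_private=hardened), honour_headers=hardened)
    alice_cookie = cache.get("/login", None, "alice").headers["Set-Cookie"]
    bob_cookie = cache.get("/login", None, "bob").headers["Set-Cookie"]
    alice_page = cache.get("/return", alice_cookie, "alice").body
    bob_page = cache.get("/return", bob_cookie, "bob").body
    return alice_page, bob_page


if __name__ == "__main__":
    print("misconfigured cache:", simulate(hardened=False))
    print("hardened:           ", simulate(hardened=True))
```

Running the module prints both outcomes. The check a practitioner would make on a live deployment is the same as the model: fetch a logged-in page through the shared path and confirm the response carries Cache-Control: no-store, then confirm from a second client that it never receives the first client’s cookie or page.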

Hackers target energy industry
Charles Piller

The number of attacks on power and energy companies has accelerated. Hackers have penetrated energy control networks and administrative systems, according to government officials and security experts. Various reasons have been suggested to explain the increase in attacks, such as industrial espionage or mischief. But the director of the FBI’s cybercrime division, Dick, fears that the nation’s power grid may be under threat from terrorists. He is mostly worried about a physical attack combined with a cyber attack on a critical service such as electricity or emergency services. Private industry has backed up these claims: Riptech said that 14 of its 20 energy-industry clients have been exposed to cyber attacks, a 77% rise in attacks since last year. The focus of attacks on power and energy corporations has greatly exceeded that on other companies. The energy industry has had its fair share of scandal, including the power crisis in California and the bankruptcy of Pacific Gas & Electric Co, and experts believe this unfavourable publicity may have caught the attention of terrorists. The National Research Council reports that “little or no attention to security” has been paid in the remote control devices known as Supervisory Control and Data Acquisition (SCADA) systems used in power systems. Many of these systems are connected to the Internet, which makes them susceptible to hacking. Some experts comment that the attacks are just a training exercise for terrorists. Al Qaeda executed three years of planning before the 11 Sept attacks in New York.
The Los Angeles Times, 8 July, 2002

Intruder Alert – Authentication and vulnerability assessment technologies help banks spot fraud and security threats
Ivan Schneider

Banks are securing systems using the most capable information security techniques to ensure the safety of their financial systems. The most common improvement measures include employing and training Web security specialists, improving internal Internet guidelines and installing intrusion detection and customer authentication technologies. Banks cannot always rely on law enforcement for immediate assistance, since it lacks many of the resources needed to investigate cybercrime. In some cases the financial industry has offered its expertise to the law. The Securities Industry Automation Corp., which processes data for the NYSE and AMEX, is a member of the N.Y. Electronic Crimes Task Force, which was established by the Secret Service to gain expert advice. By discussing issues through the task force, its members can request advice ‘hypothetically’ and do not have to worry about initiating a criminal investigation. Financial corporations sometimes turn to external auditors to evaluate their information security programs, but this raises the danger that revealing such information outside the corporation exposes the organization to more risk than the review itself addresses. Banks are also faced with the challenge of customer identification. Biometrics is not being implemented extensively, but some technologies, such as the RSA SecurID token, are in use in 88 top banks worldwide, as the SecurID authentication technique is suitable for individual-to-bank transactions. Banks are also faced with ensuring the security of online transactions. Only 3% of card transactions are processed online, but this amounts to almost half the total number of fraud cases. MasterCard and Visa have created programs that provide extra authentication for e-commerce: Verified by Visa and MasterCard Secure Payment Application (SPA). The user application requires an extra step: a receipt appears near the end of the transaction and the user is asked to enter a password. The password is known only to the issuing bank and the consumer, not the merchant. Also, to prevent a fake website copying the receipt, the bank sends a custom message to the cardholder.
CMP Media Bank Systems & Technology, 1 July, 2002

Scuttling the software pirates
Fiona Harvey

Technology from the US could help to stem the spread of software piracy. Scientists at Purdue University have developed a way to protect software by stationing tiny detectors at various points in the software code. Conventional approaches to piracy prevention rely on asking users for passwords on starting up the program, but once this obstacle has been overcome, pirates have free rein. Embedding measures within the software code will present them with more difficulty. The detectors are little pieces of code that monitor the activity of the software. They can tell if it is being copied, and can shut down the software if they find traces of hacking.
Financial Times, 4 July, 2002