Computers & Security, Vol. I I, No. 8

of the mayor of the City of Colorado who was dis- covered to have read regularly the messages of fellow council members on the e-mail system he had installed. The role of the White House PROFS e-mail system in the Iran-Contra scandal has been well documented. Generally there is a greater security risk with LAN e-mail, because the messaging database is distributed through several LANs. Each LAN has several powerful e-mail administrators which create or delete users, change passwords and do other routine tasks. Just by spreading this responsibility around, the organization greatly increases the potential of unauthorized access into the corporate e-mail system. So do gateways be- tween sites, sophisticated work-flow processing based on e-mail etc. now being implemented. A skilled pro- grammer would take only minutes to create an application that would automatically track the subject of each e-mail message going fi-om one location to another via a gateway. Users tend to store their e-mail messages for later retrieval. If a laptop is stolen the whole database of private correspondence is available. Com- panies have to devise a privacy policy featuring e-mail. They may want each sign-on to the corporate e-mail system to display the policy. Further steps must include: the usual routine of examining access controls over the storage of message databases; control over individual PCs and controls over passwords, including administra- tive accounts. Cutting down on system administrators should also be examined. The Bottom Line, September 1992, pp. 2 1 G 22.

Evidence of market failure of UK’s Computer Misuse Act? A government report carried out by Coopers and Lybrand Deloitte says that business in the UK has poor awareness of the business risks and costs associated with computer misuse; is largely unaware of the offences by the CMA; finds difficulty in identifying potential sources of ‘reliable’ expert advice; on balance, perceives net disincentives to pursue cases of misuse under the Act; and generally prefers to find internal solutions in cases of computer misuse. Few companies were identified which were willing to pursue cases under the CMA and, therefore, in a position to require expert advice to help them pursue cases under the Act. Dealing with computer misuse - published by the Depart- ment oJi%de and Industry p. 24.

Novell users face threat to security, Curyn Gi- looly/Bob Brown. A university student in the Netherlands has reportedly written a program which gives any user

on a NetWare network the access rights of a LAN supervisor. This allows the user to tap into any node in the net and browse applications and confidential data on the server. The user could change the access rights of other users, keeping them out of the network, or could shut down the whole LAN. The same program could be used for Microsoft’s LAN Manager, it is said. Novell has released patches for Netware 2.2,3.11 and NetWare for Unix to address the problem. But a further program has appeared to bypass the fixes. The limitations of the Netherlands program are as follows: the user has to have an account on the network; the program can only transfer rights from users presently logged-on to the network; the program cannot provide access right- s across a LAN internet - it only operates within a single network segment. The chairman of Novell, Ray Noorda, says the company has given the matter “top priority”, and will produce enhancements to minimize risk. The basic flaw exploited by the program from Leiden University in the Netherlands is the lack of authentication at the packet level in current versions of NetWare. A user can send a packet with a fake source address on the network to a file server. The program uses a session with low privileges to send a packet that appears to come fi-om a user with higher privileges. Network World, 5 October 1992, pp. 1 G 66, 12 October 1992,~~. 13 G 14.

Virus threat toned downJames Daly. IBM computer scientist Jeffrey 0. Kephart says that the world’s virus problem has been exaggerated. “Since most projections about viral spread are based upon the assumption of a fully connected world, the growth and dissemination of most viruses is comparatively slow,” he says. Kephart has spent years studying virus outbreaks within IBM and at customer sites. However, he says that in a fully connected homogeneous environment a virus could spread explo- sively. Edward Wilding, editor of Virus Bulletin adds “What many anti-virus sof&.vare developers are loath to admit is that most (of these) virus specimens are research laboratory examples and have never been seen in the wild. Worldwide only 70 or 80 viruses have ever dis- rupted real computers in real organizations.” Computemvrld September 14 1992, p. 16.

DOS to add antivirus features,]ames Daly.Microsofi Corp is to provide users with rudimentary virus protec- tion features in the forthcoming DOS Version 6.O.DOS 6.0 is expected to incorporate anti-virus software from Central Point Software, Inc with a check-summing

723

Abstracts of Recent Articles and Literature

routine to warn of things such as code replication or substitution. Computenuorld, 7 September 1992, p. 4.

Planned privacy law weakened, David Evans. Afier criticisms that they are “unworkable”, proposed data privacy laws for the European Community have been watered-down. A major block is the right of organiza- tions to transfer data to others not governed by privacy laws. Now the legislation has had an overhaul. Key changes are: a) the right to transfer data to countries without privacy laws, provided ‘certain conditions’ are complied with (this applies mainly to the financial and travel companies involved in electronic fY_mds transfer); b) simplif+ng procedures organizations use to notie authorities before processing personal data; c) allowing direct mail companies to process personal data ‘legitim- ate interests’, provided that individuals have the chance to remove their names from lists sent to third parties. Computer Weekly, 25 October 2992,p. 1.

Project ideas fail to catch $18 million fundingAn IT security advisor to the European Commission, Clive Blatchford, said he had to turn down half the budget he had been allocated for IT projects, because suppliers’ project ideas had not come up to scratch. The EC spending is 5 billion ecu ($6.1 billion) over the next four years on IT security projects. Blat&ford, speaking at a conference in Berlin, organized by KPMG Manage- ment Consulting and Datapro, said “We had a very poor response in the area of system administration, which is where the industry should be concentrating its efforts.” Computing, 15 October 1992, p. 8.

Recession puts firms on disaster tightrope,jason Hobby. The recession has caused companies to reduce their IT security and recovery budgets, so leaving their businesses unprotected in the event of disaster, says a report from Coopers and Lybrand. Last year the disaster recovery market in the UK showed a 40% decline from E54 million in 1990 to E31.9 million. IBM which runs its own Business Recovery Service says the move to client-server environments has led to a growing gap between the use of modern technology and the under- standing of security and recovery. Computer Weekly, 22 October 1992, p. 1.

French losses rise sharply, Paul Gannon. According to the French IT security society Clusif - Club de la securite informatique fi-ancais - there was a 15.5% jump in losses caused by security breeches last year. The

cost was 10.4 billion f+ancs ($2.2 billion), with ‘male- volence’ accounting for 57% of the cost - including diversion of funds, sabotage, economic espionage and data misuse. However, losses due to error have remained level, probably due to the increased experience and knowledge of computer users and developers. Viruses only account for 1% of the cost of the losses. Computer Fraud and Security Bulletin, October 1992,p.3.

Lax security at Drug Enforcement Administra- tion, Gary H. A&es. Computer systems are inadequate to safeguard information vital to national security and privacy of people involved in anti-drug abuse, warned the US General Accounting Office. The following claims were made by the Office at a congressional hearing: “extremely lax” controls on access to data and to computers processing sensitive data; sloppy control of passwords, including the use of ‘DEA’ as a default password; cleaning and maintenance personnel without proper security clearances being allowed to work unat- tended in areas where national security information is processed; no accurate inventory of computers used to process sensitive data. The DEA said it was establishing a security programm e throughout the agency. Computer- world, 5 October 1992,~. 24.

Case study: Boston TV station, Tracy Mitchell. WHDH-TV has now been running its LAN for seven years. The LAN now taps into 120 applications, and has everything from personnel information to advertising spots and robotic cameras running on it. Relaxed security could mean the difference between being on the air or off. In the station’s environment employees come and go, applications, hardware and machine con- trol are added regularly and the users themselves are getting more sophisticated. The Novell network has grown from three or four accounting XTs and ATs to more than 150 nodes. The LAN staff decided from the start to keep users away from a DOS prompt, and selected the Saber menuing system for the job. “Hiding a blinking cursor at D: login alleviated user confusion and protected data fi-om prying eyes.” Saber provides ‘gates’ for the NetWare 3.11 operating system to all the information stored on the network. WHDH-TV first defined access rights by departmental timctions and then more extensively to subgroups, user, and network node address levels wherever possible. This multitiered ap- proach sets up additional safety checks into the more critical applications. LAN Times, 14 September 1992, p. 16.

724