Subject: RISKS DIGEST 12.71
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Weds 24 December 1991  Volume 12 : Issue 71

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [and best wishes for the holidays...]
Illegal sales of confidential data (Fernando Pereira)
The London Stock Exchange "Taurus" System (Brian Randell)
Computer Database of Former E. German State Police (Stasi) (Sanford Sherizen)
Remember, computer data is far from sacred. (Dean Pentcheff)
Outgoing fax numbers and Mercury PIN security (Nick Rothwell via Werner Uhrig)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others may be ignored!  Contributions will not be ACKed.  The load is too great.
 **PLEASE** INCLUDE INTERNET FROM: ADDRESS, especially .UUCP domain folks.
 REQUESTS please to RISKS-Request@CSL.SRI.COM.
 For vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).
 Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
 The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of ACM
 SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Thu, 19 Dec 91 13:54:02 EST
From: pereira@mbeya.research.att.com (Fernando Pereira)
Subject: illegal sales of confidential data

Associated Press writer Joseph Neff reports from Newark, NJ on 18 Dec 91 that
eighteen private investigators and Social Security Administration employees in
nine states were charged Wednesday with buying and selling confidential data
from SSA and FBI computers. The information included earnings histories and
criminal records. The private investigators, many advertising in legal
journals, sold the information to companies. If convicted on all counts, the
defendants face maximum sentences of 20 to 150 years and multimillion dollar
fines.

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636
Murray Hill, NJ 07974-0636   pereira@research.att.com

   [Also noted by Mark Seecof and Rodney Hoffman. PGN]

------------------------------

Date: Sat, 21 Dec 91 12:44:17 GMT
From: Brian.Randell@newcastle.ac.uk
Subject: The London Stock Exchange "Taurus" System

The following text constitutes most of the text of an article in yesterday's
Financial Times, and is reprinted without permission. (The remaining text is
not relevant to RISKS.)

  Taurus poised to clear final hurdles
  By Richard Walters in London

  The UK government appeared yesterday to have overcome legal obstacles to the
  introduction of Taurus, the London Stock Exchange's much delayed computer
  settlement system.

  After more than a year of effort by Department of Trade and Industry lawyers,
  formal regulations were laid before parliament which would create the legal
  framework necessary for Taurus.

  At the same time a safeguard for personal shareholders, which had been built
  into the Taurus system at the request of ministers, has been dropped.
  Investors would have had to quote confidential 13-digit personal
  authorisation codes before being able to deal in their shares.
  This requirement has now been judged too cumbersome for the small amount of
  extra security it would have bought. Instead shareholders will be able to
  tell the registrars who maintain their shareholdings only to transfer their
  shares after they receive written instructions. This extra level of security
  will be available only to investors who specifically request it.

  The legal changes tabled yesterday are needed because share certificates and
  transfer forms, currently required by law to give evidence of title and
  enable a change of title to take place, will cease to be produced under the
  new, paperless system of share ownership and dealing. ...

Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
PHONE = +44 91 222 7923   FAX = +44 91 222 8232

------------------------------

Date: Mon, 23 Dec 91 16:18 GMT
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: Computer Database of Former E. German State Police (Stasi)

An unverified report indicates that a German private detective agency that was
thought to be operated by former Stasi members bought a computer database
containing the names and salaries of 97,058 members of the Stasi in 1989. The
detective agency then pressed charges against the computer specialist who sold
them the information. The charges are not indicated, although they may be
under the strict (West) German privacy laws. If so, Stasi support for privacy
is new. In addition to their prying into the lives of (East) German citizens,
the Stasi had agents actively hacking into West German systems, including
Berlin's drivers license agency.

Sanford Sherizen, Data Security Systems, Inc., Natick, MASS

------------------------------

Date: Sat, 21 Dec 91 02:07:18 -0800
From: dean2@garnet.berkeley.edu (Dean Pentcheff)
Subject: Remember, computer data is far from sacred.

The following "news" message greeted us today (Dec. 21, 1991) here at UC
Berkeley. It is curious that the message is dated two days into the future...
   U N I X   N E W S
   Items ordered most current first.

   23 Dec 91
   >> Important Information about Computer Systems Court Order <<

   We were recently required by order of the Alameda County Superior Court to
   search files on Garnet and Violet that may contain a particular individual's
   name within the file. We are complying with that court order.

   We think it is important to alert you that files on the shared systems, or
   even on personal workstations or microcomputers, are subject to search, and
   even seizure, by court order.

   Curtis Hardyck, Vice Provost

[Dean Pentcheff, Department of Integrative Biology, University of California,
Berkeley CA 94720   Work Phone: (415) 643-9048]

------------------------------

Date: Tue, 17 Dec 1991 10:11:08 +0000
From: Nick Rothwell
Subject: Outgoing fax numbers and Mercury PIN security
Contributed-by: Werner Uhrig

Perhaps I should explain the subject line...

Mercury offer an alternative long-distance telephone network which is
available to ordinary users who have the standard British Telecom connections,
and which offers improved itemized billing, lower costs, etc. etc. This is
implemented by issuing Mercury users with a long personal identification number
which represents their account, and which is known only by the user (very much
like bank card PINs, only much longer). Mercury calls are made from standard
British Telecom phones by dialing a special prefix followed by the secret
Mercury PIN and then the "real" phone number.

See the problem yet? I can't send TelePort faxes this way because the
*destination* fax number is printed on the cover page. This includes my Mercury
PIN which would be compromised by any fax I sent using it. This is a serious
drawback.

Possible solutions:

(i) suppression of printout of destination fax number on cover sheet (yes, I
could use an empty cover sheet, but I want to send faxes from applications like
text editors which don't let me paste graphics).
Better option:

(ii) provision in the TelePort/Fax software for a "secret prefix" which is
dialed for all numbers but not reported on the cover sheet, or a pair of
numbers ("reported" and "dialed") for each fax address.

(It's possible I'm missing something here in the way long distance codes are
specified in the address book - in this case each long distance code would be
around 20 digits - might this do what I want?)

Is there no system in the US that works in a similar way to Mercury? Just
curious whether anyone in the US is going to come across the same problem.

Nick.

------------------------------

End of RISKS-FORUM Digest 12.71
************************