Mail-From: NEUMANN created at 3-Nov-86 17:50:07
Date: Mon 3 Nov 86 17:50:07-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.3
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Monday, 3 November 1986  Volume 4 : Issue 3

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The Big Bang at the London Stock Exchange (Jonathan Bowen)
  UK computer security audit (Robert Stroud)
  Austin's computer-controlled traffic lights (Alan Wexelblat)
  Computers and Medical Charts (Elliott S. Frank)

NOTE: Sorry about RISKS-3.92 breaking your undigestifiers. FTP NEW REVISED
VERSION OR REQUEST REDISTRIBUTION IF YOU WISH TO AVOID THE PROBLEM. (BY THE
WAY, TRY TO AVOID LONG STRINGS OF "----" IN YOUR MAILINGS TO RISKS. THEY BREAK
UNDIGESTIFIERS.)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. MAXj: Summary
Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Tue, 28 Oct 86 17:24:41 GMT
From: Jonathan Bowen
To: RISKS@csl.sri.com
Subject: The Big Bang at the London Stock Exchange
Organization: PRG, Oxford University, UK

Headlines in `The Independent' (new British `serious' newspaper) on Tuesday
28 October 1986:

  Stock Exchange computers fail under strain
  Shambles as the Big Bang hits the floor

THE CITY'S "Big Bang" exploded after just 29 minutes' trading yesterday morning
when the computers buckled under the strain.
The Stock Exchange system which spreads information to dealers and investors
went off the air at 8.29 am, to be followed 18 minutes later by the central
dealing computer, the Stock Exchange Automated Quotations system known as SEAQ.
By that time, market makers were already experiencing problems in putting their
prices into the system, and some of them had ceased to trade at all.

The failures were blamed by the Stock Exchange on brokers overloading the
system, both to look at their competitors' prices and out of pure curiosity.

Jonathan Bowen, Programming Research Group, Oxford University

------------------------------

From: Robert Stroud
Date: Thu, 30 Oct 86 12:27:45 gmt
To: risks@csl.sri.com
Subject: UK computer security audit

There was an item in today's Independent (a new UK paper) about the results of
a security audit of 50 UK companies. Sadly, the results will be all too
familiar to RISKS readers. When will practice catch up with theory?

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.
UUCP ...!ukc!cheviot!robert

  [Sorry for the absence of a specific reference to the original report. PGN]
  ["It is probably one of those expensive management consultancy things
   costing ten pounds a page!" - Robert]

============================================================

Reproduced without permission from The Independent 30th October 1986 p.16
"How Fred lets the fraudsters in"  (c) Newspaper Publishing PLC
by Michael Cross

Frauds involving computers will cost British companies 40m pounds next year,
the insurance broker Hogg Robinson said yesterday. The culprits are not usually
teenage computer wizards but disgruntled employees and previous employees.

Hogg Robinson's report, an audit of 50 firms, suggests that British companies
are extraordinarily careless about looking after their computers. Apart from
fraud, the dangers are sabotage, damage caused by carelessness, and run of the
mill disasters such as fire or flood.
The chink in most computers' armour is the password. All but three sites the
auditors examined used passwords to control access to computers. Most were
useless.

When people choose their passwords, they often pick names of spouses or pets.
These are easy for colleagues to guess. America's favourite password is
"love", closely followed by "sex". Top of the list in Britain is "Fred".
Other favourites, said David Davis, director of research at Hogg Robinson,
are "pass", "God", "genius" and "hacker". "If a hacker tries these he will
get through 20 per cent of the time", Mr Davis said.

Passwords are particularly vulnerable when they remain unchanged for a long
time. The chairman of one major company the auditors investigated had kept
the same password for five years. It was "chairman".

Another danger point is in computers that allow unlimited guesses at
passwords. One in 10 of the sites surveyed allowed any number of attempts to
"log in".

The really secure passwords are the dual-key encrypted type. These are codes
distributed in two parts, which link up inside a computer. But only two or
three computers, all government installations, carry such protection in
Britain.

Despite the vulnerability of passwords, the report suggests that few computers
fall victim to outside "hackers". Three of the sites inspected showed signs
that hackers had gained access to the computers through external telephone
lines. Dr Frank Taylor, chairman of the British Computer Society's security
committee, said there is no real evidence that hackers are causing large
financial losses.

Dr Taylor's horror stories have a more humdrum flavour. One concerns a building
supplies company which had no security on its counter terminals. Crooked
employees were able to give huge discounts to friends, and the company went
broke. Another company lost its data - and nearly everything else - when
lightning struck a power cable.

Computers face a host of dangers from everyday activities, the report says.
Mr Davis said that computers are designed to be operated by, "a race of
supermen who do not eat, drink or smoke". He has a useful tip for computer
people who cannot give up human habits; drink black coffee rather than white.
It causes less damage if spilt.

------------------------------

Date: Mon, 3 Nov 86 13:07:27 CST
From: Alan Wexelblat
To: risks@csl.sri.com
Subject: Austin's computer-controlled traffic lights

A while back I reported that a lightning strike had taken out the computer
that controlled the synchronization of Austin's downtown traffic lights.
(Local control units took over - only two lights went "on the blink".)

I recently learned that there was more to the story. It seems that Austin has
a "traffic flow program" embedded in that system that changes the durations of
red/yellow/green lights for given intersections based on the time of day. The
goal is to give more time for people to get into town in the mornings and out
of town in the evening.

The local control units fall back to an "equal time for all" scheme,
regardless of time of day. Since the power loss occurred late in the
afternoon, evening rush hour traffic was snarled more than usual. In addition,
there were several near-accidents caused by people who "knew" that the yellow
light would be long enough (based on months of commuting experience).

Alan Wexelblat
UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex

------------------------------

Date: Mon, 3 Nov 86 12:44:14 PST
From: amdahl!esf00@decwrl.DEC.COM (Elliott S. Frank)
To: risks@sri-csl.ARPA
Subject: Computers and Medical Charts

The following items were posted to the delphi digest on mod.mac. The issues
have been covered before in mod.risks, but the example is worth noting.
Elliott S Frank  ...!{ihnp4,hplabs,amd,nsc}!amdahl!esf00  (408) 746-6384

==============================

Delphi Mac Digest  Thursday, 30 October 1986  Volume 2 : Issue 55

From: PIZZAMAN (14213)
Subject: Computers and Medical Charts
Date: 26-OCT 16:26
Business Mac

The most amazing thing happened at the hospital yesterday. I was accused of
unethical behavior because I used my computer to prepare a conference for the
Department of Surgery! Let me explain....

I am the Clinical Coordinator of the Department of Surgery at a rural
community hospital. This is a voluntary job, in addition to my regular
practice of surgery. My responsibilities include the preparing of the
mortality and morbidity conferences each month, as well as trying to put
together educational topics of interest for the other surgeons. Having trained
at a University Hospital in Philadelphia, I enjoy doing this teaching.

In order to prepare for one of these conferences, I took my Tandy 100 to the
record room, and took my notes on it. When I got to the office, I plugged the
Imagewriter cable into the RS-232 connector on the back of the Tandy, and
using Smartcom II, loaded the information into the Mac for word processing,
spread sheeting, and graph creation.

Now, I am being accused of taking confidential information out of the
hospital in the form of patient records and doctors names! All I had on the
computer were my notes. The paranoid medical staff is afraid that having this
information in my "COMPUTER" is dangerous, in some way. Since I consider my
two computers just extensions of other work tools that I use, I can't
understand this. Would they be just as paranoid if I used a legal pad to make
notes instead of the computer?

By the way, the bylaws of the hospital allow for the use of records for
research, and I had permission from the President of the Medical Staff to do
the study in question.

Pretty amazing paranoia, huh? Do people really still fear computers this way?
Any physicians out there have similar experiences? Any legal advice?

==============================

From: PEABO (14226)
Subject: RE: Computers and Medical Charts (Re: Msg 14213)
Date: 26-OCT 19:45
Business Mac

It might have something to do with Legislators, who tend to know even less
about computers than hospital staff. I've read some stories about how some
corporations are getting concerned about what J. Q. Middlemanager is taking
home to work on using his own computer after downloading from the company
mainframe.

peter

==============================

From: LAMG (14239)
Subject: RE: Computers and Medical Charts (Re: Msg 14213)
Date: 27-OCT 01:20
Business Mac

Yes, it's paranoid behavior, but no, it's not amazing, I'm afraid. In my
institution (UCLA Dept. of Radiological Sciences) most of the data used for
teaching and research is in "machine readable" form at one time or another.
Clearly there is a valid issue related to the removal of confidential patient
records from the hospital (I don't know what the regulations are there) but
these would apply equally to data whether in handwritten, printed or machine
readable form. You didn't say exactly who is objecting to your work and on
what grounds, but it sounds like they don't have a very good idea of what
you're using the computers for. I can't give you legal advice though.

Franklin Tessler, M.D.

------------------------------

End of RISKS-FORUM Digest
************************
-------
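The Hogg Robinson audit reproduced above faults three things: guessable passwords, passwords left unchanged for years, and systems that allow unlimited "log in" attempts. The following is an added example, not from the digest, the report or any contributor, of a login gate that enforces all three; the deny-list (seeded with the favourites the article names), the 90-day age limit and the five-attempt lockout are assumptions chosen for illustration.

```python
# Added example (not from the digest or the Hogg Robinson report): a login gate
# enforcing the three controls the audit found missing. Thresholds are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib, hmac, secrets
# Constructed deny-list seeded with the favourites the article names.
COMMON_PASSWORDS = {"fred", "love", "sex", "pass", "god", "genius", "hacker", "chairman"}
MAX_ATTEMPTS = 5              # the audit found 1 in 10 sites allowed unlimited tries
MAX_AGE = timedelta(days=90)  # the chairman kept "chairman" for five years

def check_password_policy(candidate, personal_words=()):
    """Return the reasons a candidate password is weak; [] means acceptable."""
    low, problems = candidate.lower(), []
    if len(candidate) < 8:
        problems.append("too short")
    if low in COMMON_PASSWORDS:
        problems.append("on common-password list")
    for w in personal_words:  # spouse, pet or job-title words the user supplies
        if w and w.lower() in low:
            problems.append(f"contains guessable word '{w}'")
    return problems

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_on: date      # when the password was last set
    failures: int = 0     # consecutive wrong guesses
    locked: bool = False

def _hash(password, salt):
    # Salted, iterated hash so a stolen credential file is not a password list.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password, changed_on):  # changed_on: ISO date, e.g. '1986-10-30'
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), date.fromisoformat(changed_on))

def login(acct, password, today):
    """Outcome: 'locked', 'denied', 'expired' (correct but stale) or 'ok'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:   # cap guesses instead of allowing any number
            acct.locked = True
            return "locked"
        return "denied"
    acct.failures = 0
    if date.fromisoformat(today) - acct.changed_on > MAX_AGE:
        return "expired"                    # correct, but must be changed before use
    return "ok"
```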