Computer Fraud & Security Bulletin

Volume 1992, Issue 9

SEPTEMBER 1992 ISSN: 0142-0496

Editor: TINA MONK

American Editor: CHARLES CRESSON WOOD, Information Integrity Investments, California, USA

Australasian Editor: BILL J. CAELLI, Queensland University of Technology, Australia

European Editor: KEN WONG, PA Consulting Group, London, UK

Editorial Advisors: Professor Henry J. Beker, UK; William A.J. Bound, UK; Dr Jerry Fitzgerald, California, USA; Dr Allan Fox, UK; Hans Gliss, Germany; Fred M. Greguras, California, USA; Alistair Kelman, UK; Dr Les Lawrence, New South Wales, Australia; Gordon Lennox, Belgium; David T. Lindsay, UK; Wayne Madsen, New Jersey, USA; Belden Menkus, Tennessee, USA; Donn B. Parker, California, USA; Michael I. Sobol, Massachusetts, USA; Peter Sommer, UK; Mark Tantam, UK.

Correspondents: Frank Rees, Melbourne, Australia; John Sterlicchi, California, USA.

CONTENTS

NEWS
Users cry foul at toll fraud 1
EC data protection directives 2
Top US hackers arrested 3
The Netherlands passes anti-hacking law 3
US credit card fraud escalates 3
Belgium opts for electronic voting 4
Riots raise new contingency issues 4
First states implement EC software copyright directive 4
US benefits subject to multiple frauds 5
UK Act fails prosecutors again 5
Marketplace 5

SECURITY MANAGEMENT OF DISTRIBUTED UNIX SYSTEMS
A bomb with a slow burning fuse 7

DIGITAL SIGNATURES AND KEY MANAGEMENT
The need for digital signatures 10

DISASTER RECOVERY
When the computer goes on the blink 13

BOOK REVIEW 15

STOP PRESS 16

NEWS

Users cry foul at toll fraud

After suffering more than $650 000 in toll fraud charges, five frustrated users appeared in front of the US House Telecommunications & Finance Subcommittee during the summer. They asked for help in pressuring telecomms carriers and equipment vendors to assist customers to prevent toll fraud, and to shoulder more of the responsibility when it does happen. The users enlisted a pledge from US Representative and subcommittee chair, Edward Markey, to put together a bill that will make the vendors and carriers take more of the responsibility.

The bill is to be prepared in time for presentation at an upcoming FCC En Banc meeting on toll fraud in October. There are two key ideas that Markey is planning to include in the Bill. One would require the vendors and carriers to fully inform users of the risk of phone fraud and help them prevent it. The other is a requirement that local carriers offer customers the option of blocking all international calls to suspicious area codes at the local switch.

©1992 Elsevier Science Publishers Ltd., England. /92/$0.00 + 3.00. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)


The users stated at the hearing that vendors and carriers did nothing to warn them about any occurring fraud, and have yet to offer any suggestions on preventing it happening again. "No one has notified me of protection", said Linda Hoffman, director of communications at Vacation Travel Inc. "AT&T provides our equipment and Sprint is our carrier. Neither has sent me any information about their protection services. We lost $92 000 in toll charges and $96 000 worth of business because our lines were jammed up during a four week period in May 1991. If the carrier offered protection services, it is something I would definitely be interested in. All they are interested in is getting paid."

Both Sprint and AT&T have recently introduced fraud limiting schemes (see July CFS). A basic service offers no liability limits and only monitors a user's phone system, notifying them if fraudulent activity occurs. Additional protection provides liability coverage and other services for a charge. "Right now there's a lot of finger pointing going on and no one is winning besides the hackers", says Sally York, communications manager at US Leasing International, which had $56 000 worth of toll fraud charges in 1991. "I think that the plans drawn up by the carriers are just an attempt to quiet things down for now. Everyone needs to work together to solve the problem."

    Mike Moeller

EC data protection directives

The Commission of the EC will publish the revised text of its draft directive on data protection in September. The new text will address a few of the criticisms made of the original draft, but the commission is sticking to its overall stance in favour of tight controls. The directive attracted an outspoken attack from the financial services industry at a public meeting of the Confederation of European Computer Users Associations (CECUA) in Brussels in July. "The commission's approach to data protection is that all use by the private sector is bad - that is a Luddite approach," said Michael Fitzgerald of the Irish Insurance Federation. And from the Irish Bankers Federation, Victor Hume argued that the banks must be "allowed to process certain types of data on criminal records to prevent crime".

The second round of debate in the European Parliament and the Council of Ministers promises to be even more acrimonious than the first reading. The EC has now published proposed directives to ensure that database service providers receive legal protection for their products. The draft directive has already been criticised for providing too much protection. For example, the directive would allow 'facts' to be protected; it is feared that this could lead to a rush to load all sorts of information into databases in order to claim copyright.

The EC has also published a proposed directive to ensure that there is common legislation on 'distance sales', such as mail order. Electronic sales methods are expected to become more common with the arrival of the single market - in France Minitel is a popular tool for ordering goods by mail order. With cross-border sales on the increase the Commission wants to ensure that the consumer has the same rights wherever the goods are ordered.

CNIL (Commission nationale de l'informatique et des libertés) in France and the UK Data Protection Registrar both recorded a sharp increase in the number of files held about individuals in their latest annual reports. However, despite the common increased concern about 'matching' and other abuse of personal data, the authorities face different budgetary attitudes from their respective governments. CNIL's budget increased from 19 million francs to 23.5 million (from about 1.9m to 2.35m) while in the UK the Registrar saw his budget cut by 6% in real terms. The Registrar, Eric Howe, said, "This year I lost out and I am a bit worried about future years."

    Paul Gannon
