Subject: RISKS DIGEST 12.71
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Weds 24 December 1991  Volume 12 : Issue 71

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

 Contents: [and best wishes for the holidays...]
Illegal sales of confidential data (Fernando Pereira)
The London Stock Exchange "Taurus" System (Brian Randell)
Computer Database of Former E. German State Police (Stasi) (Sanford Sherizen)
Remember, computer data is far from sacred. (Dean Pentcheff)
Outgoing fax numbers and Mercury PIN security (Nick Rothwell via Werner Uhrig)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious.  Diversity is
welcome.  CONTRIBUTIONS to [email protected], with relevant, substantive
"Subject:" line.  Others may be ignored!  Contributions will not be ACKed.
The load is too great.  **PLEASE** INCLUDE INTERNET FROM: ADDRESS, especially
.UUCP domain folks.     REQUESTS please to [email protected].     For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits).  Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Thu, 19 Dec 91 13:54:02 EST
From: [email protected] (Fernando Pereira)
Subject: illegal sales of confidential data

Associated Press writer Joseph Neff reports from Newark, NJ on 18 Dec 91 that
eighteen private investigators and Social Security Administration employees in
nine states were charged Wednesday with buying and selling confidential data
from SSA and FBI computers. The information included earnings histories and
criminal records. The private investigators, many advertising in legal
journals, sold the information to companies.  If convicted on all counts, the
defendants face maximum sentences of 20 to 150 years and multimillion dollar
fines.

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636
Murray Hill, NJ 07974-0636   [email protected]

  [Also noted by Mark Seecof <[email protected]> and
  Rodney Hoffman <[email protected]>.  PGN]

------------------------------

Date: Sat, 21 Dec 91 12:44:17 GMT
From: [email protected]
Subject: The London Stock Exchange "Taurus" System

The following text constitutes most of the text of an article in yesterday's
Financial Times, and is reprinted without permission. (The remaining text is
not relevant to RISKs.)

Taurus poised to clear final hurdles

By Richard Walters in London

The UK government appeared yesterday to have overcome legal obstacles to the
introduction of Taurus, the London Stock Exchange's much-delayed computer
settlement system.  After more than a year of effort by the Department of Trade
and Industry lawyers, formal regulations were laid before parliament which
would create the legal framework necessary for Taurus.  At the same time a
safeguard for personal shareholders, which had been built into the Taurus
system at the request of ministers, has been dropped.

Investors would have had to quote confidential 13-digit personal authorisation
codes before being able to deal in their shares.  This requirement has now been
judged too cumbersome for the small amount of extra security it would have
bought.  Instead, shareholders will be able to tell the registrars who maintain
their shareholdings only to transfer their shares after they receive written
instructions.  This extra level of security will be available only to investors
who specifically request it.

The legal changes tabled yesterday are needed because share certificates and
transfer forms, currently required by law to give evidence of title and enable
a change of title to take place, will cease to be produced under the new,
paperless system of share ownership and dealing.  ...

Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
PHONE = +44 91 222 7923                          FAX = +44 91 222 8232

------------------------------

Date: Mon, 23 Dec 91 16:18 GMT
From: Sanford Sherizen <[email protected]>
Subject: Computer Database of Former E. German State Police (Stasi)

An unverified report indicates that a German private detective agency that was
thought to be operated by former Stasi members bought a computer database
containing the names and salaries of 97,058 members of the Stasi in 1989.  The
detective agency then pressed charges against the computer specialist who sold
them the information.  The charges are not indicated, although they may be
under the strict (West) German privacy laws.  If so, Stasi support for privacy
is new.  In addition to their prying into the lives of (East) German citizens,
the Stasi had agents actively hacking into West German systems, including
Berlin's drivers license agency.

Sanford Sherizen, Data Security Systems, Inc., Natick, MASS

------------------------------

Date: Sat, 21 Dec 91 02:07:18 -0800
From: [email protected] (Dean Pentcheff)
Subject: Remember, computer data is far from sacred.

The following "news" message greeted us today (Dec. 21, 1991) here at UC
Berkeley.  It is curious that the message is dated two days into the future...

                       U N I X   N E W S
               Items ordered most current first.

23 Dec 91 >> Important Information about Computer Systems Court Order <<

We were recently required by order of the Alameda County Superior Court to
search files on Garnet and Violet that may contain a particular individual's
name within the file.  We are complying with that court order.

We think it is important to alert you that files on the shared systems, or even
on personal workstations or microcomputers, are subject to search, and even
seizure, by court order.

Curtis Hardyck, Vice Provost

 [Dean Pentcheff, Department of Integrative Biology, University of California,
 Berkeley CA 94720 Work Phone: (415) 643-9048]

------------------------------

Date: Tue, 17 Dec 1991 10:11:08 +0000
From: Nick Rothwell <[email protected]>
Subject: Outgoing fax numbers and Mercury PIN security
Contributed-by: Werner Uhrig <[email protected]>

Perhaps I should explain the subject line... Mercury offer an alternative
long-distance telephone network which is available to ordinary users who have
the standard British Telecom connections, and which offers improved itemized
billing, lower costs, etc. etc. This is implemented by issuing Mercury users
with a long personal identification number which represents their account, and
which is known only by the user (very much like bank card PINs, only much
longer). Mercury calls are made from standard British Telecom phones by dialing
a special prefix followed by the secret Mercury PIN and then the "real" phone
number.

See the problem yet? I can't send TelePort faxes this way because the
*destination* fax number is printed on the cover page. This includes my Mercury
PIN which would be compromised by any fax I sent using it. This is a serious
drawback.

Possible solutions: (i) suppression of printout of destination fax number on
cover sheet (yes, I could use an empty cover sheet, but I want to send faxes
from applications like text editors which don't let me paste graphics). Better
option: (ii) provision in the TelePort/Fax software for a "secret prefix" which
is dialed for all numbers but not reported on the cover sheet, or a pair of
numbers ("reported" and "dialed") for each fax address. (It's possible I'm
missing something here in the way long distance codes are specified in the
address book - in this case each long distance code would be around 20 digits -
might this do what I want?)

Is there no system in the US that works in a similar way to Mercury? Just
curious whether anyone in the US is going to come across the same problem.

       Nick.
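An illustration of option (ii) above, added here as example code that is not part of Nick's post or of any TelePort product: each address-book entry carries a "reported" number for the cover sheet and a secret dialing prefix used only for the call, and a check confirms the secret digits never reach the rendered cover sheet. The prefix and PIN values are constructed placeholders, not real Mercury codes.

```python
import re
from dataclasses import dataclass

# Constructed sample values: the post gives no actual Mercury prefix or PIN.
MERCURY_PREFIX = "131"            # hypothetical carrier access prefix
MERCURY_PIN = "1234567890123"     # hypothetical 13-digit account PIN


@dataclass(frozen=True)
class FaxAddress:
    name: str
    reported: str            # number printed on the cover sheet
    secret_prefix: str = ""  # dialed before the number, never printed

    def dial_string(self) -> str:
        """Digits actually sent to the modem: secret prefix + public number."""
        digits = re.sub(r"\D", "", self.reported)
        return self.secret_prefix + digits

    def cover_sheet(self, sender: str) -> str:
        """Cover sheet text built only from the reported number."""
        return f"To: {self.name}\nFax: {self.reported}\nFrom: {sender}\n"


def naive_cover_sheet(addr: FaxAddress, sender: str) -> str:
    """The behaviour described in the post: the dialed digits are printed,
    so any secret prefix appears on every cover page."""
    return f"To: {addr.name}\nFax: {addr.dial_string()}\nFrom: {sender}\n"


def leaks_secret(text: str, secrets) -> bool:
    """True if any secret digit string appears in the text, ignoring
    separators (spaces, hyphens) that a formatter might insert."""
    flat = re.sub(r"\D", "", text)
    return any(s and s in flat for s in secrets)


def build_fax(addr: FaxAddress, sender: str, secrets=(MERCURY_PIN,)):
    """Return (dial_string, cover_sheet), refusing to send if the cover
    sheet would disclose a secret."""
    cover = addr.cover_sheet(sender)
    if leaks_secret(cover, secrets):
        raise ValueError("secret prefix leaked onto cover sheet")
    return addr.dial_string(), cover
```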

------------------------------

End of RISKS-FORUM Digest 12.71
************************