The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 12 Issue 71

Weds 24 December 1991

Contents

o Illegal sales of confidential data
Fernando Pereira
o The London Stock Exchange "Taurus" System
Brian Randell
o Computer Database of Former E. German State Police (Stasi)
Sanford Sherizen
o Remember, computer data is far from sacred.
Dean Pentcheff
o Outgoing fax numbers and Mercury PIN security
Nick Rothwell via Werner Uhrig
o Info on RISKS (comp.risks)

Illegal sales of confidential data

Fernando Pereira <pereira@mbeya.research.att.com>
Thu, 19 Dec 91 13:54:02 EST

Associated Press writer Joseph Neff reports from Newark, NJ on 18 Dec 91 that
eighteen private investigators and Social Security Administration employees in
nine states were charged Wednesday with buying and selling confidential data
from SSA and FBI computers. The information included earnings histories and
criminal records. The private investigators, many advertising in legal
journals, sold the information to companies.  If convicted on all counts, the
defendants face maximum sentences of 20 to 150 years and multimillion dollar
fines.

Fernando Pereira, 2D-447, AT&T Bell Laboratories, 600 Mountain Ave, PO Box 636
Murray Hill, NJ 07974-0636   pereira@research.att.com

   [Also noted by Mark Seecof <marks@capnet.latimes.com> and
   Rodney Hoffman <Hoffman.El_Segundo@Xerox.com>.  PGN]


The London Stock Exchange "Taurus" System

<Brian.Randell@newcastle.ac.uk>
Sat, 21 Dec 91 12:44:17 GMT

The following text constitutes most of the text of an article in yesterday's
Financial Times, and is reprinted without permission. (The remaining text is
not relevant to RISKs.)

Taurus poised to clear final hurdles

By Richard Walters in London

The UK government appeared yesterday to have overcome legal obstacles to the
introduction of Taurus, the London Stock Exchange's much delayed computer
settlement system.  After more than a year of effort by the Department of Trade
and Industry lawyers, formal regulations were laid before parliament which
would create the legal framework necessary for Taurus.  At the same time a
safeguard for personal shareholders, which had been built into the Taurus
system at the request of ministers has been dropped.

Investors would have had to quote confidential 13-digit personal authorisation
codes before being able to deal in their shares.  This requirement has now been
judged too cumbersome for the small amount of extra security it would have
bought.  Instead shareholders will be able to tell the registrars who maintain
their shareholders only to transfer their shares after they receive written
instructions.  This extra level of security will be available only to investors
who specifically request it.

The legal changes tabled yesterday are needed because share certificates and
transfer forms, currently required by law to give evidence of title and enable
a change of title to take place, will cease to be produced under the new,
paperless system of share ownership and dealing.  ...

Computing Laboratory, The University, Newcastle upon Tyne, NE1 7RU, UK
PHONE = +44 91 222 7923                          FAX = +44 91 222 8232


Computer Database of Former E. German State Police (Stasi)

Sanford Sherizen <0003965782@mcimail.com>
Mon, 23 Dec 91 16:18 GMT

An unverified report indicates that a German private detective agency that was
thought to be operated by former Stasi members bought a computer database
containing the names and salaries of 97,058 members of the Stasi in 1989.  The
detective agency then pressed charges against the computer specialist who sold
them the information.  The charges are not indicated, although they may be
under the strict (West) German privacy laws.  If so, Stasi support for privacy
is new.  In addition to their prying into the lives of (East) German citizens,
the Stasi had agents actively hacking into West German systems, including
Berlin's drivers license agency.

Sanford Sherizen, Data Security Systems, Inc., Natick, MASS


Remember, computer data is far from sacred.

Dean Pentcheff <dean2@garnet.berkeley.edu>
Sat, 21 Dec 91 02:07:18 -0800

The following "news" message greeted us today (Dec. 21, 1991) here at UC
Berkeley.  It is curious that the message is dated two days into the future...

                        U N I X   N E W S
                Items ordered most current first.

23 Dec 91 <> Important Information about Computer Systems Court Order <<

We were recently required by order of the Alameda County Superior Court to
search files on Garnet and Violet that may contain a particular individual's
name within the file.  We are complying with that court order.

We think it is important to alert you that files on the shared systems, or even
on personal workstations or microcomputers, are subject to search, and even
seizure, by court order.

Curtis Hardyck, Vice Provost

  [Dean Pentcheff, Department of Integrative Biology, University of California,
  Berkeley CA 94720 Work Phone: (415) 643-9048]


Outgoing fax numbers and Mercury PIN security

Nick Rothwell <nick@dcs.edinburgh.ac.uk>
Tue, 17 Dec 1991 10:11:08 +0000

Perhaps I should explain the subject line... Mercury offer an alternative
long-distance telephone network which is available to ordinary users who have
the standard British Telecom connections, and which offers improved itemized
billing, lower costs, etc. etc. This is implemented by issuing Mercury users
with a long personal identification number which represents their account, and
which is known only by the user (very much like bank card PIN's, only much
longer). Mercury calls are made from standard British Telecom phones by dialing
a special prefix followed by the secret Mercury PIN and then the "real" phone
number.

See the problem yet? I can't send TelePort faxes this way because the
*destination* fax number is printed on the cover page. This includes my Mercury
PIN which would be compromised by any fax I sent using it. This is a serious
drawback.

Possible solutions: (i) suppression of printout of destination fax number on
cover sheet (yes, I could use an empty cover sheet, but I want to send faxes
from applications like text editors which don't let me paste graphics). Better
option: (ii) provision in the TelePort/Fax software for a "secret prefix" which
is dialed for all numbers but not reported on the cover sheet, or a pair of
numbers ("reported" and "dialed") for each fax address. (It's possible I'm
missing something here in the way long distance codes are specified in the
address book - in this case each long distance code would be around 20 digits -
might this do what I want?)

Is there no system in the US that works in a similar way to Mercury? Just
curious whether anyone in the US is going to come across the same problem.

        Nick.
