The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 4 Issue 3

Monday, 3 November 1986

Contents

o The Big Bang at the London Stock Exchange
Jonathan Bowen
o UK computer security audit
Robert Stroud
o Austin's computer-controlled traffic lights
Alan Wexelblat
o Computers and Medical Charts
Elliott S. Frank
o Info on RISKS (comp.risks)

The Big Bang at the London Stock Exchange

Jonathan Bowen <bowen%sevax.prg.oxford.ac.uk@Cs.Ucl.AC.UK>
Tue, 28 Oct 86 17:24:41 GMT
Headlines in `The Independent' (new British `serious' newspaper) on Tuesday
28 October 1986:

        Stock Exchange computers fail under strain
        Shambles as the Big Bang hits the floor

THE CITY'S "Big Bang" exploded after just 29 minutes' trading yesterday
morning when the computers buckled under the strain.  The Stock Exchange
system which speads information to dealers and investors went off the air at
8.29 am, to be followed 18 minutes later by the central dealing computer,
the Stock Exchange Automated Quotations system known as SEAQ.  By that time,
market makers were already experiencing problems in putting their prices
into the system, and some of them had ceased to trade at all. The failures
were blamed by the Stock Exchange on brokers overloading the system, both to
look at their competitors prices and out of pure curiosity.

Jonathan Bowen, Programming Research Group, Oxford University


UK computer security audit

Robert Stroud <robert%kelpie.newcastle.ac.uk@Cs.Ucl.AC.UK>
Thu, 30 Oct 86 12:27:45 gmt
There was an item in today's Independent (a new UK paper) about the results
of a security audit of 50 UK companies. Sadly, the results will be all too
familiar to RISKS readers. When will practice catch up with theory?

Robert Stroud, Computing Laboratory, University of Newcastle upon Tyne.
UUCP ...!ukc!cheviot!robert

  [Sorry for the absence of a specific reference to the original report.  PGN]
  ["It is probably one of those expensive management consultancy things
   costing ten pounds a page!" - Robert]

      ============================================================

  Reproduced without permission from The Independent 30th October 1986 p.16

  "How Fred lets the fraudsters in" (c) Newspaper Publishing PLC
  by Michael Cross

  Frauds involving computers will cost British companies 40m pounds next year,
  the insurance broker Hogg Robinson said yesterday. The culprits are not
  usually teenage computer wizards but disgruntled employees and previous
  employees.

  Hogg Robinson's report, an audit of 50 firms, suggests that British
  companies are extraordinarily careless about looking after their computers.
  Apart from fraud, the dangers are sabotage, damage caused by carelessness,
  and run of the mill disasters such as fire or flood.

  The chink in most computers' armour is the password. All but three sites the
  auditors examined used passwords to control access to computers. Most were
  useless. When people choose their passwords, they often pick names of
  spouses or pets. These are easy for colleagues to guess. America's favourite
  password is "love", closely followed by "sex". Top of the list in Britain is
  "Fred".

  Other favourites, said David Davis, director of research at Hogg Robinson,
  are "pass", "God", "genius" and "hacker". "If a hacker tries these he will
  get through 20 per cent of the time", Mr Davis said.

  Passwords are particularly vulnerable when they remain unchanged for a long
  time.  The chairman of one major company the auditors investigated had kept
  the same password for five years. It was "chairman".

  Another danger point is in computers that allow unlimited guesses at
  passwords.  One in 10 of the sites surveyed allowed any number of attempts
  to "log in". The really secure passwords are the dual-key encrypted type.
  These are codes distributed in two parts, which link up inside a computer.
  But only two or three computers, all government installations, carry such
  protection in Britain.

  Despite the vulnerability of passwords, the report suggests that few
  computers fall victim to outside "hackers". Three of the sites inspected
  showed signs that hackers had gained access to the computers through
  external telephone lines.  Dr Frank Taylor, chairman of the British Computer
  Society's security committee, said there is no real evidence that hackers
  are causing large financial losses.

  Dr Taylor's horror stories have a more humdrum flavour. One concerns a
  building supplies company which had no security on its counter terminals.
  Crooked employees were able to give huge discounts to friends, and the
  company went broke. Another company lost its data - and nearly everything
  else - when lightning struck a power cable.

  Computers face a host of dangers from everyday activities, the report says.
  Mr Davis said that computers are designed to be operated by, "a race of
  supermen who do not eat, drink or smoke". He has a useful tip for computer
  people who cannot give up human habits; drink black coffee rather than
  white. It causes less damage if spilt.


Austin's computer-controlled traffic lights

Alan Wexelblat <wex@mcc.com>
Mon, 3 Nov 86 13:07:27 CST
A while back I reported that a lighning strike had taken out the computer
that controlled the synchronization of Austin's downtown traffic lights.
(Local control units took over - only two lights went "on the blink".)

I recently learned that there was more to the story.  It seems that Austin
has a "traffic flow program" embedded in that system that changes the
durations of red/yellow/green lights for given intersections based on the
time of day.  The goal is to give more time for people to get intown in the
mornings and out of town in the evening.  The local control units fall back
to an "equal time for all" scheme, regardless of time of day.

Since the power loss occurred late in the afternoon, evening rush hour
traffic was snarled more than usual.  In addition, there were several near-
accidents caused by people who "knew" that the yellow light would be long
enough (based on months of commuting experience).

Alan Wexelblat
UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex


Computers and Medical Charts

Elliott S. Frank <amdahl!esf00@decwrl.DEC.COM>
Mon, 3 Nov 86 12:44:14 PST
The following items were posted to the delphi digest on mod.mac.  The issues
have been covered before in mod.risks, but the example is worth noting.

Elliott S Frank    ...!{ihnp4,hplabs,amd,nsc}!amdahl!esf00     (408) 746-6384

     ==============================

Delphi Mac Digest          Thursday, 30 October 1986      Volume 2 : Issue 55
From: PIZZAMAN (14213)
Subject: Computers and Medical Charts
Date: 26-OCT 16:26 Business Mac

The most amazing thing happened at the hospital yesterday. I was accused of
unethical behavior because I used my computer to prepare a conference for the
Department of Surgery!

Let me explain.... I am the Clinical Coordinator of the Department of
Surgery at a rural community hospital. This is a voluntary job, in addition
to my regular practice of surgery. My responsibilities include the preparing
of the mortality and morbidity conferences each month, as well as trying to
put together educational topics of interest for the other surgeons. Having
trained at a University Hospital in Philadelphia, I enjoy doing this teaching.

In order to prepare for one of these conferences, I took my Tandy 100 to the
record room, and took my notes on it. When I got to the office, I plugged
the Imagewriter cable into the RS-232 connector on the back of the Tandy,
and using Smartcom II, loaded the information into the Mac for work
processing, spread sheeting, and graph creation.

Now, I am being accused of taking confidential information out of the
hospital in the form of patient records and doctors names! All I had on the
computer were my notes. The paranoid medical staff is afraid that having
this information in my "COMPUTER" is dangerous, in some way. Since I
consider my two computers just extensions of other work tools that I use, I
can't understand this. Would they be just as paranoid if I used a legal pad
to make notes instead of the computer?

By the way, the bylaws of the hospital allow for the use of records for
research, and I had permission from the President of the Medical Staff to do
the study in question.

Pretty amazing paranoia, huh? Do people really still fear computers this way?
Any physicians out there have similar experiences? Any legal advice?

     ==============================           

From: PEABO (14226)
Subject: RE: Computers and Medical Charts (Re: Msg 14213)
Date: 26-OCT 19:45 Business Mac

It might have something to do with Legislators, who tend to know even less
about computers than hospital staff.  I've read some stories about how some
corporations are getting concerned about what J. Q.  Middlemanager is taking
home to work on using his own computer after downloading from the company
mainframe.

peter

     ==============================

From: LAMG (14239)
Subject: RE: Computers and Medical Charts (Re: Msg 14213)
Date: 27-OCT 01:20 Business Mac

Yes, it's paranoid behavior, but no, it's not amazing, I'm afraid.  In my
institution (UCLA Dept. of Radiological Sciences) most of the data used for
teaching and research is in "machine readable" form at one time or another.
Clearly there is a valid issue related to the removal of confidential patient
records from the hospital (I don't know what the regulations are there) but
these would apply equally to data whether in handwritten, printed or machine
readable form.

You didn't say exactly who is objecting to your work and on what
grounds, but it sounds like they don't have a very good idea of what
you're using the computers for.  I can't give you legal advice though.

Franklin Tessler, M.D.

Please report problems with the web pages to the maintainer

Top