taylor@hplabsc.UUCP (Dave Taylor) (06/25/86)
--------
Computers and Society Digest, Number 19
Tuesday, April 22nd 1986
Topics of discussion in this issue...

    The UK Driving Vehicle Licensing Centre (from RISKS)
    Message to C&S Readers...
    Hacking & forgery laws (from RISKS)
----------------------------------------------------------------------
From: Brian Randell <brian%cheviot.newcastle.ac.uk@cs.ucl.ac.uk>
Date: Tue, 8 Apr 86 12:03:45 gmt
Subject: The UK Driving Vehicle Licensing Centre (from RISKS)
Several newspapers and magazines here have carried stories about
the alleged activities of hackers regarding the Driving Vehicle Licensing
Centre - a very large computer system that has received much bad
publicity in the press and in parliament over the years because
of cost over-runs and delays.
Here is a sample, from the April 1986 glossy journal "Business":

"Computer hackers have been running a brisk racket "cleaning up" the
driving licences of wealthy business men. For a charge of [pounds] 100
a point endorsements have been erased from the files of the British
Government's Licensing Centre at Swansea and its supposedly impenetrable
computer ordered to issue new licences. Drivers who accumulate 12 penalty
points within 3 years are liable to ban or disqualifications. Reckless
driving, for instance, attracts 10 points; failing to stop after an accident
5.9 points; drunken driving 10 points (plus a 12 months disqualification).

Drivers' records at Swansea are held on the Department of Transport's
3081 Model G mainframe, whose manufacturers, of course, are not responsible
for its customers' security procedures. About a year ago, an access code
number appeared on at least four "bulletin boards" - informal computer
games and information exchange facilities set up and used by home computer
enthusiasts (not in this instance mischievous schoolboys).

"I am not suggesting the number on the board was that of the DVLC", says a
source, "but it gave you access to a database with levels of password
protection. It was obviously a secure system and was related to DVLC
because the name headed the file. The access was not very privileged
but knowing the procedures allowed priority in the system and enabled you
to eliminate endorsements and order new licences to be issued."

Amendments to the DVLC mainframe were automatically carried through to
the back-up records kept on magnetic disc storage."
Such stories have inspired denials from the DVLC - for example in Datalink:

"The Driving and Vehicle Licensing Centre in Swansea has denied press
reports that computer hackers have broken into its database and wiped
traffic offenses off driver records.

The DVLC, which employs 1500 staff in a computer centre running a variety of
kit including two IBM 3083s, is adamant that its system is secure from
outside interference. "We have no dial-in facility, there's no electronic
access at all from off-site," a spokesman said.

Some 160 programmers work at the DVLC, and the spokesman admitted that
officials are "looking at internal arrangements" to see whether files have
been amended in return for payment."
My cynical view is that from most other sources such a denial would be
immediately accepted, and indeed it may well be true. However the thought that
such record tampering just might be going on, and so allowing banned drivers
back onto the roads, is a worrying one.
Cheers, Brian Randell - Computing Laboratory, University of Newcastle upon Tyne
ARPA : brian%cheviot.newcastle@ucl-cs.arpa
UUCP : <UK>!ukc!cheviot!brian
JANET : brian@uk.ac.newcastle.cheviot
------------------------------
From: Dave Taylor <taylor>
Date: Mon, 14 Apr 86 14:31:22 PST
Subject: Message to C&S Readers...
[slightly edited to present a more readable format...]
We are preparing a study about the psychological and sociological
consequences of young people having intensive contacts with (home-)
computers. So we are looking for empirical studies (in wide spread)
dealing with that subject.

Especially we are searching for articles about
  - different methodological approaches (e.g. analytical, ethnological,
    qualitative and quantitative aspects ...)
  - empirical designs and ideas
  - results.

If you have any information (or know anyone who has) please help us
by contacting
1. Harald Baerenreiter
Fernuniversitaet
Arbeitsbereich Allgemeine Soziologie
Postfach 940
D-5800 Hagen
F.R.G.
or 2. ERA01 AT DHAFEU11.BITNET
Thank you for being so helpful,
Harald
------------------------------
From: Robert Stroud <robert%cheviot.newcastle.ac.uk@cs.ucl.ac.uk>
Date: Fri, 18 Apr 86 10:18:28 gmt
Subject: Hacking & forgery laws (from RISKS)
This was printed in The Times yesterday April 16th. I am particularly
intrigued by the prosecution under the forgery laws. I don't see how
you can forge something like a telephone number - surely to be protected
by a forgery law, an identification should be personal in some sense.
Numeric codes are completely impersonal.
===========================================================================
Prestel blunder 'helped hacker'. (c) Times Newspapers Limited, 1986

A top-level blunder allowed a computer journalist to penetrate British
Telecom's Prestel information system, a court was told yesterday. A secret
identification code allowing access to secret files was left unprotected
within the computer system it was said. Mr Robert Schifreen, aged 22, used
it to get the confidential identity numbers and passwords of every Prestel
customer, Southwark Crown Court was told.

Mr Schifreen, who subscribed to Prestel under the codename "Bug Hunter",
later wrote an article on how easily he had cracked the system. But Mr
Schifreen, who works for a computer magazine, denied he did so for personal
gain, and accused Prestel of "negligence".

Mr Austin Issard-Davies, for the prosecution, said a random experiment first
gave him the telephone numbers of Prestel's private computers. The telephone
numbers were not published to normal subscribers, and only a few people had
access. But Mr Schifreen was said to have broken into the Prestel development
test computer. It was alleged that he typed an experimental line of numbers,
all twos, when the computer asked for a 10-digit identification. It worked,
and the computer then asked for a four-digit password. He typed 1234 which
turned out to be a test account and gave him access. But Mr Schifreen's
attempts to get information out failed because he did not have the
confidential identity code and password of the system manager. Nine months
later, he came across the code and password "lying around" in one of the
private Prestel computers.

When questioned by police, Mr Schifreen allegedly admitted making
unauthorised access into the system from his home computer, but claimed he
had made Prestel more secure by doing so. Mr Issard-Davies said: "It is a
bit like a burglar claiming all the credit for improved house security
because the householder has put locks on all the windows." He added it was
"twentieth century" forgery because Mr Schifreen allegedly used someone
else's computer identification, like signing someone's name without consent.

[omitted material]

The charges have been brought under section one of the Forgery and
Counterfeiting Act, 1981. The test case trial is the first contested case
to go to court. The hearing continues today.
============================================================================
Robert Stroud,
Computing Laboratory,
University of Newcastle upon Tyne.
ARPA robert%cheviot@ucl-cs.ARPA
UUCP ...!ukc!cheviot!robert
[I reported on a breakin to British Telecom's Prestel Information
Service in the ACM Software Engineering Notes vol 10 no 1 (January
1985). A 19-yr-old young man had penetrated the unencrypted password
file. To demonstrate the vulnerability, he let a London Daily Mail
reporter watch (reported in the LDM on 2 Nov 84) while he read
Prince Philip's mailbox and then altered a financial market database.
Things seem not to have improved much. Peter G Neumann, editor of
the RISKS digest & the ACM Software Engineering Notes]
-----------------------------------
To have your thoughts included in this digest, or to join the mailing
list, please send electronic mail to Dave Taylor at any of the following
addresses:
taylor@HPLABS.{CSNET,ARPA} -- or -- ..hplabs!taylor
This digest is published approximately bi-monthly and does not necessarily
express the views of HP nor anyone else other than the individual authors
of the messages.
***********************************
End of Computers and Society Digest
***********************************