Barclays Bank Prosecutes Rather Than Covering Up


make bad laws”. Recently, it has become significant that legislators are implementing laws that have a significant impact on information security, without properly considering the consequences.

I have recently written about the UK Private Security Industry Act, but here I want to consider recent laws regarding intellectual property.

Under the guise of protecting the entertainment industries from the evils of minor losses of revenue, or in the US, the underlying constitutional principles of fair use, we now have laws that protect corporate stupidity and incompetence at the expense of hard-won personal freedoms and civil rights.

The Digital Millennium Copyright Act, and other national laws implementing the recent amendments to international copyright treaties, place criminal law restrictions on basic research and discussion of cryptography and authentication systems.

I am all for protecting intellectual property by the rigorous implementation of strong cryptographic measures. I do not happen to think that it is possible, but I am perfectly willing to be proved wrong. However, protecting weak systems like CSS, where it might be argued that the sponsoring companies deserve to be publicly ridiculed for their incompetence, is just encouraging the spread of bad security. The fact that it enables copyright giants to attack the weak personal copying market rather than the strong criminal mass copiers is also morally dubious.

Extensions of this schema to protect copyright by reducing our ability to control our own IPR or work, such as Senator Hollings' proposed SSSCA, are further evidence that politicians require a massive amount of education before they should be permitted even to discuss information security.

It didn't take everybody's favourite amoral behemoth long to wade into the fray, on the side of the gremlins, of course. Scott Culp, manager of Microsoft's Security Response Centre, called recently for the end to full disclosure of vulnerabilities. This has already been widely and appropriately criticised, despite there being a valid point or two embedded deep within the marketing.

My wife, upon reading the original call away from arms, did come up with an interesting side notion. Most of the vulnerability hunters work day-time within the security or network management spheres. If you accepted the “can't tell, won't tell” attitude, and one of your day-time customers was using a product you knew to be fundamentally flawed, you would not be in a position to advise them not to.

Let's be honest here, we are talking about IIS, after CodeRed, Nimda and the Gartner report. Most of us already try to steer customers away from IIS, anyway.

If they got ripped apart, and you turned around and it turns out that you knew about the remote admin hole that was used to exploit them, what do you feel are the professional negligence issues? Just because Microsoft is in a position to ignore product liability, fit for purpose and almost all other commercial laws, it doesn't mean that we wouldn't be caught, sued and screwed. Watch yourself, out there in the corporate jungle!

Finale

We do not know how things are going to turn out over the next few months. Calls for restraint, whether of military force or legislation, are likely to be drowned out within the sea of popular revulsion at the acts of 11 September.

Arguments against politicians and their populist actions, whether grounded in libertarian or constitutional ideals, or from deep technical scepticism, are very likely to be, at best, ignored, and at worst called treasonous.

It is essential that we ensure that, once the current crisis is over, we still have the necessary building blocks to continue our slow and halting progress towards a secure global structure for E-commerce and E-communication.

Barclays Bank Prosecutes Rather Than Covering Up
Philip Hunter, Network Security Reporter

An ongoing case at the Old Bailey, in which the former head of a Barclays encryption team is being tried for alleged blackmail against the company, highlights the human dimension of IT security and the need for continuous scrutiny of staff who have high privileges.

The case is also a welcome example of a prosecution rather than a cover up, and as such illuminates the way forward for other enterprises, according to Chris Smith, head of the IT security practice at Logica. “It is essential that there are more prosecutions,” said Smith, who implied that there were plenty of other cases that had been hushed up for fear of adverse publicity. More companies must be willing to put their heads above the parapet for the greater common good, Smith urged.

Apart from adverse publicity, there is the risk of security being compromised through having it discussed in open court, where the defence is at liberty to use all means at its disposal to dismantle the case against its client. Such considerations at first appeared to have motivated the unprecedented step of holding two preliminary court hearings in closed sessions.

Yet, according to the Crown Prosecution Service, which took up the case after Barclays called in the police, the application to hold hearings in camera was made not by Barclays, but by the defence lawyers.

The full trial is now being conducted at the Old Bailey in open court, with the former encryption expert, Graham Browne, 57, standing accused of threatening to disclose encryption codes unless Barclays paid £25 million to himself and 13 others.

The threats were made in emails sent by Browne to Barclays' chief executive, and there was also a demand that Barclays set up a unit to improve security.

This last detail enabled Browne's defence to claim that the threats had no malicious intent and were a ruse to draw attention to poor security at the bank. This is not the first time such a defence has been made, and the prosecution can certainly contend that supposedly altruistic motives cannot mitigate unlawful actions.

The greater question though, as Neil Jarvis, a security expert at Deloitte & Touche, pointed out, is how such situations can be prevented from arising.

In this case, it appears that Browne became frustrated, whether with good reason or not, at what he perceived was the bank's failure to recognise his skill and the value of his work. “There must be continuous vetting of such staff,” said Jarvis, who admitted that this was difficult given the need to give staff freedom from overt intrusion, and also legal rights to privacy. “To remain operational, you have to give trust to your employees”.

HR issues

According to Logica's Smith, the vetting question also impinges on employment law, given that there have to be reasonable grounds for dismissal, and even in some cases for blocking job applications from otherwise well qualified individuals.

It may be that an employer has reason to believe a particular individual has become a security risk, but cannot prove it. Equally, an employer might use its rights to sideline or dismiss individuals on spurious security grounds when the real motive may be a personality clash in the boardroom.

The whole issue is a thorny one, but what is certain is that employers need to beef up on workplace psychology and become more sensitive to signs of growing disillusionment.

It is not uncommon for relatively senior staff, who have been in the same job for a while, to become disaffected, especially when they are nearing the end of their careers and becoming less attractive to headhunters. The need for recognition appears to increase at such times, and so employers need a sensitive fade-out strategy towards perhaps a lucrative and rewarding early retirement.

Strangely, this is not the only IT security blackmail case involving Barclays this year. In the other, totally unrelated, case, Stuart Kearns, 24, was convicted in August 2001 of blackmail and faced three years in prison. His crime, committed in January 2001, involved a threat in a typewritten note to bring down the computers of the Barclays branch in Beckenham, UK, unless he was paid £200 000.

Top 10 Tips for Blackmailers

Tips are courtesy of ‘Count’ Victor Lustig, an infamous 20th Century embezzler.

1 Be a patient listener.

2 Never look bored.

3 Wait for the other person to reveal any political opinions, then agree with them.

4 The same with religious views.

5 Hint at sex talk, but don't follow it up unless the other fellow shows a strong interest.

6 Never discuss illness.

7 Never pry.

8 Never boast — just let your importance be quietly obvious.

9 Never be untidy.

10 Never get drunk.

Source: Fakes, Frauds & Other Malarkey, by Kathryn Lindskoog, Grand Rapids, MI: Zondervan Publishing House, 1993.

Who’s Watching You?
Katherine Lang

A cold clammy feeling, your neck hair rising and an increased level of twitchiness. I’m sure most readers will have had this experience when they feel that inexplicably, and often illogically, someone is watching them. Unfortunately for some people this is real — stalkers, both in the real and cyber-world do exist and you need to know what to do if and when it happens to your company.

What is stalking

Stalking is a form of harassment and comes in many forms ranging from telephone calls, letters and unwanted gifts, to cyber-stalking, where email and the Internet are used to pursue a victim. The common factors are repeated threats or harassment.

According to www.antistalking.com, 8% of American women and 2% of American men will be stalked in their lifetime.

This becomes a business issue and in particular a network security issue because the stalking often happens in the workplace. The person sitting next to you or down the hall could well be a stalker, or victim, and this can lead to technological as well as personnel problems.

Stalker characteristics

Psychologists used existing categories of criminals to build up stalker profiles. They found these three broad groups:

• Partner stalkers, often ex-partners of the victim who become obsessive when spurned;

• Delusional stalkers, who frequently seek out the famous or those they do not know; most of these have other mental health problems;

• Vengeful stalkers, those who stalk through anger at something the victim has done, or they believe they have done.

NovNese.qxd 11/9/01 12:25 PM Page 10