Concerns over the effectiveness of security measures are the number one reason why businesses in the UK are hesitant to let the Internet into their companies. Many people perceive the Internet as a fundamentally insecure environment where Email, attachments and commercial transactions can be trapped in the ether by unscrupulous persons. People also think it is relatively easy to hack sites to access commercially sensitive information, or, as Citibank recently found, to be robbed by cyber thieves working from other countries.

Hackers

According to Andy Harris, technical director with security specialist Integralis, "Hackers use a range of fairly simple techniques to discover insecure sites. Beyond that, they attack the browser." Without going into detail, Harris says the most common problems arise because Webmasters forget to take simple precautions like locking down home pages, or fail to reactivate security measures following maintenance. As one person said: "It's surprising how often people forget to quite literally shut the door behind them." However, Harris warns that professional computer thieves are difficult to stop: "If someone is determined enough, they'll find a way in."

On the question of security adequacy, Secure Computing has recently completed interviews with 4,000 customers which indicated that fewer than 50% had written corporate security policies in place prior to seeking consulting services. Worse still, of those that do have policies, well over half were out of date. This reflects an earlier survey conducted by the National Computer Centre (NCC) which showed that fewer than half of the participants who reported incidents had IT standards in place and, in 56% of cases, these standards had to be amended or new countermeasures implemented following a security breach. The lesson is clear. If companies are to use the Internet as a potential medium for trading, then policy reviews and procedures that work are absolutely vital.

Data protection

However, assuming you get past this hurdle, life isn't made any easier when you start thinking about transferring data around the extranet. There is an EC directive which comes into full force in October 1998, the EC Data Protection Directive (95/46/EC), which governs the way in which data about individuals can be moved around between member states and also talks about the rights of the individual related to that data. According to Protegrity's UK managing director Clive Archer, "Italy, for example, has to introduce privacy laws, we have to strengthen ours and Germany has to weaken its laws. So by definition there is a danger that we end up with the lowest common denominator."

Under the directive, data can only be held if the individual has given an unambiguous authority to do so, but this leads to many definitions and problems. Health records in particular are a nightmare. "How can you expect to get permission to have medical records transmitted from one country to another from someone involved in a road accident?" asks Archer. Some countries have bigger problems than others. In Sweden, individuals have a civic number that is used in all official documents related to them including tax, bank accounts and social security, but it is illegal to merge that information electronically unless you can guarantee anonymity.

If you are wondering whether the lack of coherent regulation acts as a deterrent, consider this. The Data Protection Registrar has fined US Robotics several thousand pounds together with costs, under the Data Protection Act. US Robotics was obtaining information about individual visitors to its Web site and then using that information for the purposes of selling further products. It was not registered for such a purpose under the Act.

Encryption

You could encrypt data, but it could be lost when merging, so in reality encryption is impractical. But it gets worse.
In France you aren't allowed to encrypt data at all, so you're left with creating a security model through access controls, smart cards and biometric access methods. While talking about encryption, it is worthwhile reviewing the farcical situation in the US, where the federal government refuses to allow 128-bit encryption to leave its shores unless there is a special dispensation in place. As this only applies to certain financial institutions, companies that trade globally are in the ludicrous position of having to find ways of implementing standards worldwide when there is no level playing field. Archer says, "The situation is daft, uncontrollable and unmanageable. You can download strong encryption algorithms, so despite the US government's paranoia about crime gangs using encryption to prevent investigation, almost anyone can get round the federal government."

In the commercial world, Archer believes this leaves companies with difficult choices, and one of the trends is for US software houses to create offshore subsidiaries that cannot be touched by the Feds. In reality, the US stance is weakening, evidence for which is found in the Key Escrow Agreement which President Bill Clinton has accepted. Essentially, you deposit a "key" for strong encryption with a "safe" third party so that when Uncle Sam decides he wants to poke around your files, the means is there to do so without the need to employ the services of a nest of Cray supercomputers.

Domain name scheming

One of the many things currently being discussed is copyright and trademark infringement. When it comes to defending your rights, the subject is a minefield. According to Andrew Clay, intellectual property partner at solicitors Hammond Suddards, "The Internet is like a massive copying machine and extremely difficult to control or police. Anyone with a connection has the potential to copy and infringe another person's copyright. Defending your rights can be extremely expensive.
In simple cases, an injunction might cost around £15,000, while a full blown trial with the inevitable expert testimony could be as high as an alleged £1 million."

Last year, NetBenefit exposed the activities of Euroweb Internet in what it described as a "scam". Many people thought they could make a fast quid by vacuuming up names that commercial enterprises were likely to want and then effectively holding prospective buyers to ransom. NetBenefit accused Euroweb International of just such activities.

There have been a number of cases, of which the Harrods case was especially notable. Michael Lawrie was found to be infringing Harrods' registered trademark and guilty of "passing off" when he registered the name. However, the results in one jurisdiction are unpredictable in another. According to Aardvark News, based in New Zealand, "The name harrods.co.nz is registered to Internet Marketing International, with Peter Belt of WebWorld being listed as the contact name. Indeed, Belt has run advertisements in Aardvark promoting his private domain registry service, using harrods.co.nz as an eye catcher." Belt is on record as saying he will hand over the name if Harrods' lawyers request it, but as Aardvark points out, "This is no guarantee that Harrods won't take legal action anyway, simply to deter others from attempting similar stunts with their intellectual property."

Although the position appears clear cut in this case, there are real practical difficulties. According to IT lawyer Robert Bond, partner with Hobson Audley Hopkins and Wood, "Despite there being numerous reciprocal arrangements the fact remains there is no global harmonised law of copyright. Countries such as China and Taiwan don't have good reputations for enforcement." In some cases this has led to bizarre collections of URLs being gathered by companies that might at some point wish to use them.
A couple of cases point up both the seriousness with which business takes this issue and the farcical nature of the domain name game. Kraft Foods, for example, has registered more than 150 domain names, such as velveeta.com and parkay.com, in order to prevent trademark infringement. Procter & Gamble has registered names like underarm.com and diarrhea.com, just to be sure.

In an effort to balance the rights of domain name holders and trademark owners, the International Ad Hoc Committee (IAHC) proposes a number of changes in the way domain names are registered. Currently, domain names are granted on a first-come, first-served basis. Just a couple of years ago, there were only about 120,000 domain names registered. A year ago, there were approximately 306,000 domain names registered. Today, the figure runs into millions. NSI, for example, is processing about 85,000 new applications for domain names each month, a rate that has been increasing steadily and shows no signs of abating.

Copyright

However, the issue of copyright goes deeper than that. The free availability of material on the Web and the ability of individuals to digitise just about anything, including audio and video clips, has led to a rash of problems. In a recent case, Easynet removed a site where there were unauthorised Oasis sound clips. Oasis' management company Ignition refused to comment on the action. However, it raises some interesting points. According to Tony Martin, managing director of Internet strategist The Music Network, "Much of what's being said is a red herring. MPEG3 trading sites aren't really commercial or viable, they're for trainspotters." He points out that while the issue of copyright is real, the fuss over songs being downloaded from the Web is out of all proportion to reality.
Martin asserts that the work necessary to download, decompress and then assemble a set of files to get even a single track is such that, "You might as well have gone down to your local record shop and bought one." He also says: "Record companies need to take a responsible attitude. A 30-second taster should be enough to hook a potential buyer." He believes that the answer to piracy lies with Liquid Audio. This is a new streaming technology that embeds the copyright information into the "track" and is very easy to use. Martin believes Liquid Audio will eliminate the piracy problem and suggests it will change the face of retailing as well as entertainment. "Sharp, Apple and Japanese computer manufacturers are incorporating mini disc or recordable CD drives. In five or 10 years' time, you'll be able to audition tracks in a music store, swipe your credit card at a listening post and have the CD made to order as you leave the store," he adds.

I haven't touched on the many other problems that can arise like spamming, defamation, libel (see below) - which recently cost Norwich Union £450,000 in damages - and the numerous arguments over freedom of speech and the political dimension of the Internet. What you should have gathered by now though is that democracy of the type epitomised by the Net comes at a price. And, sometimes, this can be very high.

Security measures: the golden rules

If you are really concerned about security matters, the first thing to remember is that the success of your security policy depends on three things - practicality, attention to detail and enforceability. There's no point in having a "You get the sack if you bring in a virus" order, because no-one is going to admit to doing such a thing, whether intentionally or otherwise. However, a "You bring in disks that aren't cleared through IT and you're sacked" order might work.
Above any threat, persuasion and explanation seem to work best, especially when combined with sensible security activities, like automated backup, floppy disk lock-down and virus protection as standard, backed up by network detect and alert technologies. Here's a useful list of contacts that might steer you down the right path:

Firewalls:
CheckPoint-1 - the network favourite - £2,000 to £13,000. 01223 421338
VCS Firewall - Unix version - part of Chest, from £1,650. 0117 900 7500
BorderWare Firewall - platform independent - £3,500 to £5,500. 0181 606 9924

Encryption software:
SafeHouse - PC Dynamics. 001 818 889 1741
EDS - Sophos. 01235 559933
Encryption Plus - PC Guardian. 001 415 459 0190
AE-STED - Slammin' Tech Software - [email protected] (free downloads available)
ID signatures - Verisign. 001 415 961 7500 (free downloads and digital signatures)

Content management:
MIMESweeper - Integralis. 0118 930 6060
I-Gear - UR Labs. 001 757 865 0810

Solicitors:
Hammond Suddards. 0113 234 500
Hobson Audley Hopkins & Wood. 0171 248 2299
Bird & Bird. 0171 415 6000

Libel and defamation: know your rights

The potential for libelling or defaming someone over the Internet is far greater than in traditional methods of communication. This is because Emails are more informal and vociferous than anything you are likely to send in a memo. Yet, from a legal standpoint, Email is no different to any other form of communication. Most people don't worry about libel because they see Email as transitory, whereas in reality, mail is often retained on servers, making it a potential smoking gun. However, according to Mark Hofke, intellectual property partner with solicitors Bird and Bird, "There are rapid development changes in the law at the same time as there are rapid technology changes."
This is made more complicated by the Defamation Act 1996, which sought to provide a measure of protection to ISPs following several landmark cases that confused the issue of legal responsibility and control. According to Hofke: "The UK law is logically flawed because the issues of responsibility and control as they apply to ISPs create a potential Catch 22 position." In essence, ISPs are obliged to take responsibility for content, but if they do exercise content control, that raises a question mark over their potential liability.

Many companies and indeed governments are sensitive to the issue and use lexical analysis to provide a measure of protection. According to Integralis' technical director Andy Harris, "Defamation and blasphemy are not that far apart, and in reality it is the placement of words in context that matters." If you are concerned about this as a potential issue - which might include commercially sensitive material related to going public on the Stock Exchange or launching a new product - then you need to consider using tools such as MIME-sweeper or WEBsweeper. These can be set up to trap words on the basis of likelihood in context.

Security survey: DataPro 1997 worldwide survey on information security issues

DataPro has just completed a worldwide survey of over 1,000 IT professionals who deal directly with security. The full results are due to be published in February 1998. Worldwide, DataPro reported that the Internet has become a more important security issue than in 1996. Respondents rated Net security second (28%) in importance, behind the threat of viruses (31%). DataPro was also stunned by the impact of firewalls. Usage of firewalls in LANs doubled in 1997 compared to 1996. Becky Duncan, security analyst at DataPro, said: "This reflects the infiltration of firewalls in the LAN market."
For security as a whole, DataPro found that the 1997 results revealed that 69% of the European respondents have a computer security policy which, it says, is a marked improvement over the 1996 results where only 55% indicated they had a security policy. As with the other world regions surveyed, the European respondents cited "lack of a dedicated security function", according to DataPro, as the primary reason they did not have a security policy in place.

Attacks from viruses and malicious code continue to be the leading security incident for European respondents (46%) according to the survey. This result is lower than the 1996 results when 63% of the European respondents chose viruses as the leading security incident they had to grapple with. The introduction of new viruses has not diminished in the past 12 months. In fact, it has been steadily increasing. Therefore, this year's lower percentage by survey respondents may be the result of security professionals upgrading their anti-virus products to protect their systems from the newer strain of macro viruses being released.

When asked whether upper management recognises and supports the implementation of information security practices, among the European respondents: 48% stated that upper management recognises the importance of information security and supports the implementation of security practices; 39% stated that upper management recognises the importance but DOES NOT provide sufficient resources to support good information security practices; and 12% stated that upper management does not recognise the importance of information security. Without upper management's support, security professionals face an uphill battle in trying to protect company resources. Security is as much a management issue as it is a technical one.

When asked how they thought vendors were doing with regard to developing robust security solutions, 69% of European respondents said vendors had "improved, compared with past years".
While the media provides a lot of coverage on the topic of electronic commerce, it appears that less than a quarter of the European respondents have any electronic commerce applications running. This result is similar to the other regions' results. In fact, 42% of European respondents stated that they did not have any electronic commerce applications and had no plans to develop them. One reason for the lack of implementation is that the security controls are not in place to secure the application. As the security solutions become more defined, wider acceptance and implementation are expected.