22Apr98 NEW ZEALAND: WHO'S WATCHING YOUR KEYBOARD? By STEPHEN BELL. Security sweeps for microphone bugs before confidential discussions may soon have to be extended to the PC world. A digital "bug" is available, says NCR marketing director Will Mooney, to stick to the bottom of a PC keyboard. It will capture every keystroke - private documents, confidential passwords - and store them in a microchip until retrieved. This is the far end of computer espionage, he admits. Today's information technology manager should be more concerned about a variety of simpler threats. These include skilled invaders "labelling" their Internet messages to look as though they come from staff, staff going where they're not supposed to on the network, staff moving sensitive data off-site without authority and taking dangerous labour-saving shortcuts. NCR, like many a computer vendor before it, is trying to stir up interest and worry about computer security problems among management with out-of-date ideas about digital danger. NCR is looking to sell new services as a security monitor and adviser. But it seems to be caught in a marketing bind: trying to ramp up interest in the local market before it has any staff in New Zealand dedicated to, or expert in the field, or a very clear plan. Asked who would perform the services here, local representative Nick Halikias talks of "partners" expert in security. Some of these Optical Data Systems and Internet Security Systems - are United States-based companies with no current local representation. He mentions Cisco, maker of networking equipment, with Auckland and Wellington offices. A Cisco spokesman confirms the company is preparing to participate in the plan. Large accounting/ consultancy firms may also be interested, Halikias hints. Tools and procedures developed in the US for testing security and devising counter-measures are internationally applicable, Mooney says. "We have a defined approach, which is franchised, like the appearance of a McDonald's restaurant." It can be operated on the same basis by a local NCR branch and/or various partners. But he acknowledges the local operation may need to be flexible to the different size and practices of New Zealand businesses. "Different countries have different laws about[digital crime], and about what data you would have to collect and keep to bring a successful prosecution," he says. "McSecurity" begins to look less uniform. NCR's briefing material refers to the use of "white-hat hackers" - reformed intruders now willing to help NCR customers test their vulnerabilities. [NCR hires hackers.] But Mooney says hackers will not be used. "We intend to train 200 of our own staff[worldwide] and use alliances with security specialists." Mooney warns companies to think beyond accustomed assumptions on security. [We hire hackers.. but we don't. We train our own people to do what a hacker does (hah), and work with these partners. (who may be hackers).] A survey of 4,500 US firms by the FBI and the quasi-Government Computer Security Institute established that between 75% and 83% of security breaches were perpetrated by insiders intentionally and inadvertently. Unthinking breaches cover a wide range. A worker might prop open the door into a supposedly secure computer room with a chair, to avoid having to keep putting his/her card in the slot. In one case, a worker was told to store personal data on a designated disk drive, but when standard maintenance procedures kept deleting it because it had not been accessed for a certain time, he shifted it to another, less secure drive, precipitating a breach. A clear policy is the first line of defence, Mooney says. It should be strictly enforced, with sanctions for breaches. When it comes to breaches from outside, most companies open to the Internet or dial-in links set up a "firewall," a device programmed to allow only approved kinds of digital traffic from the outside world into the internal computer network. But this can lull the company into a false sense of security. Sophisticated policing equipment can conquer this problem by monitoring the timing of messages. If the automatic computer acknowledgement of an outgoing message comes back a little later than it should, it may not be coming from inside the company. The equipment is programmed with all access rights. Not only does this prevent irregular access by staff, but "if someone comes into the system from outside pretending to be you, they'll probably try to go somewhere where you're not allowed, and the policing system will pick it up." [More sufficiently vague information on this 'policing system'. The timing issue doesn't seem to make much sense or doesn't account for network latency.]