22Apr98 NEW ZEALAND: WHO'S WATCHING YOUR KEYBOARD?
By STEPHEN BELL.

Security sweeps for microphone bugs before confidential discussions may
soon have to be extended to the PC world.

A digital "bug" is available, says NCR marketing director Will Mooney, to
stick to the bottom of a PC keyboard.

It will capture every keystroke - private documents, confidential passwords
- and store them in a microchip until retrieved.

This is the far end of computer espionage, he admits. Today's information
technology manager should be more concerned about a variety of simpler
threats.

These include skilled invaders "labelling" their Internet messages to look
as though they come from staff, staff going where they're not supposed to
on the network, staff moving sensitive data off-site without authority and
taking dangerous labour-saving shortcuts.

NCR, like many a computer vendor before it, is trying to stir up interest
and worry about computer security problems among management with
out-of-date ideas about digital danger.

NCR is looking to sell new services as a security monitor and adviser.
But it seems to be caught in a marketing bind: trying to ramp up interest
in the local market before it has any staff in New Zealand dedicated to, or
expert in the field, or a very clear plan.

Asked who would perform the services here, local representative Nick
Halikias talks of "partners" expert in security. Some of these Optical Data
Systems and Internet Security Systems - are United States-based companies
with no current local representation.

He mentions Cisco, maker of networking equipment, with Auckland and
Wellington offices. A Cisco spokesman confirms the company is preparing to
participate in the plan. Large accounting/ consultancy firms may also be
interested, Halikias hints.

Tools and procedures developed in the US for testing security and devising
counter-measures are internationally applicable, Mooney says.
"We have a defined approach, which is franchised, like the appearance of a
McDonald's restaurant." It can be operated on the same basis by a local NCR
branch and/or various partners.

But he acknowledges the local operation may need to be flexible to the
different size and practices of New Zealand businesses.
"Different countries have different laws about[digital crime], and about
what data you would have to collect and keep to bring a successful
prosecution," he says.

"McSecurity" begins to look less uniform. NCR's briefing material refers to
the use of "white-hat hackers" - reformed intruders now willing to help NCR
customers test their vulnerabilities.

[NCR hires hackers.]

But Mooney says hackers will not be used. "We intend to train 200 of our
own staff[worldwide] and use alliances with security specialists."
Mooney warns companies to think beyond accustomed assumptions on security.

[We hire hackers.. but we don't. We train our own people to do what
 a hacker does (hah), and work with these partners. (who may be hackers).]

A survey of 4,500 US firms by the FBI and the quasi-Government Computer
Security Institute established that between 75% and 83% of security
breaches were perpetrated by insiders intentionally and inadvertently.
Unthinking breaches cover a wide range. A worker might prop open the door
into a supposedly secure computer room with a chair, to avoid having to
keep putting his/her card in the slot.

In one case, a worker was told to store personal data on a designated disk
drive, but when standard maintenance procedures kept deleting it because it
had not been accessed for a certain time, he shifted it to another, less
secure drive, precipitating a breach.

A clear policy is the first line of defence, Mooney says. It should be
strictly enforced, with sanctions for breaches.

When it comes to breaches from outside, most companies open to the Internet
or dial-in links set up a "firewall," a device programmed to allow only
approved kinds of digital traffic from the outside world into the internal
computer network. But this can lull the company into a false sense of
security.

Sophisticated policing equipment can conquer this problem by monitoring the
timing of messages.

If the automatic computer acknowledgement of an outgoing message comes back
a little later than it should, it may not be coming from inside the
company.

The equipment is programmed with all access rights. Not only does this
prevent irregular access by staff, but "if someone comes into the system
from outside pretending to be you, they'll probably try to go somewhere
where you're not allowed, and the policing system will pick it up."

[More sufficiently vague information on this 'policing system'.
 The timing issue doesn't seem to make much sense or doesn't account for 
 network latency.]