Unpublicized US centre city flood disrupts computing


Computer Audit Update April 1995

Howard Nicholson has over six years’ experience as an Information Systems Auditor within the Audit Branch of the Australian Department of Social Security. During this time he has been responsible for taking audits of the department’s online systems and applications; datacentre reviews; audits of the systems development life cycle; and logical security reviews. The views expressed in this paper, which was first presented at EDPAC ’94, are entirely those of the author and do not reflect any official position of the Australian Department of Security.

NEWS

German railway computerized payroll repeatedly fails

The recently privatized German Railway System (Deutsche Bahn) has been reported to have been unable for several months to prepare a correct employee payroll. The arrangement under which the System’s workers had been transferred from the German Civil Service had provided that the individual’s actual wages would remain essentially unchanged. Calculation of their Civil Service payments, reportedly, was complex, involving elaborate adjustments and credits. These were transferred to the new Railway System payroll program.

Unfortunately, both the database and the new program that used it were riddled with errors. These faults allegedly remained uncorrected for several monthly payroll periods. As a result, some employees were not paid at all. Others received only a small fraction of the amount that they were due. Still other workers - mostly apprentices, as it turned out - were paid 10 or 15 times the amount that they should have been paid. Overpayments, reportedly, were corrected promptly by Railway System officials. Underpayments, however, were not corrected nearly as quickly. One of the reasons that the problem persisted, it was alleged, was that the payroll was too large and complex to prepare manually. Finally, Railway System workers were asked to keep personal records of the amounts that they actually received and the sums that they were due for each of the pay periods in question.

Belden Menkus

Flaw in tax-preparation program could lead to many unhappy returns

The MacInTax Personal 1040 program, used by thousands of Macintosh users to manage tax details, has been found to contain an error, according to Democrat & Chronicle, NY. The flaw appears when the program is used in conjunction with Quicken, Intuit’s popular home accounting software, and causes every 30th entry made into the tax program to be omitted. The bug has since been fixed by Intuit, which has also announced that all registered users can get a free updated version of the software as well as payment for any penalties resulting from the error.

Glitch leads to $350 000 bank theft

Thieves recently ran off with nearly $350 000 in the space of a weekend from 48 automatic teller machines in Oregon, USA, reports Buffalo News, NY. Apparently, the thieves made over 700 withdrawals in several cities from the Oregon Telco Credit Union in Northwest Oregon using only one credit card, which had been stolen from a parked car. An error in the credit union’s new computer system allowed the thieves to withdraw unlimited amounts of cash out of each ATM, which they then covered up by making bogus deposits totalling nearly $1 million. A special agent of the Secret Service in Portland, USA, said that three people had been arrested and a fourth was being sought in connection with the November thefts from Oregon Telco Credit Union.

Unpublicized US centre city flood disrupts computing

The collapse of a century-old underground cast iron water utility main pipe adjacent to its Midwestern Central City headquarters has disrupted the DP and telecommunication capabilities of a National US concern. A similar risk reportedly exists in every major US city.

These types of pipes typically are 75 to 100 or more years old. Minerals in the water interact with the unfinished iron sides of the pipe. Eventually the pipe collapses, and a flood follows. The only ‘good’ aspect of this disaster, according to one source, was that it did not affect the buried cast iron ‘sanitary sewer’ pipe that paralleled the water line. This same source noted as well that this incident shared two characteristics that are common to many disasters. It occurred at an inconvenient time - very early on a weekend morning and not during regular midweek office hours. And it proved to be unexpectedly time-consuming to restore the concern’s major communications services.

The buried pipe erupted at 4:30am Saturday. It sent a 70 ft water jet against the side of the building for 90 minutes before the water utility was able to turn off the line. One indication of the force of the water was the discovery of a section of the displaced roadway paving resting on an executive office swivel chair located on the building’s fourth storey. The flood was unexpected: a centre city, one source indicated, is not a place where one expects a building to be inundated.

The flood forced the evacuation of the lower five floors of the building, destroyed the key units of the organization’s client/server system, and made it necessary to reconstruct all of the firm’s major databases. The drenching covered these floors with mud and debris. Removing this accumulation; drying out the offices and their water-soaked furnishings; and repairing and replacing damaged furniture, electronic cables, and light fixtures and cable raceways required several days.

For several days the firm was unable to communicate with its local offices, their suppliers and customers, and even within its own building. The local telecommunication common carrier took 10 days to repair and replace their cabling and to make the necessary connections between the on-site switch and the nearby office space to which some of the firm’s employees had been relocated.

Belden Menkus

UK launch of SQL<>SECURE Audit Manager announced

The UK launch of SQL<>SECURE Audit Manager has been announced. The product helps with the effective management of the abundant audit data that is generated by client/server systems and closely monitors the security status of these systems. It is available for Unix and OpenVMS based systems serving PC or workstation based clients, and supported interfaces include MS-Windows, X-Motif GUI and character cell terminals. Prices start at £7500 for the basic system.

For more details contact: Tom Humphrey, Brain Tree Technology; tel: +44 (0) 161 945 1517.

Open file solution for NetWare networks

A software utility from Emerald Systems has been announced which will allow NetWare backup programs to back up open files. The product, Open File Manager, can back up all files, including databases and E-mail, without disrupting ongoing transactions or jeopardizing data integrity. It is designed to complement a wide variety of industry standard back-up applications from major software vendors. It will also support a number of popular databases and E-mail packages, as well as most common applications. The product is due for shipment in June. Emerald Systems claim that it will be the only product available in the industry to ensure open file back-up integrity in the NetWare environment for such a broad range of applications. As it is an add-on utility, there will be no need to change back-up hardware or software to use the product.

For more details contact: Stephanie Craig, Emerald Systems, San Diego, USA; tel: +1 619 673 2167 (ext. 4506).

©1995 Elsevier Science Ltd