Abstracts of Recent Articles and Literature
Tim Stammers. So far, the Internet has been mercifully free of regulation from the UK Government. But UK laws have been proposed which threaten not only civil liberties, but the future of the information superhighway A public consultation paper, issued in March by the last Government, proposes that all those who want to keep digital data private by encrypting it must first make sure the Government has free access to the software key to unscramble it. The system is known as key escrow, or key recovery It would require encryption keys to be copied to licensed third parties, who would make them available to any law-enforcement agency bearing a warrant. Opposition to the concept doesn’t only come from civil libertarians and cyber rights groups. In April, the Federation of German Banks issued a condemnation. In response to reports that its own Government is considering mandatory key escrow, the Federation argued such a move would be “detrimental and inappropriate”. Confidence in the security of digital transmissions is essential for commercial applications. Having keys with a third party simply increases the places from where a thief can steal, bribe or hack. Overseas companies with subsidiaries in Britain will have to trust the UK Government not to indulge in industrial espionage on behalf of British industry. Many encrypt data transmissions because they think government agencies worldwide are spying on them. Under escrow, they will be forced to abandon electronic transmission of sensitive data. The only privacy the authorities will be able to invade will be that of law-abiding citizens. If escrow becomes law, criminals and terrorists will continue using computers to plan drug shipments and bomb blasts. But the security agencies will be none the wiser, as their targets will simply switch to un-escrowed encryption. Anyone who believes access to encryption software can be restricted to escrow-only products should consider how much the software industry loses to software bootleggers. Encryption systems are emerging which use one-time-only keys, and camouflage encrypted data as innocent pictures or text. Eavesdropping will be fully automated, and the content spied on will be hugely richer than voice or fax. Network Solutions, July 1997, p. 10.
Five rules for selling security, Leo Wrobel.Security and disaster recovery have always been difIicult to sell to management. While upper management usually understands the strategic importance of the network, 216
adequate safeguards are often seen as simply one more expense. What’s more, the risk of system failure is greater than ever. The Internet and corporate intranets expose systems and data to new attacks. And as companies grow more dependent on their networks, the loss of a mission-critical system can be devastating. So how do you convince management to sign off on network protection? Most assessments of security and disaster recovery focus on what a company stands to lose. You also have to sell upper management on the need for protection. It is advisable to write and speak in non-technical terms. Outside the data centre, it is better to use business terms, not technical terms. Get support from people management believe in. Determine the actual cost to the company of a failure in any key system. Understand the business. Conduct an impact analysis of core businesses and processes to equate technical disruptions to lost business opportunities. Produce a bullet-proof executive briefing: get your figures validated beforehand. Early interviews earn the confidence of executive management. It’s important to go in and introduce meaningful, accurate figures. Data Communications, May 21, 1997, p. 23.
Banks fear Net losses, Ken Young. Is the Internet secure? You need passwords, firewalls, backup systems, verification and the trust of those running the system. The problem with the Net is it’s so high profile that you cannot afford a security breach. Publicity is likely to be widespread and the effect on the bank’s reputation disastrous. You need much imagination to realise what an employee could do if he could misappropriate accounts over the Net. I am not suggesting these banks do not have safeguards in place, but I’d bet the next big bank fraud we hear of relates to information passed over the Net. The FBI recently caught a fraudster seeking to sell 100 000 credit card numbers to an undercover FBI agent. The hacker, Carlos Delgado, used a packet sniffer to steal card details from a San Diego-based ISP Hacking into home pages is now common sport among the hacking community It’s not a major risk because no money or customer accounts are at stake but it’s the hacker equivalent of graffiti. The latest victim of this hit-andrun electronic graffiti was Universal Studios which runs a site to promote new movie The Lost World: Jurassic Park. After a few days the site got hit and the logo changed to “The Lost Pond: Jurassic Duck” with graphics to match. Many banks will simply stay away
Compufers & Security, Vol. 76, No. 3
from the Net or dip their toes in by running closed dial-up services. There seems little argument that the Internet, or online banking at least, will shake the banking world to its foundations in our lifetimes. What remains to be seen is how fast banks can move without stumbling in embarrassment and farce. Network Solutions,July 1997, p. 23.
assest may be. A network map unites the assets, which are assessed for risk against a regularly updated Trident database of 250 threats. The database is updated every two months and its 250 threats cover 90% of the security problems users encounter. The product targets network/Internet scenarios. Network Computing, May 1, 1997, p. 24, 28.
Internet Explorer security flaws, Scott Spanbauer.
Secure communications now or later? Robert Moskowitz. A consultant recently challenged the author’s position on IP security protocol (IPsec) as the strategic approach for securing TCP/IP communications. A number of concerns arose. The basic premise was that IPsec was detracting from addressing real security problems at their source: TCP/IP-based applications. Since IPsec protects the communication between two hosts, companies will feel comfortable continuing to run unsecured legacy applications. Do you secure the applications or the network? Securing one application may be fairly easy to accomplish and deploy and can give an early competitive advantage, but each application may be handled differently, and over time, the support issues may make this approach untenable. Some key applications may present a monumental task to re-engineer with security as a design objective. Network connections can be secured. This involves policy, administration and routing challenges, but the technology is understood. With IPsec, any application can use this technology. In many ways we have been too successful creating TCP/IP applications. The application development teams tend to ignore security and, in turn, their impact on the security of extended enterprise networkingit’s simple out oftheir spec. With IPsec deployment, secure communications can be the default mode of operation. Over time, IPsec can become the standard application secure protocol. There might always be concern about the vulnerability of using one basic security approach. If it is compromised, perhaps all our systems could be insecure. These technologies, unlike so many application security technologies, were worked out under public scrutiny for over four years. IPsec can use multiple cryptographic authentication engines. Network Computing, June 1.5, 1997, pp. 35-36.
March was not a good month for Microsoft’s Internet Explorer (IE) Web browser. First, students from Worcester Polytechnic Institute and the Massachusetts Institute of Technology in the USA discovered that IE allows Web pages to execute programs on your computer, bypassing Microsoft’s security controls. Also, researchers at the University of Maryland found a hole that lets a Web page bypass security to download and run potentially malicious programs on your system. The first security hole affects IE versions 2.0,3.0 and 3.01; the second version 3.0. The problems have been fixed in IE version 3.02. Internet Explorer isn’t the only Web tool with security problems. Macromedia’s widely used animation browser plug-in, Shockwave 5, can be used to surreptitiously read and upload your private E-mail or any file on your hard drive. Another developer has posted a demonstration Shockwave application that retrieves and displays the directory structure of your hard disk. This particular trick is harmless, but it shows how someone could copy your files to a remote Web server without your knowledge. PC World,June 19997, p. 5.5.
Tackling network security can be an uphill battle, Christy Hudgins-Bonufeld. Securing networks can be very difficult largely because security solutions tend to consist of one part product and three parts policy. NetRISK, from Trident Data Systems, is said to be the first rules-based risk-assessment tool for networks. It may also be the first tool to incorporate corporate-specific network and intellectual property assets into risk assessment equations. Trident officials say its product, originally conceived as part of a US Air Force-commissioned manual risk-analysis process, has been widely accepted as the risk-assessment model for the Department of Defense’s commercial and information warfare traffic. With NetRISK, IS managers can train subnet managers to describe network assets and their business value - in a database, whatever the
Secure VPNs, Andrew Cray. By setting up virtual private networks (VPNs) over the Internet or other public networks, corporate networkers can save their companies a lot of money But realising the benefits