Computers and Security, Vol. 17, No. 5
Abstracts of Recent Articles and Literature

implementation of the standard to network equipment and software vendors. It has also volunteered to serve as a focal point for industry momentum behind SOCKS v5, which it calls an Internet Access Management Framework for advanced security and management services for traffic flowing through the network. The protocol is targeted at Internet client/server applications, VPNs, firewalls, proxy servers and cache servers. Among its benefits are the ability to deploy UDP-based applications, including streaming audio and video, across firewalls; to use a range of authentication and encryption schemes; and to provide secure communication between different addressing schemes. The assumption is that IPsec provides the base cryptography and that SOCKS, operating higher up at the application level, provides the management functions. LAN Times, June 8, 1998, p. 39.

Don't neglect browser security, Christopher Null. The security problems of ActiveX and Java may be old news, but new ways to hack them are discovered frequently. While the market works to fix itself, some products are designed to do the job in the meantime. Three such products were tested, and each takes a different approach to preventing hostile applets and controls from damaging networks. First tested was Advanced Computer Research's Secure4U 3.1, which was found to be somewhat buggy. It works well with Communicator, sitting quietly in the background unless a hostile applet or control is detected. Its security was good: testing with several hostile or buggy Java applets confirmed that none of them could take control of the system or compromise security by other means, and Secure4U killed every malicious process it encountered. However, the testers experienced many browser crashes. Next was eSafe Technologies' eSafe Protect 1.1, which runs on Windows 95. Unfortunately, testing showed this application to be unreliable: under both Netscape Navigator and Internet Explorer, eSafe regularly allowed hostile applets to spawn out-of-control malicious processes; it rarely intervened, and when it did its warning messages were cryptic. The final product tested was Network Associates' WebScanX 3.1.2, which takes a different approach to Java and ActiveX security, building on the VirusScan strategy of shipping definition files that contain known attack patterns. The primary limitation is that you are safe only from attack patterns that have already been registered. In this test WebScanX caught almost all of the attempted applet penetrations, although one hostile applet did get through on one occasion. The testers judged WebScanX the best product, with Secure4U a close second, but you should not count on either package for absolute security. Fortunately, the malevolent hacker community has yet to embrace Java and ActiveX in any significant way. LAN Times, June 8, 1998, p. 30.

PGP disk's security takes a bite out of crime, Ahmad Abualsamid. Notebook theft is a big problem, and PGP disk, a security product from PGP Inc., attempts to solve the problem of protecting the data on a stolen machine. The product lets you create encrypted disk volumes on your PC that appear as just another drive; the data within, including all folders and files, is completely inaccessible without PGP disk and your pass phrase. When not in use, the volume is stored as an encrypted file. When the author created his first PGP disk volume, the program asked him for a pass phrase with which to encrypt the volume, then mounted the encrypted volume and let him assign it a drive letter. PGP disk integrates fully with Windows Explorer and protects data with Entrust Technologies' CAST encryption algorithm. Network Computing, June 1, 1998, p. 54.

Security tool blocks document misuse, Gary Anthes. PageVault, from US company Authentica Security Technologies, will allow users to tailor access to a document so that certain pages, paragraphs and images can be read by some users but not by others; to distribute documents that are unreadable until a specified date and time; to ensure that confidential information cannot be printed; and to guarantee that employees with access to confidential information at work cannot access the same information from other locations or take it with them when they leave the company. PageVault is the brainchild of David Pensak, founder, president and CEO of Authentica. Most security products offer "one-shot perimeter security", Pensak said: once a hacker finds a way to break into a system and access confidential data, he is home and dry. "But ours is persistent, distributed security", Pensak added. "The security stays with the document at all times. Every time you try to access it, no matter where it is, you have to get reauthorized to see it." Computerworld, June 8, 1998, pp. 1, 90.

Through the key holes, Phil Hunter. Many organizations are looking to establish a coherent approach to authentication, encryption and access control that works across the business. Even on an internal network this is not always easy, because different applications often have conflicting requirements, and it is harder still for companies opening up their networks to external access via the Internet. With an internal network you know who the users are and can enforce particular security practices, such as smartcards or tokens for access control. But over the Internet you may want to grant access, securely, to people you do not know. Obviously it is necessary to ensure that only authorized users reach critical systems, but over the Internet there is also the threat of techniques such as Web spoofing, which lure users to phoney hosts; the user can then be tricked into revealing information that lets an attacker masquerade as that user and gain access to the network. Ultimately, all security systems hinge on human behaviour, both that of the administrators who look after the central security servers and that of the end users, who are entrusted with passwords or other credentials for accessing the network. This will never change, and the situation is compounded by the fact that there is no universal security system suitable for all applications and all scales of network. Computer Weekly, June 18, 1998, pp. 36-37.

Firewall reality check, Rivka Tadjer. Top firewalls from major vendors have never been better, but it is important to remember that they are not plug-and-play, fail-safe devices, and they are unlikely to become so.
Two annoying and unavoidable variables prevent firewall implementation from being simple: human beings, and network designs that include many external connections. The FBI Computer Crime Unit reports that more than 80% of all network breaches are inside jobs: these hacks come courtesy of the trusted employees sitting in the offices and cubicles right around you. Today, the things that top firewalls do best are securing multiple layers of the network, and network performance management, monitoring and auditing. You can also create digital paper trails, so that once someone does hack in, you can catch the person. What you want to do with firewall technology, then, is maximize both protection and network performance. Assuming you take proper care to set up firewalls for both internal protection and your Web server, the really thorny design issue is devising the safest way to connect your internal network to an external one. InternetWeek, June 2, 1998, pp. 28-30.

Passwords to protection, Phil Hunter. IT security is as much a human issue as a technical one: the rule is that systems must be hard to abuse but easy to use. Paradoxically, security is weakened if applications are so heavily barricaded that legitimate users have difficulty getting at them. Scotia Bank was aware of these pitfalls when it considered what security to implement for its Internet banking service, Scotia Online. The bank has a large legacy of trust to protect and could not afford a major security breach that would cause its existing non-Internet customers to lose confidence in it. For banking the primary security requirement is authentication: identifying customers so that impostors cannot gain access to their accounts. Ultimately, if a system is to be easy to use, it must rely on a password for initial access. Scotia Bank believes it has done all it can to minimize the risk, first by ensuring that customers' passwords are never transmitted over the Internet, where they could be sniffed, and second by requiring customers to enter their password only once, at the start of a session. Computer Weekly, June 21, 1998, pp. 36-39.

Six biometric devices point the finger at security, David Willis and Mike Lee. Every network administrator tries to balance system security against user convenience. Users hate security schemes that get in the way of their work, yet administrators need such procedures to track access and usage. Without clear user identification you cannot have non-repudiation, so users are forced to struggle with elaborate password schemes or hardware tokens so that administrators can track who does what.
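The SOCKS v5 abstract above lists two of the protocol's selling points, negotiable authentication methods and UDP relaying through a firewall, without showing what they look like on the wire. The following is an added example, written for this digest and not code from NEC, LAN Times or any SOCKS implementation: it builds and parses the RFC 1928 messages for both sides of a session (method negotiation, the RFC 1929 username/password sub-negotiation, a UDP ASSOCIATE request and reply, and the header a relayed UDP datagram carries). The credentials, addresses and payload are constructed, and the "server preference order" in `server_select_method` is an implementation choice, not something the RFC mandates.

```python
"""SOCKS5 (RFC 1928) and username/password (RFC 1929) wire-format helpers.
Added illustration; all message contents below are constructed."""
import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_GSSAPI, METHOD_USERPASS, METHOD_NONE = 0x00, 0x01, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def encode_address(host, port):
    """ATYP + DST.ADDR + DST.PORT: IPv4/IPv6 packed, domain names length-prefixed."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                       # not an IP literal: send the name (ATYP 0x03)
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length must fit in one byte")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return body + struct.pack("!H", port)


def decode_address(buf, off):
    """Inverse of encode_address: (host, port, offset past the field); rejects truncation."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_DOMAIN:
        length = buf[off]
        off += 1
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        length = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    raw = buf[off:off + length]
    if len(raw) != length or len(buf) < off + length + 2:
        raise ValueError("truncated address")
    host = raw.decode("idna") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack_from("!H", buf, off + length)
    return host, port, off + length + 2


def client_greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS (the auth schemes the client supports)."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("1..255 methods")
    return bytes([VER, len(methods), *methods])


def server_select_method(greeting, server_preference):
    """Server -> client: VER, METHOD. First method in the server's own preference order
    that the client also offered; 0xFF tells the client to close the connection."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = set(greeting[2:])
    chosen = next((m for m in server_preference if m in offered), METHOD_NONE)
    return bytes([VER, chosen])


def userpass_request(username, password):
    """RFC 1929 sub-negotiation after method 0x02: VER=1, ULEN, UNAME, PLEN, PASSWD.
    The credentials travel in clear, which is why the abstract pairs SOCKS with IPsec."""
    if not (1 <= len(username) <= 255 and 1 <= len(password) <= 255):
        raise ValueError("username/password must be 1..255 bytes")
    return bytes([0x01, len(username)]) + username + bytes([len(password)]) + password


def request(cmd, host, port):
    """Client -> server: VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    return bytes([VER, cmd, 0x00]) + encode_address(host, port)


def parse_request(buf):
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed request")
    cmd = buf[1]
    if cmd not in (CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE):
        raise ValueError(f"unknown CMD {cmd:#04x}")
    host, port, end = decode_address(buf, 3)
    if end != len(buf):
        raise ValueError("trailing bytes after request")
    return cmd, host, port


def reply(rep, host, port):
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. For UDP ASSOCIATE the
    bound address is the relay endpoint the client must send its datagrams to."""
    return bytes([VER, rep, 0x00]) + encode_address(host, port)


def udp_datagram(host, port, payload, frag=0):
    """Relayed UDP datagram: RSV(2)=0, FRAG, ATYP, DST.ADDR, DST.PORT, then the payload."""
    return b"\x00\x00" + bytes([frag]) + encode_address(host, port) + payload


def parse_udp_datagram(buf):
    if len(buf) < 4 or buf[:2] != b"\x00\x00":
        raise ValueError("bad UDP header")
    host, port, off = decode_address(buf, 3)
    return buf[2], host, port, buf[off:]


def example_exchange():
    """Negotiation plus a UDP ASSOCIATE, returning every message for inspection."""
    hello = client_greeting([METHOD_NO_AUTH, METHOD_USERPASS])
    choice = server_select_method(hello, [METHOD_USERPASS, METHOD_NO_AUTH])
    auth = userpass_request(b"alice", b"s3cret")              # constructed credentials
    assoc = request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0)          # client's source port not yet known
    assoc_reply = reply(REP_SUCCEEDED, "192.0.2.10", 1080)    # constructed relay endpoint
    packet = udp_datagram("198.51.100.7", 5004, b"rtp-payload")
    return {"hello": hello, "choice": choice, "auth": auth, "assoc": assoc,
            "assoc_reply": assoc_reply, "packet": packet}
```

Two things a firewall administrator should notice in the bytes: the method list is the only place a policy such as "no unauthenticated proxying" can be enforced (a server that returns 0xFF for a client offering only 0x00 is doing exactly that), and the UDP relay header carries the real destination in clear, so the SOCKS server, not the firewall's packet filter, is what decides which UDP peers are reachable.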
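The Scotia Online abstract above says the bank authenticates customers with a password that is never transmitted over the Internet, but the abstract does not say how. The following is an added example, not code from Scotia Bank or from Computer Weekly, showing one standard way to achieve that property: the server stores a salted, iterated key derived from the password (the verifier), issues a fresh random nonce as a challenge, and the client answers with an HMAC keyed by the password-derived key. The usernames, passwords, PBKDF2 round count and the single-outstanding-nonce policy are all assumptions made for this example.

```python
"""Challenge-response login in which the password never leaves the client.
Added illustration; the mechanism is assumed, not the one Scotia Online actually deployed."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumption for the example; tune to your hardware budget


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides compute this; the server stores only the result (the verifier)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, 32)


def client_response(password: str, username: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: proves knowledge of the password by keying an HMAC over the nonce.
    Only this 32-byte tag travels; a sniffer cannot recover the password from it."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce + username.encode("utf-8"), hashlib.sha256).digest()


class ChallengeResponseServer:
    """Bank side (constructed): per-user salt and verifier, one outstanding nonce per user."""

    def __init__(self):
        self._users = {}     # username -> (salt, verifier)
        self._pending = {}   # username -> nonce issued but not yet answered

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Step 1: send salt and a fresh nonce. Unknown users get a random salt and a
        nonce as well, so the reply does not reveal whether the account exists."""
        salt = self._users[username][0] if username in self._users else secrets.token_bytes(16)
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 2: recompute the tag from the stored verifier and the nonce we issued.
        The nonce is consumed whether or not the check passes, so a captured
        response cannot be replayed against a later challenge."""
        nonce = self._pending.pop(username, None)
        record = self._users.get(username)
        if nonce is None or record is None:
            return False
        _, verifier = record
        expected = hmac.new(verifier, nonce + username.encode("utf-8"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo():
    """Good login, replay of a sniffed response, wrong password, unknown account (constructed data)."""
    server = ChallengeResponseServer()
    server.enroll("alice", "correct horse battery staple")

    salt, nonce = server.challenge("alice")
    sniffed = client_response("correct horse battery staple", "alice", salt, nonce)
    ok = server.verify("alice", sniffed)

    server.challenge("alice")                 # fresh nonce; an eavesdropper replays the old tag
    replay = server.verify("alice", sniffed)

    salt, nonce = server.challenge("alice")
    wrong = server.verify("alice", client_response("wrong password", "alice", salt, nonce))

    server.challenge("mallory")               # account does not exist
    unknown = server.verify("mallory", sniffed)
    return {"ok": ok, "replay": replay, "wrong": wrong, "unknown": unknown}
```

The caveats a practitioner would attach: the stored verifier is itself the HMAC key, so a database leak lets an attacker answer challenges without knowing the password (a PAKE such as SRP removes that weakness); the scheme does not authenticate the server, so the Web-spoofing attack described in the "Through the key holes" abstract still lets a phoney host relay the challenge to the real bank in real time unless the exchange is bound to an authenticated channel such as TLS or IPsec; and the one-entry-per-session convenience the abstract praises means the session token issued after `verify` succeeds needs the same care as the password did.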