

Abstracts of Recent Articles and Literature
Chloë Palmer
Computers & Security, 20 (2001) 155–160
0167-4048/01$20.00 © 2001 Elsevier Science Ltd

Companies steer towards a safe harbor, Peter Piazza. In order for US companies to do business effectively with people in the EU, they must comply with the US ‘safe harbor’ agreement. This is because personal data in the EU is protected by the EU’s Data Protection Directive, which prohibits the transfer of personal data out of the EU unless it is properly protected. However, few organizations in the US have yet registered their compliance. Becky Richards from TRUSTe said, “You’re going to be leaving yourself open to liability if you’re a global company and you’re not following these information practices.” Once a company registers, it must re-register each year. Any breach of the privacy regulations will result in action by the Federal Trade Commission under unfair and deceptive trade practice regulations. Andrew Shen of the Electronic Privacy Information Center says that the slow up-take is due to the fact that US companies do not understand the importance of the safe harbor agreement. The US Department of Commerce and the EU are likely to re-evaluate the process in the spring. Security Management, February, p. 34.

Identity thefts skyrocket, but less than 1% occur online, Dan Verton. Identity theft in the US is growing, but according to the Federal Trade Commission (FTC), of the 2000 calls received on the identity theft hotline, only 1% can be proven to have a connection to the Internet. Rather, lost purses and the theft of mail are the most common culprits. Even so, the FTC say they are “watching that”, and that they have perceived an increase in Internet-related identity theft. It may be that there are many more incidents that are simply not reported, but the FTC does not hold this view. In industry, “regulation is a dirty word”, according to one victim of the recent theft of data from the Federal Trade Commission. However, although this attack is a good high-profile example of online identity theft, it is likely that self-regulation will continue to be allowed in the privacy space. Computer World, 12 February, p. 7.

Security still up in the air, Tom Zeller. Wireless LAN is becoming a viable networking solution; however, security is still the stumbling block. The 802.11b wireless Ethernet standard works well on the small scale, but it is unclear whether it will scale securely. The task is twofold: only authorized users must access the LAN, while traffic remains shielded from packet sniffers. Controlling access points is fairly straightforward: allow only known Ethernet addresses to access the network. An attacker would have to know an authorized Ethernet address; however, this is not impossible, as many cards have the Media Access Control (MAC) address printed on them (and the address is in any case sent in the clear in every frame, so it can be sniffed and spoofed). Another issue is scalability: the number of addresses which can be stored in an access point is limited. Another layer of security is the use of the Service Set ID (SSID) to require the entry of the network name. This is basically a password, and as such is unlikely to be kept secret. Although 40-bit encryption is available through Wired Equivalent Privacy (WEP), this is not really strong enough, and the key is shared by all users on the same access point. The WEP key can be used as a challenge for the use of an access point in much the same way as a password. Decent 128-bit encryption is available from some major vendors; however, these offerings are invariably proprietary at the moment, making them hard to implement in a large enterprise. Ultimately, this encryption is likely to have to conform, interoperably, to the IEEE 802.1x standard that is currently under development. Network Computing, 5 February, pp. 101–104.

Junior spy scanned secret CSIS records, Andrew Mitrovica. A database containing details of the targets of the Canadian Security Intelligence Service (CSIS) was accessed by an unauthorized person over the course of a year. The access took place between 1990 and 1991 but has only just come to light. A junior intelligence officer, code-named Darkshark, is now known to have been the person who got into the records. Darkshark strongly denies claims that he was a double agent: “I knew I was committing a sin. I knew that, but I also knew I wasn’t working for a foreign power.” Rather, he was bored in his administrative position at CSIS and took to finding out about topics of personal interest, even those secrets marked as ‘need-to-know’. The incident shows a significant failure on the part of CSIS to monitor internal systems in a timely fashion. It also calls into question the ability of Canada’s spy service to safeguard its secrets. Toronto Globe and Mail, 12 February, A7.

Stop! In the name of love. In the last two years, the viral landscape has undergone significant change. While once we worried about boot-sector and executable file infectors, the most common threats are now VBS (Visual Basic Script) and embedded macro viruses. Data exchange has moved to E-mail rather than diskette, and anti-virus scanners have to scan for more diverse file types. There is no shortage of anti-virus vendors, and network administrators must weigh up the relative merits of each in terms of ease and efficiency of use and the amount of time their installation and maintenance is likely to take up. The problem with E-mail attachments is best solved by having real-time scanning anti-virus software sitting on each workstation, because the desktop is the only point at which user-encrypted E-mail can be inspected: a gateway scanner sees only ciphertext. Viruses that target E-mail systems themselves must be dealt with separately. However, ISPs can take a more active role in protecting their customers, enabled by their unique position of being able to monitor global E-mail traffic patterns. The network manager must use the software in conjunction with a responsible programme of user education regarding the dangers of viruses in the corporate environment. Network Computing, 1 January, pp. 30–35.
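As an added illustration of the scanning problem the abstract above describes (this is example code written for this column, not code from the Network Computing article), the routine below is a small mail-gateway attachment triage using only the Python standard library. It flags script attachments of the VBS family, macro-capable Office files, the ‘report.txt.vbs’ double-extension disguise that Windows shows as ‘report.txt’, and it marks encrypted parts as unscannable at the gateway, which is the abstract’s reason for scanning on the desktop. The extension lists, the policy in `verdict()` and the sample message are all constructed assumptions for the demonstration.

```python
"""Added example (not from the Network Computing article): a mail-gateway
attachment triage routine, standard library only. It flags the script
attachments the abstract describes (VBS and friends), macro-capable Office
files, the 'report.txt.vbs' double-extension disguise, and marks encrypted
parts as unscannable at the gateway, which is the abstract's argument for
real-time scanning on the desktop. Extension lists, policy and the sample
message are constructed for the demonstration."""
from email import message_from_string

SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
               "bat", "cmd", "exe", "com", "scr", "pif"}
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
INNOCUOUS_EXTS = {"txt", "jpg", "gif", "pdf", "htm", "html"}

SAMPLE_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached files.
--b1
Content-Type: text/plain; name="report.txt.vbs"
Content-Disposition: attachment; filename="report.txt.vbs"

MsgBox "constructed sample, not malware"
--b1
Content-Type: application/msword; name="budget.doc"
Content-Disposition: attachment; filename="budget.doc"

(binary omitted)
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"

(binary omitted)
--b1--
"""


def classify_name(filename):
    """'script', 'macro', 'disguised' or 'other', from the file name alone.
    Windows hides known extensions, so 'report.txt.vbs' shows as 'report.txt'."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "other"
    last = parts[-1]
    if last in SCRIPT_EXTS and len(parts) >= 3 and parts[-2] in INNOCUOUS_EXTS:
        return "disguised"
    if last in SCRIPT_EXTS:
        return "script"
    if last in MACRO_EXTS:
        return "macro"
    return "other"


def is_encrypted(part):
    """PGP/MIME encrypted parts or S/MIME enveloped (encrypted) data."""
    ctype = part.get_content_type()
    return ctype == "application/pgp-encrypted" or (
        ctype == "application/pkcs7-mime"
        and part.get_param("smime-type") == "enveloped-data")


def triage(raw_message):
    """Walk every MIME part; return (filename, kind) for each attachment."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container, not content
        name = part.get_filename()
        if is_encrypted(part):
            findings.append((name or "(unnamed)", "encrypted"))
        elif name:
            findings.append((name, classify_name(name)))
    return findings


def verdict(findings):
    """Gateway action. Encrypted mail cannot be inspected here, so it is
    handed to the desktop scanner rather than silently delivered."""
    kinds = {kind for _, kind in findings}
    if kinds & {"script", "disguised"}:
        return "block"
    if "encrypted" in kinds:
        return "desktop-scan"
    if "macro" in kinds:
        return "scan-macros"
    return "deliver"


if __name__ == "__main__":
    found = triage(SAMPLE_MESSAGE)
    for name, kind in found:
        print(f"{kind:12} {name}")
    print("verdict:", verdict(found))
```

Run as a script it prints one line per attachment and the gateway verdict for the constructed message, which is ‘block’ because of the disguised script; a real gateway would of course pair this name-based triage with content scanning.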

Getting to grips with Net security, Stuart Pearson. Privacy and security are inextricably linked, and you must ensure both in order to use the Internet safely. Small businesses and home users can protect themselves using a few simple measures, which are particularly necessary as always-on broadband connections become more prevalent. For example, it is a good idea to turn off the ‘print and file sharing’ options on machines running Windows 95/98, because when you are online everyone has access to your shared resources if this option is active. There are two main types of attack: targeted and random. Viruses fall into the second category; you should protect yourself with anti-virus software that you must keep up to date. Trojans are similar to viruses; they are used to control your machine remotely and can be used to make your PC a zombie in a denial-of-service attack. Your anti-virus software should take care of Trojans; however, it is good practice to also use a firewall to block those coming across the Internet. Spyware is similar to Trojans in that it can steal information about you. It is far more insidious, though, as its use is legal as long as a company informs you that it is using it. Companies often make the notice difficult to spot, though. You can opt out of the monitoring, but some software will not work if you do. Another potential worry is the files that are placed on your PC during general use: cookies, history files and attachments. In general, a clean-up program should be used daily to eliminate them. Sensitive data that you need to keep electronically should be encrypted; there are many products on the market which will do this. Although the measures outlined above may slow down the running of your PC, this is a small price to pay for your online security. Internet Magazine, March, pp. 97–101.

TV station blasts hacked smart cards. Satellite TV station DirecTV has hit back at pirates by blasting hacked smart cards on the Sunday of the Superbowl. The station’s spokesperson could not confirm a specific incident, but did say, “We do, from time to time, use electronic countermeasures … Obviously, we want only authorized people to receive our service.” The countermeasure, dubbed ‘Black Sunday’ by the hacker community, was executed by the TV company beaming a logic bomb in parts to the illegitimate cards. The code used to destroy the cards was sent on no fewer than 63 occasions. The counterfeit cards, previously worth hundreds of dollars, have now been “turned … into ice scrapers,” according to one pirate. DirecTV was exploited by pirates for four years, made more vulnerable by the fact that, because it was not licensed to serve Canada, counterfeiting machines were legal there. Network Security, February, p. 1.

Officials take action against security hole, Dan Verton. The Computer Emergency Response Team (CERT) and PGP have issued a simultaneous press release regarding vulnerabilities in BIND. “We don’t often issue press releases. The problem is, we don’t know what the intruders know”, said Shawn Hernan from CERT. The problem is that Domain Name Servers running certain versions of BIND (Berkeley Internet Name Domain) are vulnerable to attack. BIND is used to translate domain names into the numeric IP addresses that machines can understand. CERT decided to disseminate the information regarding a patch for the hole after the realization that the security vulnerabilities affected 80% of all Domain Name Servers. Hernan commented, “The history is unfortunate, in that a lot of people just don’t upgrade … It’s difficult if you’re not really paying attention, to distinguish the insignificant vulnerabilities from the real problems.” A spokesperson from one consulting firm said, “Our greatest vulnerability is still human error or lack of information,” but acknowledged that efforts to keep the security community informed are under way. CERT says it will not be known whether going public has been successful for several months; the usual lead-time for hacker exploitation is between two and nine months. Computer World, 5 February, p. 6.

No credit? No problem! Digital cash made easy, Karen J. Bannan. More than one-third of US citizens do not possess a credit card. This means that one in three Americans do not have access to shopping online. A host of companies offering alternatives to plastic have been popping up since 1994, but only recently have large shopping sites started to take them seriously. Merchants reap the benefits of simpler and cheaper sign-up costs, as well as being able to sell low-cost items (less than $10) whose profit margins would be wiped out by the cost of processing a credit card payment. Alternative or ‘E-cash’ payment systems are dogged by acceptance problems. However, the advantages include reducing the dependency upon credit cards, no interest charges and, best of all, the ability to shop anonymously. This improves the security of a transaction, as credit card details are not exchanged. However, credit card anonymizer services, which generate a one-time-use random number for each site, can achieve the same result. PC World, February, pp. 60–62.

Security at your fingertips — new notebooks offer biometric protection, Jamie Fenton. Biometric authentication is safer than using passwords alone. This is why both Compaq and Acer have released notebooks with built-in fingerprint scanners, fingerprinting being the most advanced of the biometric recognition technologies. To use it, you must first enrol yourself in the computer’s database, which will map the precise nature of your fingerprint over several sessions. The problem is, when you present your finger to log in, it will never be a 100% match: you might scratch the skin, or position it differently on the scanner. If you set the matching threshold too high, you might end up locked out of your own system. Set it too low, and anyone who owns a finger can get in. This sort of technology will help to solve the problem caused by the fact that most people choose bad passwords, for example in situations where a notebook — perhaps full of nuclear secrets, as happened to the Nuclear Emergency Search Team in June 2000 — is stolen (though note that the scanner only guards the login; a thief with the disk in hand can still read it unless the data is encrypted). Fingerprint scans in their current incarnation are not yet quite mature; you need patience and practice to get the authentication on the notebooks working in a satisfactory manner. PC World, March, p. 60.
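The threshold trade-off in the abstract above is easy to see in numbers. The following is an added example written for this column (not code from the PC World article or from either vendor): a matcher is assumed to return a similarity score on a 0–100 scale and the verifier accepts when the score reaches the threshold; the genuine and impostor score samples are constructed, and `threshold_for_max_far()` shows how one would pick the threshold for a notebook whose contents matter more than the owner’s convenience.

```python
"""Added example (not from the PC World article): the accept/reject
trade-off the abstract describes, computed over constructed match scores.
A fingerprint matcher is assumed to return a similarity score and the
verifier accepts when score >= threshold. Raising the threshold lowers
the false accept rate (impostors let in) but raises the false reject
rate (the owner locked out of their own machine)."""

# Constructed scores on a 0-100 scale: genuine = the enrolled user's own
# finger on later attempts; impostor = other people's fingers.
GENUINE = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]
IMPOSTOR = [35, 48, 52, 41, 60, 38, 72, 45, 55, 30]


def error_rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, lo=0, hi=100):
    """(threshold, FAR, FRR) for every integer threshold, lowest first."""
    return [(t, *error_rates(genuine, impostor, t)) for t in range(lo, hi + 1)]


def equal_error_threshold(genuine, impostor):
    """Smallest threshold where FAR and FRR are closest (the equal-error
    point), a common starting point before tuning toward the risk you care about."""
    best_t, best_gap = None, None
    for t, far, frr in sweep(genuine, impostor):
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold that keeps FAR at or below max_far. For a notebook
    full of secrets you choose this way and accept the extra false rejects."""
    for t, far, _ in sweep(genuine, impostor):
        if far <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t in (30, 70, 95):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR))
    print("threshold for FAR <= 0:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these samples a threshold of 30 admits every impostor, 95 locks the owner out nine times in ten, and the equal-error point sits at 70; pushing FAR to zero costs a 10% false-reject rate, which is the “patience and practice” the abstract mentions.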

Opening your E-business perimeter, Brooke Paul. The move from bricks-and-mortar to E-business requires that you let others in to the most sensitive parts of your network. Historically, this had meant a focus upon keeping everyone out; this attitude must shift towards one of enabling business by allowing authorized access from suppliers, customers and partners. At the very start of planning your enterprise you must make operational and implementation plans that include network security as a routine maintenance task. Your security should be ‘defence in depth’, where many overlapping systems work together to keep the bad guys out. These bad guys could be black-hat hackers, but may also be your competitors in the marketplace. You must also make sure that you do not end up as a launch pad in a distributed denial-of-service attack. Of course, if all this is too much then you can outsource your applications to an Application Service Provider, taking care to ensure you negotiate a Service Level Agreement appropriate to the level of security, availability and functionality that your business requires. Network Computing, 8 January, pp. 38–46.

The Internet election? Bill Thompson. The UK’s election, scheduled for 3 May, looms ever closer; however, few amongst the great British public will pause to consider the impact that the ruling party will have on the development of the Internet. The current administration’s failure to manage BT resulted in a delay of two years for broadband technology in the UK. They are also the people responsible for passing the Regulation of Investigatory Powers (RIP) Act. One of the main areas for concern is policy on cybercrime. The European Commission’s directive on cybercrime would make it illegal to possess a hacking tool — even if you’re a consultant or network administrator — or the means to crack copyright-protection encryption. The bad news is that both of the main parties in the UK, Labour and Conservative, are likely to endorse the directive. Other issues include content and regulation (liability in cases of libel is a topical example after the Demon case) and a new Internet police force. Although detailed technical policy does not impress Joe Public, it is predicted that over half of adults in the UK will be online by the summer. So, Internet users should have a voice in electing the issues that make or break the politicians. If this does not happen in time for the 2001 election, it certainly should happen in time for 2006. Internet Magazine, February, pp. 64–68.

Let’s get physical, Robert Moskowitz. The journey towards security begins with a single step, and rather than become daunted by the importance of securing an entire business, maybe we should start at the beginning. It is a good idea to physically secure your servers. Start by assessing the risks involved in each asset: the threat of internal and external theft, the accessibility of screens and keyboards to unauthorized persons, and the security of your portable PCs. Begin by asset-tagging and locking the cupboards in which you keep your computer supplies. Instil a culture of paperwork for all movement of equipment in your company, even laptops. Your security guards, assuming you have them, should be trained in theft awareness; a thief stealing computer equipment from you is likely to display the same body language as one stealing diamonds from a jeweller. Notebook users should be given alarms on their computers and training in how to use them. Taking these most obvious steps in physical security is vital to your business. After all, what use are the best anti-virus, smart cards and firewalls when someone can just walk into your building and take a server? Network Computing, 22 January, p. 53.

Fraud busters, Mathew Schwartz. Even when you are fully ensconced in real-time, secure B2B E-commerce, it is still all about money. In this environment, small mistakes which are overlooked in the automated world have been known to cost millions of dollars. The Association of Certified Fraud Examiners in the US says that most organizations lose about 6% of their revenue to internal and external fraud through suppliers, customers and employees. It is hard to put a figure on the losses, as many businesses try to cover up the fraud that they have suffered. Many businesses have held back on B2B E-commerce because of the lack of electronic counterparts to the paperwork mainstays of traditional business. Many lauded Electronic Data Interchange (EDI) as a solution, but it is limited: you need to use a VPN, one can send only one message at a time, and the start-up costs are prohibitive. Many companies have turned their attention instead to Transaction Delivery Networks (TDNs), which use Public-Key Infrastructure (PKI) to identify both parties and to ensure the non-repudiation of transactions. Peter Millar from LabMorgan, which does work in electronic finance, said, “the ability to commit fraud in those B2B transactions would be very significantly reduced”, with the use of TDNs. Arthur Brieske at Identrus said, “With digital certificates and signatures, it’s easier for you to trace back and get that evidence, and if the evidence isn’t there, it’s easier for you to point the finger at who was negligent.” Gartner Group predicts swift take-up of TDNs because the start-up costs are low and many companies are already in need of such a system. Computerworld, 19 February, pp. 40–41.

Site security patches are ignored, Andy McCue. A hacking group known as the Sm0ked Krew has exploited the websites of Intel, Compaq, the New York Times and Hewlett-Packard. The thing that all of the websites had in common is that they were all running Microsoft IIS 4 on Windows NT 4. This combination is widely known to be vulnerable, and patches have been available since August 2000. However, the companies had not applied the patches and so were exploited by hackers using the popular ‘Unicode’ weakness, in which overlong UTF-8 encodings of ‘/’ and ‘\’ in a requested URL slip past the server’s check for ‘..’ and are then decoded into a directory traversal out of the web root. Chris McNab, a consultant at MIS Corporate Defence, said, “It’s a lesson for companies to be proactive with security and to continually reassess their risks instead of just waiting for a hacker to break in. With someone like Intel, you would expect them to have a dedicated security team to make sure all the latest patches are deployed.” Computing, 22 February, p. 6.
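For administrators who could not patch immediately, the practical question was how to spot the ‘Unicode’ requests in their web logs. The following is an added example for this column, not code from the Computing article or from any of the sites named: it decodes request paths the way the vulnerable IIS did (accepting overlong two-byte UTF-8 such as `%c0%af` for ‘/’ and `%c1%9c` for ‘\’) and flags the traversal that results. The log lines, client addresses and timestamps are constructed; the format assumed is the common log format.

```python
"""Added example (not from the Computing article): detection logic for the
IIS 'Unicode' directory-traversal requests, run over constructed web-server
log lines. IIS 4/5 checked a request path for '..' before decoding overlong
UTF-8, so '..%c0%af..' (an overlong '/') or '..%c1%9c..' (an overlong '\\')
passed the check and was then decoded into a real traversal. The detector
decodes the way the vulnerable server did and reports what it finds.
Log lines, addresses and timestamps are constructed for the demonstration."""
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2001:10:02:11 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234
192.0.2.11 - - [22/Feb/2001:10:02:13 +0000] "GET /index.html HTTP/1.0" 200 5678
192.0.2.12 - - [22/Feb/2001:10:03:01 +0000] "GET /msadc/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.13 - - [22/Feb/2001:10:04:40 +0000] "GET /images/%c0%af.png HTTP/1.0" 200 10
192.0.2.14 - - [22/Feb/2001:10:05:02 +0000] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
"""


def lenient_utf8_decode(data):
    """Decode UTF-8 but also accept overlong two-byte forms (lead byte
    0xC0/0xC1), as the vulnerable IIS did. Returns (text, saw_overlong).
    Detection only: longer sequences become U+FFFD rather than being decoded."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            overlong = overlong or b <= 0xC1   # 0xC0/0xC1 leads are always overlong
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def analyse_request(target):
    """Return (normalized_path, reason) for one request target; reason is
    None when nothing about the path is suspicious."""
    path = target.split("?", 1)[0]
    text, overlong = lenient_utf8_decode(unquote_to_bytes(path))
    normalized = text.replace("\\", "/")
    traversal = ".." in normalized.split("/")
    if overlong and traversal:
        reason = "overlong-traversal"     # the IIS bug being exploited
    elif overlong:
        reason = "overlong-encoding"      # probing, or a broken client
    elif traversal:
        reason = "plain-traversal"        # blocked by IIS, still worth a look
    else:
        reason = None
    return normalized, reason


def alerts(log_text):
    """Scan log lines; return (client, normalized_path, reason) per suspicious line."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        normalized, reason = analyse_request(target)
        if reason:
            found.append((client, normalized, reason))
    return found


if __name__ == "__main__":
    for client, path, reason in alerts(SAMPLE_LOG):
        print(f"{reason:18} {client:12} {path}")
```

Decoding rather than matching on the literal string `%c0%af` matters because any overlong encoding of the separator works equally well; a 200 status on an ‘overlong-traversal’ line is the signal that the server actually served the request.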

We lift the lid on E-crime in the UK, Ian Stobie. A recent survey of 250 readers of Computing showed that 11% had suffered online credit card fraud. One reader said, “Security would have to be much improved before I would consider buying or banking online.” Another said, “Until techniques have been developed to totally foil hackers and fraudsters, and I am happy with the technical solution, I will never submit my credit card details to an Internet bank.” Even so, there was some optimism, in that 65% thought that credit card fraud would be more under control in three years’ time. Almost a quarter of the firms that readers work for had been the target of a denial-of-service attack. The most prolific problem was viruses: 85% had personally experienced an attack and 88% had been hit at work. The mood among respondents was fairly pragmatic: government and organizations should make well-thought-out policy rather than rushing into a knee-jerk reaction to a one-off threat. Computing, 8 February, pp. 47–48.

Author finds ‘hacker ethic’ may have something to offer, Mathew Ingram. The traditional perception of hackers as spotty, long-haired twenty-somethings is one that hackers themselves reject, saying that this is more fittingly applied to malicious hackers, also known as ‘crackers’. In his book, The Hacker Ethic and the Spirit of the Information Age, Professor Himanen of Helsinki University, Finland, argues that hackers have a healthier outlook on life than the traditional Western ‘Protestant work ethic’ espoused by much of society. Himanen says the Protestant ethic states, “Work is a duty and it doesn’t matter what it is or whether you like it as long as it makes you money.” Conversely, the hacker sub-culture runs on earning the esteem of the hacker community, while “You will be at your most creative if you find your work interesting and if you are passionate about doing it.” A former hacker himself, Himanen is now 27, having completed his doctorate at 20, and says that the hacker ethic of valuing passion over finance can be applied to any field of work. He argues that this creative, problem-solving way of thought is responsible for much of the Internet, and that harnessing an individual’s passion is a more productive method of working than the Protestant ethic, where work is seen merely as a duty. Toronto Globe and Mail, 5 February.

Hackers can penetrate wireless network, Jared Sandberg. Researchers at the University of California at Berkeley have discovered vulnerabilities in the 802.11b wireless security algorithm known as WEP (Wired Equivalent Privacy). One researcher said, “We found a number of ways to intercept transmissions and discover what the contents are … We found ways to modify transmissions as they are sent. And we found ways to access the network even if it’s restricted.” One of the weaknesses is within the checksum: because WEP’s integrity check value is a plain CRC-32, which is linear, rather than a keyed message authentication code, the packets and checksum can be altered without detection. Steve Bellovin, a security researcher at AT&T, highlighted the presence of human error in the development of systems: “Some of the mistakes they made are howlers.” Greg Ennis, a former member of the Institute of Electrical and Electronics Engineers (IEEE), the group responsible for developing the 802.11b system, says that WEP “has been known from the start not to be an end-all-be-all security system.” He recommends the use of other security to augment WEP, such as using encryption through a VPN. Ennis also claims that to exploit the vulnerability would require “a significant mounted effort”. Security experts argue that once one person makes this ‘mounted effort’ they could write a script that would then be disseminated to script-kiddies, who could then make an unskilled attack. Cryptographers are angry that they are not consulted before commercial products are sent to market: “During the design process the crypto community wasn’t invited to participate.” Ennis rejects this claim: “It is open to anybody,” he said. Wall Street Journal, 5 February.
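The two WEP abstracts above (Zeller’s, on the shared 40-bit key, and Sandberg’s, on the Berkeley findings) share one worked example here, added for this column and not taken from either article or from the Berkeley researchers’ own code. It is a toy WEP-style frame protector (RC4 keyed with IV and shared key, CRC-32 integrity check value, no 802.11 header or key-index byte) and shows two of the reported weaknesses: a frame can be altered and its checksum repaired without the key, because CRC-32 is linear, and two frames sent under the same IV leak the XOR of their plaintexts. The key, IVs and message bytes are constructed.

```python
"""Added example (not from the Zeller or Sandberg articles): a toy WEP-style
frame protector showing two weaknesses the abstracts describe. The format is
simplified: frame = IV || RC4(IV || shared_key) XOR (plaintext || CRC32).
Keys, IVs and messages below are constructed for the demonstration."""
import zlib


def rc4(key, length):
    """Plain RC4 keystream generator (WEP keys RC4 with IV || shared key)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_bytes(data):
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_protect(shared_key, iv, plaintext):
    """Sender: append the CRC-32 ICV, then XOR with the per-frame keystream."""
    body = plaintext + crc32_bytes(plaintext)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_unprotect(shared_key, frame):
    """Receiver: return the plaintext if the ICV verifies, else None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + shared_key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if crc32_bytes(plaintext) == icv else None


def forge(frame, delta):
    """Attacker: XOR 'delta' into the plaintext of an intercepted frame and
    fix the encrypted ICV without knowing the key. Works because CRC-32 is
    linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length)."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = xor(crc32_bytes(delta), crc32_bytes(bytes(n)))
    return iv + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


def recover_xor_of_plaintexts(frame_a, frame_b):
    """Eavesdropper: two frames under the same IV share a keystream, so the
    XOR of the ciphertexts is the XOR of the plaintexts; one known plaintext
    then reveals the other."""
    assert frame_a[:3] == frame_b[:3], "only works when the IV is reused"
    n = min(len(frame_a), len(frame_b)) - 3 - 4
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])


if __name__ == "__main__":
    key = b"\x13\x37\x42\xab\xcd"            # 40-bit shared key (constructed)
    iv = b"\x00\x00\x01"
    frame = wep_protect(key, iv, b"PAY 0010 TO ALICE")
    delta = xor(b"PAY 0010 TO ALICE", b"PAY 9999 TO ALICE")
    print(wep_unprotect(key, forge(frame, delta)))   # b'PAY 9999 TO ALICE'
    fa = wep_protect(key, iv, b"HELLO ALICE")
    fb = wep_protect(key, iv, b"HELLO BOBBY")
    print(xor(recover_xor_of_plaintexts(fa, fb), b"HELLO ALICE"))  # b'HELLO BOBBY'
```

The forgery needs no key material at all, only the intercepted frame and the change the attacker wants to make; a keyed integrity check (such as the HMAC used in later 802.11 security work, or the VPN Ennis recommends layering on top) is what prevents it. The IV-reuse recovery is why a 24-bit IV space shared by every station on an access point is a problem in itself.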

Small thefts, big trouble, Michael James. Anyone who has used their credit card to shop online should be wary of a new fad for fraud which is sweeping the world. The scam runs on the principle of stealing a small amount, between five and 10 dollars a time, from a large number of cards. The methodology is a real headache for banks and credit card companies, who have spent millions trying to replace the compromised cards. Law enforcement agencies are ill motivated to chase after these crooks, as the small amounts stolen on each occasion have too low a profile to attract their attention. “It’s almost the perfect crime, because no-one is getting too angry,” said a Baltimore attorney. The fraudulent payments which show up on victims’ statements come from a number of companies in Russia. The hackers have been charging cards in Russia, forwarding the funds via the Internet to an account in Slovenia, setting up websites registered to an office in Panama and routing calls through a phone company in California. Victims have come forward from all over the world and are bewildered as to how the hackers obtained their credit card numbers. It seems likely that the hackers hit a credit card transaction clearing house, such as creditcards.com, which had 40 000 numbers stolen in December 2000. One online merchant said, “I don’t see it ever ending. Millions of people are going to be hit with it and it’s going to make a huge mess for the customers and the banks and the police. We’re not going to see any nuclear missiles from those guys. They’re just going to ruin us financially.” Baltimore Sun, 22 January, pp. 1C–6C.
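The scam described above is invisible per card and obvious per merchant, which is what an issuer-side detector should exploit. The following is an added example written for this column (not code from the Baltimore Sun article or any bank): it aggregates a constructed ledger by merchant and flags merchants that bill many distinct cards once each in the five-to-ten-dollar band. The thresholds are toy values for the small sample; a real issuer would set them in the thousands of cards and add time windows.

```python
"""Added example (not from the Baltimore Sun article): issuer-side detection
of the 'many cards, small amounts' pattern the abstract describes. A single
victim sees one odd charge; only the issuer, aggregating by merchant, sees
one merchant billing hundreds of distinct cards a few dollars each, once.
The ledger and thresholds below are constructed for the demonstration."""
from collections import defaultdict

SMALL_MIN, SMALL_MAX = 5.00, 10.00   # the amount band the abstract cites

# Constructed ledger: (merchant_id, card_token, amount_usd)
TRANSACTIONS = [
    ("MERCH-RU-001", "card-0001", 7.95), ("MERCH-RU-001", "card-0002", 8.50),
    ("MERCH-RU-001", "card-0003", 6.25), ("MERCH-RU-001", "card-0004", 9.99),
    ("MERCH-RU-001", "card-0005", 5.75), ("MERCH-RU-001", "card-0006", 7.10),
    ("MERCH-RU-002", "card-0007", 8.00), ("MERCH-RU-002", "card-0008", 6.40),
    ("MERCH-RU-002", "card-0009", 7.25), ("MERCH-RU-002", "card-0010", 9.50),
    ("MERCH-RU-002", "card-0011", 5.10), ("MERCH-RU-002", "card-0012", 6.90),
    ("BOOKSHOP-US", "card-0001", 45.00), ("BOOKSHOP-US", "card-0013", 7.50),
    ("BOOKSHOP-US", "card-0013", 8.00), ("BOOKSHOP-US", "card-0014", 120.00),
    ("COFFEE-US", "card-0015", 6.00), ("COFFEE-US", "card-0015", 6.00),
    ("COFFEE-US", "card-0015", 6.00), ("COFFEE-US", "card-0016", 6.00),
]


def merchant_profile(transactions):
    """Per merchant: distinct cards, distinct cards billed in the small band,
    share of charges in the band, and charges per card (repeat custom)."""
    cards = defaultdict(set)
    small_cards = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])   # [all charges, small charges]
    for merchant, card, amount in transactions:
        cards[merchant].add(card)
        counts[merchant][0] += 1
        if SMALL_MIN <= amount <= SMALL_MAX:
            counts[merchant][1] += 1
            small_cards[merchant].add(card)
    return {
        m: {
            "cards": len(cards[m]),
            "small_cards": len(small_cards[m]),
            "small_share": counts[m][1] / counts[m][0],
            "charges_per_card": counts[m][0] / len(cards[m]),
        }
        for m in cards
    }


def suspicious_merchants(transactions, min_cards=5, min_small_share=0.9,
                         max_charges_per_card=1.2):
    """Merchants billing many distinct cards, almost only in the small band,
    about once each. A coffee shop also bills small amounts, but to the same
    cards repeatedly, which the charges-per-card test lets through."""
    profile = merchant_profile(transactions)
    return sorted(
        m for m, p in profile.items()
        if p["small_cards"] >= min_cards
        and p["small_share"] >= min_small_share
        and p["charges_per_card"] <= max_charges_per_card
    )


def cards_to_reissue(transactions, merchants):
    """Card tokens touched by flagged merchants: the replacement cost the
    abstract says has run to millions."""
    return sorted({card for m, card, _ in transactions if m in merchants})


if __name__ == "__main__":
    flagged = suspicious_merchants(TRANSACTIONS)
    print("flagged merchants:", flagged)
    print("cards to reissue:", cards_to_reissue(TRANSACTIONS, set(flagged)))
```

On the constructed ledger the two Russian-registered merchants are flagged and twelve cards are queued for reissue, while the bookshop (mixed amounts) and the coffee shop (repeat customers) are not.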
