TRANSCRIPT
Computers & Security, Vol. 17, No. 3
The ICSA found that 62% of all firewalls submitted were unable to pass certification on their first attempt. Manual reconfiguration had to be made on 35% of firewalls and 21% needed vendor-created patches; 6% never passed. In testing, the ICSA configures the firewall to support business functions, then a whole host of hacking tools is set upon it. The ICSA posts lab notes for certified products at its Web site (www.icsa.net). InternetWeek, 30 March 1998, p. 9.
PC manager at center of $2m grocery scam, Kim S. Nash. At first, managers at the King Soopers supermarket chain feared that software bugs were causing the huge number of sales 'voids' and other accounting anomalies. It turned out that the problem was PC manager Jay Beaman. The PC manager and two head clerks allegedly stole more than $2 million by manipulating supermarket computer data. It took police more than two years to gather enough evidence to charge the men. The motive existed: all three suspects had filed for personal bankruptcy, and their expensive lifestyles tipped off detectives. King Soopers' 1992-93 migration from outdated Data General hardware and software to IBM PCs may have provided the opportunity for theft. Few managers were familiar with the new system, and so relied heavily on Beaman's PC expertise. Police say that Beaman was able to alter the bar-code pricing system to overcharge customers while the two clerks skimmed the difference from the cash registers. Beaman allegedly rejigged the systems so that the sales were funnelled into a fake inventory category. Beaman's boss acknowledged that he never checked the PC manager's work. Computerworld, 30 March 1998, pp. 1, 24.
Signs point to looser encryption rules, Sharon Machlis. In a move that could make it easier for global companies to employ a single encryption standard, the Clinton administration may be trying to align federal views on encryption export regulations with those of business. A number of signals point to the prospect of more relaxed regulation from Washington: more strong encryption products are finding their way overseas through licences or legal loopholes, the Department of Justice has not sought controls on domestic encryption sales, and Vice President Al Gore has endorsed negotiations towards looser import controls. A number of lobbyists on the issue still remain unconvinced that the administration is ready for change. Opponents of the current encryption export regulations support the Security and Freedom through Encryption (SAFE) bill, which has 250 co-sponsors in the US Congress. Computerworld, 30 March 1998, p. 1.
Senate probes State Department security, Laura DiDio. The US Senate's Government Affairs Committee would like to find out how secure the State Department's computer networks really are. Responding to a recent study released by the US General Accounting Office, which highlights a number of network security breaches suffered by the State Department, Senator Fred Thompson, chairman of the Government Affairs Committee, wants to conduct hearings to find out who hacked into these networks. But the State Department has moved quickly to classify portions of the report as secret, blocking Thompson's efforts, at least temporarily. Computerworld, 30 March 1998, p. 8.
Major hacks raise hackles, spur defenders, Laura DiDio. The recent, highly publicized series of hacking attacks worldwide has given rise to a new industry: consulting practices that field quick-response 'white hat' hacking teams that attack customers' sites and expose security vulnerabilities. Companies such as Price Waterhouse, Coopers & Lybrand, Ernst & Young and IBM are employing 'SWAT teams' to combat rogue activity. Price Waterhouse's Tiger Team has grown from 20 security experts to 200 worldwide. Prudential Insurance Company of America used outside consultants to work over its IT infrastructure to shore up weaknesses. Security experts say that "the most glaring security weaknesses are usually the result of simple human error or not turning on security mechanisms in their operating systems." Computerworld, 30 March 1998, pp. 49-50.
IPSec for communities of interest, Robert Moscowitz. The IETF has been hard at work fine-tuning IPSec, the IP Security protocol standard that provides the means for secure, private conversations between systems and networks on the Internet. The technologies involved allow companies to create private communities of interest without regard for the