Abstracts of Recent Articles and Literature
specifics of the networks involved. IPSec consists of two protocols: the Authentication Header, or AH protocol, and the Encapsulating Security Payload, or ESP protocol. Two authentication and seven encryption algorithms have been defined to date. The authentication algorithms used by AH and ESP are: HMAC-MD5 and HMAC-SHA1. Both are key-based algorithms where session participants share a secret key: 128 bits for MD5 and 160 bits for SHA1. Encryption algorithms are as follows: DES, triple DES, CAST-128, RC5, IDEA, Blowfish and ARCFour. Specifying IPSec algorithms requires a session management protocol covered by ISAKMP (Internet Security Association Key Management Protocol) and Oakley protocol. However, because ISAKMP and Oakley are not designed specifically for IPSec, a domain of interpretation (DOI) is required. Network Computing, 1 April 1998, 102-105.
The revenue men, Martin Warwick and Stewart Wittering. Sophisticated technologies have not beaten telecommunications fraudsters, but have simply made them more cunning and creative. Traditionally, telcos have kept the details and figures of telecoms fraud to themselves. However, BT has gone so far as to say that in one year it lost some $450 million of revenue as a result of ‘security failures’. PBXs are surprisingly easy to compromise and there are many well documented instances of companies falling victim to hackers, who, by scanning successive number ranges, gain access to critical extension codes that permit unlimited international calling. Automatic Call Distributors (ACDs) and Automatic Attendant systems have also been compromised. All PBX manufacturers routinely bundle antifraud measures with their equipment. The latest security technology includes advanced neural network technology that can learn from and be conditioned by the network itself by comparing subscriber profiling with behavioural anomalies that indicate fraud.
Researchers in France have announced an anti-hacking solution which involves the insertion of chaotic fluctuations into fibre-optic cable transmissions. They claim that it is utterly immune to any kind of break-in. Meanwhile, it appears that serious fraudsters are mixing and matching the resources of different telecoms operators to create a melange of cross-technology and cross-service scams. Such crimes are proving very difficult to prosecute. Communications International, May 1998.
Security companies hype up Java risks, Cliff Saran. Companies are being sold unnecessary Java security, leading safety experts are claiming. Security experts say that much of the worry surrounding Java crossing the Internet into corporate networks is unfounded. Security software companies are using the prevalence of Java to sell more products, they say. One analyst suggests that since most users only run Java applets when they use their Web browser to visit a site containing Java, the security risk is non-existent. According to Sun Microsystems' JavaSoft division, the chance of finding a security hole in Java is minimal. Computer Weekly, 9 April 1998, p. 1.
Covering your assets, electronically, Christopher Null. The performance of three of the newest network security and monitoring tools on the market is evaluated. Intrusion Detection Inc.'s Kane Security Analyst (KSA) 4.03 and Kane Security Monitor (KSM) 3.02 are geared toward testing and continuously monitoring security at the NOS level. Trusted Information Systems’ WebStalker-Pro 1.1.1 is intended to create tight security on Web sites and servers. The KSA 4.03 is an inexpensive way to profile Windows NT systems. KSM is a companion tool to KSA that actively monitors the network for security breaches. WebStalker-Pro adds to the firewall line of defence by helping to prevent internal security breaches and providing better alerting capabilities. LAN Times, 27 April 1998, p. 44-45.
Security tools, specs offer more protection, Rutrell Yasin. New technology could offer relief for security managers seeking tools for protecting enterprise networks. The International Computer Security Association has launched TrueSecure, a package of security assurance services to help organizations assess Internet-related vulnerabilities.
The TrueSecure service was developed in response to data compiled in a recent International Computer Security Association (ICSA) survey that showed that security flaws were leaving organizations open to breaches. Meanwhile, RedCreek Communications will work with other network and security vendors to develop specifica-