- Email: [email protected]
Calling in confidence
Abstracts of Recent Articles and Literature
A hacker’s lines of attack, CharlesBabcock. The FBI and computer security experts recently arrested Kevin Mitnick. The Internet is more prone to security problems than a corporate network and online services such as The Well in Sausalito, California, offer more points of entry than mainframes. However, all the telephone lines linking employees working at home, suppliers and outside consultants to a company’s corporate network are not as secure as some people believe. Mitnick is known as a criminal hacker, but it may be more accurate to describe as a ‘phone phreak’. His previous arrest and conviction stemmed from his breaking into Digital’s internal DECnet. To appreciate the hazard posed by skilled hackers, consider the central office switches of the local telephone company as merely specialized computers, with their own software commands and limited safeguards. These computers can be broken into by outsiders who know how to methodically search for the lines that are connected to your computers. Computerworld, March 6, 1995,~. 8. Crash course in ‘net security, Alan Radding.From a security point of view, the Internet falls short in two of the three critical security dimensions.Availability is easy; the Internet has so many paths that availability is never a problem. However, ensuring confidentiality and integrity presents seemingly insurmountable problems. Firewalls, usually part of a router, filter incoming and outgoing messages. They inspect the messages down to packet level and can be set to pass or reject messages on the basis of user identification, point of origin, file and other code or actions. However, firewalls have proved vulnerable. For organizations that want to conduct business over the Internet encryption is essential. But, before a company even gets to the point of firewalls and encryption, it must master the basics of good IT security as well as educate users about the threats. Few organizations have someone solely dedicated to Internet security, but a few more highly publicized attacks may make someone with Internet security skills a hot commodity. Computenvorld, March 6, 1995, p. 90. Calling in confidence, Tony Dennis. As more and more businesses provide their staff with remote access, they open themselves up to new security problems. Call Line Identification (CLI) is emerging as one way of keeping hackers at bay. CL1 is currently generally available in the UK and could provide a vital weapon in the fight against the computer hacker. A number of competitive pressures are forcing businesses to open up their
120
corporate networks for remote access by staff. They all need a simple and flexible means of remote access. Providing access to important sections of the corporate network is a high-risk exercise. With CLI, hackers might have obtained all the necessary passwords but will be barred from access because they are calling in from a telephone number not recognized by the network security system. However, there are still some major gaps in the CL1 service; CL1 is not presented if the caller is still attached to a very old BT exchange. A far more serious problem is presented by the fact that Mercury is currently not passing CLIs &om its system to BT’s. The same applies to cellular networks. It is likely, however, that pressure from the end-users will soon persuade the telephone network operators to change their stance on this question and come to some arrangement with BT over passing CLI. In reality CL1 is useful as an anti-hacking device only if it forms part of an overall security strategy. It should not be viewed as the only protection against hacking, nor should it replace all other anti-intrusion methods. An example of where CL1 might form a use&l part of a secure network access system is with the practice of password call-back via modem, which, it is generally agreed is not entirely secure. With a call-back approach, a network receives a call from a remote PC equipped with a modem. The system accepts the password from the remote PC, drops the line and then dials the number associated with the password it has just received. A skilful hacker could defeat this system by holding open the line after supplying a password. Hence, while the network thinks it is dialling out, the hacker is actually waiting at the other end of the line. Computer Weekly, March 16, 1995, pp. 38-39. Security aspects of card systems, Leo Schuster and Andreas Wagner. The procedures for handling payment transactions have a significant influence on the development of modern economics. The ‘electronic highways’ used for such transactions are often compared with arterial roads in the transportation system and as with them, security is of the highest importance. This article deals with various aspects of security in card systems. ASCOM TechnicalMagazine, l/95,24-28. New computer system causes chaos, Hans Gliss. Twelve hours after being set into operation the brand new computer system “Bar 16”, designed for traffic steering and control of Hamburg’s important station
A hacker’s lines of attack, CharlesBabcock. The FBI and computer security experts recently arrested Kevin Mitnick. The Internet is more prone to security problems than a corporate network and online services such as The Well in Sausalito, California, offer more points of entry than mainframes. However, all the telephone lines linking employees working at home, suppliers and outside consultants to a company’s corporate network are not as secure as some people believe. Mitnick is known as a criminal hacker, but it may be more accurate to describe as a ‘phone phreak’. His previous arrest and conviction stemmed from his breaking into Digital’s internal DECnet. To appreciate the hazard posed by skilled hackers, consider the central office switches of the local telephone company as merely specialized computers, with their own software commands and limited safeguards. These computers can be broken into by outsiders who know how to methodically search for the lines that are connected to your computers. Computerworld, March 6, 1995,~. 8. Crash course in ‘net security, Alan Radding.From a security point of view, the Internet falls short in two of the three critical security dimensions.Availability is easy; the Internet has so many paths that availability is never a problem. However, ensuring confidentiality and integrity presents seemingly insurmountable problems. Firewalls, usually part of a router, filter incoming and outgoing messages. They inspect the messages down to packet level and can be set to pass or reject messages on the basis of user identification, point of origin, file and other code or actions. However, firewalls have proved vulnerable. For organizations that want to conduct business over the Internet encryption is essential. But, before a company even gets to the point of firewalls and encryption, it must master the basics of good IT security as well as educate users about the threats. Few organizations have someone solely dedicated to Internet security, but a few more highly publicized attacks may make someone with Internet security skills a hot commodity. Computenvorld, March 6, 1995, p. 90. Calling in confidence, Tony Dennis. As more and more businesses provide their staff with remote access, they open themselves up to new security problems. Call Line Identification (CLI) is emerging as one way of keeping hackers at bay. CL1 is currently generally available in the UK and could provide a vital weapon in the fight against the computer hacker. A number of competitive pressures are forcing businesses to open up their
120
corporate networks for remote access by staff. They all need a simple and flexible means of remote access. Providing access to important sections of the corporate network is a high-risk exercise. With CLI, hackers might have obtained all the necessary passwords but will be barred from access because they are calling in from a telephone number not recognized by the network security system. However, there are still some major gaps in the CL1 service; CL1 is not presented if the caller is still attached to a very old BT exchange. A far more serious problem is presented by the fact that Mercury is currently not passing CLIs &om its system to BT’s. The same applies to cellular networks. It is likely, however, that pressure from the end-users will soon persuade the telephone network operators to change their stance on this question and come to some arrangement with BT over passing CLI. In reality CL1 is useful as an anti-hacking device only if it forms part of an overall security strategy. It should not be viewed as the only protection against hacking, nor should it replace all other anti-intrusion methods. An example of where CL1 might form a use&l part of a secure network access system is with the practice of password call-back via modem, which, it is generally agreed is not entirely secure. With a call-back approach, a network receives a call from a remote PC equipped with a modem. The system accepts the password from the remote PC, drops the line and then dials the number associated with the password it has just received. A skilful hacker could defeat this system by holding open the line after supplying a password. Hence, while the network thinks it is dialling out, the hacker is actually waiting at the other end of the line. Computer Weekly, March 16, 1995, pp. 38-39. Security aspects of card systems, Leo Schuster and Andreas Wagner. The procedures for handling payment transactions have a significant influence on the development of modern economics. The ‘electronic highways’ used for such transactions are often compared with arterial roads in the transportation system and as with them, security is of the highest importance. This article deals with various aspects of security in card systems. ASCOM TechnicalMagazine, l/95,24-28. New computer system causes chaos, Hans Gliss. Twelve hours after being set into operation the brand new computer system “Bar 16”, designed for traffic steering and control of Hamburg’s important station