E-mail for everyone


June 1994

Computer Fraud & Security Bulletin

privileges. Auditors and business managers from the various operating customers were requesting quality and informative reports which were impossible to produce. There was a requirement to encourage end-user management to more frequently review system accesses by staff. Maintenance of history files had become essential: one operational error had taken three days elapsed time to recover.

Hence the requirement for a third-party MIS utility program for the management, auditing and administration of the RACF systems. Investigations at RACF Guide and discussions with other users with similar problems highlighted the fact that software existed from third-parties that would potentially address the Sun Alliance issues. Two products were evaluated and Consul/RACF was tested and chosen because it was seen to be more efficient and provided more facilities, many of which were seen as invaluable for analysing large RACF databases.

Fred Hoadley, senior security analyst at Sun Alliance, comments, “Since the installation of Consul/RACF we have made enormous savings in terms of CPU time, elapsed time and post-processing times which has generated cost savings in excess of the cost of the product”. These comments were substantiated by Sun Alliance estimates of the annual savings when using Consul/RACF commands to replace just five of the many regularly used IBM and in-house utility programs. When asked about the product training and installation, Hoadley commented, “It was installed in minutes, and within half an hour I was producing complex user-defined reports from the complete RACF database, and became instantly aware of the product’s efficiency.” He continued, “Consul/RACF gives me information quickly providing me with the time to manage the RACF system more effectively. I can now concentrate on the development of RACF for new systems and applications rather than being weighed down with RACF administration.”

The advantages of the Consul product stretch beyond the day-to-day operational security issues at Sun Alliance. It complements the central repository of security-related information. Reports can be tailored to the needs of the auditors, end-user management, administrators and RACF developers. These reports can be run at will against the RACF backup database without impacting other users.

Hoadley concluded, “With Consul/RACF we will fine tune our security system, improve our auditing procedures and encourage end-user management to review accesses frequently by supplying them with meaningful reports.”

©1994 Elsevier Science Ltd

E-MAIL FOR EVERYONE

Monica Snell

The US mail is federally protected against prying eyes, and the contents are considered secure by most letter writers. However, electronic mail does not provide the same guarantee. In the USA, there is no law that states E-mail is private. Many companies, such as Pacific Bell, Federal Express and General Motors have their privacy (or lack thereof) policy posted, although it is not required by law for them to do so. Companies choosing to monitor employee E-mail claim it is company property, and therefore subject to supervision. Paul Allen, Eastman Kodak spokesperson, said of its in-house E-mail system, “It is designed for company business”, and subject to company eyes.

The secret monitoring of E-mail can cause a lot of discord (and lawsuits) within the company. Nissan Motor Corporation has a suit filed against it (currently under appeal) after two employees were fired when a supervisor read unpleasant remarks about herself and the company in their E-mail messages to one another.

Though monitoring E-mail may seem petty, and on a par with snooping, it can help to increase office security. Borland International is now suing a former executive, Gene Wang, and Symantec CEO, Gordon Eubanks because it was found that Wang was passing trade secrets to Symantec.

Though in this case ‘better safe than sorry’ could apply, Borland may be taking their invasion of privacy policy too far. Borland company employees are allowed to search another employee’s desk or elsewhere at any time legally without reason.

A US industry analyst said that there are two ways to look at the problem; one, it is the company’s computer and company time, however, “if big-brother can look at the messages, what’s to prevent anyone else”, including co-workers with no business doing so. Even with a privacy policy, she said that without the proper security, everyone is on an honour code, “a moral position that is unenforceable”.

US VENDOR PUSHES INTERNATIONAL CLIPPER CHIP SCHEME

Wayne Madsen

At the meeting on 23 March 1994 of the Federal Computer System Security and Privacy Advisory Board, representatives of Hewlett-Packard (HP) unveiled an international ‘Clipper-like’ cryptographic key escrow scheme. HP believes that by designing small integrated circuit cards called “National Flag Cards” (NFCs) that can be dropped into special slots on PCMCIA-compatible smartcards called cryptographic units (CUs), the issue of cross-border encryption can be solved. The combined NFCs and CUs could be used in conjunction with a variety of host systems including personal digital assistants, personal computers, workstations, laptops, palmtops, network servers, mainframe computers, network printers and video display units.

Communications using the NFC/CU encryption would conceivably be monitored by a network node known as a Network Security Server (NSS). This node would be developed, owned and operated by government communications intelligence agencies. The NSS would provide encrypted communications with such third-party surveillance services as monitoring agency ‘authentication’, NFC authentication (e.g. a Spanish NFC could not be used in Austria’s telecommunications network), communications security policy enforcement and encryption key distribution and, if required, escrowing.

HP claims its scheme will allow vendors like HP to “provide global information technology products featuring security, while respecting the current problem of various standards groups trying to develop a common cryptographic algorithm that is suitable for international use. HP stated that the cryptographic policies are governed by issues relating to national sovereignty. HP feels that it is unrealistic to expect various national cryptographic policies to be joined together in an international standard. HP feels that its proposed flag cards will allow each nation to establish and maintain its own cryptographic communications to proceed unhindered.

Some European communications vendors are worried about US intentions to export Clipper-type key escrowed technology to Europe. They have seen US Government Clipper chip salesmen from the NSA and the FBI travelling through Europe to sell the surveillance technology to the European Commission and other European countries. NSA representatives have reportedly marketed the Clipper concept to Britain’s Government Communications Headquarters in Cheltenham, while the FBI has sent Clipper promoters to talk to Germany’s Bundeskriminalamt (Federal Criminal Police). Other countries expressing interest in Clipper-type escrowed cryptography include Australia, Canada, France, Italy, the Netherlands, Norway and Singapore.

The US Government laments that American encryption manufacturers will lose business to rival unregulated European escrow encryption system would open the market to American vendors. The HP proposed international crypto card’s drop-in national flag cards could contain various
