Computers & Security, Vol. 17, No. 3

Abstracts of Recent Articles and Literature
The ICSA found that 62% of all firewalls submitted were unable to pass certification on their first attempt. Manual reconfigurations had to be made on 35% of firewalls and 21% needed vendor-created patches; 6% never passed. In testing, the ICSA configures the firewall to support business functions, then sets a whole host of hacking tools upon it. The ICSA posts lab notes for certified products at its Web site (www.icsa.net). InternetWeek, 30 March 1998, p. 9.

PC manager at center of $2m grocery scam, Kim S. Nash. At first, managers at the King Soopers supermarket chain feared that software bugs were causing the huge number of sales 'voids' and other accounting anomalies. It turned out that PC manager Jay Beaman was the problem. The PC manager and two head clerks allegedly stole more than $20 million by manipulating supermarket computer data. It took police more than two years to gather enough evidence to charge the men. The motive existed: all three suspects had filed for personal bankruptcy, and their expensive lifestyles tipped off detectives. King Soopers' 1992-93 migration from outdated Data General hardware and software to IBM PCs may have provided an opportunity for theft: few managers were familiar with the new system, and so relied heavily on Beaman's PC expertise. Police say that Beaman was able to alter the bar-code pricing system to overcharge customers while the two clerks skimmed the difference from cash registers. Beaman allegedly rejigged the systems so that sales were funnelled to a fake inventory category. Beaman's boss acknowledged that he never checked the PC manager's work. Computerworld, 30 March 1998, p. 1, 24.

Signs point to looser encryption rules, Sharon Machlis. In a move that could make it easier for global companies to employ a single encryption standard, the Clinton administration may be trying to align federal views on encryption export regulations with those of business. A number of signals point to the prospect of more relaxed regulation from Washington: more strong encryption products are finding their way overseas through licenses or legal loopholes, the Department of Justice has not sought controls on domestic encryption sales, and Vice President Al Gore has endorsed negotiations towards looser import controls. A number of lobbyists on the issue still remain unconvinced that the administration is ready for change. Opponents of current encryption export regulations support the Security and Freedom through Encryption (SAFE) bill, which has 250 co-sponsors in the US Congress. Computerworld, 30 March 1998, p. 1.

Senate probes State Department security, Laura DiDio. The US Senate's Government Affairs Committee would like to find out how secure the State Department's computer networks really are. Responding to a recent study released by the US General Accounting Office, which highlights a number of network security breaches suffered by the State Department, Senator Fred Thompson, chairman of the Government Affairs Committee, wants to conduct hearings to find out who hacked into these networks. But the State Department has moved quickly to classify portions of the report as secret, blocking Thompson's efforts, at least temporarily. Computerworld, 30 March 1998, p. 8.

Major hacks raise hackles, spur defenders, Laura DiDio. The recent, highly publicized series of hacking attacks worldwide has given rise to a new industry: consulting practices that field quick-response 'white hat' hacking teams that attack customers' sites and expose security vulnerabilities. Companies such as Price Waterhouse, Coopers & Lybrand, Ernst & Young and IBM are employing 'SWAT teams' to combat rogue activity. Price Waterhouse's Tiger Team has grown from 20 security experts to 200 worldwide. Prudential Insurance Company of America used outside consultants to work over its IT infrastructure to shore up weaknesses. Security experts say that "the most glaring security weaknesses are usually the result of simple human error or not turning on security mechanisms in their operating systems." Computerworld, 30 March 1998, p. 49-50.
IPSec for communities of interest, Robert Moskowitz. The IETF has been hard at work fine-tuning IPSec, the IP Security protocol standard that provides the means for secure, private conversations between systems and networks on the Internet. The technologies involved allow companies to create private communities of interest without regard for the specifics of the networks involved. IPSec consists of two protocols: the Authentication Header, or AH protocol, and the Encapsulating Security Payload, or ESP protocol. Two authentication and seven encryption algorithms have been defined to date. The authentication algorithms used by AH and ESP are HMAC-MD5 and HMAC-SHA1. Both are key-based algorithms in which session participants share a secret key: 128 bits for MD5 and 160 bits for SHA1. The encryption algorithms are DES, triple DES, CAST-128, RC5, IDEA, Blowfish and ARCFour. Specifying IPSec algorithms requires a session management protocol, covered by ISAKMP (Internet Security Association Key Management Protocol) and the Oakley protocol. However, because ISAKMP and Oakley are not designed specifically for IPSec, a domain of interpretation (DOI) is required. Network Computing, 1 April 1998, p. 102-105.

The revenue men, Martin Warwick and Stewart Wittering. Sophisticated technologies have not beaten telecommunications fraudsters, but have simply made them more cunning and creative. Traditionally, telcos have kept the details and figures of telecoms fraud to themselves. However, BT has gone so far as to say that in one year it lost some $450 million of revenue as a result of 'security failures'. PBXs are surprisingly easy to compromise and there are many well-documented instances of companies falling victim to hackers who, by scanning successive number ranges, gain access to critical extension codes that permit unlimited international calling. Automatic Call Distributors (ACDs) and Automatic Attendant systems have also been compromised. All PBX manufacturers routinely bundle anti-fraud measures with their equipment. The latest security technology includes advanced neural network technology that can learn from and be conditioned by the network itself, comparing subscriber profiles with behavioural anomalies that indicate fraud.
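The keyed-ICV step that the IPSec abstract above attributes to AH and ESP, as an added example that is not code from the article or from any IETF implementation: HMAC-MD5 and HMAC-SHA1 with the 128-bit and 160-bit shared keys the abstract gives, computed over a simplified AH header and payload and checked in constant time. The 96-bit ICV truncation follows RFC 2403/2404, and the outer IP header fields that real AH also authenticates are omitted here as a stated simplification.

```python
import hmac
import hashlib
import struct

# Added illustration, not code from the article: HMAC-MD5 and HMAC-SHA-1 as the
# keyed ICV algorithms of AH/ESP. Key sizes follow the abstract (128 bits for
# MD5, 160 bits for SHA-1); truncating the ICV to 96 bits is the RFC 2403/2404
# rule. The AH layout here is simplified: the immutable outer-IP-header fields
# that real AH also authenticates are left out (assumption for brevity).
ALGORITHMS = {
    "hmac-md5": (hashlib.md5, 16),    # 128-bit shared key
    "hmac-sha1": (hashlib.sha1, 20),  # 160-bit shared key
}
ICV_LEN = 12                          # 96-bit truncated ICV on the wire
AH_FIXED = struct.Struct("!BBHII")    # next hdr, payload len, reserved, SPI, seq

def compute_icv(alg, key, data):
    """Keyed ICV over data; rejects keys of the wrong size for the algorithm."""
    digest, key_len = ALGORITHMS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} needs a {key_len * 8}-bit key, got {len(key) * 8}")
    return hmac.new(key, data, digest).digest()[:ICV_LEN]

def ah_protect(alg, key, spi, seq, payload, next_header=6):
    """Build AH header + payload; the ICV is computed with its own field zeroed."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    icv = compute_icv(alg, key, fixed + b"\x00" * ICV_LEN + payload)
    return fixed + icv + payload

def ah_verify(alg, key, packet):
    """Recompute the ICV over the packet with the ICV field zeroed and compare
    in constant time; any change to header, sequence number or payload fails."""
    if len(packet) < AH_FIXED.size + ICV_LEN:
        return False
    fixed = packet[:AH_FIXED.size]
    received = packet[AH_FIXED.size:AH_FIXED.size + ICV_LEN]
    payload = packet[AH_FIXED.size + ICV_LEN:]
    expected = compute_icv(alg, key, fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    # Constructed sample: a 160-bit key and a short TCP-like payload
    key = bytes(range(20))
    pkt = ah_protect("hmac-sha1", key, spi=0x1000, seq=1, payload=b"GET / HTTP/1.0\r\n")
    print(ah_verify("hmac-sha1", key, pkt))                 # True
    print(ah_verify("hmac-sha1", key, pkt[:-1] + b"!"))     # False: payload tampered
```

Because the sequence number sits inside the authenticated bytes, a replayed packet with an altered counter fails the check just as a modified payload does.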
Researchers in France have announced an anti-hacking solution which involves the insertion of chaotic fluctuations into fibre-optic cable transmissions. They claim that it is utterly immune to any kind of break-in. Meanwhile, it appears that serious fraudsters are mixing and matching the resources of different telecoms operators to create a melange of cross-technology and cross-service scams. Such crimes are proving very difficult to prosecute. Communications International, May 1998.
Security companies hype up Java risks, Cliff Saran. Companies are being sold unnecessary Java security, leading safety experts claim. Security experts say that much of the worry surrounding Java crossing the Internet into corporate networks is unfounded. Security software companies are using the prevalence of Java to sell more products, they say. One analyst suggests that since most users only run Java applets when they use their Web browser to visit a site containing Java, the security risk is non-existent. According to Sun Microsystems' JavaSoft division, the chance of finding a security hole in Java is minimal. Computer Weekly, 9 April 1998, p. 1.

Covering your assets, electronically, Christopher Null. The performance of three of the newest network security and monitoring tools on the market is evaluated. Intrusion Detection Inc.'s Kane Security Analyst (KSA) 4.03 and Kane Security Monitor (KSM) 3.02 are geared toward testing and continuously monitoring security at the NOS level. Trusted Information Systems' WebStalker-Pro 1.1.1 is intended to create tight security on Web sites and servers. KSA 4.03 is an inexpensive way to profile Windows NT systems. KSM is a companion tool to KSA that actively monitors the network for security breaches. WebStalker-Pro adds to the firewall line of defence by helping to prevent internal security breaches and providing better alerting capabilities. LAN Times, 27 April 1998, p. 44-45.

Security tools, specs offer more protection, Rutrell Yasin. New technology could offer relief for security managers seeking tools for protecting enterprise networks. The International Computer Security Association (ICSA) has launched TrueSecure, a package of security assurance services to help organizations assess Internet-related vulnerabilities. The TrueSecure service was developed in response to data compiled in a recent ICSA survey that showed that security flaws were leaving organizations open to breaches. Meanwhile, RedCreek Communications will work with other network and security vendors to develop specifica-