- Email: [email protected]
IS managers beware! OLE may open the door to hackers
February
1994
Computer Fraud & Security Bulletin
would amend the Export Administration Act to reduce existing controls and bureaucratic red tape on the export of software products containing encryption mechanisms. According to
“Cryptography is on the irreducible list”. Apparently the NSA feels that cryptography should never come off the export control list. According to Walker, the NSA also feels that
Cantwell, the worldwide market for cryptographic software is growing rapidly and American companies must be allowed to meet the demand. She feels that her proposed legislation is needed
cryptography discussions must not take place in meetings outside the Department of Defense, meaning that representatives from other Federal agencies and industry should be shut out of
to ensure that American critical international
encryption export policy meetings altogether. The NSA is worried that industry could put forth evidence that the Government may take out of context.
companies do not lose markets to foreign
competitors. According to some estimates, around 200 software and hardware products for text, file and data encryption are available from 33 countries including Denmark, Germany, Israel, the Netherlands, Russia, Switzerland and the UK. Of the 200 products, 123 employ the Data Encryption Standard (DES). Some encryption products from Russia use the Government Standard of the USSR (GOST) 28147-89, the Russian equivalent of DES. Cantwell said that her legislation would not interfere with the Government’s ability to control exports to terrorist nations such as Iran, North Korea or Libya. “On the other hand”, she said, “current controls on American software do not prevent anyone from obtaining cryptographic software.” “Much of this is ordinary shrink-wrapped software”, Cantwell said, “the kind millions of people buy every day for their home and business computers at regular retail outlets. International consumers who cannot purchase American computers systems and software programs with encryption features don’t do without, they just buy those products elsewhere. They are concerned with protecting their privacy and keeping their businesses secure.” Although Cantwell said that she is determined to bring the issue from behind closed doors into the light of public debate, she may find that goal difficult. In a prepared statement to the Computer System Security and Privacy Advisory Board, Steve Walker of Trusted Information Systems asserted that the National Security Agency (NSA) has gone on record in stating that
There
is some
evidence
that the Clinton
administration may be considering amending encryption export controls on its own. According to some industry and Government sources, the White House may have secretly cut a deal with the software industry to permit more liberal exports of encryption software in return for the software industry’s cooperation on the proposed key-escrow encryption standard (Clipper/ Skipjack/Capstone). Some civil libertarians complain that such an arrangement, while increasing the profit margins for American software companies, would decrease the amount of privacy Americans could expect when using domestic encryption software employing the key-escrow
standard.
IS MANAGERS BE AWARE! OLE MAY OPEN THE DOOR TO HACKERS Brian Riggs IS departments may be opening a door to hackers by using object-oriented technology for their LANs. By using technologies such as Microsoft’s Object Linking and Embedding, it creates a back-door for hackers to enter and embed viruses and worms. According to Joel Diamond, technical director for the Windows User Group Network, the best thing that IS directors can do is to be informed that this type of situation may creep up at any time. Educating users may be another option as well. “If a company uses software applications
01994
Elsevier Science Ltd
that
7
February
Computer Fraud & Security Bulletin
are compliant with the OLE 1 .O specification, and a user is an OLE 1.0 client, when the user packages data, it can be an executable object that can wreak havoc wherever it ends up”, Diamond explained.
l
l
The basic problem is that when an object is posted, the user calling up the file with the embedded object has no idea whether it contains a destructive command such as delete *.*. or merely a simple document. Diamond said that he learned of this situation from within the Windows User Group Network. He also mentioned OLE may not be causing problems on a broad level since OLE 1 .O is not yet used to that extent. However, as more users begin implementing such programs as Microsoft Office 4.0, the intricacies of OLE will become better known. “It is very difficult to control and there is no real protection against it happening”, Diamond said. Microsoft officials said that they are studying the issue and considering whether to write utilities to address OLE security. In the meantime, the company recommends that IS managers may want to disable certain OLE features on client desktops, including the Packager utility for embedding objects.
DATA MATCHING IN MOST CASES
NOT JUSTIFIED
Wayne Madsen The US General
Accounting
Office (GAO)
has released a report to Representative, Gary Condit (Democrat of California) criticizing numerous Federal agencies for not abiding by the terms of the Computer Matching and Privacy Protection Act (CMPPA) of 1988. The Act, designed to ensure cost justification for computer matching and preservation of individual privacy, became effective on 1 January 1990. The Act requires:
l
The privacy of data in computer protected;
matches be
l
1994
Federal agencies to complete cost-benefit analyses on all computer matches and report annually on findings; Federal agencies to establish Data Integrity Boards to approve and review computer matches; The
Office
of Management
(OMB) to develop guidelines for computer matches. Computer
and
Budget
and regulations
matching
Computer matching identifies any irregularities in two or more personal data files. Data comparisons involve the matching of names, Social Security numbers, addresses and other personal identifiers. Matching can establish or verify applicant and recipient eligibility for federal benefits programmes and recover overpayments, incorrect payments or delinquent debts from such benefits programmes. In an era of slim budgets and cut-backs on entitlement programmes, computer matching has been promoted as one way to limit fraud, waste and abuse. Privacy advocates fear that computer matching erodes individual privacy rights, especially when such matching is conducted without any real cost savings to the Government. Compliance The GAO discovered that Data Integrity Boards never cancelled a computer matching program. In one case, the Department of Justice Data Integrity Board temporarily suspended a matching program between the Immigration and Naturalization Service (INS) and the Massachusetts Department of Employment and Training because certain administrative procedures had not been met. The matching program was subsequently approved. GAO cited most Data Integrity Boards for acting as de facto rubber stamp bodies on an ad hoc basis to approve every proposed computer matching program. Furthermore, GAO found that the OMB had failed to issue specific guidelines and regulations to Federal agencies conducting computer matches.
01994
Elsevier Science Ltd
1994
Computer Fraud & Security Bulletin
would amend the Export Administration Act to reduce existing controls and bureaucratic red tape on the export of software products containing encryption mechanisms. According to
“Cryptography is on the irreducible list”. Apparently the NSA feels that cryptography should never come off the export control list. According to Walker, the NSA also feels that
Cantwell, the worldwide market for cryptographic software is growing rapidly and American companies must be allowed to meet the demand. She feels that her proposed legislation is needed
cryptography discussions must not take place in meetings outside the Department of Defense, meaning that representatives from other Federal agencies and industry should be shut out of
to ensure that American critical international
encryption export policy meetings altogether. The NSA is worried that industry could put forth evidence that the Government may take out of context.
companies do not lose markets to foreign
competitors. According to some estimates, around 200 software and hardware products for text, file and data encryption are available from 33 countries including Denmark, Germany, Israel, the Netherlands, Russia, Switzerland and the UK. Of the 200 products, 123 employ the Data Encryption Standard (DES). Some encryption products from Russia use the Government Standard of the USSR (GOST) 28147-89, the Russian equivalent of DES. Cantwell said that her legislation would not interfere with the Government’s ability to control exports to terrorist nations such as Iran, North Korea or Libya. “On the other hand”, she said, “current controls on American software do not prevent anyone from obtaining cryptographic software.” “Much of this is ordinary shrink-wrapped software”, Cantwell said, “the kind millions of people buy every day for their home and business computers at regular retail outlets. International consumers who cannot purchase American computers systems and software programs with encryption features don’t do without, they just buy those products elsewhere. They are concerned with protecting their privacy and keeping their businesses secure.” Although Cantwell said that she is determined to bring the issue from behind closed doors into the light of public debate, she may find that goal difficult. In a prepared statement to the Computer System Security and Privacy Advisory Board, Steve Walker of Trusted Information Systems asserted that the National Security Agency (NSA) has gone on record in stating that
There
is some
evidence
that the Clinton
administration may be considering amending encryption export controls on its own. According to some industry and Government sources, the White House may have secretly cut a deal with the software industry to permit more liberal exports of encryption software in return for the software industry’s cooperation on the proposed key-escrow encryption standard (Clipper/ Skipjack/Capstone). Some civil libertarians complain that such an arrangement, while increasing the profit margins for American software companies, would decrease the amount of privacy Americans could expect when using domestic encryption software employing the key-escrow
standard.
IS MANAGERS BE AWARE! OLE MAY OPEN THE DOOR TO HACKERS Brian Riggs IS departments may be opening a door to hackers by using object-oriented technology for their LANs. By using technologies such as Microsoft’s Object Linking and Embedding, it creates a back-door for hackers to enter and embed viruses and worms. According to Joel Diamond, technical director for the Windows User Group Network, the best thing that IS directors can do is to be informed that this type of situation may creep up at any time. Educating users may be another option as well. “If a company uses software applications
01994
Elsevier Science Ltd
that
7
February
Computer Fraud & Security Bulletin
are compliant with the OLE 1 .O specification, and a user is an OLE 1.0 client, when the user packages data, it can be an executable object that can wreak havoc wherever it ends up”, Diamond explained.
l
l
The basic problem is that when an object is posted, the user calling up the file with the embedded object has no idea whether it contains a destructive command such as delete *.*. or merely a simple document. Diamond said that he learned of this situation from within the Windows User Group Network. He also mentioned OLE may not be causing problems on a broad level since OLE 1 .O is not yet used to that extent. However, as more users begin implementing such programs as Microsoft Office 4.0, the intricacies of OLE will become better known. “It is very difficult to control and there is no real protection against it happening”, Diamond said. Microsoft officials said that they are studying the issue and considering whether to write utilities to address OLE security. In the meantime, the company recommends that IS managers may want to disable certain OLE features on client desktops, including the Packager utility for embedding objects.
DATA MATCHING IN MOST CASES
NOT JUSTIFIED
Wayne Madsen The US General
Accounting
Office (GAO)
has released a report to Representative, Gary Condit (Democrat of California) criticizing numerous Federal agencies for not abiding by the terms of the Computer Matching and Privacy Protection Act (CMPPA) of 1988. The Act, designed to ensure cost justification for computer matching and preservation of individual privacy, became effective on 1 January 1990. The Act requires:
l
The privacy of data in computer protected;
matches be
l
1994
Federal agencies to complete cost-benefit analyses on all computer matches and report annually on findings; Federal agencies to establish Data Integrity Boards to approve and review computer matches; The
Office
of Management
(OMB) to develop guidelines for computer matches. Computer
and
Budget
and regulations
matching
Computer matching identifies any irregularities in two or more personal data files. Data comparisons involve the matching of names, Social Security numbers, addresses and other personal identifiers. Matching can establish or verify applicant and recipient eligibility for federal benefits programmes and recover overpayments, incorrect payments or delinquent debts from such benefits programmes. In an era of slim budgets and cut-backs on entitlement programmes, computer matching has been promoted as one way to limit fraud, waste and abuse. Privacy advocates fear that computer matching erodes individual privacy rights, especially when such matching is conducted without any real cost savings to the Government. Compliance The GAO discovered that Data Integrity Boards never cancelled a computer matching program. In one case, the Department of Justice Data Integrity Board temporarily suspended a matching program between the Immigration and Naturalization Service (INS) and the Massachusetts Department of Employment and Training because certain administrative procedures had not been met. The matching program was subsequently approved. GAO cited most Data Integrity Boards for acting as de facto rubber stamp bodies on an ad hoc basis to approve every proposed computer matching program. Furthermore, GAO found that the OMB had failed to issue specific guidelines and regulations to Federal agencies conducting computer matches.
01994
Elsevier Science Ltd