SECURITY REPORTS

Note: Software products incorporating the proposed criteria methods other than key escrow encryption methods will be evaluated for export on the basis of each encryption method included, as is already the case with existing products. Accordingly, these criteria apply only to the key escrow encryption method and not to other non-escrowed encryption methods it may incorporate. For instance, non-escrowed encryption using a key length of 40 bits or less will continue to be exportable under existing export regulations.

Several industry representatives criticized the proposed criteria for not being realistic in a robust world marketplace demanding adherence to current conditions involving telecommunications and software innovations, the fiduciary responsibilities of corporations, an increase in economic intelligence gathering by governments, and the needs of political, social, and human rights organizations. Some members of industry complained that the administration did not present the vendor community with requirements but merely a set of technical specifications.

A representative of Sun Microsystems flatly stated that he and other vendors have been bluntly told by European customers that they would not, under any circumstances, use encryption products that “would allow NSA [the US National Security Agency] to spy on them”. Other industry attendees stated that they felt Criteria number 9 to be an attempt to ‘back door’ the mandatory use of escrowed encryption products within the United States. If, for example, a software company were to produce 10 million copies of dual domestic use/export software programs containing exportable encryption, all 10 million encryption keys would have to be escrowed in some fashion regardless of whether the programs were used internationally or domestically.
Some administration representatives claimed that such an arrangement was necessary in the event that a foreign government with which the United States had a formal bilateral agreement had to decrypt the messages or files of an American citizen or resident who was under investigation by another country’s law enforcement or intelligence service.
One former senior US government official claimed the issue of bilateral agreements had held up the announcement of the cryptographic escrow initiative for nearly a year. But the announcement by Spyrus Inc., the major manufacturer of the NSA-developed Fortezza escrowed encryption PCMCIA card, that it had signed contracts with several foreign companies to use the card seems to indicate the bilateral agreement issue had been overcome in a few cases. The countries involved in the export of Fortezza include the UK, Australia, Germany, Israel, Ireland and Switzerland.

Government participants at the NIST workshop included representatives from NIST, NSA, the Department of Justice, the Department of Commerce, the National Security Council (NSC) and the Department of State. Corporations represented included IBM, EDS, Sun, Hewlett Packard, National Semiconductor, Computer Sciences Corp. (CSC), Microsoft, MCI, AT&T and Oracle. Industry associations included the Software Publishers’ Association, the Business Software Alliance and the American Bankers’ Association. Public advocacy groups in attendance included the Electronic Privacy Information Center (EPIC), the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and Voters’ Telecom Watch.

Computer Fraud & Security © 1995 Elsevier Science Ltd
October 1995
NetWare 4 Receives High Marks for Security
Erin English

Novell Inc. is well on its way to becoming the first company to receive a prestigious Class C2 security rating for a general purpose operating system. The rating, formally known as “Trusted Network Interpretation Class C2”, is offered by the National Computer Security Center, a subsidiary of the National Security Agency. Novell’s NetWare 4.1 has reached the formal examination stages by the NCSC, and the company hopes testing will be complete in six months to a year.

In the past, the NCSC simply rated standalone workstations on security, not components as they function in a network. Essentially the entire architecture of NetWare 4.1 is being judged: the client and server components as well as the entire network. The security of the data and file system, and the authentication log-in process, are some of the features undergoing judgement. C2 gives more of a “real world” evaluation of a company’s wares, said David Clare, product line manager for NetWare core services. Though Clare claims that NetWare 4.1 is secure even without C2, the rating further assures users that multiple third-party products are able to plug into a “secure, trusted computing environment.”

As companies’ networks become more entwined with the ‘global network’, it is becoming more important to be confident of security at a local level. “If you were to do a standalone workstation evaluation, once you stick in a NIC, you’ve invalidated that rating”, Clare said.

The C2 rating, Clare said, will be another “checklist” item for users when they are making a NOS purchase decision. “The real customer value is when people make a purchase decision [and see the C2 rating] is that it makes them feel warm and fuzzy inside”, Clare said. “But it’s not a make or break decision.”

Viruses Get a Day of Their Own
Chris Bucholtz

To emphasize the need for users to protect their computers against viruses, a group of US security software producers and online groups launched a 20-day anti-virus campaign beginning with ‘Virus Awareness Day’ on September 8. The national event, sponsored by anti-virus product developer members of the National Computer Security Association, included a toll-free phone-in support service to help remedy user problems, an assortment of trial copies of security applications that could be downloaded from CompuServe, and online forums intended to educate users about how viruses work, what sort of damage they can do and how to avoid them.

The effort came at a time when viruses were beginning to creep back into the news. While the Microsoft Word Macro virus captured front-page headlines, other viruses are more common and much easier to contract. Symantec, which makes the Norton AntiVirus family of software, reported that Monkey is the most prevalent virus, followed by Form, Stealth.B, AntiEXE, Michelangelo, Stoned, Satan Bug Natas, V-Sign, NoInt and NYB.

The company said that, regardless of which company’s product they use, users need to update their anti-virus software frequently, because the proliferation of viruses means that after three months most anti-virus software can intercept and destroy only 60-70% of viruses.

Peter Tippett, president of the NCSA, said that since 1992, when the Michelangelo virus first put the fear of viruses into the public, the pesky programs have exploded in number. “The problem is three times worse than when Michelangelo came around”, Tippett said. “We can now say there are 6000 different computer viruses. Five years ago, there were less than 100.” Tippett estimated that destructive viruses will cost corporate America over $1 billion in damage and lost time in 1995.
Cisco Adds Security Features to Network System
Chris Bucholtz

Cisco Systems has introduced a new internetworking operating system with security features that the company says will help prevent tampering with networks. Cisco’s Internetworking Operating System (IOS), which went on the market in September, will include new firewalls, encryption, access management, route authentication and IP access control list violation logging to provide protection to network data and keep track of those who attempt to misuse the network.