Pstt! Security designed for your eyes only


Computers & Security, 15 (1996) 317-322

Abstracts of Recent Articles and Literature
Helen Meyer

Security risk or security solution?, Tom Dawn. Java applets are potentially a serious security threat, and one which applies to any computer network with access to the Internet. People may well expose themselves to the risks without realizing what they are doing. Applets downloaded from the Web are programs that will run on a client computer, and Java is cross-platform, so the problems could affect almost any Web client. This is the source of the potential security threat: an untrusted program running on a computer on a company network, inside the company's firewall. In fact, firewalls cannot keep applets out. There are a number of restrictions on what applets can do, but academics have uncovered one security hole after another in Java. The most common type of hostile applet, or 'craplet', is a resource-consuming one. This simply hogs machine cycles, slowing the computer down, or delaying other applets, until the user shuts down the browser. More serious problems have allowed applets to inspect or alter files on the client system, and run native code. Another early flaw was a 'DNS spoofing' bug that allowed applets to connect to servers inside their own firewall, a real danger for security. Ultimately, applet security is a balance between making them secure and retaining their function. Adding more functions to Java in the future will increase the risk of new security loopholes. Java is not the easiest path for hostile programs. Hypertext markup language pages can as easily contain hostile embedded spreadsheet or word processing macros which can wreak havoc. Computer Weekly, August 1, 1996, pp. 30-31.

0167-4048/96/$15.00 © 1996, Elsevier Science Ltd

Web developers face security quandary, Frank Hayes. Developers of WWW-based applications must decide between two radically different approaches to security when they use components based on Microsoft Corp.'s ActiveX or applets that incorporate Sun Microsystems Inc.'s Java. To protect users of ActiveX components, developers can register a 'digital signature' that can be added to each component. The signature system allows Web browsers to confirm the source and integrity of a component before it runs on a user's machine. Sun's Java allows any applet to run on a user's machine but prevents it from gaining access to a user's files and other resources. Both security approaches have been criticized by independent security researchers, who have turned up a succession of holes in Java's security blanket. Users can turn off ActiveX's security checks and allow any ActiveX component to run, including those without any digital signatures. In the end, users may have to depend on their own ability as much as ActiveX or Java security schemes to protect data. Computerworld, July 29, 1996, p. 52.

Pstt! Security designed for your eyes only, Kiran Mowa. Encryption is necessary for ensuring data confidentiality between parties. Whether you're exchanging confidential data over your corporate network or the Internet, Symantec's Your Eyes Only provides an industrial-strength encryption product for Windows 95. Your Eyes Only uses five different types of secret key encryption algorithms: DES (56 bits), Triple DES (effectively 112 bits), RC4 (128 bits), RC5 (128 bits) and Blowfish (128 bits). Even the shortest key suffices for most internal confidentiality needs. To facilitate the exchange of the secret key, the product first encrypts the data with a unique and random secret key, the length of which depends on the selected encryption algorithm. The secret key is then encrypted with the receiver's public key. When the data reaches the receiver, the secret key is decrypted using the receiver's private key, and then the data is decrypted using the secret key. With the Administrator version you can designate any folder on the hard drive as a SmartLock folder. Files already existing in this folder, and any new files added to this directory, are automatically encrypted. If you try to access one of these files, it is automatically decrypted and presented to you. If another user tries to access this file and has not logged into the product at boot up, then the file appears as garbage data and the application trying to access the file will report an error. Network Computing, July 15, 1996, pp. 54, 56.

Net server to secure smaller offices, Brian Riggr. PC-based access hardware typically lacks security, and the robust firewall software in high-end servers tends to be too costly for small businesses and branch offices. AbhiWeb's AbhiWeb Firewall Server (AFS) 2000 is targeted at small to mid-sized companies and branch offices of large corporations that are looking for inexpensive yet secure Internet access. The unit's application-level firewall proxy supports the WWW, FTP, telnet, newsgroups and gopher database searches. A telecommuter module lets remote users dial in via analogue or ISDN connections and supports Password Authentication Protocol/Challenge Handshake Authentication Protocol and password authentication. LAN Times, July 22, 1996, pp. 7, 10.

Servers get single sign-on, Claudia Graziano. To help simplify the task of tracking and securing users' access rights across heterogeneous LANs, several makers of server administration utilities are shipping new or updated products that aim to provide single sign-on to server resources. ICL began shipping AccessManager for Windows 95 and NT. This product is designed to automate logon to distributed applications in a multiserver environment. It uses role-based access control to enhance security and reduce administration costs. Axent Technologies and CKS North America are both releasing single sign-on tools later this year that provide user identification and authentication across a range of platforms. Both Axent's OmniGuard/Enterprise SignOn and CKS' MyNet work by establishing a distributed security directory for mapping users' passwords and identification information. Instead of logging in to multiple servers to gain access to applications and resources, users log in to a central security server and are authenticated once. LAN Times, July 22, 1996, pp. 25, 28.

In the 'net shall we trust, Gary Anthes. Electronic commerce won't take off without a security infrastructure to protect users, but vendors have been slow to invest in a security foundation because there is so little commercial activity to support it. NIST has announced a research and development partnership with 10 companies involved in communications, electronic commerce and information security. The partners will develop interoperability standards for public-key infrastructures (PKI) that will let users who may not have met confidently exchange digitally signed documents. PKIs are built on trusted 'certification authorities' that digitally sign public keys to attest to their authenticity. The NIST partners will develop a minimum interoperability specification for PKIs, which will be given to anyone building a PKI component. NIST will develop the interoperability specification and will build a prototype and a reference test suite based on it. The national PKI will allow government agencies to share information securely and enable the public to securely access government services. Computerworld, July 29, 1996, pp. 59-61.

White House launches cybershield, Gary Anthes. President Clinton has launched an effort to defend the nation's vital information systems from attack. The newly created President's Commission on Critical Infrastructure Protection will be chaired by a person outside the Government and consist of industry and government officials. The commission's charter is to assess the threats and come back within a year with recommendations for policies to protect the nation's computers and networks. In the meantime, the US Department of Justice is forming an interim task force, led by the FBI, to respond to attacks, help restore service, issue threat warnings and assist in criminal investigations. The commission will seek ways to protect eight critical areas: telecommunications, electric power, oil and gas, banking and finance, transportation, water supply, emergency services and government operations. Computerworld, July 22, 1996, p. 29.

Puffer 2.0 buys you some E-mail security via easy encryption, J. W. Olsen. If you exchange sensitive