Secure electronic-mail: return to sender

Abstracts of Recent Articles and Literature

That ain’t no standard spec, Friedman Matthew. The Secure Electronic Transactions (SET) specification may have already run its course. Merchants and bankers say that the technology is seriously flawed, warning that the SET specification does not guarantee compatibility across vendor implementations and that it is too complex to integrate with legacy transaction systems. The SET initiative has been likened to the Unix and modem markets, both of which are inundated with incompatible platforms. Microsoft and Netscape are not expected to support SET in their browsers before the technology matures. Despite the slow acceptance of SET, its sponsors are already talking about SET version 2.0. Internet Week, 24 November 1997, p. 12.

Dutch move to block French crypto laws, Kenneth Cukier. Dutch officials are using a technical procedure in the European Commission to stall French legislation intended to liberalize cryptography regulation in France. The Dutch claim that France’s rules violate European open market principles. The proposed French legislation demands that all encryption users, including multinational corporations, hand over private keys capable of decrypting data to government-approved trusted third parties. Companies may also be required to reveal the source code of their cryptographic products before receiving approval. French PM Jospin has said that encryption liberalization is a top priority, and has set up a group to work on electronic commerce issues. However, France is the only European state demanding key escrow. Communications Week International, 21 November 1997, p. 2.

Wireless crime’s inside story, Patrl&bin. Wireless communications providers are finding that much of the $700 million they lose each year to service theft stems from crimes committed by their own employees. Communications Co. of Chicago recently uncovered two scams involving full-time staff selling electronic serial numbers from cellular phones to criminals who use the information to illegally clone phones. In some cases employees are stealing confidential background information from subscriber files and then using that information to obtain credit cards fraudulently. Wireless service providers are responding with more careful screening of prospective employees, setting up fraud prevention departments and education programmes, and tightening security controls on computer access by changing passwords more frequently and having employees log off their computers when they leave their workstations. Tele.com, November 1997, p. 14.

Encryption: hot topic on the Hill, Steve McGookin. The issue of computer security and encryption is yet again a hot topic on Washington’s Capitol Hill. A bill proposed by Republican Congressman Bob Goodlatte appears to be gaining bi-partisan support and may be voted on in early 1998. The Security and Freedom through Encryption (SAFE) Act would overturn US laws which restrict US companies from exporting so-called strong encryption products. Under existing regulations exporters must provide law enforcement authorities with access to decoding keys for such software. Supporters of the Goodlatte bill argue that US regulations give foreign software makers already shipping stronger encryption products an unfair advantage over their US competitors. Financial Times, 17 November 1997.

Secure electronic-mail: return to sender, David Willis. With regard to security, E-mail is in a perilous state. Within an organization’s domain security can be guaranteed, but when messages cross organizational boundaries there is no assurance that they cannot be intercepted. Unfortunately, the major proprietary collaborative computing platforms, notably Lotus Notes, Novell GroupWise and Microsoft Exchange, offer security only within the confines of the organization. Few encryption services are available for Post Office Protocol (POP) and Internet Mail Access Protocol (IMAP) based E-mail, which links proprietary and foreign systems. However, enhanced security can be deployed at the gateway level, as it is in Allegro Group’s Encryption Gateway for GroupWise (a PGP-based solution) or in WorldTalk’s WorldSecure Server (an S/MIME solution). Standard plug-ins which use the PGP and S/MIME approaches are emerging for many POP/IMAP-based E-mail clients, enabling ‘piece-meal’ deployments without having to alter the infrastructure. Tests show that, for enterprise messaging, S/MIME is more appropriate given its relative maturity, its ability to be managed from a central location and its widespread industry support. Network Computing, 1 November 1997, pp. 108-116.

Who goes there? Andrew Gray. Passwords are insecure. They are easy to crack because they are rarely, if ever, changed, and in many cases users unwittingly share their passwords with co-workers and choose ones that are easy to remember. This gives hackers plenty of opportunity to figure them out. Hackers can quite easily get hold of a copy of the encrypted password database residing on the corporate authentication server. As a consequence, a growing number of network managers are abandoning passwords and adopting authentication instead. Authentication can be broken down into three components. User authentication ensures that users are who they say they are. Then there is host authentication, which gives users the ability to check that they are talking to a valid host. Finally, there is message authentication, which permits documents to be digitally signed and traceable. Token-based systems and smartcards take advantage of all three authentication components. Data Communications, November 1997, pp. 110-113.

Bulletproof IP, Thayer Rodney. Experience has shown that the TCP/IP networking protocol is not entirely secure. IPSec is a collection of security protocols from the Internet Engineering Task Force (IETF) that adds authentication and encryption to IP networks. Its authentication features let network managers guard against attacks launched from inside or outside of the network, and encryption prevents hackers from decoding data packets. IPSec adds new fields to packet headers, and these fields are what make authentication and encryption possible. The term IPSec actually covers a series of protocols which fall into three categories: encapsulating security payload (ESP) and authentication header (AH), which together define encryption and authentication methods, and the IP security association key management protocol (ISAKMP), which manages the exchange of secret keys between senders and recipients of ESP and AH packets. IPSec handles cases where network information must remain confidential and where access to the network should be limited to authorized users. But IPSec adds nothing when specific applications already use security facilities at other layers, nor will it add security to E-mail already protected by PGP, or financial transactions using Secure Electronic Transmission (SET). IPSec products are available for PCs, Unix systems and internetworking gear like routers, firewalls and Virtual Private Network devices. Unfortunately, IPSec’s interoperability has yet to be adequately demonstrated. Data Communications, 21 November 1997, pp. 45-48.

High-tech crime’s hidden face, Edward Martin. Despite the widespread increase in hacking and IT security breaches, few companies are willing to report the computer crimes committed against them. In many cases, businesses which fall victim to computer crime are unaware that any crime has taken place. An FBI report concludes that 97% of crimes remain undetected. Companies are often reluctant to report high-tech crime for fear that investigators will tie up or impound their computers, or because the publicity could frighten customers away. Unfortunately, few investigators have the training to crack technology crimes. Some recommendations for security include: clear, written policies on data security; when pursuing joint ventures, mergers or acquisitions, companies should have written agreements protecting proprietary information; self-penetration tests should be performed on computer systems; secure ID cards should be considered for remote access; and commercial firewall systems should be customised. Business Journal, 13 October 1997, p. 25.

OECD leader targets Internet security accords, Jennifer L. Schenker. Donald Johnson, General Secretary of the Organization for Economic Cooperation and Development (OECD), is heading a campaign for the OECD to organize international agreements regarding methods of promoting electronic commerce and security over the Internet. He argues that the time has come for government, industry and other interest groups to set out a policy framework for security issues on a global scale. The OECD campaign comes amid tensions between the US and Europe on encryption and data privacy. Last month, the European Commission rejected the US Government’s proposal to require online users to relinquish message decoding keys to law enforcement authorities. For its part, Washington objects to an EU directive that limits data

Computers & Security, Vol. 16, No. 8, pp. 678-679