Security a competitive advantage?


reports

spread of inappropriate images, including pornography, from being E-mailed into or out of networks. In a climate where the White House, the New York Times, Xerox Corp. and the UK’s Houses of Parliament have all been victims of E-mail related scandals, PORNsweeper has the potential to protect both organizations and their employees. Risks posed by such transmissions are legal liability, sexual harassment and network congestion issues.

PORNsweeper works by scanning the contents of image files attached to E-mails or embedded within E-mail attachments. It then conducts tests to conclude the likelihood that the file contains a pornographic image. These tests include:

• Searching the file for the colour of human pigmentation in the pixels;
• Analysing the skin pixels to determine various statistics about the image — nude images contain more skin pixels than other images where skin is present;
• Analysing whether the image is unacceptable through ‘face detection’ technology.

PORNsweeper comes in the form of a new add-on module for Content Technologies’ MAILsweeper for SMTP. For further information please visit Content Technologies’ web site at www.contenttechnologies.com.

For information on E-mailed porn related scandals see www.mimesweeper.com/products/cs/pornography.asp.
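The first two tests listed above (skin-coloured pixels, then statistics over them) can be sketched as follows. This is an added example, not Content Technologies' code: the RGB skin rule, both thresholds, the function names and the sample images are assumptions, and the face-detection test is not modelled.

```python
from collections import deque

SKIN_RATIO_LIMIT = 0.40     # assumed: share of all pixels that are skin-coloured
REGION_RATIO_LIMIT = 0.30   # assumed: share covered by the largest connected skin area

def is_skin(rgb):
    """Common RGB daylight skin-tone rule (an assumption of this example)."""
    r, g, b = rgb
    return (r > 95 and g > 40 and b > 20 and max(rgb) - min(rgb) > 15
            and abs(r - g) > 15 and r > g and r > b)

def skin_statistics(pixels, width):
    """Return (skin ratio, largest connected skin region ratio)."""
    if width <= 0 or not pixels or len(pixels) % width:
        raise ValueError("pixels must be a non-empty row-major grid")
    height = len(pixels) // width
    mask = [is_skin(p) for p in pixels]
    seen = [False] * len(mask)
    largest = 0
    for start, skin in enumerate(mask):
        if not skin or seen[start]:
            continue
        seen[start] = True
        queue, size = deque([start]), 0
        while queue:                      # breadth-first flood fill
            i = queue.popleft()
            size += 1
            x, y = i % width, i // width
            for nx, ny in ((x - 1, y), (x + 1, y), (x, y - 1), (x, y + 1)):
                j = ny * width + nx
                if 0 <= nx < width and 0 <= ny < height and mask[j] and not seen[j]:
                    seen[j] = True
                    queue.append(j)
        largest = max(largest, size)
    return sum(mask) / len(mask), largest / len(mask)

def hold_for_review(pixels, width):
    """Quarantine decision: much skin overall AND one large skin area."""
    ratio, region = skin_statistics(pixels, width)
    return ratio >= SKIN_RATIO_LIMIT and region >= REGION_RATIO_LIMIT

# Constructed 10x10 sample images (row-major lists of RGB tuples).
SKIN, SKY = (224, 172, 105), (90, 140, 220)
def make_image(skin_at, size=10):
    return [SKIN if skin_at(x, y) else SKY for y in range(size) for x in range(size)]

PORTRAIT = make_image(lambda x, y: 4 <= x <= 6 and 1 <= y <= 3)    # small face
LARGE_AREA = make_image(lambda x, y: 2 <= x <= 8 and 2 <= y <= 8)  # 7x7 block
SPECKLED = make_image(lambda x, y: (x + y) % 2 == 0)               # checkerboard
```

The speckled image has the highest skin ratio of the three yet is not held, which is why a filter of this kind needs region statistics as well as a raw pixel count.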

Voice authentication smart card

There is a new smart card on the market which can pick out and recognize a voice in almost any circumstance — with background noise, whilst eating, under the influence of alcohol or even when you have a cold. The 8-bit, 8 kilobyte Java Smart Card stores the voice characteristics and analyses them using a Time Encoded Signal Processing and Recognition (TESPAR) algorithm which mathematically maps each voice uniquely by shape, duration and amplitude. The benefits are clear — only the authorized user can access the smart card — and the authentication key is stored only on the smart card. According to its makers, “it can easily be integrated with other security methodologies such as Public Key Infrastructure”. The system is very fast and flexible to allow differing access levels for differing applications and it is tipped for use in Internet transactions in the near future. For further information on Domain Dynamics who own the patent on TESPAR visit www.ddl.co.uk or E-mail [email protected].

Security a competitive advantage?

Businesses appear to be taking security more seriously, but senior management do not seem to know which way to turn. Attitudes are gradually changing; however, in the current environment few have a tight rein on internal or external policies. It is widely acknowledged that an effective security plan breeds trust, which is the life’s blood of E-commerce.

IDC White Paper

A survey by IDC has found that “security is the main inhibitor in moving to an E-business environment” for many. According to IDC the user base of the Internet is growing rapidly, from 327 million in 2000 to 600 million in 2003. Similarly, it is predicted that revenue generated online will be US $1.6 trillion by 2003. Pim Bilderbeck of IDC explained, “Enlightened organizations are beginning to regard the security of their systems not as an insurance policy, but as a competitive advantage.”

However, 75% of companies spend less than 10% of their budget on security. IDC attribute this to the fact that installation costs are high, offset against the potential cost of a breach. IDC conclude that although spending is low, attitudes do appear to have changed. Until recently security was perceived as ‘keeping the bad guys out’, but now it is widely realized that a centralized security system is necessary and that it is equally important to ‘let the good guys in’ to the network.

UK surveys

A survey in the UK, conducted by Siemens Network Systems, gave a rather bleak outlook on the future. Of 300 senior IT professionals in the UK, 87% said that over the next five years they expected the threat posed by network security breaches to increase. A spokesman for Siemens said, “In E-commerce, the security of a company’s network must have top priority as no network will mean no business. Security is an ongoing process that cannot be done once and then forgotten about”.

70% said that not enough was being done to balance the threat, and this is borne out by the current spate of highly publicized security breaches. Indeed, a survey by credit rating agency Experian revealed that of the 800 companies questioned, 11% admitted to having been hacked.

Board room antics

A survey of 750 International companies, sponsored by Content Technologies, highlighted inconsistent attitudes at board level towards security and its solutions. Almost a third of companies have no manager responsible for their network security, whilst 60% of business managers have no security training at all, and only 24% have been trained within the last 12 months. A quarter of companies saw no need to educate users in regard to Internet and E-mail policy. Two thirds had no Internet or E-mail policy, or had one that was not enforced.

Paul Robinson of Secure Computing magazine, who performed the survey, said, “Viruses have continued to be the main source of security breaches, but connectivity to the Internet means that pornography and confidentiality are becoming greater problems, a trend which I predict will continue.”

Worst Security Breaches
1. Viruses
2. Pornography in E-mails
3. Spam
4. Hacking
Fig 1: The most expensive breaches in terms of frequency, wasted time and lost revenue.

Multinational report

The report, E-security: The Guardian angel of E-business, by Arthur D. Little’s Thijs van Tuyll seems to provide an overview of all of the issues concerning networking professionals — it is based on discourse with senior staff at 50 multinational companies. Van Tuyll calls the Internet “a medium that was never designed with security in mind,” and criticizes current systems saying, “when something that has gone wrong is noticed, the damage has already been done”.

The way forward is through three methods: “data privacy and integrity, access control, user identification and authentication”. He forecasts a move away from authentication through traditional password protection towards digital certificates and smart cards despite the fact that these technologies are considered to be expensive. Biometrics is considered to be “a high-tech gadget, seen only in spy movies”. The report concludes with a warning that security infrastructures were not designed for the current pace of E-commerce and that firms must have a “new approach to security, not weighed down by legacy mechanisms”. Businesses face “increased chances of theft and loss of trust”.

Carnivore’s voracious appetite

Wayne Madsen

Testifying before the House of Representatives Judiciary Subcommittee, representatives of the Federal Bureau of Investigation (FBI) defended the Internet surveillance system code-named Carnivore as a rarely used but necessary law enforcement ‘surgical’ tool. Members of the subcommittee, however, were not convinced that Carnivore has the necessary checks and controls in place to prevent abuses of privacy of E-mail. Representative Mel Watt of North Carolina said, “I have a generalized concern about the government’s ability to invade the privacy of its citizens”, adding, “there is a growing level of ... concern about ‘Big Brotherism’ fed by the increasing electronic world.” Representative John Conyers of Michigan stressed, “Constitutional rights don’t end where cyberspace begins.”

Donald Kerr, an Assistant Director of the FBI, stated, “The FBI does not use Carnivore to conduct broad searches or surveillance.” He stated that Carnivore, which is essentially a packet sniffer, uses a pre-programmed ‘filter mask’ to target IP addresses specified in a court order. The sniffer software, according to Kerr, runs as an application program on a personal computer under Windows. Kerr stressed that Carnivore does not search the contents of every message for key words like ‘bomb’ or ‘drugs’, but selects messages based solely on criteria specified in court orders. This procedure, Kerr stated, is known as ‘minimization’. However, Representative Spencer Bachus of Alabama claimed he had previously been briefed by the FBI that Carnivore was capable of sniffing Internet messages for keywords like ‘bomb’.

Kerr stressed that Carnivore is safe to operate on Internet Service Provider (ISP) computers. Peter Sachs, the President of ICONN, a small ISP in New Haven, Connecticut, disagreed, pointing out that Carnivore “presents a performance hit for an ISP”. Sachs said that because Carnivore intercepts all Internet traffic, performance is impeded. Subcommittee Chairman, Representative Charles Canady of Florida, also pointed out reports that another ISP, Earthlink, experienced a system crash when it was forced under court order to install Carnivore.

Kerr testified that in most cases ISPs do not have the technical capabilities to conduct Carnivore-type surveillance. Sachs countered that argument by stating that any ISP, including his, can provide the FBI with the same information obtained by Carnivore. He cautioned, however, that the preponderance of systems like Carnivore will have a “chilling effect” on users sending certain sensitive information via the Internet.

Several House members and witnesses pointed out that the FBI only requires a simple ‘trap and trace’ or ‘pen register’ court order to obtain access to E-mail ‘From’ and ‘To’ lines. Unlike similar orders used to obtain both called and calling phone numbers for a traditional wiretap, civil liberties advocates and Internet experts demonstrated that such wiretap orders for E-mail could also intercept content, something that requires a higher ‘Title III’ court order. Several witnesses explained that E-mail headers intercepted pursuant to a ‘trap and trace’ order could