Abstracts of Recent Articles and Literature
Singla pleaded guilty in US District Court in Washington to accessing a federal computer without authorization and intentionally causing damage when she hacked into the Coast Guard's personnel database last July. Singla is a former employee of the Coast Guard who had helped to build the database she later hacked. Her crime was motivated by her frustration that the Coast Guard was not responsive to her complaints of improper conduct by an agency contractor. She was able to dial in to the network unimpeded by using the password of an unsuspecting end user, who had given it to her before Singla left her job. The Coast Guard has since closed down the pathway Singla used to reach the database and shut off dial-up access to it. Computerworld, July 20, 1998, pp. 35, 36.

A false sense of security, Julie Bort. Frame relay qualifies as a public technology because data from one company travels alongside data from others, and it comes with its own set of security risks. Frame relay uses switches where information is shared across a series of leased lines. Sometimes these lines are not even controlled by the service provider. And anywhere traffic is monitored for reasons such as congestion, it is just as easy to monitor it for content. Compared with the Internet, which is open and insecure by design, it is easy to see why network managers feel that their data is safe on another public network. Most private-line alternatives, such as frame relay, are safer than the Internet, but "more secure" than the Internet does not necessarily equal "adequately secure". Experts say that areas of vulnerability include physical security breaches, the ease of internal attacks, carrier error and internal connections. Routers, switches and security devices, such as VPN encryption boxes, should be kept in a locked room, and all equipment should also be password protected in case unauthorized access to that room occurs. No security action should be taken without a proper risk analysis. This should include a look at the value of the data being passed and the security of the company's LAN technology. If most frame relay data is not sensitive, widespread security precautions are unnecessary. In cases where sensitive data is passed, application-level encryption may be applied. LAN Times, July 20, 1998, pp. 23-24.
'Net security best policy for insurer, Laura DiDio. With more than 78 000 employees on four continents and 50 million customers, Prudential Insurance Company had a security challenge. It needed a common security mechanism to safeguard its data and Internet-based transmissions worldwide. And it was crucial that the new security architecture be easy for employees to use and for network managers to administer. The company chose GetAccess, a World Wide Web security package from EnCommerce Inc. GetAccess enables organizations to authenticate and manage thousands of users regardless of their location. Users sign on using an ID and password, view a personalized menu that shows what they have access to, then access any resource for which they have authorization. Computerworld, August 10, 1998, pp. 37-38.

Technology and trust: the final analysis, Robert Moskowitz. Despite your best efforts to contain user IDs and access issues, the user community is bent on complicating your life by requiring support for more external users than internal, and you have no real control over external users. X.509 attribute certificates coupled with enterprise object identifiers (OIDs) directly address distributed identities and functional roles. With attribute delegation certificates, a unique place in the PKI is established to define users' roles and access rights, which are independent of the users' identities and their systems. These certificates are linked to the user authentication certificates. The benefit of this approach is that it lets the authentication certificates be stable; all they do is identify the party. This model represents a major enhancement over traditional user-group access-control databases. PKI has always been a chicken-and-egg situation: no one wanted to build anything relying on digital certificates until a PKI existed, but no one wanted to build a PKI until applications demanded it. The next phase is to choose a high-maintenance, less-critical application and make it use attribute certificates. Attribute certificates may well be the killer application for your contribution to industry-wide PKI. They offer the potential to move the administration workload closer to the user, without creating an excessive workload burden at that end. Network Computing, July 15, 1998, pp. 29-30.
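The following is an added illustration of the model in the Moskowitz abstract (a stable authentication certificate that only identifies the party, with roles carried in separate attribute certificates bound to it), together with the sign-on-then-personalized-menu flow of the DiDio abstract. It is example code written for this page, not code from either article, from EnCommerce, or from any X.509 implementation. It assumes an HMAC over a canonical encoding as a stand-in for real CA and attribute-authority signatures (so it runs offline with the standard library), a hypothetical enterprise OID arc 1.3.6.1.4.1.99999 for role names, and constructed keys, subjects, resources and timestamps.

```python
"""Attribute certificates bound to a stable identity certificate (stdlib only)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumption: hypothetical enterprise OID arc naming functional roles.
ROLE_ADJUSTER = "1.3.6.1.4.1.99999.1.1"
ROLE_SUPERVISOR = "1.3.6.1.4.1.99999.1.2"

# Constructed trust anchors and policy.  A real deployment verifies X.509
# signatures against the CA and attribute-authority certificates instead.
CA_KEY = b"constructed-ca-key"   # signs authentication (identity) certificates
AA_KEY = b"constructed-aa-key"   # attribute authority signs attribute certificates
POLICY = {                       # resource -> role OIDs, any one of which suffices
    "claims-db": {ROLE_ADJUSTER, ROLE_SUPERVISOR},
    "approval-queue": {ROLE_SUPERVISOR},
}
T0 = datetime(1998, 7, 15, 9, 0, tzinfo=timezone.utc)   # constructed sign-on time
T9 = T0 + timedelta(hours=9)                            # after the first role expires


@dataclass(frozen=True)
class AuthCert:
    """Identity only: issued once, stays stable, says nothing about roles."""
    issuer: str
    serial: int
    subject: str
    not_before: str
    not_after: str
    sig: str = ""


@dataclass(frozen=True)
class AttrCert:
    """Roles only; names its holder by the identity certificate's (issuer, serial)."""
    issuer: str
    serial: int
    holder_issuer: str
    holder_serial: int
    roles: tuple
    not_before: str
    not_after: str
    sig: str = ""


def _tbs(cert) -> bytes:
    """Canonical to-be-signed bytes: every field except the signature."""
    fields = asdict(cert)
    fields.pop("sig")
    return json.dumps(fields, sort_keys=True).encode()


def _sign(key: bytes, cert) -> str:
    return hmac.new(key, _tbs(cert), hashlib.sha256).hexdigest()   # stand-in signature


def _verify(key: bytes, cert) -> bool:
    return hmac.compare_digest(_sign(key, cert), cert.sig)


def _valid_at(cert, now: datetime) -> bool:
    return datetime.fromisoformat(cert.not_before) <= now <= datetime.fromisoformat(cert.not_after)


def issue_auth_cert(issuer, serial, subject, now, days=730):
    c = AuthCert(issuer, serial, subject, now.isoformat(), (now + timedelta(days=days)).isoformat())
    return replace(c, sig=_sign(CA_KEY, c))


def issue_attr_cert(issuer, serial, holder: AuthCert, roles, now, hours=8):
    # Short-lived: roles change far more often than identities, so only this
    # certificate is reissued when a user's function changes.
    c = AttrCert(issuer, serial, holder.issuer, holder.serial, tuple(sorted(roles)),
                 now.isoformat(), (now + timedelta(hours=hours)).isoformat())
    return replace(c, sig=_sign(AA_KEY, c))


def effective_roles(auth, attr_certs, now, revoked=frozenset()):
    """Roles the signed-on party holds right now, as a frozenset of OIDs."""
    if not (_verify(CA_KEY, auth) and _valid_at(auth, now)):
        return frozenset()
    roles = set()
    for ac in attr_certs:
        if not (_verify(AA_KEY, ac) and _valid_at(ac, now)):
            continue                                   # forged, expired or not yet valid
        if (ac.issuer, ac.serial) in revoked:
            continue
        if (ac.holder_issuer, ac.holder_serial) != (auth.issuer, auth.serial):
            continue                                   # bound to someone else's identity
        roles.update(ac.roles)
    return frozenset(roles)


def menu(auth, attr_certs, now, revoked=frozenset()):
    """The personalized menu: resources the party is currently authorized for."""
    roles = effective_roles(auth, attr_certs, now, revoked)
    return sorted(r for r, needed in POLICY.items() if needed & roles)


if __name__ == "__main__":
    alice = issue_auth_cert("CN=Corp CA", 1001, "CN=alice", T0)
    ac1 = issue_attr_cert("CN=Corp AA", 5001, alice, {ROLE_ADJUSTER}, T0)
    print(menu(alice, [ac1], T0))          # ['claims-db']
    print(menu(alice, [ac1], T9))          # []  role expired, identity certificate untouched
    ac2 = issue_attr_cert("CN=Corp AA", 5002, alice, {ROLE_SUPERVISOR}, T9)
    print(menu(alice, [ac1, ac2], T9))     # ['approval-queue', 'claims-db']
```

The check that matters is the holder binding: an attribute certificate grants nothing unless its (holder_issuer, holder_serial) matches the identity certificate the party authenticated with, so roles cannot be transplanted between users, and a role change, expiry or revocation never requires reissuing the identity certificate.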