
Computers & Security, Vol. 16, No. 2

The certificates available at domain name registration are not client certificates for end users but server certificates intended to establish a business as a trusted entity on the Web. A server using a certificate can securely authenticate itself to customers, trading partners and other users on the Internet. LAN Times, March 31, 1997, p. 14.

E-mail attacks can clog systems, Sharon Machlis. An ‘E-mail bomb’ attack on Congress that sent hundreds of threatening messages around Capitol Hill turned out to be little more than a nuisance. However, Winn Schwartau warned that the Internet is inherently vulnerable to hackers who bring down systems by bombarding them with so much data that legitimate transactions grind to a halt. Surviving denial of service on the Internet is becoming increasingly crucial. Schwartau outlined a potential defence that combines detection modules, dynamic reaction tools and an ‘alternative control channel’ to go around a clogged TCP/IP connection that is under attack. Meanwhile, hacker sites on the Web offer anonymous mail bombing services. The Internet is susceptible to various data-flood attacks because information and control are on the same channel. Schwartau suggests using ‘smart’ detection modules that recognize if too many electronic mail messages or pings are coming in, reaction modules that set filtering based on the activity being detected, and an alternative channel between customers and their service providers to deal with an attack. The recent E-mail threats in Washington, DC claimed that a group of cyberpunks would wipe out all files on the congressional computer systems. Computerworld, February 24, 1997, p. 6.
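The detection-module and reaction-module pair Schwartau describes, written here as an added illustration (not code from the article): a per-source sliding-window counter over a constructed mail relay log flags a sender that exceeds a message rate, and the reaction step turns each flagged source into an expiring filter rule. The log format, thresholds and rule shape are assumptions; the same per-source counting applies to ICMP echo requests for the "pings" case.

```python
from collections import deque
from datetime import datetime, timedelta

# Hypothetical relay-log format, one event per line: "<ISO timestamp> <source IP> <recipient>".

def build_sample_log():
    """Constructed log: one ordinary sender and one mail bomber (not real traffic)."""
    base = datetime(1997, 2, 20, 9, 0, 0)
    lines = []
    for i in range(5):        # staff member: five messages spread over five minutes
        lines.append("%s 192.0.2.10 staff@example.gov" % (base + timedelta(minutes=i)).isoformat())
    for i in range(30):       # bomber: thirty messages in thirty seconds
        lines.append("%s 198.51.100.7 member@example.gov" % (base + timedelta(seconds=i)).isoformat())
    return "\n".join(sorted(lines))

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), src, rcpt))
    return events

def detect_floods(events, window=timedelta(seconds=60), threshold=20):
    """Detection module: a source is flagged the first time it exceeds `threshold`
    messages inside any sliding `window`. Returns {source: time first flagged}."""
    recent = {}    # source -> timestamps still inside the window
    flagged = {}
    for ts, src, _ in sorted(events):
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def reaction_rules(flagged, ttl=timedelta(minutes=30)):
    """Reaction module: one temporary, expiring filter per flagged source (the rule
    tuple is a constructed shape; a real deployment would push it to the MTA or router)."""
    return [(src, "deny-smtp", first + ttl) for src, first in sorted(flagged.items())]

if __name__ == "__main__":
    flagged = detect_floods(parse_log(build_sample_log()))
    for src, action, expires in reaction_rules(flagged):
        print("%s %s until %s" % (action, src, expires.isoformat()))
```

The rule expires on its own, so a legitimate sender caught by a burst is unblocked without operator action.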

Anti-virus software gets shot in the arm, Sharon Machlis. Hackers are creating so many macro viruses these days, it’s getting tough for screening software to keep up. So after years of touting ‘signature screening’ as protection against malicious code, Symantec Corp. is raising the ante. The company will ship software that lets information systems managers block access to files that contain any macros that aren’t on a company’s approved macro list. The Macro Protection system will prevent users from opening a document or spreadsheet that contains non-approved macros. This means users could be barred from opening documents that are electronically mailed from their customers, even if they include benign macros. The Macro Virus Protection system seeks to let in only approved macros instead of simply screening out known viruses. Such a system offers substantially more protection because it allows IS professionals to check each macro before they allow it on the system. Symantec may develop software that allows access to files with non-approved macros by disabling the macros. Computerworld, February 24, 1997, p. 24.

Do you know the security code? Mike Quinn. With problems like computer and chip theft, viruses and fraud constantly making headlines, it is vital that we address the issues affecting the security of our information. Computacenter recently produced a survey of hackers and their views. It showed that one in four thinks the system operator is at fault for leaving gaping holes in IT systems through which they can enter. Company safeguards are regarded as inadequate by 75% of hackers. Common criticisms include bad system design, use of default settings, out-of-date security systems and lack of encryption techniques and firewalls. On 3 January 1997 the UK’s Department of Trade and Industry introduced BS 7799, the Code of Practice for Information Security Management, which will come into force at the end of this year. BS 7799 provides a common basis for companies to develop, implement and measure effective security management practice, and aims to provide confidence in inter-company trading. A key recommendation of the standard is the development and upkeep of a business continuity plan. Companies often underestimate the importance of securing both hardware and software and totally undervalue the data stored on them until it is too late. Unfortunately, it usually takes extreme situations to make people pay attention. Computer Weekly, May 8, 1997, p. 34.

129

Abstracts of Recent Articles and Literature

Plan ahead for firewalls, A Berg. Installing an applications-proxy firewall on your LAN can be a tricky business, especially if your network is already connected to the Internet. It is important to configure the firewall to allow inbound and outbound access to users who need it. The key to successful implementation of this type is planning. Before installing the gateway, you need to make several decisions such as whether to change your IP addressing scheme and use a dual Domain Name Service (DNS) server system. You also need to get your desktop systems in order and implement added security policies. Because applications proxies make all traffic leaving your network appear to be originating from a single IP address - that of the firewall’s external interface - you have the option of increasing security and easing IP addressing problems by using ‘illegal’ addresses internally. Illegal addresses, or numerical addresses you assign to your internal network that have not been assigned by the InterNIC, add security to your network because an attacker can’t route packets to nodes on your inner, protected LAN. The next thing you need to do before installing the firewall is decide whether to use a dual DNS system. The downside of DNS is that the network’s DNS records can provide clues about the network’s structure or the names of machines, which an attacker can use to mount spoofing attacks. A dual DNS system, in which you use internal and external DNS servers, can prevent such attacks. The third item on the list should be getting the desktop systems in order. Make sure all users’ systems have the latest version of the TCP/IP stack. Then try to implement a centralized IP address-management scheme such as Dynamic Host Configuration Protocol. Each of the users’ TCP/IP stacks also needs to have the default gateway reset. The default gateway is the IP address of the router that is used when the desktop system has no routing information for the destination address of a given packet. On an unprotected network, the default gateway is usually the inside port of the router that connects the LAN to the Internet. On a protected network, the default gateway address must be changed to the inside port of the firewall. LAN Times, March 31, 1997, pp. 79-80.
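Berg's pre-installation checklist (non-routable internal addresses, a dual DNS that does not publish internal hosts, and every desktop's default gateway pointed at the firewall's inside port) as an added example, not code from the article: an audit over a constructed desktop inventory and a constructed external zone file. The firewall and DNS addresses are hypothetical, and RFC 1918 ranges stand in for the "illegal" addresses the abstract describes.

```python
import ipaddress

# RFC 1918 ranges: today's formal equivalent of the "illegal" (never InterNIC-assigned)
# internal addresses the abstract recommends. No Internet router carries a route for
# these prefixes, so an outside attacker cannot reach nodes numbered from them.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical planning values; the article gives none of these.
FIREWALL_INSIDE = "10.0.0.1"    # inside port of the new applications-proxy firewall
INTERNAL_DNS = "10.0.0.53"      # the internal half of the dual-DNS setup

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def check_desktop(host):
    """Return the findings for one desktop record; an empty list means it is ready."""
    findings = []
    if not is_private(host["ip"]):
        findings.append("address %s is Internet-routable; renumber it" % host["ip"])
    if host["gateway"] != FIREWALL_INSIDE:
        findings.append("default gateway %s is not the firewall inside port %s"
                        % (host["gateway"], FIREWALL_INSIDE))
    if host["dns"] != INTERNAL_DNS:
        findings.append("resolver %s is not the internal DNS server" % host["dns"])
    return findings

def audit_desktops(hosts):
    return {h["name"]: check_desktop(h) for h in hosts}

def external_zone_leaks(records):
    """Dual-DNS check: the Internet-facing zone must not describe the inside network.
    Any A record resolving to a private address belongs only in the internal zone."""
    return [name for name, addr in records if is_private(addr)]

# Constructed inventory: pc-01 is ready, pc-02 still uses the old router as gateway,
# pc-03 was never renumbered and points at an outside resolver.
SAMPLE_HOSTS = [
    {"name": "pc-01", "ip": "10.0.1.20", "gateway": "10.0.0.1", "dns": "10.0.0.53"},
    {"name": "pc-02", "ip": "10.0.1.21", "gateway": "10.0.0.254", "dns": "10.0.0.53"},
    {"name": "pc-03", "ip": "203.0.113.9", "gateway": "10.0.0.1", "dns": "198.51.100.53"},
]
# Constructed external zone: "fileserver" leaks an internal host into the public DNS.
SAMPLE_EXTERNAL_ZONE = [("www", "203.0.113.10"), ("mail", "203.0.113.25"),
                        ("fileserver", "10.0.1.5")]

if __name__ == "__main__":
    for name, findings in audit_desktops(SAMPLE_HOSTS).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("external zone leaks:", external_zone_leaks(SAMPLE_EXTERNAL_ZONE))
```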

Virus strategies get closer look, Salvatore Salamone. There are more viruses, and they are becoming increasingly difficult to detect as their creators push the envelopes of stealth, misdirection and destruction. Virus writers are becoming more prolific, with between four and six new viruses introduced every day. This means virus scanners, which detect viruses by looking for a characteristic string of code known as a signature, must be more frequently updated. A six-month-old collection of virus signatures can miss over 1000 new viruses. Virus writers are also trying to make their viruses harder to detect. Some newer viruses try to hide the virus string from a scanner’s detection either by encrypting the signature or by changing the signature each time a program infected by a virus runs. Such viruses are known as polymorphic viruses. Viruses are now more likely to come from sources other than floppy disks. The main virus threat today comes from macro viruses that are embedded in Microsoft Word documents and Microsoft Excel spreadsheet files. Such files can quickly be distributed to many people in a company by a user who copies a message with the attachment to a mailing list. An additional virus threat occurs in groupware systems when an infected file is stored as part of a groupware database and is then passed to other servers thanks to groupware’s built-in data-replication technology. This year, network managers should see several interesting twists to fighting viruses, including more reliance on heuristic approaches. But experts agree that even as new approaches emerge for fighting viruses, scanning will remain the best bet for most situations. Because of the importance of scanning, managers should look for anti-virus software that is updated regularly. For some particularly troublesome new viruses, many vendors post a new signature as soon as it is identified. LAN Times, February 3, 1997, pp. 73-74.

Hacker FAQ exposes attack strategies, Al Berg. The Unofficial Novell Inc. NetWare Hack FAQ, downloadable from the Internet (ftp://ftp.fastlane.net/pub/nomad/nw/faq.zip), is at the same time a blessing and a curse. Compiled by ‘Simple Nomad’, an anonymous computer security professional for a Fortune 500 company in the States who does security consulting in his spare time, the FAQ contains 49 pages of detailed instructions for penetrating the security of NetWare 3.x and 4.x LANs. The document also provides systems administrators with in-depth instruction on how to thwart hack attacks. Some of the tools and techniques described, such as the brute-force method of removing the NetWare bindery from the server to fool it into thinking it was just installed, or the various NLMs that can be loaded at a server console to change passwords, will be familiar to some security administrators. The nw-hack.exe program, which hijacks a 3.11 Supervisor connection and lets anyone on the server gain Supervisor access, is not new. But Simple Nomad and his contributors have found many other ways to compromise the security of a NetWare server. Although most of the attacks in the FAQ are better suited for inside jobs than external hacker attacks, you should not consider the document irrelevant to your organization. LAN Times, April 14, 1997, pp. 80-81.

Lock IT up. It has always been difficult to quantify

130