Self-mutating Word viruses create strain




Computers & Security, Vol. 16, No. 7, pp. 621-622

cation, extranets for inter-company communications, and electronic commerce applications. PKIs will possibly be the foundation for a new generation of remote access, Virtual Private Networking (VPN), and business-critical applications. A PKI is a dynamic system, the underlying framework that makes security technologies work together. In most cases it will include digital certificates and public-key algorithms, integrating them with access-control policies and directories and allowing someone within the company or at a third-party service to manage, control and modify policies on an as-needed basis. PKI may prove to be the wedge that breaks the Internet commerce logjam. It could be a powerful tool for enabling secure communications and data processing into the next century. But right now network managers and their organizations must forge strategies and educate themselves about their goals for the PKI, the products they will use to build it, and how to use and deploy PKI-enabled applications. LAN Times, October 13, 1997, p. 50.

Low-overhead cryptography, Joe Puone. For a number of years independent software vendors have looked to RSA Data Security Inc. to supply the basis for cryptography in their applications. One of RSA's primary messages is that the longer the bit length of the keys, the higher the security. But there is a problem with longer bit lengths, say many industry observers. Although they provide greater security, they put a heavier processing load on a server. This burden has ramifications for electronic commerce sites. The expensive step is the server's private-key operation (decryption or signing), whose cost grows roughly with the cube of the modulus length, so each step up in RSA key size costs the server several times more work per connection. Companies such as IBM and nCipher are so convinced that public-key encryption and decryption with long keys will put an unwieldy strain on servers that they have developed cryptographic coprocessors, also known as encryption accelerators, to take the strain off servers. The outcome is that network managers planning to implement security on Internet and intranet applications may need more processing power to accommodate high volumes of encrypted traffic. RSA now has a competitor in the form of Certicom Corp., a company which is gaining attention with an approach called elliptic curve cryptography. The company claims it provides security equivalent to RSA at smaller bit lengths, resulting in less processing overhead on servers. Certicom says elliptic curve provides the same level of security at 160-bit key lengths that RSA provides at 1024-bit key lengths. LAN Times, September 29, 1997, p. 72.

Software could spoof-proof domain names, Sharon Machlis. In an effort to cut down on spoofing and spam attacks, a group that oversees part of the Internet infrastructure soon will release free software designed to make domain names more tamper-resistant. DNSsafe uses RSA's digital signature technology to verify Internet domain names. The idea is to prevent hackers from messing with domain databases that match names, such as bank.com, with specific IP addresses. By inserting false information into a domain name database, hackers can divert World Wide Web surfers from legitimate sites to their pseudo sites, where the hackers collect credit card numbers by posing as a store, for example. With signed records, a resolver that validates the signature can reject a forged or altered record however it arrived, since producing a valid signature requires the zone's private key. Proponents of the software hope it will eventually boost electronic mail integrity by allowing new E-mail software that can demand that incoming addresses be properly verified before a message is accepted. DNSsafe was designed for use with the Domain Name System Security Extensions (DNSSEC) protocol proposed by the Internet Engineering Task Force. Computerworld, October 13, 1997, p. 1, 14.
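How a signed record defeats the poisoning just described, as an added illustration that is not DNSsafe's code or that of the group releasing it: the zone signs each record set with its private key, and a resolver keeps only answers whose signature verifies. Everything in the block is constructed for the example: the zone bank.com and its addresses, the record format, and textbook RSA over SHA-256 from the Python standard library standing in for the padded RSA signatures and key chain that DNSSEC actually specifies.

```python
# Added illustration, not DNSsafe's code: a zone signs each record set with
# its private key and a validating resolver discards any answer whose
# signature fails, which is what makes a poisoned entry useless.
# Textbook RSA over SHA-256 (standard library only) stands in for the
# padded RSA/ECDSA signatures and key chain that DNSSEC actually specifies.
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; a composite survives all rounds with prob. < 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024, e=65537):
    """Return ((n, e), (n, d)); 1024 bits matches the RSA size quoted above."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def canonical_rrset(name, rtype, ttl, rdatas):
    """The bytes the signature covers: lower-cased owner, sorted records,
    so signer and verifier hash exactly the same form (as DNSSEC requires)."""
    owner = name.lower().rstrip(".") + "."
    return "\n".join(f"{owner} {ttl} IN {rtype} {rd}" for rd in sorted(rdatas)).encode()


def sign_rrset(priv, name, rtype, ttl, rdatas):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(canonical_rrset(name, rtype, ttl, rdatas)).digest(), "big")
    return pow(h, d, n)                 # 256-bit digest < n; no padding (textbook only)


def verify_rrset(pub, name, rtype, ttl, rdatas, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(canonical_rrset(name, rtype, ttl, rdatas)).digest(), "big")
    return pow(sig, e, n) == h


def resolve(zone_pub, answer):
    """A validating resolver: return the addresses only if the RRset verifies
    under the zone's public key, else treat the answer as bogus (None)."""
    ok = verify_rrset(zone_pub, answer["name"], answer["type"], answer["ttl"],
                      answer["rdatas"], answer["sig"])
    return answer["rdatas"] if ok else None


def demo():
    """Constructed data: the zone's real A record, then a poisoning attempt
    that keeps the genuine signature but swaps in the attacker's address."""
    pub, priv = rsa_keygen(1024)
    genuine = {"name": "bank.com", "type": "A", "ttl": 3600, "rdatas": ["192.0.2.10"]}
    genuine["sig"] = sign_rrset(priv, "bank.com", "A", 3600, genuine["rdatas"])
    forged = dict(genuine, rdatas=["198.51.100.66"])
    return resolve(pub, genuine), resolve(pub, forged)


if __name__ == "__main__":
    print(demo())  # (['192.0.2.10'], None)
```

The attacker's copy carries the genuine signature, but the signature was computed over the genuine record bytes, so it fails over the substituted address and the resolver drops the answer; the same check also rejects a changed TTL or owner name, and the canonical form makes a case-changed owner name verify as the same record.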

User authentication, VPN in an appliance, Rutrell Yasin. A new class of network security tools that reside between the router and the trusted network - described as 'firewall appliances' - is making it possible for corporations to buy low-priced, plug-and-play security systems with core firewall functions. WatchGuard Technologies has introduced a 'Firebox' that bundles user authentication and virtual private network functions in a single product. Firewall appliances such as Firebox offer a high level of security for much less money than traditional firewalls. The User Authentication feature lets administrators assign user names to IP addresses, giving only authorized users the ability to access their corporate network over the Internet. Network managers can associate users with groups and create security policies based on user name or group name. Because the authenticated identity is bound to an IP address, the policy is only as strong as that binding: anyone who can use or spoof the address while the session is open inherits the user's access. Internet Week, September 29, 1997, p. 47, 50.

Abstracts of Recent Articles and Literature

Self-mutating Word viruses create strain, Sharon Machlis. Many new virus strains aren't the handiwork of malicious virus writers, but the result of a glitch in Microsoft Word. That means there are more ways for destructive code to get into Word documents potentially undetected. When Word documents are stored, macros occasionally are corrupted, according to anti-virus researchers. If the macro includes a virus planted by a hacker, that virus is slightly altered. Sometimes the inadvertent change launches a new virus strain. John Wheat from the NCSA's anti-virus laboratory said that when the NCSA lab replicates a virus 500 or 600 times for study, each copy should be identical, but when you look they are not. He believes that the mutations are caused by something "deep down in the core of Microsoft Word - how it handles macros". A Microsoft spokesman said that the company has never received complaints about 'good' macros being corrupted. He said that Microsoft believes virus authors create code that periodically mutates. The Symantec AntiVirus Research Center estimates that 70% of new macro viruses are created by inadvertent file corruption that is caused by a glitch in the Microsoft environment. IBM's anti-virus research centre doesn't believe inadvertent mutation is the major cause of new viruses. Computerworld, September 29, 1997, p. 1, 16.

Detecting network intruders, Richard Power. Intrusion detection for computers began with research performed in the 1970s. The focus then was on trying to determine whether the behaviour of a user on a single computer represented normal activity or an attack. As a result, companies developed various systems that follow audit trails, attempting to distinguish between the signature of everyday activities and the signs of system abuse. Nowadays it seems natural that we should have network-based intrusion detection systems. These systems don't monitor individual hosts, but instead eavesdrop on network communications, trying to identify patterns of abuse or actual attacks. What distinguishes the activity of a legitimate user from an attacker? Truth be known, in many cases very little. Early intrusion detection systems focused on anomaly detection, in which systems looked for signs of an event or activity that shouldn't have happened, but did. For host security, this might mean many failed login attempts, indicating password guessing. With networks, a packet found behind a firewall with an external source address could be a significant anomaly. In other words, anomaly detection focuses on spotting events that have occurred that shouldn't have if everything was working properly and no one was misbehaving. Intrusion detection systems must recognize an exhaustive set of attack signatures, so as to avoid missing any abusive activities. The paradox here is that by being alert to a large variety of 'strange' events, these systems may report many false alarms. To address the situation, the earliest systems offered administrators a threshold feature. For example, a failed login attempt would need to be repeated several times before an alarm would sound. Setting the threshold too low meant too many false alarms; too high a threshold could mean that attacks were missed. Network intrusion detection and response products do not replace firewalls. Rather, they watch network traffic with the aim of detecting attacks within intranet boundaries - attacks that might have slipped past a firewall or originated within an organization. If you have networks that contain very sensitive systems, or if you just want to be certain that your firewall is working correctly, you need to have a network intrusion detection product that can hear every snap and rustle emanating from your networks. Network Magazine, October 1997, pp. 137-138.
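The two anomaly checks the abstract names, with the threshold knob exposed, as an added example that is not from the article, run over a constructed sample log (addresses, user names and timestamps are made up). It reads "a packet found behind the firewall with an external source address" as a packet that originated on the internal segment, because packets the firewall itself delivers to internal clients legitimately carry external source addresses; the "fw"/"lan" field that records where a packet came from is an assumption of the example, standing in for whatever interface or MAC information a real sensor would use.

```python
# Added example (not from the article): the two anomaly checks the text
# describes, run over a constructed sample log, with the alarm threshold
# exposed so its trade-off can be seen.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: host login audit records and packets captured on the
# internal segment. "fw" = handed in by the firewall's inside port,
# "lan" = originated by a host on the segment itself.
SAMPLE_LOG = """\
1997-10-01T09:00:01 login fail 10.0.5.7 alice
1997-10-01T09:00:03 login fail 10.0.5.7 alice
1997-10-01T09:00:04 login fail 10.0.5.7 alice
1997-10-01T09:00:06 login fail 10.0.5.7 alice
1997-10-01T09:00:07 login ok 10.0.5.7 alice
1997-10-01T09:01:00 login fail 10.0.9.2 bob
1997-10-01T09:01:10 pkt fw 203.0.113.4 -> 10.0.0.15
1997-10-01T09:01:11 pkt lan 10.0.0.15 -> 203.0.113.4
1997-10-01T09:01:12 pkt lan 198.51.100.23 -> 10.0.0.15
1997-10-01T09:01:13 pkt lan 192.168.1.9 -> 10.0.0.15
"""


def parse(line):
    ts, kind, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, rest.split()


def failed_login_alarms(lines, threshold, window=timedelta(seconds=60)):
    """Alarm on a source the moment it reaches `threshold` failed logins
    inside `window`. Threshold 1 flags every mistyped password (false
    alarms); a high threshold lets slow guessing through undetected."""
    recent = defaultdict(list)
    alarms = []
    for line in lines:
        ts, kind, fields = parse(line)
        if kind != "login" or fields[0] != "fail":
            continue
        src = fields[1]
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) == threshold:
            alarms.append(src)
    return alarms


def spoofed_sources(lines):
    """Packets that originated on the internal segment yet carry a source
    address outside it. Packets the firewall delivered are skipped:
    replies to internal clients legitimately have external sources."""
    found = []
    for line in lines:
        _, kind, fields = parse(line)
        if kind != "pkt":
            continue
        via, src, _, dst = fields
        if via == "lan" and not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            found.append((src, dst))
    return found


def analyze(text, threshold=3):
    lines = text.splitlines()
    return {"password_guessing": failed_login_alarms(lines, threshold),
            "spoofed_packets": spoofed_sources(lines)}


if __name__ == "__main__":
    for t in (1, 3, 5):
        print(t, analyze(SAMPLE_LOG, threshold=t))
```

Running it with thresholds 1, 3 and 5 shows the trade-off the article describes on one log: at 1 both bob's single typo and alice's burst raise alarms, at 3 only alice's burst does, and at 5 her four failures pass unnoticed. The spoofed-source check has no threshold, since one such packet is already an event that should not happen.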

A new and nasty way to flood networks with spam, Grant Faulkner. A single spam E-mail message can have thousands of addresses that are bound for different domains. In the past ISPs have tried to prevent these mass mailings through filters that reject messages addressed to 10 or 20 addresses, or by blocking specific IP addresses known to host spamming forays. But spammers have swerved around that obstacle by 'spoofing' their spam. Spoofing takes advantage of the open relay capabilities in SMTP, which were never set up to authenticate users. By changing the sending address, spoofers bounce their mailings off an SMTP server that relays the messages on to other systems. The larger technical problem is that a spam attack can overload a server and degrade a company's mail service. To ward off relay spammers there are products available which enable administrators to configure the software to accept only mail that originates from local users or that is destined for local users. Since the sending address is precisely what a spoofer forges, 'originates from local users' has to be decided from the connecting client's network address or its authentication, not from the address it claims. However, systems administrators should not become complacent with new anti-spamming features. They know from

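The relay policy the spam abstract describes, as an added example that is not from the article or from any of the products it refers to. The decision keys on the connecting client's address or authentication state, never on the MAIL FROM address, and a naive sender-based variant is included to show why a spoofed sender walks straight through it. The domain example.com, the 10.0.0.0/8 network and the envelopes are constructed for the example.

```python
# Added example, not from the article or any vendor: the relay policy the
# abstract describes. The relay decision keys on the connecting client's
# address or its authentication, never on MAIL FROM, because the sender
# address is exactly what a spoofer rewrites. Domains, networks and
# envelopes below are constructed for the example.
import ipaddress

LOCAL_DOMAINS = {"example.com"}                    # domains we deliver for
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # our own users' addresses


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_local_client(client_ip, authenticated):
    """Who is talking to us, judged from the connection, not the envelope."""
    return authenticated or any(ipaddress.ip_address(client_ip) in net for net in LOCAL_NETS)


def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide one RCPT TO. Mail for our domains is always taken (we are the
    final destination); mail for elsewhere is relayed only for local or
    authenticated clients. Returns (accept, SMTP-style reason)."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "250 local recipient"
    if is_local_client(client_ip, authenticated):
        return True, "250 relaying for local client"
    return False, "550 relaying denied"


def naive_relay_decision(mail_from, rcpt_to):
    """The configuration spoofers exploit: trusting the claimed sender."""
    return domain_of(mail_from) in LOCAL_DOMAINS or domain_of(rcpt_to) in LOCAL_DOMAINS


def screen_envelope(client_ip, authenticated, rcpts):
    """Process the RCPT TO list the way a relay does, one recipient at a
    time, so a thousand-address spam from outside keeps only local ones."""
    accepted, rejected = [], []
    for rcpt in rcpts:
        ok, _ = relay_decision(client_ip, authenticated, rcpt)
        (accepted if ok else rejected).append(rcpt)
    return accepted, rejected


def spoof_attempt():
    """Constructed spam envelope: an outside host claims a local sender.
    Returns (naive policy accepts?, client-based policy accepts?)."""
    client, mail_from, rcpt = "203.0.113.9", "boss@example.com", "victim@other.org"
    return naive_relay_decision(mail_from, rcpt), relay_decision(client, False, rcpt)[0]


if __name__ == "__main__":
    print(spoof_attempt())  # (True, False)
    print(screen_envelope("203.0.113.9", False,
                          ["a@example.com", "b@other.org", "c@third.net"]))
```

The client-based policy still accepts every message addressed to a local domain from anywhere, which is what an inbound mail server must do; what it refuses is carrying an outsider's mail to a third party, which is the only thing the relay spammer needs.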