Friday, June 20, 2008
Testing your Email Security
When you enter your email address to perform the tests, you will first receive an email that asks for confirmation. Once you confirm your request, a series of test emails will be sent. Each email will outline the results of the test. Naturally, none of the test emails contain any harmful code or viruses. The emails are designed to fool your security software into detecting a potential threat.
Although the company offering the tests is in the business of selling security software, I believe all the tests are legitimate and above board. When requesting the test, you are given the option of subscribing to the GIF Newsletter, but I have never received unsolicited email from the company.
To read more about the service and request the tests, click the link below.
Testing Your Online Security
A good way to find out if your system is really as secure as you'd like it to be is to request an online security test. A number of sites offer security tests free of charge. Three testing sites that I personally know and trust are listed below.
This site is run by Steve Gibson, a well-known and respected Internet personage. There is a lot of good security information available on the site, as well as the testing procedures and how to use them. The site resonates with Mr Gibson's unique and flamboyant communication style.
The scans on the site are labelled "Privacy" and "Security". They are simple to use and very fast. A good way to get a quick heads up on the state of your computer's security. The site also has a lot of information and links about security issues.
Another popular site that allows you to perform a port scan at the click of a button. After the scan is completed, a click of the "Results" button opens a page that reports on the health of your security setup.
All being well, these sites should generate a report that explains how secure your system is. If there are holes in your security, the reports will suggest ways of filling them. If I'm testing a computer's security, I usually take the time to request tests from at least two of the sites above. A second opinion is always good to have! The result to aim for is that your computer is operating in "stealth mode". That is, it is virtually invisible to intruders looking for an easy mark.
As I mentioned, there are a number of sites that offer security tests. However, some of these "tests" are completely bogus and are designed to scare users into purchasing software that they may not even need. One of the dirty little tricks these sites employ is to make you think that the entire contents of your hard-drive are available for all to see. They do this by apparently displaying the contents of your hard-drive in your web browser. In reality, nobody but you can see your files. The trick is achieved by placing a script in the website's code that simply opens your C drive in your own browser. You can do this yourself by typing "C:" (without the quotes) in the address bar of your browser. Try it! It's actually quite a useful alternative way of manoeuvring through the files stored on your hard-drive.
Well, hopefully your computer manages to achieve a good report card. Of course, the scum who try to break into other people's computers are often very canny. No computer security system can claim to be totally foolproof. However, doing a little online testing can help you to ensure that your computer is as secure as possible.
Security Important for Firm's Web Operations
Some Security Considerations. Do you run a web site or control any security assets? If so, you should periodically run a basic security check on these assets. Some of the things to look for are actually basic issues from physical security. Consider:
- Human risks are probably still the most significant challenge a security manager has to consider. When you consider that threats can come from the inside or outside you should also consider that insiders have a head start.
- Further consider security training. Social engineering threats are common. You'd be surprised how many passwords are given out by employees just by someone saying they are from the computer shop and asking for the password over the phone.
- Web sites can provide information for attacks or social engineering. Contact information is often posted, and sometimes system information is put into the headers of web pages; these headers can be read as part of the page source code.
- Make certain all software is properly installed and all security patches obtained and installed. Even with this, there are common errors that are often not caught. Look in copies of CK Now for "buffer overflow" for the most obvious example.
- Completely test, particularly for security problems, all software written in-house. Make certain you understand everything it does, particularly when data is input in the wrong locations and/or in the wrong form. For example, if you truncate long IDs you might allow the wrong user to access data (SmithJohn might also be allowed for SmithJohnathan).
- If you update underlying software, consider retesting everything. It's not uncommon for operating system changes to introduce new holes that might now become available for exploitation.
- Know what others are doing with your site. There are many services that exchange links and/or place ads on your site. While not necessarily a direct threat, you might not want some of the advertisers being served on your site. Check to see if you can limit the type of advertising fed to your web site.
- Consider having backup sites customers can use if you have a business-intensive site. Down time is noticed, and customers don't care if it's caused by systems being down or by denial-of-service attacks. On a similar line, make certain your provider has the bandwidth and machine capability to serve your needs, particularly directly after an advertising campaign.
- Privacy is important to users. Keep that in mind. Consider not just having an enforced policy but helping the users by not allowing them to have easy-to-guess passwords, as one example. This will also help stem the tide of identity theft.
- Be aware of who is looking at your web site(s). Get a good log analysis program and use it. Maybe you can spot trends before they become problems.
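The truncated-ID case from the in-house software item above, as an added example that is not from the newsletter: a lookup that silently cuts IDs to an assumed nine-character field (so SmithJohnathan is served SmithJohn's record) beside one that refuses IDs that do not fit and requires an exact owner match. The records, field width and salaries are constructed.

```python
MAX_ID_LEN = 9  # assumed fixed-width user-ID field, e.g. CHAR(9) in a legacy table

# Constructed sample records, keyed by user ID and tagged with their owner.
RECORDS = {
    "SmithJohn": {"owner": "SmithJohn", "salary": 52000},
    "JonesAnn": {"owner": "JonesAnn", "salary": 61000},
}


class AccessDenied(Exception):
    """Raised when a user ID cannot be matched to exactly one record."""


def lookup_truncating(user_id):
    """Vulnerable: the ID is silently cut to the field width before the lookup,
    so 'SmithJohnathan' collapses to 'SmithJohn' and is served John Smith's record."""
    key = user_id[:MAX_ID_LEN]
    if key not in RECORDS:
        raise AccessDenied(user_id)
    return RECORDS[key]


def lookup_strict(user_id):
    """Hardened: an ID that does not fit the field is rejected instead of truncated,
    and the record's stored owner must equal the full ID that was presented."""
    if not user_id or len(user_id) > MAX_ID_LEN:
        raise AccessDenied(f"ID does not fit in {MAX_ID_LEN} characters: {user_id!r}")
    record = RECORDS.get(user_id)
    if record is None or record["owner"] != user_id:
        raise AccessDenied(user_id)
    return record


def register_strict(user_id, record):
    """Hardened registration: refuse IDs that would be truncated or that collide.
    Returns True if the record was stored."""
    if not user_id or len(user_id) > MAX_ID_LEN or user_id in RECORDS:
        return False
    RECORDS[user_id] = dict(record, owner=user_id)
    return True


def is_allowed(lookup, user_id):
    """True if `lookup` serves a record for `user_id`, False if it denies access."""
    try:
        lookup(user_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for name, fn in (("truncating", lookup_truncating), ("strict", lookup_strict)):
        print(f"{name:11s} SmithJohnathan allowed: {is_allowed(fn, 'SmithJohnathan')}")
```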
MS Word Macro Virus Strikes VAFB
Computer security officials from 30th Communication Squadron and local contractors are scurrying to cope with an onslaught of the Microsoft Word Macro computer virus. Because it operates in a new way, computer virus software written before last winter is completely ineffective against it.
Several calls a week have been received since November 1995, most involving multiple systems. A technician responding to one such call discovered that 47 computers had been compromised by that one outbreak alone! In each case, the technician must install anti-virus software and repair all of the affected systems.
The virus is not showing any partiality. Computers being used by active duty military, government civilians, and contractor employees are all being struck. The activities involved include space launch, base support, and research and development. One official estimated that as many as 60% of Vandenberg’s computers which are connected to networks may have been attacked, and that all are at risk. A quick check at other locations, including Los Angeles AFB, CA, disclosed that the virus is widespread there also.
Unlike previous viruses, this new type infects data and document files, not just “executables” like “.EXE,” “.COM” and “.BAT”. It does this by using the WordBasic macro language to infect and replicate in Microsoft Word documents and templates. Unlike older viruses which were usually confined to a single computer platform, the new virus attacks documents and templates on DOS, Mac, Windows 3.x, Windows 95, and Windows NT operating systems. Variations of the virus, called DMV, Concept, and Nuclear, appeared shortly after the initial virus.
Once an infected document is opened, the virus launches itself. Generally it will infect the user’s NORMAL.DOT template. This template is the basis for most other documents and quickly spreads to all other documents and templates as they are opened. It forces the users’ computers to save documents as templates instead of documents, since only templates can contain the macro language which contains the virus.
The virus has spread so quickly because many sophisticated users employ e-mail to share documents, instead of printing them and sending the resulting paperwork via “snail mail.” Several of the original infections came in documents titled “FURLOUGH.DOC” (about the furlough of government civilians) and “CONNESTOGA.DOC” (about the failure of the Connestoga commercial space vehicle launched last year at Wallops Island, VA).
The Microsoft Word Macro Virus, unlike most others, will warn you immediately when it infects your computer. It will bring up a dialog box with the title “Microsoft Word,” the numeral “1,” and an “OK” button. If you see the dialog box right after you open a document, stop what you are doing, and notify your help desk IMMEDIATELY.
The Nuclear strain of the virus is the only macro virus currently known to cause damage to your print outs and DOS system files. If you open the document between 55 seconds and the next minute, any print job will have the text STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC! appended to it. If you open the document between 5 and 6 PM, it will attempt to infect your machine with the ph33r virus. This part is not damaging however, because it installs a Terminate and Stay Resident (TSR) program in a DOS session that ceases to exist when the macro finishes. On April 5 of any year, IO.SYS and MSDOS.SYS are zeroed out, and COMMAND.COM is deleted from your root directory. DOS can no longer boot, and presumably, by zeroing out the crucial files, won't notify you that DOS is gone at boot time.
In October 1995, Microsoft released its Macro Virus Protection Tool, SCANPROT.DOT. If you already have it loaded, exiting Word will automatically clean up the document and your Microsoft Word program templates. The macro virus protection tool alerts users anytime a document containing macros is opened. Since the virus is spread through macros, users will be alerted when they try and open a document containing the virus. Users can protect themselves from the virus by choosing to open the file without macros.
Computer security and help desk people, including 30th Communications Squadron and B D Systems, Inc., have the new anti-virus software available. If you think your system may have been affected, call them immediately.
Virus Infections Increasing
A recent study of 300 companies is reported to have shown that the rate of virus infection increased some 48% over a one year period, despite the fact that the companies regularly used anti-virus software. The problem? While anti-virus (AV) software was installed, it was not kept up to date regularly.
On average, the survey showed more than 86 viruses per 1,000 computers with disks brought from home as being the most popular vector. (Computer Knowledge strongly recommends that any company AV contract allow installation on both company and home computers.) Second most common vector was the e-mail attachment. Macro viruses were the most common virus type.
So, again, keep your anti-virus software updated!
Computer Security with a Sense of Humor
Tired of the same boring, hard to understand advice on protecting your computer from viruses, hackers, and other cyberpunk pests? Then you’ll love Michael Alexander’s Underground Guide to Computer Security.
Alexander (Managing Editor at Datamation and until recently Editor-in-Chief of InfoSecurity News) promises “slightly askew” advice on ways to protect your computer. Actually, it is off-center only in its delightful sense of humor.
The book covers everything from email—it’s not that private; many people along the electronic pathway can read what you write—to the “1,000 points of fright” you must brave on the Internet. Many of his security tips are common sense reminders, but a little refresher course cannot hurt.
He reminds us that most people leave the network doors to their data unprotected by choosing passwords which are easily guessed or broken. Alexander recommends longer (six to eight characters) and more complex ones (including upper and lower case, numerals, and symbols). He warns against sharing your password and disdains the Windows 3.1 screen saver password feature. “It doesn’t do squat. Simply rebooting the computer and restarting Windows is all anyone needs to go to get a peek at that résumé you’ve been working on when no one was looking.”
“Using a cell phone is not much different than yodeling to convey your private affairs from one mountaintop to another,” Alexander cautions in another chapter. He explains snoops can use a $99 radio scanner to eavesdrop on conversations. O. J. Simpson defense attorney Alan Dershowitz was overheard discussing the case while kicking back at his summer home on Martha’s Vineyard. Fortunately for him, the employees of the ambulance company who overheard him called to warn him.
For me, one of the best features of the book is the concise checklists which challenge the readers’ knowledge and whether they practice what Alexander champions. Try answering (honestly, now) the Risk Assessment Test. See if you follow the tips on his Computer Security Tipsheet.
Underground Guide provides an easy to read introduction for those who don’t understand computer security. Alternatively, it’s a great book to have on your bookshelf to lend to friends who don’t have a clue about it. You will smile as you read this book, despite the seriousness of its message.
Reviewed: The Underground Guide to Computer Security: Slightly Askew Advice on Protecting Your PC and What’s On It by Michael Alexander, Reading, MA: Addison-Wesley Publishing Company, Paperback, 218 pages, $19.95, 1996.
Software Piracy: Let the Buyer Beware
Usually people think about software piracy as an intentional act. Someone “borrows” disks from a friend or work place and copies them for personal use. However, computer buyers may be unknowingly buying their new Macs, 486s, and Pentiums with illegal software!
As a way to compete with direct mail and computer superstores, some small computer stores are loading illegal copies of software onto computers they sell. They do not furnish publishers’ manuals, and the program disks--if any are provided--are locally produced duplicates. The added software provides an incentive for the buyers, who may not be aware that they do not legally own the software.
Until recently, commercial software always came with a printed manual and usually came with a registration card. A few programs on CD-ROM are experimenting with on-line documentation. However, since a CD-ROM cannot be copied as easily as programs sold on 5.25” and 3.5” disks, it is easy to prove legitimate ownership of the software.
What should you, the computer buyer, do? Exercise caution. Do not accept a computer without manuals and disks (CD-ROM or floppy) from the manufacturer. If the seller does not offer them to you, either demand them or buy some place more reputable.
Information Warfare Primer
Computer science professor Dorothy E. Denning’s Information Warfare and Security isn’t just the usual fare. It provides a lot of practical information written so laymen can understand it. Instead of zeroing in on just computers and hackers, she explains the value of information, no matter where or how it is stored. Information warfare is a confrontation in which the offense tries to steal information—not physical goods—to the detriment of the other side.
Her book points out what security professionals already know—that much of the danger comes from insiders. She breaks that group into six different classes, from traitors (“traditional” spies like Aldrich H. Ames and John A. Walker, Jr.) to untrustworthy subcontractors (a supervisor of a janitorial crew who tried to sell Pittsburgh Plate Glass’s plans) to people who con their way past security guards (Kevin Mitnick during his early escapades against Pacific Bell).
Of course, not all threats come from insiders. Thanks to computer networks, information can now be accessed – and stolen – from great distances. She gives brief case studies of hackers and their attacks, and how weak laws made investigation and prosecution difficult. She explains in layman’s terms how many of the denial of service attacks against computer systems (like the “ping of death” and “syn flood”) work.
Unlike some other books on the topic, hers is rich in details (like names, places, dates and footnotes). For example, she relates the stories of how several celebrities, including unlikely bedfellows Rush Limbaugh and President Bill Clinton were victims of an e-mail flood attack.
As she points out, infowar is not a zero sum game. The writer of a new computer virus or a hacker who breaks into a site and steals some files gains ego satisfaction and some (largely anonymous) acclaim. The company whose computers are struck may lose much more: the cost of repairs and lost productivity, perhaps lost investor confidence or business opportunities. Compromised business plans and data, which may be of no value to the hacker, may now be suspect.
Denning also explains the most effective defenses against both high tech and low tech attacks. Her sections on encryption, steganography, and authentication techniques are written in simple English and are easy enough for even a neophyte to follow.
Not surprisingly, she concludes with tried and true cautions to security managers. Security education is the most cost-effective measure a company can take. Other steps include building secure systems, monitoring vulnerabilities, managing risks, and following up aggressively when incidents do take place.
I’m glad to add this readable and interesting book to my security library, and recommend you do the same.
Reviewed: Information Warfare & Security by Dorothy E. Denning, Reading, MA: Addison-Wesley, 1999, paperback, $34.95.
Cyberattacks Spur Approval of INFOCON Structure
TooShort. Makaveli. The Analyzer.
These three teenagers—the first two from northern California, the other from Israel—set off alarms within DOD early this year with their successful attempts to hack into unclassified DOD computers. Because the attacks came during the build-up for possible military actions against Iraq, DOD officials were initially concerned that the US was being targeted in a preemptive information warfare strike. At risk were unclassified systems containing data on Persian Gulf related logistics, personnel, etc.
In part in response to them and in part in response to other hackers, the Defense Department has created a new alert system designed to rate the level of threats to its information system. The new Information Conditions (INFOCONs) are structured similarly to the Threat Conditions (THREATCONs) used to rate terrorist threats.
Each level indicates an increase in the threat to DOD information technology systems. Structured, systematic attacks to penetrate multiple systems will result in a higher INFOCON rating than individual, isolated attempts. Since DOD will use them in response to different conditions, raised INFOCON and THREATCON levels will not necessarily go hand in hand.
The INFOCON levels include:
- INFOCON NORMAL indicates normal threat environment and precautions apply.
- INFOCON ALPHA indicates a heightened threat of possible information attack, to include an increased number of problems which might indicate patterned surveillance/reconnaissance.
- INFOCON BRAVO indicates that a demonstrated, increased, and patterned set of intrusion activities exists, to include a compromise of system resources. Examples include dedicated computer sweeps, scans, or probes and a significant increase in detected viruses, nuisances, phreaking, pinging, and spamming.
- INFOCON CHARLIE indicates that an actual information attack has occurred, or that intelligence indicates an imminent information warfare attack. This includes the response to any collection efforts targeted against classified systems.
- INFOCON DELTA indicates the severity of an information attack has significantly degraded mission capability. Primary efforts at INFOCON DELTA are recovery and reconstitution.
Last fall, the Presidential Commission on Critical Infrastructure Protection issued a report entitled “Critical Foundations: Protecting America’s Infrastructures.” Part one focused on how America’s vulnerabilities have changed because of our increasing dependence on computers and networks. Part two talked about steps that should be taken to protect our infrastructures and minimize future vulnerabilities. The report, in Adobe Acrobat format, can be viewed or downloaded from http://www.pccip.gov/report_index.html.
Win Schwartau, an author and consultant on information warfare, has recommended that the Departments of Justice and Defense cooperate with large organizations and enterprises in the civilian sector to develop a stronger information protection program. This is because the critical infrastructures, including communications, finance, power, and transportation, are under the control of commercial organizations. Schwartau has written “The contention is that the Pentagon is in the physical war business. . . .That contention, too, is a matter of healthy debate when we ask ‘Who protects the private sector from international assaults that do not involve bombs, airplanes and submarines?’” Schwartau’s web site is at http://www.infowar.com/.
TooShort, Makaveli, and The Analyzer were part of a hacker group called “The Enforcers.” After the trio’s arrests, other Enforcers— including Paralyze, Immunity, and DooM—launched a brief campaign of retaliatory hacks against commercial and government web pages. More information on the group, their successful hacks, and their announcement of a truce can be found at http://www.antionline.com/.
Hacker Attacks Against Home Computers
Attacks against computers are fairly well endemic on the Internet these days. It’s important, for that reason, that you be protected by both anti-virus software and some sort of personal firewall.
I use BlackIce Defender (protects incoming only) but others are available; some free.
Let’s look at my system as just one example. I’m on the Internet via a dial-up link so the IP address changes each time I’m logged on. I’m connected various times that total maybe two hours on an average day (give or take a few minutes and assuming no major downloads or uploads).
Looking at my BlackIce logs for the period between 1 September 2000 and 30 November 2000 (three months), I find:
36 identifiable attacks divided up as follows—
19 NetBIOS probes (a well-known attack vehicle)
5 SubSeven probes (looks for SubSeven Trojan)
5 UDP probes (looking for a particular open port)
3 TCP fingerprint probes (looking for ways in)
1 IRC probe (looking for this service)
1 NetBus probe (looks for NetBus Trojan)
1 RPC probe (looking for this known service)
1 SNMP probe (looking for this service)
Remember, this is for a dial-up account that changes IP addresses and is only connected on average a couple of cumulative hours a day. If you have an “always on” broadband link of some kind (e.g., cable modem or DSL connection) you are considerably more at risk.
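The tally above, and the earlier advice to get a log analysis program and use it to spot trends, as an added example that is not from the newsletter: a small log analyser that counts probes by type and by month, picks out sources that come back repeatedly, and normalises the total against time spent on-line. The log format and its entries are constructed for this example and are not BlackIce's own format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not BlackIce's native format):
# date, time, event name, source address.
SAMPLE_LOG = """\
2000-09-03 21:14:07 NetBIOS probe 203.0.113.17
2000-09-03 21:14:09 NetBIOS probe 203.0.113.17
2000-09-11 19:02:44 SubSeven probe 198.51.100.8
2000-09-11 19:02:50 UDP probe 198.51.100.8
2000-10-02 08:30:01 NetBIOS probe 192.0.2.200
2000-10-17 22:45:12 TCP fingerprint probe 203.0.113.17
2000-11-05 17:10:33 NetBus probe 198.51.100.8
2000-11-29 23:59:59 NetBIOS probe 192.0.2.77
"""


def parse_log(text):
    """Turn log lines into dicts with a datetime, an event name and a source."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        date, time, *name, source = parts
        events.append({
            "when": datetime.fromisoformat(f"{date} {time}"),
            "name": " ".join(name),
            "source": source,
        })
    return events


def tally_by_type(events):
    """Counts per event name, the same breakdown as the list in the article."""
    return Counter(e["name"] for e in events)


def tally_by_month(events):
    """Counts per calendar month, for spotting a rising trend."""
    return Counter(e["when"].strftime("%Y-%m") for e in events)


def repeat_sources(events, min_hits=2):
    """Source addresses seen at least `min_hits` times: candidates for a block rule
    or a report to the source's provider."""
    hits = Counter(e["source"] for e in events)
    return {src: n for src, n in hits.items() if n >= min_hits}


def probes_per_online_hour(events, days, hours_per_day):
    """Normalise the count by connected time, so a dial-up user on for two hours
    a day can compare with an always-on link."""
    return len(events) / (days * hours_per_day)


def report(text, days=91, hours_per_day=2.0):
    """Assemble every summary into one dict; `days` and `hours_per_day` are assumed."""
    events = parse_log(text)
    return {
        "total": len(events),
        "by_type": tally_by_type(events).most_common(),
        "by_month": sorted(tally_by_month(events).items()),
        "repeat_sources": repeat_sources(events),
        "per_online_hour": probes_per_online_hour(events, days, hours_per_day),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```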
Hackers Attack USAF Computers
The summer 1996 hearings by the Senate Governmental Affairs Permanent Investigations Subcommittee are focusing on the vulnerability of DOD computers. This highlighted the recently declassified story of the March-May 1994 assault by a pair of hackers against AF computers.
According to press accounts, on March 28, 1994, network administrators at Rome Air Development Center, Griffiss AFB, NY, discovered that their system had been broken into five days earlier. The Defense Information Systems Agency (DISA) sent a Computer Emergency Response Team (CERT) of experts to kick off an investigation that quickly spiraled. Other agencies involved in the month and a half investigation included the AFOSI, the AF Information Warfare Center, and New Scotland Yard.
The two hackers, “Datastream” and “Kuji”:
* Downloaded sensitive unclassified battle-field simulation program data from RADC (the USAF’s command and control research facility);
* Compromised 100 user accounts; read, copied, and deleted e-mail from 30 different RADC systems.
* Stole all the data from the Korean Atomic Research Institute and stored it on the RADC computer, leading to fears the Koreans would think the USAF was conducting electronic espionage against them; and
* Stole a 3-4 megabyte artificial intelligence program dealing with the Air Order of Battle from Wright-Patterson AFB, OH.
Other systems the hackers allegedly compromised included:
* the National Aero-Space Plane Joint Program Office at Wright-Patterson AFB, OH;
* NASA’s Goddard Space Flight Center in Greenbelt, MD, and Jet Propulsion Laboratory in Pasadena, CA;
* the Department of Energy’s Brookhaven National Laboratories in New York;
* four California and one Texas network of an aerospace industry firm; and
* SHAPE at The Hague, Netherlands.
The investigative team monitored the hackers’ activities and turned to informants to “surf the Net” for clues. The sources on the Net provided a lead on a United Kingdom hacker known as the Datastream Cowboy who liked to hack into American military systems because they were so insecure. On May 12, 1994, New Scotland Yard entered the home of Datastream, a 16 year old British boy with a 486SX-25 desktop, and arrested him. He had been making free calls by “phone phreaking,” and paid for his Internet time with a credit card number generated by a program he had downloaded from the Internet.
Datastream, the less skillful of the two hackers, had been mentored by Kuji, whom he had met only on-line. He provided many of the stolen files to Kuji, who has not yet been identified. Since Kuji has not been apprehended, authorities do not know where the stolen files were sent or how much damage was done to national security. The GAO estimated the cost to the government was over $500K, not counting the value of the stolen research data.
There is even more bad news. During 1995, DISA launched 38,000 on-line attacks to probe the defenses of DOD computers. Only 4% of the attacks were detected and only 27% of those were reported to the proper offices. DISA has estimated that hackers attacked Pentagon computers about 250,000 times in 1995. As many as 65% of these were successful! The National Security Agency reports that almost 120 countries can program computer attacks against the US.
More and more of our valuable information is stored on computers linked to networks. The threat against them is different from the traditional espionage case government and contractor professionals have studied for years. If a 16-year old with an old computer can do such damage, imagine what an industrial or international spy with years of training could do! In the future, the measures we take to understand and defend these systems may mean the difference between success and failure.
Corporate Security Must Become Computer Smart
Businesses and their security staffs must increasingly become computer-smart. This is the message that Detective Sergeant Bruce Pixley, Supervisor of the High Tech Crimes Unit of the Santa Barbara County Sheriff’s Department, told a joint NCMS/ASIS dinner meeting on November 9, 2000.
“Too often corporate security people do not understand computers thoroughly enough, and they make blunders when investigating suspects’ computers. When they go to the IT or MIS departments for technical assistance, they find experts who do not understand evidentiary chain of custody or the special software needed if cases are to end up in successful criminal prosecution,” he said.
Like most law enforcement agencies, the Sheriff's Department does not get involved in forensic examination of computers for purely internal matters, like downloading sexually explicit photographs or wasting time on the Internet. However, law enforcement will be glad to assist firms if they suspect crimes like fraud, theft, child pornography, etc.
Pixley began his law enforcement career as an Army K-9 unit military policeman. After separating, he joined an area police department, and transitioned to the Sheriff’s Department when his city contracted law enforcement services.
He always enjoyed both computers and law enforcement. He had his first computer 22 years ago with 48 kilobytes of memory (as opposed to 64 or 128 megabytes of memory, which are common today) and a slow acoustic modem. Before the Internet became popular, he ran a Bulletin Board Service from his home.
As computers have become more integral in the everyday lives of people, Pixley’s agency has realized an increasing need for a specialized unit. Cases fall into several broad categories. In some, such as pedophiles that share child pornography images or search for victims on-line, the computer is central to the offense. In other cases, the computer is only peripheral to the crime itself, but helps in building the case. For example, thieves may record their exploits or write e-mail to friends.
The popularity of high speed internet access, such as through cable modems and DSL lines, exposes individuals to risks they had not expected. If a home firewall isn’t used to protect a PC connected to these “always on” services, hackers from anywhere in the world can look through a person’s private affairs. “Have Turbo Tax on your PC?” asked Pixley. “That gives your social security number and tells about your income and taxes. Have Quicken or Microsoft Money? That’s good too. And the hackers take spreadsheets and word processing documents just to see what they can find.”
It is critical that parents become closely involved with their children’s web habits. Pedophiles often seek out children in chat rooms, befriend them, and try to lure them for a visit. Pixley, who taught DARE classes in the schools for three years, often poses as a teenager in an effort to track down suspects.
Getting a high speed connection may pose a temptation for the young would-be hacker. “It takes forever to hack web sites using a 28.8 or 56.6 modem,” Pixley commented. “It’s much more doable with DSL speed.”
Typically a forensic examination begins by making an image of the hard drive in a suspect’s computer. That allows the files to be examined without disturbing the original drive – the evidence. Special software makes searching the drive easy. Graphic images, like JPEGs and GIFs, all begin with standardized headers. The software finds and recovers these images from anywhere on the hard drive – even from “slack space” and unallocated space after they have been deleted – as long as they have not been overwritten.
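The header-based recovery described above, as an added example that is not the software Pixley refers to: a carver that scans a raw image for JPEG and GIF signatures, cuts each file out at its trailer, and reports a header whose trailer is missing (the tail was overwritten) rather than guessing at it. The disk image, the JPEG-like blob and the 1x1 GIF are constructed in memory; the JPEG is only signature-correct, not a decodable picture.

```python
# Carving rules: (kind, header signature, trailer signature).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),   # SOI marker ... EOI marker
    ("gif", b"GIF87a", b"\x00\x3b"),          # block terminator + GIF trailer
    ("gif", b"GIF89a", b"\x00\x3b"),
]

# Constructed sample files.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"constructed payload" + b"\xff\xd9")
SAMPLE_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"   # header, 1x1 logical screen
              + b"\x00\x00\x00\xff\xff\xff"                  # two-entry colour table
              + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
              + b"\x02\x02\x44\x01\x00"                      # LZW data + block terminator
              + b"\x3b")                                     # trailer


def build_sample_image():
    """A constructed 'disk image': an intact JPEG, a JPEG whose tail was overwritten
    (header survives in slack space, trailer gone), and a GIF, separated by zeros."""
    filler = b"\x00" * 64
    truncated_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 20
    return filler + SAMPLE_JPEG + filler + truncated_jpeg + filler + SAMPLE_GIF + filler


def carve(image, max_len=1 << 20):
    """Find every header signature and cut the file out up to its trailer.
    `data` is None when no trailer follows within `max_len` bytes, which is how an
    overwritten or truncated file shows up.  Signature carving ignores the file
    system entirely, so deleted files in unallocated space are found the same way."""
    found = []
    for kind, header, trailer in SIGNATURES:
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_len)
            if end == -1:
                found.append({"kind": kind, "offset": start, "data": None})
                start = image.find(header, start + 1)
            else:
                stop = end + len(trailer)
                found.append({"kind": kind, "offset": start, "data": image[start:stop]})
                start = image.find(header, stop)
    found.sort(key=lambda f: f["offset"])
    return found


def recovered(image):
    """Only the files that were carved out whole."""
    return [f for f in carve(image) if f["data"] is not None]


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        size = "incomplete" if f["data"] is None else f"{len(f['data'])} bytes"
        print(f"{f['kind']:5s} at offset {f['offset']:6d}: {size}")
```

A trailer search can overrun into the next file's data, and embedded thumbnails carry their own JPEG headers, so a real carver validates each candidate by parsing it before calling it recovered.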
Pixley recounted one case that began when a woman in Hemet, CA, discovered over $3,000 in fraudulent purchases had been made on a credit card she had recently received. One of the on-line businesses told her the goods had been shipped to Goleta, CA. “Where?” she asked. She did not know anyone there, so she filed a police report, which wound up on Pixley’s desk.
Pixley eventually determined that as many as eight credit cards were being used to order computers and high tech gadgets for the same address. A check with the local high school confirmed that a student lived there. And United Parcel Service had another delivery to be made. A Sheriff's detective, wearing a UPS uniform, made a controlled delivery. As soon as the suspect signed for the items, he was arrested and other deputies with a search warrant began going through his home.
Detectives learned that the suspect had used his computer during several phases of his crimes. First, he downloaded a program that would calculate mathematically correct credit card numbers. Second, he used it to generate the numbers, extrapolating them based on his own valid card. Third, he used the Internet to make purchases of – you guessed it – more computer hardware.
As a juvenile and a first time offender, the hacker got off with restitution and probation.
In another jurisdiction, the parents of a juvenile counterfeiter received an extra financial jolt on top of their son's criminal sentence. During the search of the juvenile's home, detectives recovered 5 illegal cable television descrambler boxes connected to the home televisions. “The cable companies love these cases,” Pixley concluded. “They bring civil suits for $5,000 per box. So while this young man is paying his debt, his family is paying an extra $25,000.”
Internet Hoax Strikes Vandenberg
The engineer raised his eyebrows when he saw a message in his e-mail inbox on February 20, 1997. It seemed to be an e-mail from him to himself.
It was ominously entitled “security breached by NaughtyRobot.” It announced “This message was sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.” It went on to warn it had “visited your host system to collect personal, private, and sensitive information. It has captured your Email and physical addresses, as well as your phone and credit card numbers.”
It was a hoax. This and other pranks prey on computer users’ realization that they are not experts and on their fear of what they do not understand. Especially in a security-conscious environment like a military base or a defense contractor, they also take advantage of people’s diligence.
The NaughtyRobot hoax surfaced in January 1997. It was detailed by Dave Beeler, who received his copy on February 6, 1997. His message and at least 1,000 others had been routed through a server in Germany. Others passed through Norway. The messages apparently were sent from a site in San Francisco, CA. Beeler could not tell if that was the original site or merely another stop along the route.
How were the NaughtyRobot victims picked? Many were webmasters, whose e-mail addresses are available on their WWW pages. Others left their e-mail addresses on guestbooks at websites, or in a public message in a USENET newsgroup.
The Vandenberg engineer who received the message immediately suspected something was not right. He did not keep personal information on his PC at work, and was certain it was not on his company’s network server. However, he had used e-mail, some USENET groups, and Listservers extensively in the past.
Several other Internet hoaxes plagued Vandenberg users recently. They included “Good Times,” which has been around since December 1994. That hoax warns that merely reading a message with Good Times as the subject would erase the reader’s hard drive. A similar scare came when the JCS released a message in January 1997 warning about the Wazzu strain of the Microsoft Word Macro Virus. It is not possible to infect a computer just by reading a message, though reading an attachment like a Microsoft Word document infected with a virus like “WM.Wazzu” will. You can safely read an e-mail, but you should scan any attachment for viruses before executing or reading it.
Copycats spring out of the woodwork after every successful Internet hoax. We can expect similar tricks to appear on April Fool's Day. How can you help stamp out the hoaxes? Charles Hymes, a senior human factors engineer for Hewlett-Packard, offers several suggestions. They include:
First, if you get a message “that seems like it should be shared with LOTS of people, ***DON’T SEND IT** unless you either KNOW the message is true, you can authenticate [the sender’s] identity. . .or you know the sender personally. . . .The more urgent it sounds, the more skeptical you should be.” If you must forward it to anyone, send it to your Computer Systems Security Officer (CSSO).
Second, try to check with the purported originator before sending it on. Pranks usually have forged headers and signatures. When you try to verify the validity of the message, you will discover the address is invalid.
Third, if the message tells you to do something, don’t. This is especially true if it involves changing your account information or sending a message to a stranger over the Internet.
The USAF has released a new instruction (AFI 33-129 Transmission of Information via the Internet). It specifically prohibits forwarding chain letters, etc. Most defense contractors have similar policies in place.
For more information on frauds, you can visit the Computer Virus Myths Home Page at http://www.kumite.com/myths. To read Dave Bealer's account of “Stupid E-Mail Tricks - The NaughtyRobot Hoax,” point your browser to http://www.rah96.com/rah96/naughtyr.shtml.
E-Mail Abuse Ruins Employee Holidays
It wasn’t the much-hyped Y2K bug that ruined the holidays of computer users in industry and government. It was misuse of e-mail to send “inappropriate” and “offensive” messages.
Between Thanksgiving and Christmas 1999, two cases of employee discipline were widely publicized. In the first, the New York Times announced it had fired 23 employees and disciplined an undisclosed number of others at a Norfolk, VA, office. In the second, the US Navy announced that it had disciplined over 500 employees at a logistics base in Pennsylvania. Though none of them were fired, some did receive suspensions as the result of an extensive investigation.
In the Times case, a memo from Cynthia Augustine, senior vice president for human resources, stated that “While the company does not routinely monitor the e-mail communications of employees, we do investigate when a violation of the company's e-mail policy is reported.” It went on to say that the fired employees “all transmitted clearly inappropriate and offensive material, which left no doubt as to the discipline required.”
E-mail has become a part of the lives of the military, civil servants, and corporate employees. An increasing number have two accounts, one at home and one at work.
It is important to remember that the one at work is on a computer provided by the government or by your employer. Those computers are to be used for the employer’s purposes, not for recreation. Generally, the employer has the right to inspect the computer—including reading e-mail and other files—to ensure abuses are not taking place. Prohibited activities include:
- Accessing pornography, which creates a hostile work environment for colleagues of the opposite sex;
- Accessing child pornography, which is illegal and can result in criminal prosecutions for civilians as well as military;
- Conducting a personal business;
- Committing theft or fraud;
- Intruding without authorization into any network, whether your own or someone else’s (both are considered hacking);
- Engaging in political activity; and
- Forwarding chain letters.
International Computer Security Day November 30, 2001
November 30th is International Computer Security Day. This event, which was started by the Association of Computing Machines and has hundreds of official cosponsors, is always the last day of November. This year's theme is "Improving Awareness." With the many viruses and bugs that have plagued the Internet during the last year, that should be easy to do.
The Computer Security Day Committee maintains a web site at http://clubs.yahoo.com/clubs/computersecurityday. It has also sent out some suggestions on how folks can participate. This page consolidates some of the e-mails I sent to my colleagues.
* Change your password. (Even if the network log-in script at work requires that, your ISP at home may not. Don't forget that account.)
* Check your computer for viruses. (When is the last time you updated your virus signatures and did a complete scan -- at home as well as at work.)
* Once you've verified that your data is virus-free, make a back-up of your most important files. (With network storage and CD-RWs, this is much easier now than years ago. So you've got no excuse for not doing it. If your system ever fails, you'll be glad you did.)
* Protect your computers and peripherals against power spikes and static electricity.
* Write-protect any diskettes that shouldn't be written to. (Many viruses still happily infect your 1.4" floppies for infection via the "sneaker net.")
* Learn more about computer virus myths/hoaxes. A couple of outstanding web sites include http://vmyths.com/ and http://www.symantec.com/avcenter/hoax.html
* Once you have backed up your files (tip above), delete files that are no longer needed.
* Verify your inventory of computer applications. You should only be running software that is legally owned. No "pirated" copies.
* Register and pay for all shareware that you use regularly.
* Verify your inventory of computer hardware. (Do you still know where all the peripherals are, or have some been transferred/moved?)
* Clean up the work area around your computer. Make sure that cups and glasses containing liquids are well away from your computer. Clean up the loose papers, dust, etc.
* Talk about ethical computer use with a friend or a coworker. (They might not know the penalties for unauthorized use of government/company computers.)
* Create a computer security poster. Send it to
Association for Computer Security Day
P O Box 39110
Washington, DC 20018
Note: members of the National Classification Management Society should also provide their work to their chapter for inclusion in the NCMS Poster Contest.
* Visit the official web site for International Computer Security Day at http://clubs.yahoo.com/clubs/computersecurityday
* If your organization isn't already signed up as a cosponsor for next year, go ahead and sign up at:
ACM Computer Security Day Committee
P O Box 39110
Washington, DC 20018
computer_security_day@acm.org
Computer Hacker World Views
As security professionals, we already understand many of the motives involved in traditional espionage—greed, ideology, revenge, coercion, intrigue. These also motivate individuals in the newly burgeoning areas of industrial espionage. It’s not as easy to understand the motives of those who hack into WWW sites or write computer viruses.
One good source of information is “cyberpunk” literature. William Gibson’s Neuromancer, published in 1984, is usually credited as defining the genre. The “hero,” a young man named Case, is a hacker who earns a living via industrial espionage. His life includes drug abuse, black marketeering, theft, surgical implantation of electronics, danger, and violence.
Computer security expert Paul Saffo wrote several years ago “I am particularly struck by the ‘generation gap’ in the computer community when it comes to Neuromancer: virtually every teenager hacker I spoke with has the book, but almost none of my friends over 30 have picked it up.”
Although it is difficult to define the movement, there are three main classifications of cyberpunks. Hackers are skilled or talented with most aspects of computers, electronics, and technology. For them, technology is not just a hobby but a way of life. Cypherpunks believe the government is out to invade the privacy of everybody on the planet. Their central goal is to out-smart the system. Ravers use synthesized and sampled music, computer-generated psychedelic art, and designer drugs to create massive all-night dance parties and love-fests in empty warehouses or remote locations.
Many cyberpunks believe that information and computing resources should be freely accessible to everyone. They do not believe it is wrong to break into someone’s computer, read files, or copy them. If anyone is at fault, it is the victim for failing to secure (or adequately secure) his or her system.
Here is a short list of books and films, in case you would like to learn more about this world view:
- William Gibson’s Neuromancer (1984), Count Zero (1986), Mona Lisa Overdrive (1988), and Virtual Light (1994).
- John Brunner’s Shockwave Rider (1975), a favorite of Robert Tappan Morris, Jr., author of the Worm which invaded two or three thousand Internet sites in 1988.
- Bruce Sterling’s Mirrorshades: The Cyberpunk Anthology (1986), The Artificial Kid (1980), Islands in the Net (1988), and Crystal Express (1990).
- Philip K. Dick’s Do Androids Dream of Electric Sheep? (1968) and the movie based on it, Blade Runner (1982) directed by Ridley Scott and starring Harrison Ford and Sean Young.
For those of you trapped in cars during long commutes, look for these titles on audiocassette. My local library had several of these titles on their shelves.
The Internet has several interesting WWW pages about cyberpunk literature. They contain more extensive discussions of the genre, as well as more extensive lists of books, films, and analytical articles. For one put together by a Purdue University doctoral candidate in English Literature, point your browser to http://omni.cc.purdue.edu/~stein/stein.htm.
What to do Before Computer Crime Strikes
One in five companies suffered network break-ins during the last year!
That is the startling conclusion of the Third Annual InformationWeek/Ernst & Young Security Survey. Nearly 70% said that security risks have worsened in the last five years; nearly 80% have hired a full-time information-security director.
If 20% of the nation’s companies with networks are successfully attacked every year, you would expect Vandenberg AFB firms would be among the victims. You would be right, too. A hacker used the Internet to break into a contractor-owned 486 PC in March 1995 and left the message “You really shouldn’t leave your computer open to the whole planet!!!!” on it.
The FBI’s National Computer Crime Squad (NCCS) investigates a wide array of computer crime, including: major computer network intrusions, network integrity violations, privacy violations, industrial espionage, pirated computer software, and other crimes where the computer is a major factor in committing the criminal offense.
What steps can we take beforehand to protect ourselves? Here are some tips from the NCCS:
- Place a login banner to ensure that unauthorized users are warned that they may be subject to monitoring.
- Turn audit trails on.
- Consider keystroke-level monitoring if an adequate banner is displayed.
- Request trap and tracing from your local telephone company.
- Consider installing caller identification.
- Make backups of damaged or altered files.
- Maintain old backups to show the status of the original.
- Designate one person to secure potential evidence.
- Evidence can consist of tape backups and printouts. These should be initialed by the person obtaining the evidence. Evidence should be retained in a locked cabinet with access limited to one person.
- Keep a record of resources used to reestablish the system and locate the perpetrator.
- Notices to alert users to potential security problems and information on related subjects are available from the Computer Emergency Response Team (CERT) at cert@cert.org or the Forum of Incident Response and Security Teams (FIRST) at first-sec@first.org, or call (202) 324-9164.
DOD Anti-Virus Software Packages Earn High Usability Ratings
Both of the anti-virus software packages licensed for DOD computers recently won high marks from a major industry magazine. SC Information Security News recently named Norton AntiVirus 5.0 and Network Associates’ VirusScan 4.01 as its two “Best Buys” from 15 programs in the category.
The magazine surveyed the field, rating each program on features, ease of use, performance, documentation, support, value for money, and overall rating. All of the programs earned at least four out of possible five stars for overall ratings. Both Norton AntiVirus and VirusScan earned perfect overall ratings, as well as marks of four or five on the other categories.
The magazine’s comments on Norton AntiVirus version 5.0 stated “In the arena of in-the-wild virus detection, it is one of just a handful of products that can sweep the board clean with both its on-demand and its on-access scanners . . . In the area of overall virus detection, Norton AntiVirus is one of the top two products we tested -- at 99.95 per cent . . .One of the things that impressed our review team as much as its performance was its ability to ease the pain of updating – updates and improvements to the product are easier than other products we looked [at] . . .
“This technology significantly reduces the time and bandwidth needed to keep the product up-to-date with the latest virus threats. . .Across the board this product has improved – with the IBM and Intel technology coming down the line, this product is in its ascendancy.”
The magazine also announced that NAV had become the first product to win its “Trojan Checkmark” award. In a test, NAV detected 500+ Trojan Horse programs without generating any false alarms. Although Trojans are not true computer viruses, they can damage passwords, steal ID’s, or corrupt a computer’s data.
In reviewing VirusScan, the magazine wrote “The product comprises of the Dr. Solomon virus detection engine with the interface, management and update technology from Network Associates. The combination gives you one of the best anti-virus products available on the market today.”
In September 1998, the Defense Information Systems Agency (DISA) awarded the second of five landmark GSA Schedule annual buys to the two companies, protecting DOD's approximately 1.5 to 2 million users and PC’s globally. The order covers desktop and network anti-virus software on government owned computers—including those provided to contractors—and on the home computers of DOD military and civilian personnel.
DOD users and network administrators (with ".mil" IP addresses) can get more information and software downloads from DISA’s Automated System Security Incident Support Team (ASSIST) website: http://199.211.123.12/virus/avirus.htm.
More information about the ratings can be found at two web sites run by the magazine’s publisher: http://www.westcoast.com and http://www.infosecnews.com.
DOD Switches to McAfee & Symantec for Anti-Virus Software
With the new fiscal year beginning October 1 [1997], the Department of Defense has switched vendors for anti-virus software. All of DOD is switching from products by IBM and Norman Data Defense Systems to products from McAfee Associates Inc. and Symantec Corporation.
In what promises to be a benefit for military and civil service employees, the license includes home as well as office use. According to DISA, this was done to reduce incidents of virus infiltration from home computers owned by DOD employees.
McAfee produces VirusScan (used by the USAF several years ago) for Windows 3.x and 95 and NT, NetShield, GroupShield, and WebShield products. Symantec offers Norton Anti-Virus for Windows 3.x and 95 and NT, Symantec Anti-Virus for Macintosh, and other products.
The new products provide coverage for Macs, Digital Equipment Corporation’s Alpha and UNIX, groupware products, Java, Active X, firewalls, and email. The previous software programs did not offer such a wide range of protection.
The license also allows contractors to use the anti-virus programs on DoD-owned computers. However, it does not cover contractors using company-owned computers at their workplace. Also, it does not cover DOD contractors at their homes.
The 30th Communications Squadron has reported that early implementers noted that McAfee’s VirusScan was not as user-friendly as the IBM program. Also, they recommend not using the "ScreenScan" option as it has caused a number of problems with computers on base.
The DOD site license for the IBMAV and Norman software expired on September 30, 1997. DOD users may continue to use the IBMAV software after the expiration date; however, virus signature updates will no longer be available. Since so many new viruses are written each month, it is critical that users keep their files up-to-date. For that reason, DISA has recommended all DOD users obtain, install, and begin using the new software as soon as possible.
The software has been posted on the DISA ASSIST homepage to facilitate downloading by authorized users. Point your browser to http://afcert.csap.af.mil or http://www.assist.mil/Virus/avirus.html.
If you have additional questions or need help, contact your unit’s Computer Systems Security Office (CSSO). Contractors with questions should contact their Administrative Contracting Officers (ACO) or Carol May, 30 CONS/LGCWI, 805-606-1190.
Wednesday, June 18, 2008
6 Good Practices of IT Security
1. Make a Self Assessment
This is quick and inexpensive. It means going through a check list to see if you have incorporated application and information security into your risk management framework and determine whether you have integrated security into each phase of the software development lifecycle.
It is a very simple meeting with your VP of Application Development to have him or her list the different phases of their specific software development process. Then ask how they handle security at each phase and determine whether or not the outputs of those activities are usable in your risk management process.
If the outputs aren’t useful, perhaps you should be measuring something different. In most cases, the answers you get will be something like, “Well, we’ve just started thinking about how to integrate security into our application development, so we don’t really have anything tangible for you at this time.”
That’s OK because that would be an ideal time to discuss your needs with that team. Bridging the gap between application development and risk management is a highly valuable activity and it can be jump-started by this simple self-assessment.
It’s a simple checklist that will give you a quick gap analysis as to where you stand on the information and application security maturity model (see figure 1 on Page 3).
Threat modeling is also an important and valuable step in a self-assessment. It is a more mature and sophisticated approach than the checklist mentioned in the previous paragraph, but the payoffs are substantially greater.
Threat modeling, at the business level and the application level, is part of a risk analysis and risk management that allows you to identify where the biggest threats are to your business. This is the Sun Tzu approach of “To know your Enemy, you must become your Enemy.” The basic idea is to define a set of attacks or negative scenarios and assess the probability, potential harm, priority, and business impact of each threat. This can be done at any stage, from design through deployment, and yields more valuable results the earlier it is applied. You may need help on your first couple of threat modeling exercises, but there are plenty of good information security consultancies that can provide this.
When you develop a threat model it becomes a tangible, persistent asset for your organization as well. If a new vulnerability or a threat is detected, you can reuse your threat model to determine whether your risk has increased, decreased or stayed the same. The threat model can help you avoid falling into the recency trap and will tell you whether or not a newly-identified threat is already mitigated in your system.
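To make the "persistent asset" idea concrete, here is an added example (not from the article or any particular methodology) that keeps a threat model as a small Python risk register: each threat carries probability, harm, business impact and the controls relied on, and a reassessment answers "increase, decrease or static" when a new report defeats a control or a new control is deployed. The 1..5 scales, the scoring rule and the sample threats are assumptions of this example.

```python
"""A threat model kept as a small, reusable risk register (added example, not from the article).

Each threat records the attack scenario, the estimated probability and harm, the business
impact, and the controls that mitigate it. Scoring rule (an assumption of this example):
risk = max(1, probability - number of controls in force) * harm, on 1..5 scales.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: int           # 1 = rare .. 5 = expected
    harm: int                  # 1 = negligible .. 5 = severe
    business_impact: str       # what the business owner would lose
    controls: set = field(default_factory=set)

    def risk(self, defeated=(), added=()):
        """Risk score with the given controls removed (defeated) or introduced (added)."""
        in_force = (self.controls - set(defeated)) | set(added)
        return max(1, self.probability - len(in_force)) * self.harm


def rank(model):
    """Priority order: highest residual risk first."""
    return sorted(model, key=lambda t: t.risk(), reverse=True)


def reassess(model, threat_name, defeated=(), added=()):
    """Answer 'increase', 'decrease' or 'static' for one threat when a newly reported
    vulnerability defeats some controls, or a new control is deployed."""
    threat = next(t for t in model if t.name == threat_name)
    before, after = threat.risk(), threat.risk(defeated, added)
    if after > before:
        verdict = "increase"
    elif after < before:
        verdict = "decrease"
    else:
        verdict = "static"     # the reported issue does not touch a control we rely on
    return verdict, before, after


def sample_model():
    """Constructed threats for an online ordering application."""
    return [
        Threat("SQL injection via order-lookup form", 4, 5,
               "customer PII disclosure, regulatory fines",
               {"parameterized queries", "input validation"}),
        Threat("Credential stuffing on customer login", 5, 3,
               "account takeover, fraud refunds",
               {"rate limiting", "MFA"}),
        Threat("Insider copies the customer export", 3, 4,
               "PII disclosure, loss of customer trust",
               {"export audit log"}),
    ]


if __name__ == "__main__":
    model = sample_model()
    for t in rank(model):
        print(f"{t.risk():3d}  {t.name}")
    # A vendor advisory says the input-validation library can be bypassed:
    print(reassess(model, "SQL injection via order-lookup form", defeated={"input validation"}))
    # A report about a WAF bypass: this threat never relied on a WAF, so the risk is static.
    print(reassess(model, "SQL injection via order-lookup form", defeated={"WAF"}))
```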
2. Believe the Application Security Hype
This is an unfortunately necessary action as there is a lot of hype and fear out there that vendors and media are spreading unnecessarily. However, the application security hype is very real and we have seen it from recent and past headlines: the LexisNexis breach, the recent problems at TJX, and even the incidents at T-Mobile and CardSystems were all information security incidents caused by application security holes.
So how do you filter through the chaff to determine what is real and what isn’t? One thing that can help is to focus on the application layer. The network and systems layers represent less than 30% of all security vulnerabilities (according to Gartner Group); this number is less than 10% according to NIST.
Also, consider that network security is much more mature than application security and the investments you have already made here are probably orders of magnitude higher than those you’ve made in application security.
Don’t ignore network security, but try this practical tip: Make a list of the investments and compensating controls you have in place on the network, e.g., anti-virus, IPS, firewalls, etc. and along with that list their costs (initial/purchase cost is fine). Now do the same for your information and application security investments and compare them.
If the application security investments aren’t at least two-to-three times that of network security you have an imbalance in the number of vulnerabilities you’re mitigating.
With that first filter applied, you can now consider where and when is it most costly to address application security. IDC and IBM conducted a study about two years ago that mapped the cost of fixing a problem through the software development lifecycle. The results were roughly exponential with respect to time and phase.
Said another way, if a defect found at the design phase costs 1X to repair, the same defect costs 6.5X to fix if found during the coding phase, 15X if it were found in the pre-deployment testing phase, and 100X if it’s found by your customers in the field after it is deployed.
Keep in mind that this only accounts for the time and effort it takes to fix the problem (internal costs). It doesn’t even factor in things like reputation loss, cost of patching and deploying, and other losses that usually come along with security defects—things like loss of market share and stock price.
3. Ask Tough Questions
Tough questions are great because they make you think. The challenge is usually determining which questions are the tough ones. I provide a short list here to get you started. You will see the pattern fairly quickly and can expand on them for your own environment.
These are questions that are useful to ask your vendors before making a software purchase. You should also ask the same questions of yourself as you build and maintain applications for your business to use.
Finally, use these questions to improve your service-level agreements with outsourced partners (especially software development partners). Since you are probably making a purchase or partner contract to automate or transfer some business function, shouldn’t you also consider how to mitigate or transfer your risk when you’re doing this?
• What is your vulnerability response process?
• What is your patch release strategy?
• What methods do you use to inform customers of vulnerabilities?
• What guidance do you provide for secure deployment/maintenance of your product?
• What security training does your development team receive?
• Do you patch all versions of your applications at the same time?
• What are the terms and period of your security support agreement?
• Do you practice security reviews at each phase of your software development lifecycle (requirements, design, coding, testing, and deployment)?
• Do you employ independent 3rd-parties to conduct security assessments on your products?
4. Create an Internal “Red Team” of Ethical Hackers
This is a term borrowed from the military. The concept here is that you dedicate a small team (usually three people or less) to act as attackers. This can be a permanent role if you can afford the resources, or you can take some nasty-minded testers and make this part of their job at various phases in the development process.
Their job is to attack your application systems and your networks as if they were evil. I don’t recommend constraining them to act just as "outsiders". The insider threat is often overlooked and you can learn a lot from creating attack scenarios from an inside user perspective.
If you don’t have the resources or skill set to create Red Teams, there are many third-party consulting shops that can do this for you. Start with your most critical applications and work your way down the risk rank stack.
By the way, you also need to be certain that any third-party assessments company you use is capable. So ask those same tough questions of them, focusing on things like: methodologies used, credentials, engineers they are going to use on your application, how/if they depend on the use of automated tools, etc.
5. Educate Your Teams
I cannot overstate the value and importance of this practice. Education is the first step toward awareness and, as you will see in the chart from Gartner below, you still have a long way to go after you have become “Aware!”
The challenge most organizations face here is two-fold: how to best educate their teams, who might be geographically dispersed and have different skill sets; and which team(s) to invest in for security training.
Deciding which team to train (or in what order) is a highly contextual decision that needs to be made based on your specific organization. However, having helped several companies successfully roll out security awareness programs recently, I have observed a few critical success factors that I will share here:
Management Buy-In - Security awareness will likely lead to behavior and policy changes at your organization. For that to happen effectively and efficiently, management must be on board. Even better, make them part of the change by ensuring that your program has elements that appeal to management.
Ensure Policies Can Be Enforced - Write clear, understandable, current, and measurable policies. Naturally, the policies need to reflect the corporate, threat and regulatory environment. Awareness and training programs should address the importance of adhering to policies, as well as the potential financial and reputation impact to the organization from security events.
Measure and Report - Use both qualitative and quantitative metrics to obtain feedback, measure and benchmark the effectiveness of your security awareness and training program. Most importantly, communicate these metrics and results (good or bad) to your management team for their input, support, and insight.
If at all possible don’t limit education to only security awareness, but also provide technical security training for your engineers, auditors and others. This training is more difficult to find, but you can locate some excellent security specialists that provide training in scalable formats, e.g., eLearning, for both management and technical staff.