From: Chris McDonald (7/20/93)
To: securitylist:;@WSMR-SIMTEL20.AR,
CC: krvw@agarne.ims.disa.MIL

Mail*Link® SMTP Information Systems Securit #93-19

1. The July 1993 edition of the IEEE "Computer" magazine has an excellent article by Nancy Leveson and Clark Turner on "An Investigation of the Therac-25 Accidents". While there was a brief reference to the paper in a recent Risks-Forum article, the citation was low key. I quote from the summary: "The authors demonstrate (1) the complex nature of accidents and (2) the need to investigate all aspects of system development and operation in order to prevent future accidents."

2. The General Accounting Office has issued a report "Telecommunications: Interruptions of Telephone Service", March 1993 (GAO/RCED-93-79FS). The report presents the frequency and the causes of outages which occurred during calendar years 1990 and 1991. GAO contacted 15 holding companies that control over 93 percent of local telephone access lines, and three major long-distance companies that represent nearly 89 percent of the long-distance market. While one might always challenge the numbers, I found the summary tables fascinating in terms of the number of outages as well as the estimated number of customers affected during each outage. The identification of risk factors and the attempt to quantify the consequences might assist those involved in vulnerability assessments.

3. Product testing on F-PROT Professional and on StopLight are complete. F-PROT Professional adds an integrity checker component to the shareware version of F-PROT. StopLight combines F-PROT with an access control program for the MS-DOS environment. Reductions within my organization dictate that I conduct all product testing at home on my own time. It is my intention to finalize everything that has been entered in some fashion into the evaluation process, and then to reassess whether I can continue this task.
Distribution of the above mentioned tests should be completed by 27 Jul 93.

4. I would appreciate any feedback on the network security checklist which I put together within the last year and sent to many of you. I am interested in knowing was it of any value, did you modify it, did you decide to develop your own, etc. If you have your own, please send me a copy.

-------

------------------ RFC822 Header Follows ------------------
Received: by internetqm.llnl.gov with SMTP;20 Jul 1993 21:52:30 -0800
Return-path: CMCDONALD@WSMR-SIMTEL20.ARMY.MIL
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #3384 )
 id <01H0S4310HW0AKTUE6@icdc.llnl.gov>; Tue, 20 Jul 1993 21:50:27 PDT
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #3384 )
 id <01H0S4279FTSAKTUJH@icdc.llnl.gov>; Tue, 20 Jul 1993 21:49:53 PDT
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92)
 id AA25103; Tue, 20 Jul 93 21:50:39 PDT
Received: from WSMR-SIMTEL20.ARMY.MIL by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92)
 id AA25094; Tue, 20 Jul 93 21:50:33 PDT
Date: 20 Jul 1993 22:39:54 -0700 (MDT)
From: Chris McDonald
Subject: Information Systems Security Update, # 93-19
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: securitylist:;@WSMR-SIMTEL20.ARMY.MIL
Cc: krvw@agarne.ims.disa.MIL
Resent-message-id: <01H0S431BHC2AKTUE6@icdc.llnl.gov>
Message-id: <12894652171.20.CMCDONALD@WSMR-SIMTEL20.ARMY.MIL>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"securitylist:;@WSMR-SIMTEL20.ARMY.MIL"
X-VMS-Cc: IN%"krvw@agarne.ims.disa.MIL"
Content-transfer-encoding: 7BIT
======================================================================