Date: 28 Jan 1994 07:50:12 -0700 (MST)
From: Chris McDonald IM-CM-S
Subject: Information Systems Security Update, # 94-02
To: orvis@icdc.llnl.gov
Content-transfer-encoding: 7BIT
[To]: cmcdonal@wsmr-emh34.army.mil
[Cc]: krvw@agarne.ims.disa.mil
Apparently-To: orvis@icdc.llnl.gov

# 94-02 Contents:

   USENIX & Firewalls
   Mayo Clinic Trivia
   ASIMOV'S Laws of Robotics (Part 2)
   Virus Bulletin Rates Anti-Viral Tools

1. The Rob Kolstad/Tina Darmohray USENIX tutorial on "Internet Security With Firewalls" rated a "3" on a scale of "5" in my opinion at the recent Winter USENIX Conference in San Francisco. If you knew absolutely nothing about firewalls prior to the tutorial, you probably were in trouble. Since I knew just enough to be dangerous, the tutorial left me in a position to reevaluate what I already knew and then to integrate what for me was new in the presented material. If I had to offer any ideas on pursuing the subject, these would come to mind:

   a. Get a copy of Marcus Ranum's "Thinking About Firewalls" paper for a basic understanding of the concept and the terminology. The paper has been available for anonymous ftp on several Internet sites.

   b. Attend a USENIX, CERT, or Brent Chapman seminar on the subject.

   c. Subscribe to the Firewalls-Digest.

   d. Unless there is some overwhelming reason to do otherwise, proceed in phases. Experiment with screening routers. Give the tcp_wrapper programs a try. When you feel comfortable, start to explore the architecture of "bastion hosts", "screened host gateways", "screened subnets", etc. Ranum's paper and the tutorial material provide definitions and possible implementations for these configurations.

2. The March 1994 edition of "MacWorld" had a letter from Joel Gray, Professor of Radiologic Physics at the Mayo Clinic. Dr. Gray answered the question: "Have you ever wondered whether you can send your floppy disks through the X-ray unit or the metal detector at the airport without having your data scrambled?"

Gray "subjected disks to extremely high doses of X-rays and magnetic fields". His letter states that the exposure levels were "hundreds to thousands" of times higher than one would encounter at the airport. Dr. Gray concluded, based on the experimental results and on the physics of magnetic media, that X-ray scanners have no effect on data stored on floppy disks.

3. Roger Clarke in the January 1994 IEEE "Computer" concludes Part 2 of his "Asimov's Laws of Robotics: Implications for Information Technology". One implication in particular, the "blind acceptance of technological and other imperatives", would appear relevant to the discussion of information systems security in general. Clarke writes: "Contemporary utilitarian society seldom challenges the presumption that what can be done should be done. Although this technological imperative is less pervasive than people generally think, societies nevertheless tend to follow where their technological capabilities lead." The Clipper Chip controversy as well as the DISA proposed NT-Architecture Plan might be reconsidered with this point in mind.

4. The January 1994 edition of "Virus Bulletin" presents its annual comparative review of MS-DOS anti-viral scanners. 19 products receive a rating against three different test suites: (a) in the wild; (b) Mutation Engine; and (c) standard. The samples within suites (a) and (c) are identified. Six products, five of which I have reviewed, scored 100% detection against all samples: Dr. Solomon's AVTK, F-PROT, IBM AntiVirus, Sophos' Sweep, Thunderbyte AV, and Vi-Spy. Norton Anti-Virus improved from last year. CPAV appeared to have fallen even further in the estimation of the reviewers. The funniest comment was reserved for MSAV, which had a 75% detection of in the wild samples, a 94.1% detection of standard samples, and a "failed to complete test" in the MtE suite. The verdict statement read "a useful prophylactic, but inaccurate". VIRUSCAN dropped a notch in the reviewers' opinion.

Finally, although TPE samples were not included in any of the test suites, my own tests indicated that the IBM AntiVirus and Vi-Spy do not, at the versions tested, identify TPE creations.
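As an added illustration of the tcp_wrapper step in item 1(d): the following Python is example code written for this page, not tcp_wrapper's own source and not part of the update. It simulates the documented hosts_access(5) evaluation order (a match in hosts.allow grants, then a match in hosts.deny denies, and anything unmatched is granted) for a small subset of the client pattern syntax: ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and exact hostname or address. The daemon names, hostnames and addresses in the sample policies are constructed and hypothetical. The point it makes is the one a first-time user of the wrappers most often misses: without a catch-all "ALL : ALL" in hosts.deny, the wrappers default to letting the connection through.

```python
"""Simulation of tcp_wrapper (hosts_access(5)) access control semantics.

Illustration only; this is NOT tcp_wrapper's code. Evaluation order modelled:
  1. (daemon, client) matches an entry in hosts.allow  -> grant
  2. (daemon, client) matches an entry in hosts.deny   -> deny
  3. no match in either file                           -> grant
Step 3 is the trap: an empty or incomplete hosts.deny permits everything
that hosts.allow does not mention.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: command]' lines.

    Blank lines and lines starting with '#' are ignored, as in hosts_access(5).
    The optional shell-command field is parsed but not acted on here.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, hostname: Optional[str], ip: str) -> bool:
    """Match one client pattern against a (hostname, ip) pair.

    hostname is None when the address did not resolve. Supported patterns:
    ALL, LOCAL (name without a dot), '.domain' suffix, 'a.b.c.' address
    prefix, 'net/mask' (dotted mask or CIDR), and exact hostname or address.
    """
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in network
    return pattern == ip or (hostname is not None and pattern == hostname)


def _matches(rules: List[Rule], daemon: str, hostname: Optional[str], ip: str) -> bool:
    """True if any rule matches both the daemon and the client."""
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(
            client_matches(c, hostname, ip) for c in clients
        ):
            return True
    return False


def hosts_access(daemon: str, hostname: Optional[str], ip: str,
                 allow_text: str, deny_text: str) -> bool:
    """Return True if the connection would be granted under hosts_access rules."""
    if _matches(parse_rules(allow_text), daemon, hostname, ip):
        return True
    if _matches(parse_rules(deny_text), daemon, hostname, ip):
        return False
    return True  # no rule matched: the wrappers GRANT by default


# Constructed sample policies. Hosts, addresses and daemons are hypothetical.
HOSTS_ALLOW = """
# trusted LAN may use telnet and ftp (trailing dot = address prefix)
in.telnetd, in.ftpd : 192.168.1.
# rlogin from the 10.0/16 network, net/mask form
in.rlogind : 10.0.0.0/255.255.0.0
# anything from unqualified local names or our own domain
ALL : LOCAL, .example.com
"""
HOSTS_DENY_OPEN = ""             # the common mistake: no catch-all entry
HOSTS_DENY_CLOSED = "ALL : ALL"  # default-deny: only hosts.allow matches get in


def demo() -> dict:
    """Evaluate a few connection attempts against both deny policies."""
    cases = [
        ("in.telnetd", None, "192.168.1.25"),
        ("in.rlogind", "build.example.com", "10.0.5.9"),
        ("in.ftpd", None, "203.0.113.7"),
        ("in.fingerd", "alpha", "192.168.2.3"),
        ("in.fingerd", "evil.example.org", "198.51.100.3"),
    ]
    results = {}
    for daemon, host, ip in cases:
        open_ = hosts_access(daemon, host, ip, HOSTS_ALLOW, HOSTS_DENY_OPEN)
        closed = hosts_access(daemon, host, ip, HOSTS_ALLOW, HOSTS_DENY_CLOSED)
        results[(daemon, ip)] = (open_, closed)
        print(f"{daemon:11} {ip:14} empty hosts.deny: {'grant' if open_ else 'deny':5} "
              f" ALL:ALL: {'grant' if closed else 'deny'}")
    return results


if __name__ == "__main__":
    demo()
```

The two ftp and finger attempts from outside addresses are the ones to watch: they match nothing in hosts.allow, so with an empty hosts.deny they are granted, and only the "ALL : ALL" line turns them away. That is the check to make before trusting the wrappers as the first phase of a firewall.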