Date: 18 Feb 1994 07:49:02 -0700 (MST)
From: Chris McDonald
Subject: Information Systems Security Update, # 94-03
To: orvis@icdc.llnl.gov
[To]: cmcdonal@wsmr-emh34.army.mil

# 94-03 Contents

OpenVision Free Offer
Denning/CLIPPER/Emphatic Assertion
Tessera Definition--A Different Perspective
SANS III
What might happen ...

1. OpenVision offers a free White Paper entitled "Integrating Security into Open Systems Environments". One can send an electronic message to security@ov.com to request a copy. Earlier OpenVision material had similar offers for documents. While I placed an electronic order, I never received anything. I would appreciate knowing if anyone else has had a response to an order.

2. Dr. Dorothy Denning, who appears to have assumed a key role in the support of digital telephony proposals by the FBI as well as the CLIPPER/CAPSTONE effort, went public earlier this week in Risks Forum. The subject was once again support of CLIPPER/CAPSTONE. To his credit the Risks moderator did an excellent job of allowing dissenting opinions equal time. Since I consciously refrain from injecting my personal opinions on matters which affect us Federal employees in this mailing, I would rather offer this observation.

At the Sixth Annual Computer Security Applications Conference held in Tucson, AZ, December 3-7, 1990, I was in the audience when Dr. Denning gave a Distinguished Lecturer presentation entitled "The Data Encryption Standard: Fifteen Years of Public Scrutiny". It was one of the most technically competent overviews that I have ever heard. To those who by "emphatic assertion" argue that DES is somehow terribly inadequate for authentication and data security, I quote from Dr. Denning's closing remarks:

"DES has been in active field use for over a decade. No instances of successful attack, brute force or otherwise, have yet been published. This is a remarkable pragmatic validation.
Although the DES is potentially vulnerable to attack by exhaustive search, the public literature suggests that such attacks can be successfully avoided with triple encryption, especially if three independent keys are used. Thus, the DES with triple encryption may provide adequate protection for its intended application for many years to come."

3. CPSR has been very active on the CLIPPER/CAPSTONE matter. If you missed their recent alerts, here was one interesting definition--the accuracy of which I leave to people more clever than I.

   Published by Computer Professionals for Social Responsibility
   Washington Office (Alert@washofc.cpsr.org)

   SPECIAL EDITION --- CLIPPER UPDATE
   -------------------------------------------------------------

   The Defense Department reportedly plans to employ the Clipper technology in a device known as a "Tessera Card." We checked the dictionary and found the results to be kind of frightening:

   Tesserea n. Lat. (pl. tessereae). Literally, "four-cornered". Used to refer to four-legged tables, chairs, stools, etc. Also, a single piece of mosaic tile; a single piece of a mosaic. _Pol._: An identity chit or marker. Tessereae were forced on conquered peoples and domestic slaves by their Roman occupiers or owners. Slaves or Gauls who refused to accept a tesserea were branded or maimed as a form of identification.

   From Starr's History of the Classical World and the Oxford Unabridged.
   (thanks to Clark Matthews)

4. The program for the 1994 System Administration, Networking, and Security Conference, or SANS III, looks very impressive. Courses on Unix security and firewalls are available.
The security papers in the Technical Conference include:

   "Experiences with Tripwire: Using Integrity Checkers for Intrusion Detection"
   -- Gene Kim and Gene Spafford, COAST Laboratory, Purdue

   "How to Identify the Most Common Security Holes"
   -- Matt Bishop, UC Davis

   "A Network Perimeter with Secure External Access"
   -- Frederick Avolio and Marcus Ranum, TIS

One can obtain conference details by calling 719-599-4303 or by sending electronic mail to sans@fedunix.org. The Conference will be in Washington, DC, April 4-8.

5. Many of us have by now received 10-15 different advisories on the ongoing Internet attacks employing "sniffers". Each CERT team adds its own unique flavor to the discussion. On the subject of changing ALL user passwords I was reminded of an interesting paper by Miller, Fredriksen and So entitled "An Empirical Study of the Reliability of UNIX Utilities". The paper appeared in the December 1990 edition of the "Communications of the ACM". My thought was of that system administrator who may have decided to fail all user passwords at one time in order to force users to change their authentication mechanism. I have this image of 500 users attempting to write to a UNIX password file at about the same time. I know what would happen, but I wonder how many others do.
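The race that item 5 leaves as a puzzle, as an added worked example that is not part of the original newsletter and not taken from any real passwd(1) source: a flat password file is updated by reading the whole file, editing one entry and writing it back, so callers that overlap simply overwrite each other's edits. The script below simulates many concurrent callers against a constructed passwd-style file with constructed "OLD"/"NEW_<user>" hash strings, first with no serialisation and then through an O_EXCL lock file in the style of the classic /etc/ptmp convention. The 30 ms pause between read and write, the user names and the temporary directory are all assumptions made to make the demonstration reliable.

```python
"""Lost-update race on a flat password file, and the ptmp-style lock that prevents it.

Added example, not from the original newsletter or any real passwd(1) source.
It simulates many concurrent callers of a passwd-like routine that rewrites the
whole password file by read-modify-write. File paths, user names and the
"OLD"/"NEW_<user>" hash strings are constructed for the demonstration.
"""
import os
import tempfile
import threading
import time


def write_passwd(path, users):
    """Create a constructed /etc/passwd-style file: name:hash:uid:gid:gecos:home:shell."""
    with open(path, "w") as f:
        for i, name in enumerate(users):
            f.write(f"{name}:OLD:{1000 + i}:100:{name}:/home/{name}:/bin/sh\n")


def read_hashes(path):
    """Return {user: hash} from the password file."""
    with open(path) as f:
        return {line.split(":")[0]: line.split(":")[1] for line in f if line.strip()}


def rewrite(path, user, new_hash, pause):
    """Read the whole file, replace one user's hash, write a temp copy, rename over.

    The rename keeps each individual write atomic, but it does nothing about two
    callers that both read the same old contents; 'pause' (an assumed delay)
    widens that window so the race shows up reliably in a demonstration.
    """
    with open(path) as f:
        lines = f.read().splitlines()
    time.sleep(pause)
    out = []
    for line in lines:
        fields = line.split(":")
        if fields[0] == user:
            fields[1] = new_hash
        out.append(":".join(fields))
    tmp = f"{path}.{threading.get_ident()}"
    with open(tmp, "w") as f:
        f.write("\n".join(out) + "\n")
    os.replace(tmp, path)


def change_unlocked(path, user, new_hash, pause=0.03):
    """No serialisation at all: concurrent callers silently overwrite each other."""
    rewrite(path, user, new_hash, pause)
    return True  # reports success even when the change has just been lost


def change_with_ptmp(path, user, new_hash, pause=0.03, timeout=30.0):
    """Serialise through an O_EXCL lock file, the classic /etc/ptmp convention.

    O_CREAT|O_EXCL is atomic on a local filesystem, so exactly one caller holds
    the lock; the others retry and, after 'timeout', give up with the familiar
    "password file busy" outcome instead of losing the update silently.
    """
    lock = path + ".ptmp"
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            time.sleep(0.001)
            continue
        try:
            rewrite(path, user, new_hash, pause)
        finally:
            os.close(fd)
            os.unlink(lock)
        return True
    return False


def run_concurrent(changer, n_users):
    """Start n_users threads that all change their own password at once.

    Returns (entries actually updated, callers that reported success, n_users).
    """
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    users = [f"user{i:03d}" for i in range(n_users)]
    write_passwd(path, users)
    reported = {}

    def worker(u):
        reported[u] = changer(path, u, "NEW_" + u)

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    hashes = read_hashes(path)
    updated = sum(1 for u in users if hashes.get(u) == "NEW_" + u)
    return updated, sum(reported.values()), n_users


if __name__ == "__main__":
    for name, fn in (("unlocked", change_unlocked), ("ptmp lock", change_with_ptmp)):
        updated, ok, n = run_concurrent(fn, 30)
        print(f"{name:9s}: {ok}/{n} callers reported success, {updated}/{n} entries changed")
```

The unlocked variant is the dangerous one for exactly the situation in item 5: every caller reports success, yet only the last writer's edit survives, so after a sniffer incident most users would believe they had replaced a captured password while the old hash is still on file. The lock-file variant turns that silent loss into serialised updates, or into an explicit "busy" failure the user can see and retry. Note that O_CREAT|O_EXCL is only a reliable lock on a local filesystem; over early NFS it was not atomic, which is one reason later systems moved to lockf(3)/fcntl(2) locking.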