# 95-12

Contents

- Finite or Infinite WWW Connections?
- MISSI Redefined?
- Windows95 Vulnerabilities--What Took So Long?
- Is Your Browser Secure?
- Cyberporn or Cyberfraud?
- Holy Macro--What Next?

1. The November 1995 edition of the IEEE "Computer" contains an article "NCSA's World Wide Web Server: Design and Performance" by Thomas Kwan, Robert McGrath and Daniel Reed. The article describes the design of NCSA's WWW server and analyzes the access patterns to it. This is a real-world instance of the availability and performance issues which oftentimes get lost in the discussion of information systems security matters. As of January 1995 the number of daily requests to the NCSA server had reached 690,000. While it is unfortunate that the publication review process must take an inordinate amount of time, there are interesting statistics (admittedly aged) on requests by domain, and on file type by rate and by volume. The article concludes that to improve performance both clients and servers must exploit caching and prefetching on the basis of knowledge of request patterns, data types, and hardware capabilities.

2. A summary of the recent 2nd International Cryptography Experiment (ICE) Workshop, SHAPE Technical Centre, The Hague, September 18-19, 1995, is available at http://www.tis.com/crypto/ice/summary.html. David Balenson from Trusted Information Systems (TIS) posted the draft summary. Unless there are any corrections made at a later date, I found the synopsis of the presentation by Mr. Edward Hart, the Deputy Director for Information Systems Security, National Security Agency, extremely fascinating. I quote from the summary: "The Multilevel Information Systems Security Initiative (MISSI) was initiated for the U.S. Department of Defense in providing security for unclassified information in Internet and the unclassified computer systems."

   My last pony express service delivered color MISSI brochures which had blocks filled with acronyms like DISNET 1, DISNET 2, DISNET 3, WWMCCS, TS, S, TS/SCI. Maybe the updates are in USPS channels.

3. The IEEE CIPHER continues to be an excellent source of information systems security material. The following items appear in the November 1, 1995, Electronic Edition 10.

   a. Microsoft has acknowledged two potential security problems with file and printer sharing in Windows 95, and has made upgrades available to remove the vulnerabilities. Per Microsoft's report, if file and printer sharing are enabled in certain configurations, and if the user is running NetWare Networks, it is possible for another user to gain read-only access to the first user's system after the administrator has logged off and before the first user's machine is restarted. A second problem involves file and printer sharing for Microsoft Networks running with Samba, a UNIX shareware network client. Descriptions of the problems and downloads to deal with them are available at the Microsoft Web site http://www.microsoft.com/windows/software/w95fpup.htm.

   b. Open Market offers a free "security checker" that will identify the known security problems associated with a particular WWW browser. Open Market does not sell browsers at this time; one simply establishes a WWW connection to its site and chooses the security check button. The Open Market Web site is http://www.openmarket.com. Open Market states that their security checker does not exploit any vulnerability. But those of us who saw the movie "The Net" may worry about another Gatekeeper program.

4. The December 1995 edition of "MacWorld" has a viewpoint column by Mike Godwin, the staff counsel for the Electronic Frontier Foundation, entitled "The Marty Method". Mr. Godwin examines the article written by Marty Rimm which appeared in the June 1995 edition of the "Georgetown Law Journal" and which described a Carnegie-Mellon study claiming that "computer porn marketers were cultivating a public taste for extreme and degrading imagery". The study apparently was one factor influencing "Time" magazine's July 3 cover story on "cyberporn".

5. The November 1995 edition of "Scientific American" has a column by Paul Wallich on "Meta-Virus: Breaking the hardware species barrier". Mr. Wallich looks at macro code in light of the Microsoft Word virus, Sun Microsystems' scripting tool Hot Java, and other examples of macro programming capabilities. Wallich quotes William Cheswick of AT&T Bell Laboratories as referring to Hot Java as a "Virus Implementation Language".

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]