NETSURFER FOCUS
COMPUTER AND NETWORK SECURITY
Monday, July 15, 1996 Volume 02, Issue 02
TABLE OF CONTENTS
The Network is a Dog
Where Angels Fear to Click
Fire Burn, Cauldron Bubble
Attack of the Killer Data
Oh, What a Tangled Web We Weave
All Creatures Great and Small
Snow White, Archimedes, and Tylenol
Private Parties on the Party Line
Shootout at the E-COM Corral
Famous Last Words
THE NETWORK IS A DOG
What a difference a year makes, and certainly a year on the
Internet. It's been said that an Internet-year is like a dog-year,
having within it the development of seven normal human years. When
we published our first issue on computer and network security, the
Internet was an interesting frontier and those splashy IPOs of
Internet companies had not yet begun. Now here midway through 1996,
it has become a ubiquitous communication channel. In the US, for
example, a URL is as essential for many businesses as a toll-free
800 phone number. In the last twelve months, the first wave of
businesses, entrepreneurs, professionals, and consumers has adopted
the networked desktop computer as an information appliance.
Computer and network security used to be problems for large or
specialized organizations and the province of technical
professionals steeped in lore and arcana. Now there are many network
users who do not have the advantage of these resources and must
practise safe networking and know how to protect themselves.
Likewise, our first issue of Netsurfer Focus on computer and network
security largely addressed the concerns of system administrators. In
this issue, we will continue to bring you new developments in these
areas. In addition, we will touch upon problems of concern to small
business and home users alike. For new readers who are interested in
the topic, we highly recommend you also visit the revised edition of
our first annual issue on Computer and Network Security.
Netsurfer Focus on Computer and Network Security
The original network and the dog
WHERE ANGELS FEAR TO CLICK
Coming full circle
You are connected to a network. Every click of your mouse can take
you into the unknown. Do you know where you are going? Do you
know what will happen there?
The original application of the World Wide Web was perfectly safe.
You download text and graphics, the browser interprets and displays
them, and you can always view the source code the browser
interpreted. There is no hiding behind secret files or obscure
binary code that only a trained programmer or a computer can read.
Although you may not know much about the web site you are visiting
and whether you can trust it or not, the content you get does not do
anything to your computer system.
scripts, and ActiveX controls. Each is a piece of software that runs
on your system and has varying capabilities to modify the local
software and hardware. Clicking on a hotlink to a file of a special
mime-type can cause a plug-in to run, but at least you have to have
insidious because support comes with popular browsers, and applets
and scripts run immediately when the page has been downloaded.
Although the language designers have taken pains to make Java and
controls, on the other hand, have much greater access to your PC
system, and being newer to the Net, have had less time for their
potential flaws to be discovered.
The trick is to not let any unknown code, no matter where it is
from, run on your computer without strong precautions. If you have
not disabled these features in your browser, every time you click on
the URL of a web page, you are potentially allowing code that you
might not even know is on the page run on your computer. Unlike a
BBS download or even an e-mail attachment, there is no separate and
conscious step to run an executable. The first click of your mouse
is the crucial one.
When the Web first started, those who had heard about viruses were
wary, and we were able to reassure them that it was perfectly safe
to point and click. Now that we have trained the world to think that
it is safe to point and click and surf the Net, we need to bring the
FIRE BURN, CAULDRON BUBBLE
Judging by the industry response, Java is proving to be a potent
brew. Its strength comes from being a programming language that does
most of the "right" things by modern programming standards; or as Sun
Microsystems itself describes it, Java is fully buzzword-compliant.
The security challenge comes when we rely on it to run, sight
unseen, applets from the four corners of the earth.
To keep applets from running amok in the system, a browser that
supports Java constrains them to a "sandbox". By definition, this
sandbox includes only access to the screen and computing power of
the client computer, and connection to the host computer from which
the applet came. It usually cannot get to your local file system,
and it cannot get to other computers on the network.
But as we gain experience with Java, we are finding sins of both
commission and omission. A number of design and implementation bugs
have been reported and quickly fixed. Among other things, these
allowed attacks on computers behind firewalls, and also attacks that
seem to come from an unwary and innocuous third party. More bugs
will doubtlessly be discovered and remedied with new releases and
continued scrutiny. Other problems that come up are part of the
nature of the beast. For example, while applets may stay in the
sandbox, they can raise quite a ruckus and do each other harm in the
process. These "hostile applets" are able to lock up your screen,
crash the browser, sabotage or kill other applets, try and steal
your password by putting up a login screen and asking you to enter
your password, or simply siphon off system resources to work on
computational problems and report the results to the originating
server. There is currently no way to control these types of applets
except to restart the browser or the computer.
The Internet is not always a safe place, but there is no point in
throwing out the Java with the grounds. Turn off Java support in
your browser while visiting sites you do not trust, and use
up-to-date versions of browsers and Java development kits to get the
latest fixes. With the prevalence of applet-sharing on the Net, the
possibility of popular applets (such as the ticker tape) being
turned into Trojan horses is also very real. So it is equally
important not to use or post any applets on your web site unless you
know exactly what they do.
Two easy pieces
The Princeton paper on Java security
History of Java Security Bugs
On hostile java applets
Netscape Navigator update
supported by the Netscape browsers to improve the interactivity of
code has access to your computer and what you do within the browser.
Instead of stealing resources a la applets, the bugs that have been
found tend to violate the privacy of your system. Malicious
files and file directory listings, and send all the information back
to the server from which it originated. Most of these problems have
been fixed as of this writing but continued scrutiny may reveal new
ones. So the same precautions that are used for Java apply to
ATTACK OF THE KILLER DATA
New tricks for old bugs
Programs such as Microsoft Word have a macro language that can
modify program behaviour and enable greater functionality. If macros
are carried along in the same file as the data, then the program is
susceptible to macro viruses. Whether you are downloading the file
through FTP or the Web, the data file is not as innocuous as it
seems. And actually, you don't even have to go to the trouble of
downloading the file containing a macro gone bad. E-mail will take
care of it for you just fine. Safely ensconced in the protective
sheath of a MIME attachment, the lethal payload is carried through
the firewall and only released when you open the file. Likewise,
someone can also send you an infected program as an e-mail
attachment. The old sneakernet viruses have turned into netsurfing
jetsetters, and their geographic spread has escalated through use of
In each case, the culprit comes through intervening firewalls
unscathed. But of course nothing stands still in the spy-versus-spy
world of computer security. In the last few months, a number of
firewall-based virus-scanners have been announced. These will
usually check e-mail attachments and Web and FTP downloads into your
organization for potential invaders.
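An added example (not from the original newsletter, and not the code of any product it names): the kind of check a firewall-based scanner applies to incoming mail. It walks a MIME message, pulls out every attachment, and holds for inspection anything that is a macro-capable document or an executable. The extension lists and the sample message are constructed for this illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed lists for this example: document types that can carry
# macros, and plain executables that a mail gateway would hold.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".ppt"}
EXECUTABLE = {".exe", ".com", ".bat", ".scr"}


def risky_attachments(raw_message: bytes):
    """Return a list of (filename, reason) for every attachment in a raw
    RFC 822 message that a gateway scanner should hold for inspection."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if not filename:
            continue  # inline text, not an attachment
        ext = os.path.splitext(filename.lower())[1]
        ctype = part.get_content_type()
        # Check both the declared type and the extension: senders control
        # both, so either one alone is easy to disguise.
        if ext in MACRO_CAPABLE or ctype == "application/msword":
            findings.append((filename, "macro-capable document"))
        elif ext in EXECUTABLE or ctype == "application/x-msdownload":
            findings.append((filename, "executable"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a note with a Word document and a GIF attached."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 budget"
    msg.set_content("Budget attached, please review.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 fake word document bytes",
                       maintype="application", subtype="msword",
                       filename="budget.doc")
    msg.add_attachment(b"GIF89a fake image bytes",
                       maintype="image", subtype="gif",
                       filename="chart.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_message()):
        print(f"HOLD {name}: {reason}")
```

The check is deliberately by name and declared type only; a real gateway scanner also looks inside the file, since the extension and the Content-Type header are both chosen by the sender.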
Anti-viral products for e-mail, Web, and FTP access
List of common viruses on the Internet
Microsoft Word Macro Viruses
Some viruses aren't
OH, WHAT A TANGLED WEB WE WEAVE
The fly in the parlor ... with the chainsaw
As computers reach across the ether and interconnect to one another,
regardless of whether they are browser clients or servers, they take
on a certain amount of risk. In addition to the basic dangers of
being a computer on the Net and being hacked, the World Wide Web
brings them new and wonderful hazards.
content can cause problems. But they are not the sole villains in
the drama. As part of the http protocol, the browser gives out a
great deal of information about you to the server. The "cookie"
mechanism can be used to closely track and record your activities on
any given site - just like going into a store and having every
movement you make filmed and recorded for analysis.
But the web server is not always the evil spider inviting the fly to
step into its parlor. Sometimes the fly comes in armed with a
chainsaw, and not always by the front door. The web server equally
faces all the hazards of connection, without many of the protections
of the underlying operating system. For example, you may restrict
access to members only, and use the web server's user ID and
password mechanism. First of all, an attacker can make repeated
attempts to guess the password - the server does not shut him down
after the third try as do many operating systems. In addition, the
password is not strongly encrypted as it traverses the Net, but
traverse the Net it does. To increase the odds of capture and
discovery, user name and password are sent not once but each time
any protected document is accessed.
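An added example (not from the original newsletter) of the two weaknesses just described. The first function shows why the web server's password is "not strongly encrypted": the Basic scheme only base64-encodes "user:password", so anyone who sees the request can reverse it. The second part adds the lockout that the operating system provides but the web server does not: after three failures from the same client for the same user, further attempts are refused for a while. Names, limits and the sample credentials are all assumptions for this illustration.

```python
import base64
import binascii
import hmac
import time
from collections import defaultdict


def make_basic_header(user: str, password: str) -> str:
    """Build the header a browser sends; used here to construct sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_auth(header_value: str):
    """Recover (user, password) from an 'Authorization: Basic ...' value.
    Base64 is an encoding, not encryption, so this needs no key at all."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        userpass = base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = userpass.partition(":")
    return (user, password) if sep else None


class FailedLoginLimiter:
    """After `max_failures` wrong passwords from one (client, user) pair
    inside `window` seconds, refuse further attempts until they age out."""

    def __init__(self, max_failures=3, window=300.0):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # (client, user) -> [timestamps]

    def _prune(self, key, now):
        self._failures[key] = [t for t in self._failures[key]
                               if now - t < self.window]

    def is_locked(self, client, user, now=None):
        now = time.time() if now is None else now
        self._prune((client, user), now)
        return len(self._failures[(client, user)]) >= self.max_failures

    def record_failure(self, client, user, now=None):
        now = time.time() if now is None else now
        self._failures[(client, user)].append(now)
        self._prune((client, user), now)


def authenticate(limiter, client, header_value, credentials, now=None):
    """Check one request. Returns 'ok', 'bad', 'locked' or 'malformed'.
    `credentials` maps user -> password (constructed; a real server would
    store hashed passwords and compare hashes instead)."""
    creds = decode_basic_auth(header_value)
    if creds is None:
        return "malformed"
    user, password = creds
    if limiter.is_locked(client, user, now):
        return "locked"  # refused before the password is even examined
    stored = credentials.get(user, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return "ok"
    limiter.record_failure(client, user, now)
    return "bad"
```

Two cautions on the lockout: it counts per client address and user, so a single attacker behind a proxy is still slowed, but a flood of deliberate failures can also lock a legitimate user out; and none of this helps with the credentials being readable in transit, which only encryption of the connection addresses.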
CGI scripts, those solid workhorses of interactive web pages, are
programs running on your server computer, and therefore potentially
large security holes. How, you might ask; well myriad are the ways.
Suffice it to say that the first law is never to trust user input.
An innocent but unexpectedly large input that overwrites part of
system memory has been the downfall of many a program. And given the
fact that these scripts frequently work with system commands (such
as 'remove all files'), they are attractive targets that can cause
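An added example (not from the original newsletter) of the "never trust user input" rule for a CGI script. The unsafe function shows the pattern to avoid: the query string is pasted straight into a command line. The checked version bounds the length first, so an oversized input is thrown out before anything else touches it, then accepts only an allow-list of characters and hands the command to the system as an argument list rather than a shell string. The limits and the `finger` command are assumptions for this illustration.

```python
import re
import subprocess

# Constructed limits for this example: a login name is at most 8
# characters, must start with a letter, and may contain only letters,
# digits, '_' and '-'.  Anything else is rejected, not "cleaned up".
MAX_LEN = 8
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,%d}$" % (MAX_LEN - 1))


def unsafe_command(user_input: str) -> str:
    """The pattern the text warns about: raw input pasted into a shell
    command line.  Shown only for contrast; nothing here executes it."""
    return "finger " + user_input


def validate_name(user_input: str):
    """Return the name if it passes the allow-list, else None.  Length is
    checked before the pattern so an oversized input is dropped early."""
    if len(user_input) > MAX_LEN:
        return None
    if not NAME_RE.fullmatch(user_input):
        return None
    return user_input


def build_argv(user_input: str):
    """Build the command as an argument list (no shell involved) after
    validation.  Returns None when the input is rejected."""
    name = validate_name(user_input)
    if name is None:
        return None
    return ["finger", name]


def run_checked(user_input: str, timeout=5.0):
    """Run the validated command without a shell and with a time limit.
    Returns the output, or None if the input was rejected or finger is
    unavailable on this host."""
    argv = build_argv(user_input)
    if argv is None:
        return None
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return done.stdout
```

Rejecting rather than stripping bad characters matters: an input that was "cleaned" can still be reinterpreted further down the line, while a rejected one never reaches the command at all.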
And last but not least, the friendly, helpful robots that scuttle
across the Web indexing all pages in their path do not discriminate
against files you did not plan for the world to see. Carelessly
managed sites have had their password and system configuration files
scooped into massive Web index databases, waving the red flag of a
vulnerable site under the nose of potential hackers. Exposure of
other files is a lesser risk, but do you really want to share all
your organization's secrets with all of cyberspace?
A good summary
What malicious web sites can do
What the server got out of the browser
WWW Security FAQ
Writing secure CGI scripts
Search engines and web server security
Securing Internet information servers
ALL CREATURES GREAT AND SMALL
Cybercritters in the night
In addition to the web page traps and viruses that snare unwary
netsurfers, the Net ecosystem is also home to a growing host of
robots, agents, spiders, worms, ants, and other creatures. Speaking
the language of HTTP and other network protocols, these are
basically small programs that traverse the Net for a variety of
purposes. The best known are the spiders that index Net resources
for public and private use. Alta Vista, Infoseek, and Lycos are a
few that come to mind. Others help webmasters manage their sites,
checking for and pruning away defunct hotlinks. Newer programs can
help you harvest Net resources, look for updated pages, download
entire sites while you sleep, or even shop for bargains. In the
brave new world, intelligent agents will not just bring you
information, but become active in coordinating schedules, executing
transactions, and performing other tasks at your behest.
These programs or robots can have intended and unintended effects on
the network and web sites they traverse. Overeager spiders have
overwhelmed web sites by requesting too many documents too rapidly.
As described elsewhere, they can also ferret out information that a
careless system administrator leaves accessible on his disk. Efforts
are under way to create formal Internet standards of behaviour for
web robots. The current version, the Robot Exclusion Standard,
allows site administrators to place a 'robots.txt' file on their web
site indicating where robots should not go. For example, a large archive
of bitmap images would be useless to a robot that is trying to index
HTML pages. Serving these files to the robot is a needless use of
net resources; however, they need to remain accessible to a human
with a browser or FTP. The standard is a voluntary one for the
moment, and an etiquette is evolving for robot developers as
experience is gained with their deployment.
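An added example (not from the original newsletter) of the Robot Exclusion Standard in action, serving both the description above and the earlier point about indexers scooping up files never meant for the world. A well-behaved robot reads robots.txt, picks the group that names it (or the "*" group), and skips any path that starts with a Disallow prefix. The sample file is constructed: it keeps robots out of a bitmap archive and a CGI directory, which are useless to an index, while a site-checking robot is allowed everywhere.

```python
from urllib.parse import urlparse


def parse_robots(text: str):
    """Parse robots.txt into a list of (agents, disallow_prefixes) groups.
    Blank lines separate groups, '#' starts a comment, matching is by prefix."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            if agents:
                groups.append((agents, rules))
                agents, rules = [], []
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:  # an agent line after rules starts a new group
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field == "disallow":
            rules.append(value)  # an empty value means "nothing is off limits"
    if agents:
        groups.append((agents, rules))
    return groups


def is_allowed(groups, user_agent: str, url: str) -> bool:
    """Apply the standard: use the group naming this robot, else the '*'
    group, else allow; then refuse any path under a Disallow prefix."""
    path = urlparse(url).path or "/"
    ua = user_agent.lower()
    chosen = None
    for agents, rules in groups:
        if any(a != "*" and a in ua for a in agents):
            chosen = rules
            break
    if chosen is None:
        for agents, rules in groups:
            if "*" in agents:
                chosen = rules
                break
    if chosen is None:
        return True
    return not any(rule and path.startswith(rule) for rule in chosen)


# Constructed robots.txt for a site with a bitmap archive and CGI scripts.
SAMPLE_ROBOTS = """\
# Keep indexers away from the image archive and the scripts
User-agent: *
Disallow: /images/
Disallow: /cgi-bin/

User-agent: sitechecker
Disallow:
"""

if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    for url in ("http://www.example.com/index.html",
                "http://www.example.com/images/logo.gif"):
        print(url, "allowed" if is_allowed(groups, "IndexBot/1.0", url) else "excluded")
```

Because the standard is voluntary, a Disallow line is a courtesy to well-behaved robots, not a lock: password and configuration files that must not be seen belong outside the document tree or behind the server's own access controls, never merely listed in robots.txt.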
Web robots, wanderers, and spider information
http://apt.usa.globalnews.com/d3/agents.htm (overview article)
Harvesting web pages
General Magic's white paper on a common agent platform
Robot Exclusion Standard
SNOW WHITE, ARCHIMEDES, AND TYLENOL
The issue of trust
Things are not always what they seem. The case of cyanide-laced
Tylenol tablets, Snow White eating the beautiful apple from the Evil
Queen, and Archimedes's encounter with gold that had been
adulterated with base metals. How do you trust what you get? It's no
different in cyberspace. The applet that screams "download me" at
your favourite game site. The robot knocking at the door to your web
server. It's just often harder to verify the reliability of 1's and
We have few qualms about installing shrink-wrapped software packages
because we get it from a retailer we know, or because it carries a
brand name we trust. These days we extend trust to Net sites that we
visit. The momentum behind using digital signatures to show that a
message or a piece of software actually came from the person or
organization that we trust is growing. The Java API including signed
applets will be available in Q3 of 96, and Microsoft is spearheading
a code signing proposal. So in the not-too-distant future, we should
be able to enforce greater security and functionality by verifying
content, robots, applets, and transactions through the signature on
the digital ID card. ID card providers (certificate authorities) are
appearing, and even the US Postal Service is getting into the act.
Signing and security in java applets
Microsoft proposal on code signing
Getting into the card issuing business
Verisign - http://digitalid.verisign.com/
The US Post Office - http://nic.nasa.gov/ana/projects/usps.html
Phone Companies -
PRIVATE PARTIES ON THE PARTY LINE
Virtual Private Networks
The Internet is one big party line where packets of information
bounce hither-thither from source to destination, free to spend a
night or a lifetime with some random computer somewhere along the
way. But as a public thoroughfare, it has great cost advantages
compared to the private networks you get from stringing your own
wire. So how do you have the best of both worlds of low cost and privacy? Although
some large scale network providers such as MCI can provide a
facsimile of private lines by routing your traffic entirely over
network segments that it manages, the trend has been to more control
over your own destiny through virtual private networks (VPNs).
And the party line on privatizing the party line? IP level
encryption. Sender to recipient, end-to-end encryption of
information being transmitted across the Internet means that stray
packets are unintelligible to anyone but the intended recipient.
Encryption at the IP level of the Internet protocol stack also
allows easy support of different application protocols such as HTTP,
FTP, and Telnet, on a variety of underlying network technology such
as Ethernet, Frame Relay, or ATM.
Products that secure the communications between designated sites in
your private network on the Internet are springing up like mushrooms
after a rain. They can be software-only, such as Digital Equipment's
Internet Tunnel, or hardware-based, as NetFortress from Digital
Secure Networks Technology. The SunScreen solution from Sun
Microsystems provides firewall and cryptographic key clearinghouse
services as well as the basic site-to-site encryption. These
solutions work well for organizations that must secure
communications between different facilities. The Security Middleware
products from Virtual Online Network Environments use smartcard
authentication to verify individual users rather than host
computers. This product, if deployed by Internet Service Providers,
would allow even small Mom-and-Pop outfits to have affordable
private networks. And on the large enterprise side of the story, an
industry coalition is forming to enable secure wide area networks
(S/WAN) through encryption and key management standards.
Encryption and Cryptographic Keys
SHOOT-OUT AT THE E-COM CORRAL
Where's the beef?
Glorious sunrise on the range. The entrance to the E-COM corral,
Marlboro Man look-alikes hoist the corral's new brand over the
gates. Bold, wrought iron letters, SET. The crowds cheer and
applaud. Suddenly, a lone cowboy in black with a gold belt buckle
rides up with six shooters blazing. The natives shoot back and give
chase. Exit, stage left. The scene continues undisturbed.
By late 1995, Netscape's SSL (Secure Sockets Layer) had won the
standards race for secured transmission of content (read credit card
numbers) across the Net. Commerce on the Internet received a crucial
boost in early 1996 when leading credit card associations Visa and
Mastercard finally set aside their differences and competing
standards (STT and SEPP) in favour of a common specification, SET
(Secure Electronic Transaction). This specification enables the
other aspects of a credit card transaction, e.g., authorization of
the charges, to occur online, not just the transmission of card
Then First Virtual Holdings announced the identification of a major
flaw in the use of software-based encryption of credit card numbers:
keystroke capture at the client desktop. Their point is that if
someone has managed to gain control of your computer to monitor your
keystrokes, he can capture your credit card number and no amount of
encryption for transmission will help protect you. With the
interconnectivity of the net and the ease of downloading a hostile
applet, the vulnerability of the desktop computer cannot be
overemphasized, particularly for those new to computer and network
security issues. However, the hyperbolic press releases on a topic
well known to security experts, combined with the fact that First
Virtual offers electronic commerce through a mechanism without the
use of encryption, have led to a flurry of responses ranging from
supportive to outraged.
As of this writing, the tempest has subsided to the bottom of the
virtual teacup and electronic commerce marches on.
The Original SSL vs. SHTTP race
The SET specification
RSA's SET Central
The First Virtual press release
Select e-mail responses
FAMOUS LAST WORDS
Chiseled in stone, many many copies
Large scale search sites are invaluable to many netizens. For
example, with the growth of the Net in the past year, publishing
Netsurfer Focus would be too painful to contemplate without access
to sites such as Alta Vista*. The corollary is that with these high
powered spiders, every utterance on the Net, be it on a web page or
a newsgroup, may be a matter of public record that above all else
can be readily found.
The story of your online life, whether you are a frequent poster to
'alt.sex.binaries' or 'sci.crypt' (hello, potential employer!), or
your personal web page showing three beautiful children, a dog named
Jimmy, and a house far beyond your 20K$ a year salary (hello, IRS!)
can be there for all who care to see. And then there are the large
online directories. Coming hard on the heels of the info-preneurs
that have set up directory sites, the phone companies are rushing
online with their multi-million listing offerings. Privacy issues
become intertwined with physical security because it has become so
easy to identify and physically locate you, your beliefs and habits,
and your computer.
Resources behind Alta Vista
The Internet Archive Project
The Smithsonian's 1996 US presidential election web archive
Internet e-mail and white pages
NYNEX Interactive Yellow Pages (Big Yellow)
* How quickly those of us who are old enough to have done research
in the library with index cards and books of abstracts forget! -Ed.
Safeguarding the homestead
As computers move into the home, security takes on new dimensions.
Beyond the hard assets of your computer, and the soft assets of your
data, you need to think about protecting your family and especially
children. Bringing access to the cyberworld to your desktop means
exactly that, and we all know there are parts of the world, real or
cyber, that you don't want to take the kids.
A number of companies have sprung up to help you avoid the back
alleys and redlight districts of the Net. Software such as SurfWatch
or NetNanny block access to known sites where offensive material is
available, or to any site that you deem inappropriate. The sites
that are blocked vary from package to package. Some include on their
verboten-list not just pornography but web resources about
homosexuality, or feminism, or anything that does not promote
"family values". Yet other packages can log all the surfing
activities, enabling Orwellian possibilities right in your own home.
In sum, they are tools that do not excuse us from our
responsibilities to decide what is appropriate in our households.
In addition to the reviewer-based systems, another development that
will facilitate appropriate surfing is some widespread form of
labelling or self-labelling. Just like the "PG", "R", and "X" movie
ratings in the US, labelling provides a more standardized way to
assess the content of a web site. The PICS (Platform for Internet
Content Selection) standard is a technical specification for how to
label Net content. It is developed by the World Wide Web consortium
and can be used to implement any rating system. Currently, there is
much industry momentum behind RSACi, the Recreational Software
Advisory Council Internet rating system. This is an extension of the
rating system for computer games, and has been endorsed by major
online services. Most of the leading blocking products do or will
Recreational Software Advisory Council System
Comparison of blocking products
Surfwatch screening product
SafeSurf self-rating system
Short takes and follow-ups
Reach out and hack someone
A year ago, an enterprising cryptographer named Hal Finney issued a
challenge to his colleagues to crack the encryption on an SSL
(Netscape's Secure Sockets Layer) transmission. Appropriately for
Internet time, not one, but two independent successes turned up
within a month. This was the start of a series of black-hat testing
of net software by cryptography and security aficionados across the
Internet community. Rooted in the belief that strength of security
solutions comes from careful scrutiny and not obscurity, expert
volunteers continue to probe and pummel away. Ongoing efforts
include a series of challenges issued by Internet service provider
Community ConneXion. The reward? The archetypical programmer's notch
- a t-shirt.
The Crack SSL challenge
The Netscape random number generator problem
The Community ConneXion challenge series
Netscape - http://www.c2.org/hacknetscape/
Microsoft - http://www.c2.org/hackmsoft/
Java - http://www.c2.org/hackjava/
Digicash - http://www.c2.org/hackecash
The Tracker Industry
Hacker Shimomura turned tracker when cracker Mitnick reputedly broke
into Shimomura's computer around Christmas, 1994. Since then, the
event has turned into a mini-industry of its own with not one or
two, but three books written about the incident. A web site was also
created to promote "Takedown", Shimomura's book. This time, however,
crackers had the last laugh when they hijacked the URL for the
Takedown site by forging a change-of-address e-mail message to
address keepers at the Internet Network Information Center. We can
be assured of future pranks and publicity stunts as the movie rights
are sold and the cameras begin to roll.
The First Two Books, Reviewed
The Other Book
The Cyberthief and the Samurai. Jeff Goodell, 1996. Dell
The "Takedown" Site
International Arms Trafficking
In February, the US State Department announced an amendment to the
International Traffic in Arms Regulation (ITAR) allowing U.S.
persons to temporarily export cryptographic products for personal
use without the need for an export license (aka the 'Matt Blaze
exemption'). However, US cryptographers and their allies continue
their campaign for the availability and export of strong (>40 bit
key) cryptography. The software industry is clearly concerned about
their inability to compete in the international markets with the
current export controls. IBM-Lotus struck a compromise with the
government by giving it exclusive access to 24 bits in the 64 bit
key used in Lotus Notes Release 4. RSA went the other way and
located a development center in Japan. This allows RSA to provide
identical encryption technologies outside of the US without tripping
over ITAR. On the heels of the successful challenge to the
Communications Decency Act, an industry coalition to lobby
Washington is also forming.
The original arms smuggler
Arms smuggler gets a reprieve
A way to circumvent ITAR
The Notes compromise and more offers of the same
Industry and citizens unite
6TH USENIX Security Symposium: Focusing on Applications of
The Lighter Elements
DigiCrime: Where do you want to break in today?
Microsoft Bob helps you with your passwords
Storming the castle
A portrait of J. Random Hacker
A yardstick of the success of a technology is the linear footage of
books written about it. A recent purchase of 7 books about the
Internet stacked up to 9 inches in height and a price of $426.43 per
foot. Computer security has certainly come into its own on this
front. When we published the first Netsurfer Focus on Network and
Computer Security, there simply weren't that many books out there.
Since then, things have changed for the better. So here is an
updated selection for your consideration.
* Firewalls and Internet Security: Repelling the Wily Hacker.
William R. Cheswick and Steven M. Bellovin, 1994. Addison-Wesley.
A practical guide and a classic.
* Fundamentals of Computer Security. Edward Amoroso, 1994.
The more theoretical approach.
* Information Security: An Integrated Collection of Essays. Marshall
D. Abrams, Sushil Jajodia, and Harold J. Podell, 1995. IEEE
Computer Society Press, Los Alamitos, CA.
Papers on a variety of topics including formal methods and network
and database issues.
* Internet Firewalls and Network Security. Karanjit Siyan and Chris
Hare, 1995. New Riders Publishing.
Another useful, practical guide.
* The Underground Guide to Computer Security. Michael Alexander,
Entertaining and PC-oriented.
* Network and Internetwork Security: Principles and Practice.
William Stallings, 1995. Prentice-Hall.
Broad coverage from secure network and email management to
intrusion detection to cryptography and authentication.
* Network Security: How to Plan For It and Achieve It. Richard H.
Baker, 1995. McGraw-Hill.
Strong organizational and MIS focus.
* Original selections from our first edition
Netsurfer Focus Home Page: http://www.netsurf.com/nsf/index.html
Flames, flowers, and flip remarks to: email@example.com
We appreciate hearing from you even if we do not manage to respond
to every message that is sent to us. We reserve the right to quote
you in future issues of Netsurfer publications or on our website,
so don't say anything you'd regret, OK?
To subscribe to Netsurfer publications:
By WWW form: http://www.netsurf.com/subscribe.html
By e-mail: firstname.lastname@example.org
Netsurfer Focus Netsurfer Communications, Inc.
Publisher: S. M. Lieu President: Arthur Bebak
Production Manager: Bill Woodcock Vice President: S. M. Lieu
(c) S. M. Lieu. This document may be distributed freely in
electronic form in its entirety and without modification. All
other rights reserved.
NETSURFER DIGEST is a trademark of Netsurfer Communications, Inc.
Other publication, product, and company names may be trademarks of
their companies. "God is in the details" is a quote from Mies van
der Rohe. "Fire burn, cauldron bubble" from William Shakespeare,
Macbeth Act 4 Scene 1.