Computers and Security, Vol. 17, No. 7
implement the infrastructure, users were stumped over
how they should proceed and what they would use it
for. Overall, the report generally favours the approach
of the Canadian encryption company Entrust, over
California-based VeriSign. The survey, based on interviews
with the companies’ key customers, suggested
that while VeriSign’s customers enjoyed financial
flexibility because digital certificate rental allowed
them to avoid capital and depreciation costs, they
could pay for that flexibility in the long run. Entrust offers a software product that is bought, installed and
operated by the enterprise, while the VeriSign solution
offers a public key infrastructure service that is
effectively leased or outsourced to VeriSign and
operated by it on the users’ behalf. Giga claimed that
the Entrust users surveyed preferred the benefit of having a security solution that they could completely
control, while VeriSign users preferred having a
‘public trust utility’ which allowed them to outsource
some of their security management. Computer Weekly, September 24, 1998, p. 30.

US finally relaxes encryption policies. In the
United States the Vice President has announced a new
federal policy for the encryption and protection of
electronic communication which will dramatically
increase privacy and security without endangering the
country’s security. Taking effect immediately, American companies will be able to use encryption
programs of unlimited strength when communicating
between most countries. Health, medical and insurance companies will be able to use far stronger
electronic protection for personal records and
information. Law enforcement agencies will still have
access to criminally related information under strict
and appropriate legal procedures. The assistant director
of the FBI, Carol Morris, said, “We in federal, state and
local law enforcement, are pleased with the administration’s
support to establish a technical support
centre. This centre will provide federal, state and local law enforcement with the resources and the technical
capabilities we need to fulfil our investigative responsibilities.”
She also went on to say that in light of strong, commercially available encryption products that are being proliferated within the United States, and when such products are used in the furtherance of serious criminal activity, this centre becomes very, very
critical to solving the encryption issues that we need
to make cases. With respect to export controls, the
administration is updating its policy in three areas: our
existing policy and some revisions there, an expansion
with respect to certain sectors, and an expansion with
respect to so-called recoverable products. With respect to the existing policy, the US Government has for two
years, ending this December, permitted the export of
56-bit products after an initial one-time review
without further review by the Government. From now on, 56-bit products will be freed from export
controls after a one-time review, in perpetuity, not
ending at the end of this year. The administration is
removing the requirement for key recovery plans or
key recovery commitments to be provided in return
for that change. In addition, they are continuing to
permit the export of key recovery products without restraint worldwide and the regulations relating to
those exports will be simplified. Insurance companies
are to be added to the definition of financial institutions
and they will be treated in the same way under
this policy as banks and other financial institutions are
now. In addition, the same kind of treatment for
exports of these encryption products will be given to
the health and medical sector operating in the same set
of countries. Finally, with respect to recovery-capable
or recoverable products, including so-called ‘door-bell’
products, permission has been granted under a presumption of approval and an export licensing
arrangement to a list of 42 countries. Also announced
is the ability to export strong encryption of any bit length, with or without key recovery features, to
subsidiaries of US companies to all destinations in the world with the exception of the seven terrorist
nations. Network Security, October 1998, p. 2.

Slam the spam door, John Fontana. Some IT managers are ignoring a simple ‘set-it-and-forget-it
defence’ against junk E-mail, and the oversight could
be costly. The action any organization can take against junk E-mail is to shut off a feature called relay. This can
be done on any messaging server based on the SMTP
standard. When relay is turned off, it prevents spammers from hijacking corporate servers and resources to distribute junk E-mail. By switching off the relay feature, corporate servers cannot be used to relay spam and disguise the origin of messages. An open relay,
however, gives spammers free use of corporate E-mail
servers and it could expose companies to a loss of
income, time and resources. In the United States, there
are currently three major pieces of spam legislation
moving through Congress. But legislation forces
corporations to fight spammers in costly legal
proceedings. Internet Week, August 17, 1998, pp. 1, 45.

This security catches on - slowly, Suruchi Mohan. Public key infrastructure (PKI) is a comprehensive set
of functions for encryption and digital services. Its
components include a directory, a certification authority
and certification revocation lists. PKI’s most popular
feature is its two sets of keys - a public key and a
private key - for encryption and digital signatures.
Despite its promise, PKI has been slow to catch on. A
primary reason is the technology’s complexity and the
requirement for a directory services infrastructure.
Computerworld, August 24, 1998, pp. 37-38.

Immunizing your system, Frank Booty. There are
now over 20 000 known viruses and between 500 and
550 appearing every month. The big growth has been
in macro viruses which spread much faster than traditional
viruses because people exchange data much more readily than executable files. Most viruses these
days are spread via E-mail and groupware systems.
Today, it’s nigh on impossible for network administrators
to combat the threat of a rapid virus infection
without protecting multiple points of entry. The
widespread adoption of network computing has made
it vital to establish a complete multi-tier virus defence
system. IBM Today, July 1998, pp. 34-35.

Cryptographic accelerators face an uncertain future, Christopher Null. Unless you run a busy E-commerce site that does millions of dollars in
business daily, you probably don’t give much thought
to cryptographic acceleration. Although today’s cryptography services can be slow and place a considerable burden on your Web servers, the hardware available to speed things up is expensive and can be incompatible with existing hardware. The author started his review of cryptographic accelerators by looking at a prerelease PCI card, the CryptoSwift II, from Rainbow Technologies Inc. He also looked at nFast 300 KM recently released by nCipher Corp. In
performance, the nFast beats the Rainbow accelerator
by providing up to 300 1024-bit RSA signings per
second. The nFast series of accelerators also supports a
wider range of algorithms compared with the
Rainbow device. Algorithms supported include: DES,
triple-DES, CAST, and SHA-1. Also supported are
S-HTTP and Secure MIME protocols. The real issue
over cryptographic acceleration is this: will quickening
encryption and authentication transactions actually
speed up your Web site or messaging system? In other
words, is encryption really the bottleneck? Also of
concern is the uncertainty of future support for emerging cryptographic standards, such as Private
Communication Technology, Internet Keyed
Payments Protocol and Secure Courier. LAN Times, August 17, 1998, pp. 30-31.

Axent’s on security consulting, Rutrell Yasin. Beset by growing complexity and a shortage of skilled
security experts, IT managers are looking for a broader
range of security offerings and services from their
suppliers. Axent Technologies becomes the latest to
step up to that challenge by acquiring Secure
Network Consulting Inc. Axent officials hope to give SNCI full reign to offer best-of-class tools. The
challenge facing most organizations is how to link
enterprise security with business operations successfully. The combination of a “services-based organization
like SNCI and a company with a
product/methodology base is a good marriage”. The
integration of consultants with defence and military
backgrounds into the commercial sector may pose a
challenge for Axent. Attaining the lofty goal of providing users with a complete security life-cycle
services programme will be more of a challenge. In
addition to Axent other companies have launched
global service organizations or acquired companies to obtain those resources. These companies include:
Check Point Software Technologies, Network Associates, Security Dynamics and VeriSign. InternetWeek, August 24, 1998, pp. 1, 47.

Who goes there? Paul Grant. We hear much about the security threats that occur when companies go online. Cases of hackers breaking into systems and causing untold damage are well documented, often making national or international news. And now, with