Computers & Security, 17 (1998) 564-574
Security Views Dr. Bill Hancock, CISSP
Editor-in-Chief
Windows-98, RIP and My Adrenaline Rush
As some of you are aware, I have been an avid student
of the martial arts since age 4. I did rather well in
competition in the 70’s and 80’s at very large, international
tournaments. It’s come in quite handy on a
couple of unfortunate times, but has always been part
of my life and has been there for me when I needed it
most.
What does this have to do with anything? Well, I still get an adrenaline rush when I step into a tournament
ring - even if I am just one of the other ‘old fossils’
who judge the efforts of the younger and more agile.
Of course, us ‘old fossils’ have a saying:
Youth and exuberance does not stand a chance against age and deceit...
But, martial arts tournaments give me an adrenaline
rush. Probably always will.
Of course, other things do as well. One is when I come to a realization of how nasty a security problem
some ‘feature’ or another is in an operating system that I am fooling around with. With that, I recently had a small one that grew in scope when I put two-and-two
together and came up with a much larger number.
After recently purchasing a new Pentium II with all
the ‘bells and whistles’ on it, it came pre-installed with
the standard, buggy release of Windows-98. As the
proper geek that I am, once I was happy that everything was working, I parked myself on the Microsoft
Windows-98 CD-ROM that came with my system and started looking into items that are ‘optional’
installs such as the ValuPack and other goodies that are
on the CD-ROM.
Whilst browsing the CD-ROM, I discovered that an
install existed for Routing Information Protocol (RIP). This was a bit of a surprise as making a desktop
system a router is not always a good idea for lots of
network control reasons and even more security
reasons. But, being curious as to whether it worked or not, I installed it and started playing with it.
I was quite successful in getting an ISP connection via
modem with PPP to route properly to an
Ethernet/802.3 connection on the system itself. This
meant that I could dial up an ISP and allow other nodes on my constructed testing LAN to communicate
with the ISP and, therefore, the Internet. A little
further extrapolation caused the revelation that any laptop running W98 with the optional RIP installed
would allow the laptop to ‘back door’ connect the laptop to the ISP on the modem side and the laptop to the corporate LAN on the Ethernet side of the connection. Hence an adrenaline rush - a security problem, and a pretty serious one, waiting to happen.
0167-4048/98$19.00 © 1998 Elsevier Science Ltd. All rights reserved
Computers & Security, Vol. 17, No. 7
For example, one of my customers has a site with 2000
telephone handsets on the property. They also have
over 950 analogue lines. Of those 950 analogue lines,
over 700 are modem connection lines for desktop
systems as the users got sick and tired of getting the IS
department to help them connect out to the world.
Using RIP with a W98 upgrade would now allow
these users to connect out to the world and also route
information from the local network to the Internet
and vice-versa.
Of course, using this type of network technique is not
new. Products such as WinGate have allowed this
capability on W95 for some time now. Other Network
Address Translation (NAT) products for W95 and MS-DOS
accomplish much the same thing. But, you must
purchase WinGate after the trial period for a small fee
and RIP comes included in the W98 distribution kit.
Further, you would also be required to do a little
snooping around the Net to figure out that there was
a WinGate in existence. Inclusion of RIP on the
distribution CD is much easier to discover and use.
I fully expect a lot of small businesses to implement
this optional component. I also fully expect large corporate
laptop users to do the same. In either situation,
compromise of the internal networks via unauthorized
connectivity and access will become much more
commonplace. It also follows that if your company
does not have policies about what is allowed to be
connected to the corporate network and, importantly,
how, then be prepared to have your network compromised
by a desktop near you soon.
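A policy of this kind can be backed by a network check: any host outside the approved router list that starts sending RIP updates on the LAN is a candidate for the dial-up ‘back door’ described above. The Python below is an added example, not part of the original column; the router allowlist and all addresses are constructed, and it assumes a monitor already hands it the payload and source address of each UDP port 520 datagram.

```python
import socket
import struct

RIP_RESPONSE = 2      # command: routing update (RFC 1058 / RFC 2453)
AFI_IP = 2            # address-family identifier for IP route entries
RIP_INFINITY = 16     # metric meaning "unreachable"


def parse_rip(payload):
    """Parse a RIPv1/v2 message into (command, version, routes).

    Each route is (address, mask_or_None, metric); RIPv1 carries no mask.
    """
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("truncated or malformed RIP message")
    command, version = struct.unpack("!BB", payload[:2])
    if version not in (1, 2):
        raise ValueError("unsupported RIP version %d" % version)
    routes = []
    for off in range(4, len(payload), 20):
        afi, _tag, addr, mask, _hop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi != AFI_IP:      # e.g. the 0xFFFF authentication entry of RIPv2
            continue
        routes.append((socket.inet_ntoa(addr),
                       socket.inet_ntoa(mask) if version == 2 else None,
                       metric))
    return command, version, routes


def audit_rip(src_ip, payload, authorized_routers):
    """Return findings for one UDP/520 datagram captured on the LAN."""
    try:
        command, _version, routes = parse_rip(payload)
    except ValueError as exc:
        return [("MALFORMED_RIP", "%s: %s" % (src_ip, exc))]
    if command != RIP_RESPONSE or src_ip in authorized_routers:
        return []
    usable = [r for r in routes if r[2] < RIP_INFINITY]
    findings = [("UNAUTHORIZED_RIP_SPEAKER",
                 "%s advertised %d reachable route(s)" % (src_ip, len(usable)))]
    # In RIP the address 0.0.0.0 denotes the default route.
    if any(addr == "0.0.0.0" for addr, _mask, _metric in usable):
        findings.append(("UNAUTHORIZED_DEFAULT_ROUTE",
                         "%s offers itself as a path off the LAN" % src_ip))
    return findings


def build_response(version, routes):
    """Build a RIP response; used only to construct the samples below."""
    msg = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    for addr, mask, metric in routes:
        msg += struct.pack("!HH4s4s4sI", AFI_IP, 0, socket.inet_aton(addr),
                           socket.inet_aton(mask),
                           socket.inet_aton("0.0.0.0"), metric)
    return msg


# Constructed inputs (assumptions): the site's routers and two captured updates.
AUTHORIZED = {"10.1.0.1", "10.1.0.2"}
FROM_ROUTER = build_response(2, [("10.2.0.0", "255.255.0.0", 2)])
FROM_DESKTOP = build_response(1, [("0.0.0.0", "0.0.0.0", 1)])

if __name__ == "__main__":
    for src, pkt in (("10.1.0.1", FROM_ROUTER), ("10.1.4.37", FROM_DESKTOP)):
        print(src, audit_rip(src, pkt, AUTHORIZED) or "ok")
```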
Stealth Probing of Internet-connected Sites
A recent series of long-term, low packet-count probing has been going on within various large
network sites belonging to the military and other large
sites. Low-bandwidth, or group, hacking involves
numerous hackers working together from different locations. Together, they intermittently send sets of IP packets against a network to test for vulnerabilities. Because the packets come from different hosts and at varying intervals, they come in, in effect, ‘under the
radar’ of most intrusion-detection applications currently on the market.
This type of attack has been rumored about for
several years, but it wasn’t until last month that it was
documented by the Shadow project of the US
Department of the Navy’s Surface Warfare Center.
With these new low-bandwidth attacks, hackers have
found a way to make the most obvious part of their
attacks - probing for vulnerabilities - virtually
undetectable. That frees them up to do the real
damage by racing through those holes to capture data
before they can be shut down. So far, there have been
three distinct patterns that have emerged:
Slow scans for machines and services: Attacker intermittently
checks for machines and services to develop
a picture of the target network. Once vulnerabilities
are mapped, attacker can go back through that hole.
Multisourced attack: Attacker tries to access or crash a
server, also known as denial of service, from multiple
points of origin.
Multisourced attacks to multiple targets: Attacker
dilutes the so-called attack density, making it look like
normal traffic that is converging on the same data.
So far there has been a lot of vendor posturing and
assurances of product upgrades coming out to fight
this new method of probing for weakness. We will see.
What is already known is that this type of probing
requires monitoring consisting of various database and
neural network methods as well as macho computing
hardware to handle the performance issues that are
sure to be an issue. This type of monitoring comes at
a price and it’s not going to be cheap to implement nor simple to solve.
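Why such probing slips past a rate-based detector, and what longer-horizon correlation buys, can be shown on a small log. The Python below is an added example, not from the original column or the Shadow project; the event records, addresses, published-service list and thresholds are all constructed assumptions. The same counting routine is run twice: keyed by source over 60 seconds, and keyed by target over 30 days with all sources pooled.

```python
from collections import defaultdict, deque, namedtuple

Event = namedtuple("Event", "ts src dst dport")   # one inbound connection attempt
HOUR, DAY = 3600, 86400


def max_distinct(events, key, item, window):
    """For each key, the most distinct items seen inside any `window` seconds."""
    recent = defaultdict(deque)
    best = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[key(ev)]
        q.append((ev.ts, item(ev)))
        while q[0][0] <= ev.ts - window:       # drop entries older than the window
            q.popleft()
        best[key(ev)] = max(best[key(ev)], len({i for _, i in q}))
    return best


def per_source_alerts(events, window=60, threshold=5):
    """Burst detector: one source touching many (host, port) pairs quickly."""
    seen = max_distinct(events, lambda e: e.src,
                        lambda e: (e.dst, e.dport), window)
    return sorted(src for src, n in seen.items() if n >= threshold)


def per_target_alerts(events, published, window=30 * DAY, threshold=15):
    """Long-horizon detector: many unpublished ports touched on one host,
    counted across all sources. Returns {dst: (ports_in_window, sources_in_log)}."""
    stray = [e for e in events if e.dport not in published.get(e.dst, ())]
    ports = max_distinct(stray, lambda e: e.dst, lambda e: e.dport, window)
    alerts = {}
    for dst, n in ports.items():
        if n >= threshold:
            alerts[dst] = (n, len({e.src for e in stray if e.dst == dst}))
    return alerts


# Constructed inventory of services each host is supposed to offer.
PUBLISHED = {"192.0.2.10": {80}, "192.0.2.20": {80}}


def constructed_log():
    """Constructed sample: slow multi-source probing, normal web use, one noisy scan."""
    events = []
    # Eight sources take turns; one probe every 12 hours, each to a new port.
    for i in range(40):
        events.append(Event(i * 12 * HOUR, "198.51.100.%d" % (i % 8 + 1),
                            "192.0.2.10", 1000 + i))
    # Ordinary clients of the published web service.
    for i in range(500):
        events.append(Event(i * 3000, "203.0.113.%d" % (i % 200 + 1),
                            "192.0.2.10", 80))
    # A conventional fast scan of another host, for contrast.
    for p in range(10):
        events.append(Event(5 * DAY + p, "203.0.113.250", "192.0.2.20", 2000 + p))
    return events


if __name__ == "__main__":
    log = constructed_log()
    print("per-source, 60 s :", per_source_alerts(log))
    print("per-target, 30 d :", per_target_alerts(log, PUBLISHED))
    print("per-target, 1 d  :", per_target_alerts(log, PUBLISHED, window=DAY))
```

The 30-day state per target is the cost the column refers to: every unexplained connection attempt has to be retained and indexed for the whole horizon.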
Lotus Domino Security Flaws Redux
Another security glitch on Lotus Development’s
Domino Web server may make it possible to view sensitive credit card, address, and phone data from the Web. The breach was reported last week by L0pht Heavy Industries, a group dedicated to security research. Their advisory is located on their web site at:
http://www.l0pht.com (that’s a zero, not an O). This
flaw could make Lotus Domino application-based
payment and client data available from a Web browser.
L0pht’s website said it “received reports regarding a
vulnerability in some implementations of Domino-based
applications, which result in the Internet publication
of sensitive information belonging to
customers of Lotus/IBM and their business partners.”
L0pht said Web browser users can access database
information simply by navigating to the payment entry part of a Domino site, then substituting ‘open’
after -.nsf database names in the URL. L0pht suggests
developers use reader and author names fields to
prevent unauthorized access to sensitive data. It also
suggests disallowing anonymous access to names.nsf,
catalog.nsf, log.nsf, domlog.nsf, and domcfg.nsf
databases.
Ironically, while L0pht was posting the advisory about
the security flaw on its website, Lotus outlined details
of its E-commerce and public-key infrastructure
security plans at its developer’s conference. To address
security concerns, Lotus placed its IETF PKI compliant
implementation in the public domain last summer.
Lotus officials said Microsoft, Intel, and Security
Dynamics Technologies pledged to support the
reference implementation. Having a single PKI implementation
will keep down the number of certificate
authorities businesses will have to maintain for trading
partners and foster greater extranet development. PKI
functionality for Notes/Domino will be completed
and available in the next six to 18 months.
European Companies Not Impressed With E-Commerce
A recent survey by Andersen Consulting shows that many European business executives are slow to incorporate electronic commerce into their operations. While 82% of executives said they believe E-commerce will have a strategic impact on their business in the future, only 39% are taking steps today to incorporate the technology into their strategy. Only 19%, the survey found, regard E-commerce as a serious competitive threat.
Moreover, one-half of the respondents believe that
consumers lack an understanding of E-commerce. A
majority view privacy and security as major barriers.
Eight percent cited the need for governments to work
together to form a common, international E-commerce
framework. The survey, conducted between
December 1997 and July 1998, involved more than
300 senior executives throughout Europe.
Vendor-Supplied Security for Computers
Dell Computer Corp. is working overtime to help IS
managers secure the data in their users’ notebooks,
desktops and servers. Dell recently announced
DellGuard, a security initiative that features password-
protected hard drives for notebooks and desktops,
along with an 800-number that assists in tracking
stolen PCs. In the first half of 1999, the company plans
to add smartcard hardware to its notebooks and
desktops that will provide a single point of user
authentication.
The smartcard solution, which would require a card
reader and be used during logon, would reduce the
number of passwords needed and lessen the chance of
an unauthorized user gaining access to data stored on
a PC or network. Dell’s smartcard security product is
expected on Latitude notebooks and OptiPlex
desktops, sources said. While the company is considering using third-party smartcard devices, it is also developing
its own reader, which could add about $100 to
the price of the notebook, sources said. Dell is also
evaluating biometric security technology, including a
fingerprint sensor developed by Veridicom Inc., in
Santa Clara, Calif., which authenticates users via their
fingerprints.
The company’s DellGuard initiative will focus on
standards-based solutions that are compatible with Microsoft Corp.’s Windows NT 5.0. Windows NT
5.0, for example, will support smartcards and include a smartcard API as well as built-in data encryption.
Dell isn’t alone in its security efforts. Compaq
Computer Corp. is a member of the BioAPI Consortium, a group that is working to develop APIs for biometric security. The Houston company also
has a fingerprint recognition device for its Deskpro
PCs.
IBM will also introduce a smartcard encryption product
for its ThinkPad notebooks. The company is developing
a reader that will fit into the notebooks’ PC Card readers. The smartcard product, which has not
yet been priced, will be available first as an option,
sources said.
Hewlett-Packard Co., a longtime smartcard backer,
recently announced ProtectTools, a program to integrate
smartcard readers into its Vectra VL desktops,
Kayak workstations and OmniBook notebooks. The
Palo Alto, Calif., company is working with Veridicom’s
sensors for inclusion in future desktops and notebooks.
While all of these initiatives are useful and beckon the user to thinking more about being secure and less
about the overall problem (it’s the “I have a lock on
the door and am therefore secure” syndrome), they are
all based on different methods, technologies, techniques,
etc. Until we can get all the vendors together
in a single mode of security, all this does is exacerbate the differentiation of security products for the same
technical problem and, as usually happens, the users
turn the security features off in defiance of IS personnel
due to their “operational needs” (i.e. they don’t
want to mess with the solution as it is intrusive and
annoying).
Network Associates Introduces a New Firewall Concept: Adaptive Proxies
Network Associates, Inc., recently announced a new method to protect networks via firewall technology
that promises to remove the longstanding tradeoff between security and speed when choosing a firewall.
The new patent-pending firewall technology features
‘Adaptive Proxies’ which maintain the tight security
standards of proxy firewalls, but can dynamically ‘adapt’ packet flows on the fly to achieve substantial
performance improvements. The new Adaptive Proxy technology is the result of years of research at NAI Labs, the security research division of Network
Associates. The new technology will debut this month
in Gauntlet Firewall 3.0 for Windows NT, and will be
widely available on all Unix and NT versions of
Gauntlet later in 1998.
Historically companies have faced a tradeoff between the speed of stateful packet inspection firewalls and the
tight security of application proxy firewalls. The new
adaptive proxy model eliminates that tradeoff by
dynamically applying the appropriate degree of security
as it is needed.
Application proxy firewalls like Gauntlet have traditionally
been viewed as better than average security
due to specific architectural features that help secure ancillary information when a connection is in
progress. Because all data passing through the firewall
is examined at the application layer, the highest level of the protocol stack, application proxy firewalls have full knowledge of exactly what is occurring in each
attempted connection. Proxy firewalls are also considered
to be superior to stateful packet inspection
firewalls because they act as a ‘proxy’ for all authorized
connections, never allowing direct contact between
the trusted and untrusted networks. Although these methods offer significantly tighter security, the additional
security measures sometimes require more time
to process.
In contrast, stateful packet inspection firewalls attempt to
simulate the approach of an application proxy firewall
by examining data through a proprietary inspection
module at a much lower level of the protocol stack. Once a connection has been established, stateful packet
inspection firewalls also allow direct connections (if
NAT facilities are not enabled) between endpoints
through the firewall, potentially exposing internal systems to compromise from sophisticated attackers if the firewall is incorrectly set up.
The new patent-pending ‘Adaptive Proxy’ technology
supposedly gives users the best of both previous firewall
technologies. Adaptive Proxy firewalls dynamically ‘adapt’ packet flow on-the-fly based on user-defined security rules. This allows users to customize firewall policies to their specific needs without sacrificing speed or security. When security requirements are
high, the initial security examination still occurs at the
application layer, assuring the maximum security of a
traditional proxy firewall. Once all the details of that
session have been cleared by the proxy, however,
subsequent data packets can proceed directly through
the much faster network layer. Initial vendor benchmark
tests of the new Adaptive Proxy technology have
demonstrated tenfold or greater performance
improvements with zero security compromise (of
course, these are vendor provided and still need to be
verified).
Gauntlet’s new Adaptive Proxy technology will also
enable more flexible integration between individual security products such as security vulnerability scanners, virus security scanners, and intrusion protection
sensors. As part of its ‘Active Security’ initiative,
Network Associates is enabling properly authenticated
devices to automatically ‘adapt’ firewall security levels
according to a firewall administrator’s pre-established
security policies whenever security sensors and
scanners detect an important threat to the network.
Next!
Aussies Outsource their Equivalent of the US National Security Agency
The partial handover of Australia’s most secretive intelligence network to a foreign company was a
threat to national security, the main opposition Labour
Party said Tuesday.
The Defense Signals Directorate (the Australian
equivalent of the US National Security Agency),
which is so secretive its annual budget isn’t even made public, has handed over some of its foreign intelligence
gathering to private companies, one of which is
British Aerospace Australia. The handover was made public when British Aerospace advertised for 40 people with expertise in languages of the Asia-Pacific region to work in Australia.
Labour defence spokesman Arch Bevis said handing
such sensitive work to a foreign-owned company was madness and clearly not in Australia’s interests.
“Not even Margaret Thatcher or Ronald Reagan
went this far with privatization”, Bevis said. “Giving
British Aerospace Australia a contract to advertise for
and employ language and communications intercept
experts has enormous implications for Australia’s
national security.”
“In a conflict situation, the information they would be
gathering could affect the lives of thousands of military
personnel.” Bevis called on Prime Minister John
Howard’s government to make public any plans for the
sell-off of other aspects of Australia’s defence systems.
What I find truly interesting about this is that the task
is over and done with, the politicians are going crazy over it and there is a high probability that the situation
has existed for years. In my years working in ‘spook
shops’, it was not uncommon at all to have a great many commercial contractors working with us side-by-side.
It would never appear on the books of any
contractor as to what, exactly, they were doing - but they were there doing it nonetheless. Sorry, guys -
nothing really earthshattering here. Been happening
for years. I sometimes wonder what will be outsourced
next. Upon reflection, I probably don’t want to know.
New E-mail Newsletter on Electronic Identity Fraud
John Ellingson, principal of e-Dentification LLC
announced the start of publication of a free E-mail
newsletter called Electronic Identity Fraud.
Publication is devoted to the newly created problems of electronic commerce and electronic data interchange
(EDI) wherein people in remote locations
do business through electronic means and lose the
valuable opportunity for personal face to face evaluation
of each other.
Much attention has been devoted to the security of the message, using encryption and passwords and firewalls. But the important question of the identity and honesty of the sender of the message has been
ignored. The newsletter is available on request to [email protected]. Please say Identity Fraud as subject of request.
John Ellingson is chairman of NBIB Inc. which developed
an identity detection system now used by 17 000
banks. The new system is designed specifically for non
bank companies engaged in electronic commerce. He
is at [email protected].
World’s Smallest Combination Lock is Created
A team of US scientists have developed a minuscule
mechanical device they describe as “the world’s smallest
combination lock”, promising to build a virtually
impenetrable computer firewall.
Sandia National Laboratories said in a news release
that the Recodable Locking Device is a series of tiny
notched gears that move to the unlocked position
only when the right code is entered. Using the microelectromechanical
system (MEMS) so small that it
takes a microscope to see it, Sandia said, the device is
the first known mechanical hardware designed to keep
unwanted guests from breaking codes and illegally
entering computer and other secure systems.
The Recodable Locking Device is hardware. With it
in place, a user would only have one opportunity to
enter the correct password - and a one in one
million chances of guessing it, compared with a one in
10 000 chances in most passwords used in software
firewalls. The system shuts down if the password is
incorrect and can only be reset by the owner. The
entire device is about the size of a button on a dress
shirt and could be built into a small chip that would
be incorporated into any computer, computer
network or security system.
It consists of a series of six code wheels, each less than
300 microns in diameter, driven by electrostatic comb
drives that turn electrical impulses into mechanical
motion. To unlock the device, a user must enter a code
that identically matches the code stored mechanically
in the six code wheels. If the user makes even one wrong entry, the device mechanically ‘locks up’ and does not allow any further tries until the owner resets it. Sandia said that the device has a powerful potential besides being a deterrent to hackers. They expect to
see the device used in commercial applications within
the next two years.
Getting Bitten by Year 2000 Problems in Places You Never Thought of...
Oddly enough I get a lot of E-mail questions about
security and the Year 2000 problem. While some of
you readers will refer to this section as “I already knew
that”, and you may be correct, it strikes me that there
are many out there in cyberspace who really don’t
understand the Y2K problem to the depth that it
extends. If nothing else, use this section of this month’s
column to educate your management.
Everyplace you read you hear about the Year 2000
problem, especially when computer systems and
software are involved. Is it real? Yeah, unfortunately, it
most certainly is. Is your company at risk due to it?
Yes, it is and that’s a question we can explore in detail
later, but first we need to understand what the Year
2000 (also known as Y2K) problem is.
When programmers write programs, which are on
every computer in every location, they have to create
program code sequences that involve the use of dates
and times. When defining any type of date many
times, programmers must specify rules for the formatting
of year of the date. For instance, specifying only
19 for a year as the first two digits is going to cause big
problems when the year 2000 hits and it starts with
20. Programs cannot do anything other than what
they were programmed to do and those who are
expecting 19 for the first two year digits are going to
freak out in a major way when something hands a 20
to them instead. At a minimum, things stop working. At a maximum, systems crash and incorrect date
information is saved. This can have some pretty far-reaching
and catastrophic effects for a lot of things like
databases and real-time programs which use dates and
times for serious work like nuclear reactor failsafe
programs.
Even worse are where programs have algorithms where date computations are made based upon only the last two digits of the year. Let’s say you wanted to
know how many months had transpired from the first
of January of the year 1900 until the last day of
December of the year 1999. If the computation were
made such that only the last two digits were used, then
this task done before the year 2000 would result in a
computation of 99 times 12 or 1188 months. But,
what if the same question were modified to the
number of months from the first day of January of the
year 1900 until last day of December of the year 2000?
The answer would come back as 12, not 1200 as the
correct answer would be. This simplistic example can be expanded to problems like invoicing for time spent
on jobs (typical timesheet applications), time management
software, calendar tracking applications, etc.,
which affect everyday user routines. It can also affect
railroad scheduling, flight scheduling, reservations for
practically anything, industrial control systems, financial
and accounting systems and, basically, anything
run by a computer.
So, the problem is quite serious. And, without updating
systems, it is not going away. In fact, the two
examples above are simplistic ones that are easily
understood. There are a rash of them that are considerably
more complex and difficult to understand and
correct. Another problem is the nay-sayers that claim
that Y2K is over-hyped and that very few things will
be affected. There have been some articles written by
non-technophiles to this effect and they couldn’t be
more wrong if they tried. There are extremists that
claim “all will come to a halt” and those who claim
“nothing is wrong”. The truth is in the middle,
leaning more towards the “all will come to a halt” than
“nothing is wrong”.
Some companies are taking the Y2K problem very
seriously. Consider the expenditures of the following
banks to address the Y2K problem (sources are
Chicago Tribune and Crain’s Chicago Business):
Chase Manhattan Corp      $250 million
Citibank                  50-70% of staff dedicated to the problem
BankAmerica Corp          $250 million
First Chicago NBD Corp    $100 million
LaSalle National Bank     $30 million
If you examine the locations where computers are
being used, you can begin to see how problems with
something as simple as a date can cause personal and
professional problems.
I have an intercom system in my home. It has a digital
calendar in it and was manufactured about two
years before I bought my home in 1987. Just for fun,
I moved it up to January 3, 2000, and it displayed
January 3, 1900. It does not even have the year 2000
capability to display the number in the unit. So, I
called the company that makes the unit and they told
me that to fix the problem would require replacement
of the main unit with a new unit for a cost of about
$700. Needless to say, I am really unhappy about this
and am now tracking down the programmer for my
intercom unit to do him/her bodily harm.
Another personal experience is my microwave oven in
my kitchen. Installed at the same time, it has a timer,
date and day display. Guess what happens when you
set it to January 3, 2000? It beeps at you and displays
a fault code and then reverts to 1900. I called the manufacturer and they said that a $50 upgrade will fix
it. Gee, how happy am I again? I am up to $750 in
personal out-of-pocket upgrades and I have not even
gotten to the house security system, car calendars,
sprinkler system, VCR clock/calendars (yes, campers,
they are affected as well), refrigerator (yes, it is ‘calendar-challenged’),
stereo system, digital wrist watches,
electronic alarm clocks, etc. All of this has nothing to
do with my office, but all of it is up-close and personal.
And, a lot of it is going to break in the year 2000. Sigh.
What does this have to do with security? Plenty.
Remember that most computer-based security technologies
use programmable date information to keep
logs and audit trails. Let’s examine some very simplified example areas of risk and security issues where the Y2K problem, not fixed, will cause problems:
Perimeter facility access security products. These products, typically used to secure a building or grounds area, use computers to control access to the facilities. Dates are extremely important for enforcement of Time of Day (TOD) operations when people
are allowed in or out of a facility. TOD also causes
problems for people with access which expires on
specific dates at specific times. If the date modules of
the programs controlling perimeter access can’t deal
with Y2K, the entire security system may be in jeopardy
and will either lock everything down or lock up
nothing at all.
Card control access systems. In a recent test at a
customer site, we put the clock ahead to test a card
control system. Everything worked great except the
elevator card key facilities. Turns out that the system
was upgraded properly, but the elevators were not and
it was expensive to do so. Therefore, it was cut from
the budget. Since the card keys did not cooperate in
the elevator card reader PROMs after Jan. 1, 2000, the
elevators would not allow us to go anywhere a card
was required to reach a specific floor. I am sure that
other embedded logic card control systems will have
similar problems as I have seen them on several
already.
Fax machines. Many of them have built-in electronic
day and date display and transmittal facilities. We took
a relatively new unit (about 3 years old) and moved
the date up just for fun. It wouldn’t let us and beeped
at us every time we tried. Really frustrating. In many
companies, the date-time-group (DTG) provided on
transmitted fax documents is a crucial business
requirement, especially where negotiations are going
on or where there are date restrictions on actions by
company management. If a fax machine cannot transmit
an effective date, this is bad science for all
involved.
PBX systems are particularly sensitive to calendar date
events. Discussions with some industry experts tell me that many PBX switches that are over 10 years old will
have problems with Y2K. A customer of mine running
a very large switch with over 10 000 users has a switch
that is effectively 20 years old. Needless to say, a Y2K
test was a disaster and upgrading the switch will be
expensive and time consuming.
Manufacturing systems. Companies that engage in manufacturing products actually have three threats to their business: embedded systems, the supply chain to
the business (and all associated systems) and internal,
third-party packages. There are a lot of 1970’s technologies
in embedded systems that will not work
properly in 2000 and there is a great deal of microcode
and other specialized applications that may be difficult
if not impossible to debug and fix. In fact, one well
known pharmaceutical firm I know of is discontinuing
a version of a major diabetic therapy product due
to the expense of converting the system to work in
Y2K: it’s cheaper to get rid of the system and move
customers to a newer product than to upgrade the
system which makes the pharmacological components
to work properly later on. Supply chain vendors who have problems shipping raw materials will impact
arrival and scheduling of manufactured components
and cause total chaos in the manufacturing and delivery
of product. Internal packages configured for Just
In Time (JIT) inventory systems may suffer due to the
standard Y2K problem but also may not be equipped to deal with the issues of scheduling and manufacturing
problems imposed by materials problems with the
supply chain issues. It becomes a mess rather quickly
when just a few things start to go badly.
Retail systems. Solely dependent upon supply chains,
the problems of supply chain system failure to the
retail channel will have far reaching and major effects
to retail systems which depend on rapid delivery of sellable items where inventory is tight and rapid
change in spending patterns occur. Supply chain
components may not notify the retail consumer until
it is much too late to do anything reasonable about the
problem.
Utility systems. What happens if a nuclear power plant
failsafe system, which may not be date-dependent, is
told by a date-dependent system to scram the reactor? At that point, massive logging of events is required and
needed. What if the logging system fails? The plant may be left in an ‘Unanalyzed Condition’ (which is
very bad - all safety issues that happen at a nuclear
plant must be completely analyzed and resolved before
a restart can occur) and the plant must be shut down until the safety issues are identified and corrected. Nothing has caused melt down and probably won’t. The problem is that it cannot be started back up. Lights out.
Health care. Hospitals and other medical organizations
depend on diagnostic systems which have their own
embedded systems within them. A lot of these systems
stop when maintenance intervals are reached.
Computing the wrong date may cause that to happen
a lot quicker than expected. These organizations have
a lot of the same problems as the retail sector’s
problem with supply chain Y2K problems, but here
people’s health and, indeed, their lives may be at stake.
The list of opportunities to fail goes on and on. The point is clear: Y2K is serious, ubiquitous and something that a lot of companies are simply not paying attention to solving. This is especially the case in small and medium sized companies where expenditure to fix the problems is not part of the overall corporate goal of survival.
Then, there are the legal problems. Yes, legal problems. In any area where liability is produced, there is always the human and corporate tendency to find someone else upon which to shift the blame and, therefore, the risk. For instance, in a public company, failure to disclose potential Y2K problems subjects the directors and officers of a company to a rash of lawsuits. The liability is that these individuals have a fiduciary responsibility to act in the best interests of the corporation. While corporate ‘standards of care’ vary from state to state, they exist to protect the company and stockholders. What is particularly important, especially for public companies, is the risk to the company of shareholder lawsuits and enforcement actions by state or federal authorities based upon a company’s lack of official or sufficient disclosure of Y2K issues in required public filings with the Securities and Exchange Commission (SEC), or with state securities regulators. The SEC issued guidance in 1997 (Staff Legal Bulletin No. 5 on Year 2000 Disclosures) which advises companies of their year 2000 disclosure obligations. While a ‘guidance’ by the SEC is not a law, you don’t ever ignore it lest your company trigger an SEC enforcement action or class action lawsuit by stockholders. The SEC requires “specific and meaningful” information about Y2K issues and also specifies minimum informational requirements (which can be extensive in some situations). By keeping a consistent and exhaustive chronology of events that the company undertakes to properly address the problems, these opportunities are minimized. Doing nothing can open up the company to a variety of problems including business failure.
Ok, now that your consciousness has been properly raised, let’s examine what you can do about the problem and what steps are necessary to avoid the Y2K pitfalls that are sure to come along.
There are four overall steps that have to happen to properly address and fix Y2K problems:
1. Inventory and assessment of your exposures to Y2K in software and systems.
2. Analyze and find your year 2000 risks and legal requirements.
3. Fix your programs and applications.
4. Test your changes.
Before you get too carried away and start the steps, there is that legal liability exposure ‘thing’ that you have to be concerned about - whether you are a public or private firm. One sure help in a courtroom is a great deal of documentation about all the steps and work that was done to ensure that your systems were being corrected for Y2K compliance. That starts first and now: document everything that goes on, regardless of how trivial it might seem, to ensure that your company has a proper paper trail of compliance efforts in the case of a legal action against the company as a whole or specific officers and directors.
While the following statement might seem a little brain-damaged and normally filed in the ‘common sense’ file, it’s crucial: upgrade and fix mission critical systems first! A quick assessment will yield information about what systems and software are critical to keeping the business running or what supply chain facilities are critical to keeping materials flowing. These areas obviously must be the first addressed regardless of their complexity as they are considered to be business critical to keeping the company afloat as a profit generating machine.
(1) Inventory and assessment of your exposures to Y2K
This step has two components: business issues and technical issues. Business issues cover concerns over Y2K compliance by vendors, business partners, suppliers, subsidiaries, embedded systems, end products, retail products or provision and industry-specific business, legal issues and regulatory requirements. The technical issues include: an inventory of software products in use; vendor statements verifying either no issues or what issues are to be solved in Y2K compliance (you will need to contact each one); in-house software analysis to discover what was ‘home grown’ and will cause problems; embedded systems that you may be using that have older software in them and may fail or not operate correctly; etc.
(2) Analyze and find your year 2000 risks and legal requirements
Now that you have a rough idea of the scope of the software and business problems to be solved, any in-house code and processes need to be analyzed for Y2K conversion efforts. This can be an especially painstaking effort and is essential to ensure that you know exactly how much work and what types of efforts will be required to properly convert systems to Y2K compliance. Testing of date changes and the effects of failure of one system vs. what happens to another is just a small piece of what has to happen. Other tasks include determining how your company affects supply chains, your Y2K requirements legally and to your customer base and many other related issues.
(3) Fix your programs and applications
This sounds easy, but it’s not. A lot of programs that are home-grown or are used in systems no longer supported by a vendor may be extremely difficult, if not impossible, to fix. This may entail entire replacement of selected systems or subsystems that are in use to ensure that they can properly function when year 2000 comes around. You will most likely need to find source code for affected programs or get the upgraded ones from vendors if they exist. Consultants who are familiar with your systems and problems will most likely need to be retained and an overall project and plan for correction will need to be designed and implemented. Tools and other facilities that will facilitate the conversion of code or products will also need to be tested, certified and used for the conversion.
(4) Test your changes
This is often one of the most painful stages and often takes as long as (or longer than) it does to make the code changes. Testing involves the use of automated testing tools, conditional testing, interrelationships with other programs and how the changes affect other code components and many other issues. If you are in the supply chain as a vendor, the pain can increase seriously when you consider that you may need to create a parallel system environment to test changes and updates. Interactive systems can be a real challenge as user interfaces, reports, database interfaces and all manner of interactive methods must be tested to ensure that everything works as required. Of course, there is user training, documentation and many other steps to ensure that everything gets done correctly and functions in accordance with plans.
A final comment about consultants. Be careful who you select to do your work, ensure they have the proper credentials and get some specific information about what they can and cannot do for you in the conversion effort. As in any service sector industry, there are some very reputable individuals and some that are less than what they seem. Remember that all the work is being done by people, not machines, and the selection of those people with the right qualifications is what makes or breaks a conversion. Also, the customer has the absolute right to know what they are getting and why and also be intimately involved in the process. Failure to get thoroughly engaged in the process leads to miscommunications, overcharges and runaway projects. Get involved and stay that way.
When starting your conversion efforts, ensure that your team has the proper systems, tools and facilities that are necessary for the job. Some larger consultancies have developed their own Y2K conversion packages. Mainframe vendors, such as IBM, have entire Web sites and conversion suites that are used for conversion help. Project management tools, Gantt chart progress tracking, source control systems, formula and strategies for date management and upgrades and a whole host of other technical tools and facilities are necessary to properly plan and upgrade systems and code for Y2K compliance. All of this costs money and does not come for free. These are expenditures over and above the actual code conversion and, without them, the effort will take much longer and have less overall chance of success.
Y2K is non-trivial. In some systems, the effort may involve as little as upgrading a system to a new version of the product. In most cases, especially if there is home-grown software involved, the effort must be carefully planned and progress controlled to ensure success. Even if your in-house systems are not affected, if you are a manufacturer, retail supplier or other ‘middleware’ type of business, you may be affected by other Y2K problems at other companies and vendors. Take some time and analyze your exposures and know what alternatives you have before real problems creep up on you and it’s too late to do anything about them. Insist on vendor compliance and remember to work with your vendors and suppliers to minimize the impact of systems that have not been converted. Develop a disaster plan of action in case there are supply-side problems that you have no control over but affect your ability to pursue your business. And, remember that there are a great deal of legal issues that you must deal with to ensure that the company’s liabilities are properly dealt with.
Recommended reading
The Year 2000 Software Crisis
Ian S. Hayes, William M. Ulrich
Yourdon Press Computing Series
ISBN 0-13-960154-6
Practical Methods for Your Year 2000 Problem
Robert B. Chapman
Manning Publications Co.
ISBN 1-884777-52-X
The Year 2000 Computing Crisis
Jerome T. Murray, Marylyn J. Murray
McGraw-Hill
ISBN 0-07-912945-5
Dr. Bill Hancock, Executive Vice President and Chief Technology Officer of Network-1 Software and Technology, Inc., is a well known computer and network consultant, designer and engineer with thousands of network designs to his credit. In the business for over 25 years, he has designed and re-engineered networks (over 4000) for many of the Fortune 1000 as well as many international companies and governments with system counts from two to over 1.5 million systems. He has held full-time technical and management positions at various Fortune 100 companies including Standard Oil of Ohio, Digital Equipment Corporation, Texas Instruments and US governmental organizations such as the Naval Security Group Command. A prolific network architect and designer, he has designed networks for a wide variety of organizations such as the Capitol of the United States of America, 17 power companies, NASA research networks, aircraft control systems such as components of Boeing aircraft and the F-16 and F-22, manufacturing networks, R&D networks, telephone companies, banks and financial institutions, distributed control systems, various governmental networks and components of the worldwide network known as the Internet. A network and system security expert, Bill has designed and developed commercial dial-up security, encryption, network firewall, authentication, digital signature and other products. As a consultant, Bill is often sought to provide guidance on security policies, procedures, technologies, strategies and actual hacker prosecutions and trackdowns. Bill often works with law enforcement professionals worldwide to identify, stop and prosecute computer criminals and offenders. Bill is an often sought speaker for keynotes at InterOp, Comdex, CEBIT, NT World, NetworksExpo, Compsec, Internet World, Mactivity and is well known for his detailed knowledge of networking and security as well as his humorous style of speaking.
Bill has written 20 books on computer networking and security and has written articles for Data Communications Magazine, DEC Professional, Digital News, News 34/38, The Wall Street Journal, The Dallas Morning News, IEEE Networks, Network World, Network Security and many other publications. He currently writes a regular column in Network Security magazine. He is also a US network expert to the ISO and sits on various international standards committees. Bill is a member of many industry societies (IEEE, ACM, DECUS, etc.) and has sat on the boards of several organizations. Bill is a member of ANSI and sits on several standards committees domestically and internationally. He holds several patents in networking and security technologies and is a Certified Information Systems Security Professional (CISSP), Certified Network Designer (with Architect Endorsement) and has earned a B.A., M.S. and Ph.D. in Computer Science. Further biographical information can be found in: Who’s Who in the World, Who’s Who in America, Who’s Who in Science and Engineering, and Who’s Who in Finance and Industry.