informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/hacking/issm303.hac

457 lines
22 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

ÚÄÄÄÄÄÄ InformationÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ °°°Û °°°°°Û °°°°°Û °°Û °°Û ³
ÃÄÄÄÄÄÄ Systems ÄÄÄÄÄÄÄÄÄÄÄ °Û ÄÄ °°°Û ÄÄ °°°Û ÄÄÄ °°°°Û ÄÄ °°°Û ÄÄÄÄ´
³ °Û °°°°°Û °°°°°Û °°°°°°°°°°°°Û ³
ÃÄÄÄÄÄÄ Security ÄÄÄÄÄÄÄÄÄÄ °Û ÄÄÄÄÄ °°Û ÄÄÄ °°Û Ä °°Û Ä°°Û Ä°°Û ÄÄÄÄ´
³ °°°Û °°°°°Û °°°°°Û °°Û °°Û ³
ÀÄÄÄÄÄÄ Monitor ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Dedicated to the pursuit of security awareness..............
===========================================================================
Volume 3 Number 3 July 1993
===========================================================================
IN THIS ISSUE
WHO'S READING YOUR SCREEN
What's New?
Questions on Security Tokens
Clyde's Computer Security Hall of Fame
Virus Alert
Dear Clyde
Token Demo
Jim's Corner
Computer Speak
Computer Security Slogan Awardees (Insert)
The ISSM is a quarterly publication of the Department of Treasury, Bureau of the
Public Debt, AIS Security Branch, 200 3rd Street, Parkersburg, WV 26101 (304)
480-6355
Editors: Ed Alesius
Kim Clancy
Mary Clark
Jim Heikkinen
Joe Kordella
*******************************
* *
* WHO'S READING YOUR SCREEN *
* by Philip Elmer-Dewitt *
* *
*******************************
It's a situation that arises a million times a day in offices around the world.
An employee has something personal to tell a co-worker---a confidence, a joke, a
bit of gossip that might give offense if it were overheard. Rather than pick up
the phone or wander down the hall, he or she simply types a message on a desktop
computer terminal and sends it as electronic mail. The assumption is that
anything sent by E-mail is as private---if not more so---than a phone call or a
face-to-face meeting.
That assumption, unfortunately, is wrong. Although it is illegal in some states
for an employer to eavesdrop on private conversations or telephone calls---even
if they take place on a company-owned phone==there are no clear rules governing
electronic mail. In fact, the question of how private E-mail should be has
emerged as one of the stickiest legal issues of the electronic age, one that seems
to evoke very different responses depending on whose electronic mail system is
being used and who is reading the E-mail.
Does the White House, for example have the right to destroy electronic messages
created in the course of running the government? That issue came to a head last
week when a federal judge barred the BushAdministration from erasing computer
tapes containing E-mail dating back to the Reagan era---including electronic memos
that are relevant to Iran-contra and might implicate officials in the Iraqgate and
Clinton passport scandals.
The White House had issued guidelines that would have allowed staff members to
delete that mountain of electronic evidence. Judge Charles Richey dismissed those
instructions as "capricious" and "contrary to the law." He specifically rejected
the argument that all substantive E-mail had been saved in computer printouts.
The paper versions, Richey noted, omit who received the documents and when. "What
government officials knew and when they knew it has been a key question in not
only the Iran-contra investigation but also in the Watergate matter."
Many historians and legal experts applauded the decision. Government officials,
they argue, are civil servants conducting the public's business; the public has
the right to review any documents they create--paper or electronic. But how would
those citizens feel if it were their E-mail that was being preserved for
posterity? Shoudn't private missives sent over a privately owned computer be
sacrosanct?
That's what Rhonda Hall and Bonita Bourke thought. Three years ago, they were
hired by a California subsidiary of Nissan to set up and run the electronic mail
networkthat links the car company's Infiniti dealers. A female supervisor heard
that some of their E-mail was getting pretty steamy and began monitoring the
messages. She soon discovered that the two had some disparaging things to say
about her, and the women were threatened with dismissal. When Hall and Bourke
filed a grievance complaining that their privacy had been violated, they were
fired.
One might think the two employees had a strong case for unlawful termination. But
their case was dismissed. Nissan's lawyers argued successfully that since the
company owned the computer system, its supervisors had a perfect right to read
anything created on it. "I'm dismayed," says Noel Shipman, the attorney who is
handling Hall and Bourkes's appeal. "To me, the simple bottom line is that
gentlemen don't read each other's mail."
But it's not that simple. The Electronic Communications Privacy Act of 1986
prohibits "outside" interception of E-mail by a third party--the government, the
police or an individual--without proper authorization (such as a search warrant).
It does not, however, cover "inside" interception-seeking a peek at the office
gossip's E-mail, for example. In the past, courts have ruled that interoffice
communications were considered private only if employees had a "reasonable
expectation" of privacy when they sent it.
The fact is no absolute privacy exists in a computer system, even for the boss.
System administrators need to have access to everything in a computer in order to
maintain it. Moreover, every piece of E-mail leaves an electronic trail. Though
Oliver North tried to delete all his electronic notes in order to conceal the
Iran-contra deal, copies of his secret memos ended up in the backup tapes made
every night by the White House system operators. "The phrase 'reasonable
expectation of privacy' is a joke, because nobody reasonably expects any privacy
nowadays," says Michael Godwin, general counsel for the Electronic Frontier
Foundation, a not-for-profit group devoted to protecting the civil liberties of
people using electronic networks.
Some computer users are taking matters into their own hands. If the law will not
protect the privacy of their E-mail, they'll do it themselves--by scrambling their
messages with encryption codes. Godwin's group is advocating that the government
let private individuals use the most powerful encryption systems--systems that
even the FBI can't crack. Unfortunately, such complex codes are likely to
undermine the principal virtue of electronic mail: convenience. In the end,
people bent on private communication--or government officials involved in criminal
conspiracies--had best pick up the phone, or better yet, stroll down the hall and
have a good old-fashioned face-to-face conversation.
Copyright 1993 TIME, Inc.
Reprinted by permission.
**********************END OF ARTICLE*********************
+++++++++++++++++++++++
+ +
+ WHAT'S NEW? +
+ +
+++++++++++++++++++++++
The AIS Security Branch's Electronic BBS number has changed. Bureau telephone
changes at the Parkersburg location have been completed and the 420 prefix has
been replaced with a 480. The new BBS number is (304) 480-6083.
A new feature starts with this issue of the ISSM, titled "Jim's Corner". This
article, written by Jim Heikkinen, will list Security Branch Training offerings;
various computer security Videos; CBTs; and publications available to Bureau
personnel through the AIS Security Branch.
****************END OF ARTICLE***************
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
% QUESTIONS ON SECURITY TOKENS %
% By Kim Reese %
% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
In the last issue of the ISSM, an article was published describing security tokens
and Public Debt's plans to implement this technology in 1994. As a result,
several questions about the tokens were received. We felt that others may have
had the same questions and decided to publish them with their responses.
1) What do the Tokens look like?
The Tokens resemble a small pocket calculater.
2) How big are the Tokens?
The Tokens are approximately 2 1/2" x 3 3/4" in its case. The actual
Token itself is the size of two credit cards stacked together.
3) Will I have to have the Token with me at all times? I.E. carry it with
my BPD I.D.
No, you can secure your Token in your desk unless you are required to
have dial-in access from home in order to perform your job function.
4) How many steps is this adding to my Logon?
Approximately three steps plus Logon I.D. and mainframe password. The
Security branch is looking at purchasing software that would allow you
to log directly into the mainframe at the fifth step.
5) Do I take the Token home with me?
No, unless you require dial-in access from home.
6) What happens if I loose the Token?
If your Token is lost notify your ISSM. The ISSM will provide you with
another Token and notify the other ISSMs and OAIS Security branch to be
aware of the missing Token.
7) What happens if the Token breaks?
If your Token breaks notify your ISSM. The ISSM will replace your Token
with a new one and return the faulty Token to the OAIS Security branch
to be returned to the contractor for repair or replacement.
8) What if I forget my PIN number?
Contact your ISSM. If you have not changed your PIN number the ISSM is
able to determine the PIN number of your Token through the OAIS Security
branch. If you have changed your PIN number the ISSM will replace
your Token and provide the PIN number assigned to the new Token.
9) If I loose my Token and someone else finds it can they use my Token?
No, The other person would need to know your PIN number in order to
activate your Token.
10) Could someone borrow my Token to gain access if they cannot find their
Token?
No, the other person would need access to both your PIN number and your
Logon I.D./Password.
11) Do the Tokens need to be LOCKED UP when we are not using them?
Yes, the Tokens should be kept in a secured area. (i.e. locked in your
desk)
12) Is the LOGON complicated using the Tokens?
No, you will be provided short, concise step-by-step instructions on the
process and one-on-one training.
13) Who do I contact if the Token is not functioning properly?
You contact the Command Center, just as you do for other mainframe
questions.
14) You mean I have to learn a new PIN number every time the battery goes
dead on the Token?
Yes, the contractor will probably do all maintenance of the Tokens
including changing batteries. We are not equipped or trained to
properly maintain the Tokens, therefore this was included in the
procurement contract.
15) Do the Tokens need to avoid severe temperature changes?
Yes, this should not be a problem if the Token is left in your desk.
16) What kind of training will be provided on the Token use?
Token training will be done on a one-on-one basis with each user by
their ISSM until the user is comfortable with the Logon process.
17) When is the implementation date for the Tokens?
Implementation for the Tokens is tentatively scheduled for March 1994.
18) To whom do I report a missing Token.
Report missing Tokens to your ISSM who will notify OAIS Security branch
of the missing Token.
19) Will we be financially responsible for a lost or broken Token?
No, the procurement contract covers maintenance issues.
Please forward any additional questions to the OAIS Security Branch or a member
of the Token Committee. The committee members are Kim Clancy, Dana Whited, Mary
Clark, Glenn Siber, Kim Reese and Sandra Woods.
****************END OF ARTICLE*****************
XXXXXXXXXXXXXXXXXXXXXXXXXXX
X X
X CLYDE'S X
X Computer Security X
X Hall of Fame X
X X
XXXXXXXXXXXXXXXXXXXXXXXXXXX
Patrick Conner, ISSM for the Office of Administration, Division of Management
Services has been inducted to the Computer Security Hall of Fame.
Patrick Conner's dedication to his ISSM responsibilities are impressive. Upon
Pat's assignment as an ISSM, his commitment to ensuring the success of the
Division of Management Services security program was evident. Pat accepted his
new responsibilities with enthusiasm and was obviously concerned about "doing the
job right." Pat has assisted in blazing new ground for the security program when
he educated application development teams in his area of their responsibilities
in regards to security. Pat contacted the AIS Security Branch and requested a
meeting so that all members of the development team could be made aware of their
security responsibilities during development of the project. This is an
impressive accomplishment for both Pat and Public Debt. It ensures that
applications are installed with security in mind and aids Public Debt in enhancing
the integrity of its computing program. Pat's dedication to ensuring that the job
is done right the first time is a valuable one. Thanks Pat for a job well done.
Submitted by Kim Clancy, Manager of the AIS Security Branch
****************END OF ARTICLE*****************
{{{{{{{{{{{{{{{{{{{{{{{{{{
{ {
{ VIRUS ALERT {
{ {
{{{{{{{{{{{{{{{{{{{{{{{{{{
The following information was received from the Office of Information Resources
Management...
This is to advise you that the Mint has encountered virus problems with PCs rented
by Price-Waterhouse Corporation for work being conducted at the bureau. The Mint
ADP staff identified computer viruses in the equipment Price-Waterhouse brought
to the Mint. To date, the Mint has found two viruses which have affected five of
the Price-Waterhouse PCs and 60% of their disks. By taking immediate action, the
Mint was able to eradicate the viruses, save the Price-Waterhouse data, and
prevent the viruses from spreading to the Mint's own nationwide computer network.
Of particular concern to the Mint is the discovery that Price-Waterhouse
apparently has known that it has had virus problems in its own offices for
approximately 9 months. Since Price-Waterhouse may be working with bureaus other
than the Mint, we are alerting you of this situation, and suggest that action be
taken as appropriate within your bureau to ensure that your systems are not
infected.
****************END OF ARTICLE*****************
++++++++++++++++++++++++++
+ DEAR CLYDE +
+ +
++++++++++++++++++++++++++
Responses to questions for those who are searching for the truth.
Dear Clyde,
I have information on my PC I want to protect. Do you have any suggestions about
PC security techniques?
R. Concerned
Dear Concerned,
The easiest way to secure data on your PC is to install programs which will
require a password to gain access to your data. For most PCs, a boot-up password
can be installed by running the set-up program for your PC. Also, files can be
password protected within such applications as WordPerfect, Dbase and Lotus. If
your PC does not have a password protection feature, there are programs such as
PW62.ZIP, SECURE.EXE, ENCRYPT.EXE, DECRYPT.EXE, and PASSWORD.EXE available from
the AIS Security Bulletin Board.
Another measure of security is to guard against destructive virus files being
loaded onto your PC. There are virus detection programs available such as Central
Point, Commcrypt, F-Prot, and Vader to aid you in detection of such virus codes.
Always remember when leaving your area, if you activate software which will
require a password to be entered prior to your PC being able to be used, your data
will be secured.
If you need help installing any of these programs, your ISSM can help you.
Send your comments or questions to Clyde c/o the AIS Security Branch in
Parkersburg, Room 107F, or leave them in Clyde's mailbox located on the Security
bulletin boards throughout the Parkersburg office.
****************END OF ARTICLE*****************
============================
= =
= TOKEN DEMO =
= by Mary Clark =
= =
============================
A Security presentation was delivered by Kim Clancy, AIS Security Branch Manager,
to the Executive Board (E-Board) introducing the Computer Security Issues and
options facing Public Debt. As a result, it was determined that Public Debt's
mainframe would be protected by the use of randomly generated passwords using a
DES compliant token device. Such passwords change at each logon attempt and are
therefore considerably more secure than the "static passwords" that we now use.
Beginning in March, 1994, all Bureau of Public Debt mainframe users will be
required to use a token-generated password device.
A token implementation team was organized, and an implementation plan was
developed that included the steps involved in the implementation of token controls
on the mainframe. One of the tasks identified by the team to be completed before
implementation was user awareness of the tokens.
As part of the awareness plan, a token demonstration was set up at E-Street (Room
527), C-Street (Room 223), and Parkersburg (In the front hall under Security
branch's bulletin board, main building). This simple demonstration is an
imitation of how the tokens will be utilized to improve the security of our
mainframe computer system. It requires approximately five steps to gain access
to the mainframe. These steps include:
1. Entering a user name.
2. Entering a fixed password.
3. Entering a PIN number to activate the token.
4. Entering a password from the PC into the token.
5. Entering the token generated password into the PC to gain access.
Although the logon procedure will vary slightly with the mainframe software, this
demonstration gives a general idea of the steps involved with the token
technology. Included with the demonstration is a handout listing questions and
answers on Security Tokens. The handout answers the most frequently asked
questions about the security tokens.
Any questions or comments regarding the demonstration should be directed to your
ISSM or one of the token team members. The token team consists of: Kim Clancy,
Mary Clark, Kim Reese, Glenn Siber, Dana Whited, and Sandy Woods.
****************END OF ARTICLE*****************
!!!!!!!!!!!!!!!!!!!!!!!!!!!
! !
! JIM'S CORNER !
! by Jim Heikkinen !
! !
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Starting with this issue I will offer training opportunities for anyone who
desires a security "tune-up".
Initially, however, some background information is required to provide insight
into the Security Branch security awareness training mission.
The AIS Security Branch is mandated by the Computer Security Act of 1987, Public
Law 100-235, to provide "...mandatory periodic training in computer security
awareness and accepted computer practices of all employees who are involved with
the management, use, or operation of each federal computer system within or under
the supervision of..." the Bureau of Public Debt.
Further, the branch follows the guidelines and standards developed by the National
Institute of Standards and Technology (NIST) in providing this required training.
NIST Special Publication 500-172 may be considered the training "bible" in that
all employee categories, subject matter areas and training levels are provided for
in a matrix of training activities that satisfies the exigencies of P.L. 100-235.
I'll expand each category and explain how each applies to our individual security
responsibilities in future issues of the newsletter.
Also, samples of opportunities for refresher training and interesting audio-visual
materials will be offered.
Formal training to be announced:
ACF2 - Washington (contract award is imminent)
SNA/APPN/APPC - IBM Network Architectures
Novell NetWare Security - Novell specific security issues
Publication: (Available on request basis through the Parkersburg AIS Security
Branch.)
"Computer Addiction? A study of computer dependency" by Margaret A. Shotton
*******************END OF ARTICLE******************
################################################
# #
# COMPUTER SPEAK #
# COMPUTER TERMS AND THEIR MEANINGS #
# #
################################################
DES (Data Encryption Standard) ... an encryption method approved as a standard by
the U.S. National Institute of Standards and Technology (NIST) and the American
National Standards Institue (ANSI) for encoding nonclassified sensitive digital
information.
eavesdrop ... Unauthorized interception of information. Usuallly refers to
passive interception (receiving information), rather than active interception
(changing information.
encryption ... the transformation of original text (called plaintext) into
unintelligible text (called ciphertext). Sometimes called "enciphering."
******************END OF ARTICLE******************
The AIS Security Branch Runs an Electronic BBS. Give us a call at (304) 480-6083.
An electronic version of the ISSM is posted on the board and can be downloaded.
Articles in the electronic version may include more detail in that we are not
limited by space constraints as we are in the paper copy.
******************END OF ARTICLE******************

Downloaded From P-80 International Information Systems 304-744-2253
Reference in New Issue View Git Blame Copy Permalink