Date: Mon, 29 May 95 00:02:46 EST
From: coast-request (Coast Watch maintainers)
Reply-To: Coast-request
Subject: Coast Watch Digest V1 #2
To: important-people (Coast Watch subscribers)
Precedence: bulk

Coast Watch Digest        Mon, 29 May 95        Volume 1 : Issue 2

Today's Topics:
    Editorial comments
    Random Bits
    Article: What's The Problem?
    New sponsors
    COAST Lab
    COAST people on the move
    Interesting Web site...
    Port scan detection tool released
    Two publications on computer crime
    CMAD III review
    ACSAC '95 Call for Papers and Participation

The "Coast Watch" newsletter is intended as an irregular electronic digest of information about the COAST Laboratory and Project at Purdue University. It is distributed via e-mail to colleagues, sponsors, and friends of COAST. To subscribe or unsubscribe from the newsletter, send mail to the maintainers at . Past issues of the newsletter, as well as information on COAST, may be obtained via WWW at http://www.cs.purdue.edu/coast

----------------------------------------------------------------------

Date: May 27, 1995
From: spaf (Gene Spafford)
Subject: Editorial comments

Well, here is a second edition of the "Coast Watch" newsletter. Since the first appeared, we've had nearly 500 people join the mailing list. And, somewhat embarrassingly, this is 3 months late.

As I stated in the first issue:

    We intend for this to be a simple way of letting our friends and colleagues know about what we're up to here in COAST. For the time being, it will be issued on an irregular basis, approximately every other month. It will contain little snippets of news about our projects, personnel, and things happening in the community.

Our original plan was to issue a newsletter every 2-3 months at first; thus, we would have one in February some time, and again in April or this month (May).
When February rolled around, we had several things pending, including a not-quite-finished workshop review, some renovation plans on the COAST Laboratory, and a pending big announcement about an exciting sponsor arrangement (that fell through when the company reorganized. Sigh.) Unfortunately, the newsletter got pushed back repeatedly as we waited for resolution of those items, and during a couple of extremely hectic and stressful weeks, the issue of the issue (so to speak) dropped from mind. It resurfaced a few days ago when my calendar program reminded me it was time for issue #3. Oops!

So, here is a very late issue #2. We may see issue #3 in June or July, and then get into some form of semi-regular schedule. Then again, Murphy rules.

Little snippets does describe what's in this issue. We have several announcements, news of some new contributions to COAST, and some announcements of goodies available electronically. We also have a conference announcement that may be of some interest (note that the deadline for submissions is very near...sorry). Drop me a line and let me know if you think I should leave conference announcements out of future issues. Alternatively, if you think you might like for me to remail them on as soon as I get them, sans newsletter, I can do that too.

We also have a contribution from Mark Graff at Sun Microsystems. Mark has the title of "Security Coordinator" at Sun. He is known to many of our readers as Sun's representative to the FIRST (and is currently the chair of that group's steering committee), and the "man behind the curtain" handling security bug reports to Sun. I offered Mark a soapbox to comment on whatever was currently on his mind, and he contributed the item you will find herein.

If you have something you might like to contribute to a future newsletter, pass it on to me. The next newsletter is scheduled for ...well, whenever we fill it.
--spaf

------------------------------

From: spaf
Subject: Random Bits

There are many little things to report. Rather than stuff each into a separate article, we'll bundle them together. *You* decide if there is a common theme! :-)

* Through the continuing hard work of Mark Crosbie and Ivan Krsul, we now have an experimental WWW interface for our ftp archive. It is linked in through the COAST homepage at

    http://www.cs.purdue.edu/coast

  Visit it and let us know what you think. (The archive is now over 17,000 separate file system entries and growing!)

* Several new tech reports are now available through the WWW page and in the ftp server. These include a report on IP over ATM, and several reports on our intrusion detection work. More reports will be appearing in the next few weeks.

* We didn't get any serious entries to our contest, announced in the last issue, to help name our intrusion detection system. Sandeep Kumar, the Ph.D. student who has designed the system, is near to finishing his work and we had to pick a name. Thus, we have named the prototype IDIOT, for "Intrusion Detection In Our Time." Sandeep's thesis will be issued as a tech report in the next few months, and you can read all about IDIOT there. If you want a copy of the code, let me know -- there are some restrictions on supplying copies of it, but none that can't be worked out!

------------------------------

Date: Wed, 22 Mar 1995 11:04:50 -0800
From: Mark.Graff@Eng.Sun.COM (Mark Graff)
Subject: Article: What's The Problem?

"What's the problem?" How often have I heard that! I hear it from hackers who can't understand why a vendor hasn't used their one-line security fix yet. I hear it from customers who have found that bugs fixed in one release have surfaced again in the new improved release. I have even heard it from Spaf.

So what *is* the problem? Is it that the vendors hire fools on purpose? Or do their brains fall out when they sign on? Neither, really.
The key to this phenomenon is that the result you are decrying, while it may be the best effort of an individual engineer, is also the end result of a (usually) appropriate response to market pressures. Excellence is not free, and uniform excellence is seldom appropriate (so say I) in a broad market. What's operating here is an economic principle that, out of ignorance, I'll call "Just Enough (but Not Too Much)". Some instances:

1. Software vendors will fix Just Enough bugs to sell the product into the desired market. More would be Too Much, diverting needed resources from (and putting more bugs into) other products. You can affect this balancing act by getting decision makers in your group to explain to decision makers at your vendor that you would buy more systems if they had fewer security bugs. By the way, is that true?

2. Important bugs will be fixed quickly. Critical bugs will be fixed quickly several times. OK, that's being a smartass; but remember that the goal is to do Just Enough testing to get Just Enough quality. Too Much testing takes Too Much time--and customers often will get hurt by any delay (especially if the bug is a security hole and some oaf is determined to announce it to the world).

3. Companies will assign Just Enough people to get a job done Just Well Enough most of the time. If the folks assigned to work on security bugs are not overwhelmed once in a while, then the group must have excess capacity part of the time--so goes the reasoning. So any group that doesn't creak and groan under the load on occasion must have Too Many people. "One bug, one engineer; two bugs, two engineers; and so forth."

So it's been explained to me--as an answer to the rhetorical question, "What's the problem?" Don't go getting me into trouble, now, by assuming that I am trying to enunciate a Policy on the part of Some Vendor. Not only do they not pay me enough for that, but also I have never been to Business School.
Hey, do you think they teach Just Enough Theory there?

------------------------------

From: spaf
Subject: New sponsors

It's time to recognize new sponsors and contributors to COAST since the last newsletter.

Our biggest single contribution since January came from Hughes Research Laboratory. At the beginning of the year, personnel at Hughes arranged a large, outright gift of $15,000 to COAST, sufficient to fund almost half of the remodelling and renovations needed for our new laboratory! We are very grateful to HRL, and we look forward to involving them in projects we'll be undertaking in the new lab!

Sun Microsystems has come through for us with another donation to support yet another student. They have also donated another workstation, several monitors, one of their new SunScreen firewall products, and some other equipment and software to the lab. Sun has been the only computer system vendor to provide on-going support to COAST. To date, they have donated half of all our workstations, and this past semester they were supporting 4 of the 8 graduate students in the lab. Thanks, Sun!

Sprint has provided funding for Christoph Schuba's PhD research at Xerox PARC. Since the beginning of this year, Sprint has funded Christoph's research at Purdue and now at Xerox. They have committed to providing funding to support Christoph's research through to his degree completion next year. Of course, the good people at Xerox PARC are also providing assistance to Christoph, both financial and technical.

Security Dynamics has provided a near-complete upgrade to our in-house authentication system. We have a complete software upgrade, and will shortly be getting a new shipment of SecurID cards. Security Dynamics has been a valued contributor to our efforts from the very beginning.

Our sincere thanks to all these companies and the people involved who continue to assist us in our research!
------------------------------

From: spaf
Subject: COAST Lab

Well, the university's physical plant has finally gotten around to processing our work order. Over the last couple of weeks a crew of workmen were in my office and the lab, ripping out blackboards, changing wiring, and painting walls. The rooms look vastly different now, and much better. The new furniture has been moved in to my office, and I now have to reorganize all my files and books so I can find them again. :-) (You'd be amazed and shocked at some of the things I found in my files and behind the bookcase while we were moving... I owe several people some letters of explanation!) The furniture for the lab will be installed on June 8.

For those of you who haven't been following the story, we've been looking for a permanent home for the COAST lab for almost 2 years. Last year, the head of the Computer Sciences department allocated an unused classroom for our use, and I moved my office into a room next door. Although we have a fair amount of new space, the rooms badly needed some cleaning, painting, and appropriate office furniture (many of the students are working using old class tables as desks). Unfortunately, we haven't had the undesignated funds to do this.

The dean of the School of Science and the head of the department came through with a small gift of funds to get us started, and agreed to loan me the rest. The catch is, if I don't pay it back by the end of summer, I will probably have to make it up by teaching several years of intro courses for non-majors and serving on every departmental committee in existence: department heads are much more creative than loan sharks. :-)

Then, Hughes Research Laboratories started our year off with a gift (see related article) that enabled us to get all the painting and construction work finished. All that remains to finish both rooms is some remaining funding for the furniture, some data wiring, and a printer.
We're about $20,000 short of our goal to finish the renovations this calendar year. If any of you would like to sponsor the remaining work on the lab, please let us know. Donors to the lab effort will be specially recognized in some lasting manner in the lab itself. And remember -- donations to Purdue are potentially tax deductible (as well as a good investment in future research.) It might also save me from having to teach COBOL to football players and serve on the department's "Committee to Evaluate and Select Toner Vendors for Network Printers Whose Names Begin with the Letter A"!

As for everyone else, keep watching the newsletter. We hope to do something special to dedicate the new lab once everything is completed, and everyone will be invited. We simply hope we don't have to wait another year to do it!

------------------------------

From: Spaf
Subject: COAST people on the move

Well, times change, and some students graduate. So it is with two of our COAST students:

-- Taimur Aslam defended his MS thesis at the end of the spring semester. His thesis was on a classification of software faults in such a way that it might be used to guide preventative testing and/or penetration testing. A week before the defense, he started work full time at Motorola in the Chicago vicinity (known as "cutting it mighty close." :-) Taimur's thesis will be available as a tech report sometime later this summer. The database of flaws he cataloged will be available under some limited circumstances: contact me if you are interested.

-- Sandeep Kumar defends his Ph.D. thesis, entitled "Classification and Detection of Computer Intrusions" on June 14. Subsequent to that, he will begin work at the Hewlett-Packard Corporation in California. There, he will be working on computer security products for HP, possibly including a next-generation version of his IDIOT (Intrusion Detection In Our Time) system. Sandeep's dissertation will be available as a technical report later this summer.
The IDIOT prototype is potentially available to researchers: contact me for details.

Congratulations to them both!

Not graduating, but moving (sort of) is Christoph Schuba. Christoph is the second most senior student in the COAST group. Last summer he was a summer intern at Xerox PARC. Starting this summer, he is back there full-time, working on his Ph.D. dissertation. An exact title and proposal have yet to be finalized, but the general area involves security and high-capacity networks, such as ATM networks. This is a bit of an experiment for us -- normally, our Ph.D. students do almost all their work in residence here on campus. In this case, Christoph has done much of his preliminary work here, and will conduct the bulk of his research in residence at PARC. This will allow him access to resources that we do not currently have within COAST and the CS Department. Once he has his research completed, Christoph will return to Purdue to write and defend the dissertation. Christoph's work is being funded by Sprint and Xerox.

Last of all, three more COAST Ph.D. students are pursuing summer internships:

-- Ivan Krsul is also spending the summer at Xerox PARC, after obtaining a highly competitive intern position. He will be working in security of electronic documents and services.

-- Bryn Dole will be spending the summer (the part after his honeymoon, that is) at Sun Microsystems, working with the Internet Commerce Group. He will probably be looking at network security issues, including the problem of how to test firewalls and related technologies.

-- Mark Crosbie will be spending the summer at Hewlett-Packard. While there, he expects to do some additional research into his ideas on autonomous agents for network protection.

With luck, all three of these students will return with a clear set of ideas to craft into thesis proposals. We'll have them all tell about their experiences in an upcoming COAST newsletter. (Their intern experiences, that is.
We won't make Bryn write a newsletter article about his honeymoon!)

------------------------------

From: mcrosbie (Mark Joseph Crosbie)
Subject: Interesting Web site...

Hello all!

I've mirrored the ENCORE (Evolutionary Computing Network Repository) into our archive. We are now an official Eclair site (a mirror site for the archive) and a Clife site - Web pages about Artificial Life. Check out

    http://www.cs.purdue.edu/coast/archive/clife/Welcome.html

This page is an excellent jump point to anything about Evolutionary Computing, including some interesting stuff I sent out earlier about genetic music and genetic art.

If you are interested in Genetic Programming/Algorithms, the COAST archive now has an extensive collection of papers in

    ftp://coast.cs.purdue.edu/pub/EC

See the README for details.

[Spaf's note: if it isn't clear to you how this is related to computer security research, then you haven't read my paper about computer viruses as a form of artificial life, and you haven't read Mark's tech report about using genetic algorithms for network protection. Both are in the archive and on the WWW pages.]

------------------------------

Date: Sun, 28 May 1995 17:42:42 -0500
From: spaf (Gene Spafford)
Subject: Port scan detection tool released

Christoph Schuba (one of the senior students in the COAST Lab) and I have written a small program in Perl v5 to detect port scans. You can run this on a host and designate a set of ports to monitor, both TCP and UDP. Whatever is sent to the port (up to a threshold number of bytes) is logged in sanitized form. This can be helpful in detecting if someone is probing your system, whether manually or using something like ISS or SATAN. It may have some debugging applications, too.

There are options to log to syslog or to stderr. You can choose the ports you want to monitor. You can specify if you want to use the ident/authd protocol to attempt to identify the party on the other end of a TCP connection.
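The two mechanisms the description relies on, sanitized logging of whatever a probe sends (capped at a byte threshold) and a decision that a source is "scanning" rather than connecting once, are small enough to show. The following is an added example written for this issue in Python; it is not the Perl scan-detector itself, and the monitored port set, thresholds, window and the constructed probe records are assumptions for the demonstration rather than the tool's defaults. It also sanitizes the ident/authd answer, since that string is supplied by the other end and is no more trustworthy than the payload.

```python
"""Sanitized probe logging plus a simple port-scan heuristic (added example)."""
from collections import defaultdict, deque

# Constructed configuration for the demonstration (the real tool takes its
# port list and thresholds from the command line; these are not its defaults).
MONITORED = {("tcp", 23), ("tcp", 79), ("tcp", 111), ("udp", 69), ("udp", 161)}
PAYLOAD_THRESHOLD = 64   # at most this many probe bytes are kept in the log
SCAN_PORTS = 3           # distinct monitored ports hit by one source ...
SCAN_WINDOW = 60.0       # ... within this many seconds => scan alert


def sanitize(payload: bytes, limit: int = PAYLOAD_THRESHOLD) -> str:
    """Render at most `limit` bytes of a probe as printable 7-bit ASCII.

    Anything outside 0x20..0x7e, plus the backslash used for escaping, is
    written as \\xHH, so control characters or terminal escape sequences the
    peer sends can never be interpreted by syslog, a terminal or a pager.
    """
    out = []
    for b in payload[:limit]:
        if 0x20 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    if len(payload) > limit:
        out.append(f"...[{len(payload) - limit} more bytes]")
    return "".join(out)


class ScanDetector:
    """Records probes to monitored ports and flags scan-like behaviour."""

    def __init__(self, monitored=MONITORED, ports=SCAN_PORTS, window=SCAN_WINDOW):
        self.monitored = monitored
        self.ports = ports
        self.window = window
        self.hits = defaultdict(deque)   # source address -> (ts, proto, port)
        self.log = []                    # lines that would go to syslog/stderr

    def probe(self, ts, src, proto, port, payload=b"", ident=None):
        """Handle one connection or datagram; return an alert string or None.

        `ident` is whatever the peer's identd answered: it is controlled by
        the other end, so it is sanitized exactly like the payload.
        """
        if (proto, port) not in self.monitored:
            return None                  # not one of our ports: ignore
        who = src if ident is None else f"{src} ident={sanitize(ident.encode())}"
        self.log.append(f"scan-detector: {proto}/{port} from {who}: {sanitize(payload)}")

        q = self.hits[src]
        q.append((ts, proto, port))
        while q and ts - q[0][0] > self.window:   # forget hits outside the window
            q.popleft()
        distinct = {(p, n) for _, p, n in q}
        if len(distinct) >= self.ports:
            alert = (f"scan-detector: ALERT possible port scan from {src}: "
                     f"{len(distinct)} monitored ports within {self.window:.0f}s")
            self.log.append(alert)
            q.clear()                    # one alert per burst, then start over
            return alert
        return None


def run_demo():
    """Feed constructed probe records through the detector; returns (det, alerts)."""
    probes = [   # (seconds, source, proto, port, payload, ident) -- constructed
        (0.0, "192.0.2.7", "tcp", 23, b"", "nobody"),
        (1.5, "192.0.2.7", "tcp", 79, b"root\r\n", None),
        (2.0, "192.0.2.7", "udp", 161, b"\x30\x26\x02\x01\x00\x04\x06public", None),
        (3.0, "198.51.100.9", "tcp", 23, b"\x1b[2J", None),   # lone probe, escapes
        (4.0, "192.0.2.7", "tcp", 80, b"GET /", None),          # not monitored
        (200.0, "192.0.2.7", "tcp", 111, b"", None),            # window expired
    ]
    det = ScanDetector()
    alerts = [a for a in (det.probe(*p) for p in probes) if a]
    return det, alerts


if __name__ == "__main__":
    detector, found = run_demo()
    print("\n".join(detector.log))
```

Running the module prints six log lines: three probes from 192.0.2.7 followed by the alert, the single (escaped) probe from 198.51.100.9, and the later probe after the window has expired; the probe to the unmonitored port 80 produces nothing.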
You can specify a timeout after which the connection is dropped. You can specify the levels and class of syslog message, as well as the log host to use. Some other options exist (see the manual page).

Sun Microsystems is the only vendor to be a COAST sponsor. That may explain why we have lots of Sun machines and none from anyone else :-) So, other than SunOS and Solaris, we can't be 100% certain how this behaves. However, we tried to write in portable Perl5, so we expect this to work without problem on many other systems. We'd like to hear about any exceptions.

Comments, questions, bug reports, enhancements, and so on can be directed to Christoph and myself at .

Copies of the code, including a PGP signature file, may be found at:

    http://www.cs.purdue.edu/coast/coast-tools.html#tools
    ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z

------------------------------

From: spaf (Gene Spafford)
Subject: Two publications on computer crime

Several weeks ago, I received an advance copy of a report entitled "The CSI Primer on Computer Crime & Information Warfare." This was written by Richard Power at the Computer Security Institute . It provides a very nice introduction to some of the issues, and includes some enlightening statistics. It's a good report to pass to management who aren't aware of what the fuss is all about.

Copies of the report have been made available to CSI members. According to Richard, it is also available to non-members for $37.00. Interested folks can call CSI at 415-905-2626 or write to Computer Security Institute, 600 Harrison Street, S.F., CA. 94108. I didn't ask if there was a discount for educators or volume purchases, so you might want to ask. $37 seems a tad steep to me for the report, but I don't have a corporate budget, either. :-)

The second publication is one I participated in producing. "Computer Crime: A Crime-Fighters Handbook" has just gone to the typesetter. This book, by K. A. Seger, W. R. VonStorch and D. J.
Icove was developed as a text for use by the FBI in training its agents. The authors felt it might have wider appeal, and approached O'Reilly & Associates about publishing it as a regular book. I was asked to serve as consulting editor and write the foreword; Debby Russell continues in the role of series editor.

The book is intended to serve as an introduction to computer crime for law enforcement and investigative personnel. It presents terminology and some limited technology for the non-specialist. It also has some interesting background material from the FBI's behavioral studies group, copies of various state, Federal, and international computer crime laws, and an overview of security issues that might be faced by an investigator. All this and more packed into about 400 pages of O'Reilly text.

The book is due out sometime this fall. It will be ISBN 1-56592-086-4, and has a tentative list price of $24.95. I'll be happy to print a book review if any of you care to submit one!

------------------------------

From: schuba, lodin, kumar
Subject: CMAD III review
To: coast

CMAD III --- 3rd Annual Workshop on Computer Misuse and Anomaly Detection
Sonoma, California. January 10-12, 1995

S. Kumar, S. Lodin, Ch. Schuba
COAST Laboratory
Purdue University

[An enhanced version of this report is available via WWW from http://www.cs.purdue.edu/homes/swlodin/cmad/report.html]

This workshop was sponsored by the National Security Agency, Air Force Information Warfare Center & the University of California Davis. Attendance was by invitation only. The workshop was attended by members from the legal community, CERT and security experts specializing in intrusion detection. The vendor community seemed under-represented. The highlight of the workshop was a presentation by Tsutomu Shimomura who described how he was able to detect and recover from the intrusion on his computer systems at the San Diego Supercomputer Center.
Jan 10 (Auditing Applications Software)

Talks on the opening day were started by Marv Schaefer of ARCA Systems Inc. who outlined and emphasized the differing requirements of auditing from the perspective of the OS and the application. He said that reconciling these differences would be important to audit next generation applications effectively. He said that the difficulty with auditing applications is that the nature of controls for an application often changes over time and that the separate access control policies may compose surprisingly. He stated that the objective of audit logging is to produce an accurate, immutable, and persistent record of relevant activity that can provide valid evidence to an auditor or other officials once a malfeasance has been detected.

The next speaker was Olin Sibert of Oxford Systems who said that low level auditing at the OS/TCB/kernel level was becoming increasingly irrelevant for lack of general mechanisms to deduce higher level application abstractions from these events. He mentioned the need for generic audit trail formats and API to log application events. Olin explained using examples how "Computer Oriented" breaches were simpler to detect using traditionally understood notions of auditing than "Organization Oriented" based breaches which were policy based and ill defined. He also said that the intrusion detection community has thus far focused more on outside intrusions than on inside abuse.

After an intermission Steve Smaha of Haystack Labs went on to describe the typical customer attitude to security. He said that customers were spending less on host based security controls and more on boundary control measures like firewalls. He then went on to describe the details of Haystack Labs' commercial intrusion detector called "Stalker".
He mentioned that the working goal of an intrusion detection system is to provide accountability, do *misuse* (not anomaly) detection and possibly provide a unitary audit trail derived from several sources and its analysis.

Professor Karl Levitt of UC Davis followed Steve Smaha and his talk was titled "Toward the Auditing of Application Programs". He said that application audit trails (AAT) should supplement system audit trails (SAT). He asked what system support might be required to produce trusted AAT and which applications were good candidates for generating AATs. He felt that DBMS, editors, financial and medical applications were promising candidates for application auditing.

Jan 10 (Network Management)

After lunch, Bill Cheswick of AT&T Bell Labs spoke on the use of firewalls to protect a network. He suggested setting up a "honeypot" machine on the internal net that is near the network gateway and that holds what appear to be goodies. The existence of this honeypot machine is made known to very few and is watched carefully. This honeypot machine serves as a snare for intruders who manage to break in past the bastion host. The idea of the honeypot is similar to putting a burglar alarm inside your safe, as a last (and cheap) measure to see if someone got through the security. These can be implemented even if other security measures, like firewalls, are infeasible.

Marcus Ranum of Trusted Information Systems followed Bill and rambled at length (ed. his words, not ours). He proposed that the security community reduce its commitment to tracking the sources of attacks and building cases for prosecuting them. Marcus claimed that the cost and difficulty of tracking hackers, combined with the difficulty of prosecution, and the "slap on the wrist" that they get when brought to trial shows there is no cost justification.
He pointed out further that from a cost/benefit approach, deterring hackers by prosecution appears to be much less effective than deterring hackers via technological countermeasures like firewalls and secure systems. The only effective means of directly countering hackers would be to take questionable measures such as declaring all-out information warfare against the hacker community, effectively sinking to their level. He noted that in some cases, this process appears to have begun.

Improving the situation, Marcus claimed, is a matter of taking incremental steps by identifying countermeasures that would block off whole avenues of attack. He described a "wouldn't it be nice?" firewall, which does nothing but stamp incoming packets as "infected" and pass them on to internal machines running with environments that support different types of access control against different types of data. Thus, a TELNET session from the outside might be able to log in, but would be incapable of executing (or even seeing) certain programs or files. Files imported from the outside might not be executable until manually "blessed". Marcus concluded by begging for people to focus on building simple tools from which complex security architectures could be assembled, rather than the other way around.

Paul Traina of Cisco Systems outlined how cryptography cannot easily solve the problem of maintaining the integrity of routes in the internet. The chief problem is performance. He showed why it is insufficient to assign a public/private key to every router and sign/encrypt the routing information before sending it to the next hop gateway. The problem is that this method does not provide end-to-end authentication of routes. To achieve that, one would need a path encryption which would allow the verifier to check a route update all the way to the source (similar to the X.509 certification scheme).
Jan 11 (System Vulnerabilities)

Bob Abbott of Abbott Computers Partners said that the primary problem facing the security community is the loss of confidence in security. He said that software glitches are the key to penetrations. Penetrations might exploit single glitches or a combination of glitches. The primary cause is the incomplete or inconsistent validation of parameters. In his view, it should be cheaper to fix the problem at the operating system level. The three major reasons for continued penetrations are:

1. The software change cycle is more frequent (because of the market being more money driven).
2. There is more and larger software to be subverted.
3. There is a lack of understanding of how software maintenance increases the potential for penetrations.

The conclusion is that all points of penetration prevention and detection should be considered. These include before penetration checks (software analysis, integrity reviews, testing, programming standards), during penetration checks (checksums, table integrity), and after penetration checks (table status, audit trails).

Following Bob Abbott, Christoph Schuba of the COAST laboratory, Purdue University described a vulnerability in the Domain Name Service (DNS). He abstracted the problem to say that if the binding process (for example, mapping internet address numbers to domain names) cannot be trusted then names cannot be trusted. The vulnerable points are a corrupted sender, receiver or intermediary, and the service provider itself. The best point of detection is an open question. To prevent vulnerabilities in DNS several methods can be employed:

1. Harden DNS (watch Paul Vixie's version of BIND).
2. Harden application usage.
3. Employ careful protocol design with security as an important consideration.
4. Use cryptographically strong methods.
5. Watch the IETF Working Group on DNS.
Following Christoph, Kevin Ziese of the Air Force Information Warfare Center spoke on the need to share vulnerability data among the security community. He also focused on the lack of a common, consistent way of dissecting vulnerabilities into common classes from which a researchable data base of vulnerabilities could be developed. He said that vulnerabilities tend to cluster in classes and that we often focus on fixing a particular vulnerability rather than attempting to fix the class. He said the security problem has taken a new dimension with the explosive growth of the WWW and that every connection is a potential threat. His recommendations include developing a taxonomy to understand the process, developing a methodology for dissecting vulnerabilities and implementing a measurement process. Vulnerabilities are a symptom, not the disease. The use of metrics should drive the countermeasures employed. The development of plug-and-play modules for security is needed.

Tsutomu Shimomura followed Kevin Ziese and described an attack on his computer system at the San Diego Supercomputer Center. The attack was a realization of the classic attack using IP spoofing described in the paper by Robert Morris and later by Steve Bellovin ("Security Problems in the TCP/IP Protocol Suite", 1989). Because of good instrumentation, the attack was monitored well. It involved wedging the TCP state machine, then predicting TCP sequence numbers. After the fake TCP connection was established, the intruders gained access by making the intruded machine believe that their machine was a trusted machine. The most disturbing aspect of this attack was that the attack seemed scripted or automated based on the timing of events.

The attack also involved compiling and installing a kernel loadable module. There is a tool floating around called TAP which is a kernel module that allows you to watch streams on SunOS, and capture what a person is typing.
It is easy to modify so that you could actually write to the stream thus emulating that person and hijacking their terminal connection.

A method for stopping the IP spoofing attack is to make sure firewalls and screening routers are set up to block traffic that originates from the outside that has source addressing inside. A method for stopping the second attack is to disable the capability of the kernel to load modules dynamically after all valid modules are loaded. Der Mouse developed a script for SunOS 4.1.2 to do this. It is retrievable from

    ftp://coast.cs.purdue.edu/pub/tools/unix/disable_mod_cmds

The attack seemed specifically to target Tsutomu. He even played audio files of the attackers leaving voice mail.

For the story that beat the CERT Advisory, see the Monday, January 23, 1995 issue of The New York Times. The front page story by John Markoff is titled "Data Network Is Found Open To New Threat". In the weeks that followed, nearly every newspaper, magazine, and TV news program carried information about the incident. Further references are the CERT Advisory on this intrusion and Steven Bellovin's response to the attack and the publicity.

Jan 11 (Protection Mechanisms for CMAD Systems)

Next, Dr. Matt Bishop of UC Davis spoke about protecting CMAD systems. He discussed a model with the following principals: Agent, Director, & Notifier. Then he examined the threats imposed on each of these principals by the following types of attacks: modification, masquerading, denial of service, flooding, interception, assurance & replay.

Jan 12 (Legal Issues: Present and Future)

Not surprisingly, one of the more interesting sessions involved the legal experts. Prosecuting attorney Bill Cook described some of the issues surrounding the development and execution of taking a computer-related case to trial.
Some of the potential problem areas described by Bill include copyrighted material, patented programs, trade secrets, defamation, pornography, viruses, and technology transfer. Martha Stansell-Gamm from the US Department of Justice Computer Crime Unit discussed some of the goals the DOJ has been pursuing in the US and abroad. She explained recent legislative amendments to the wiretap statute in the Digital Telephony Act, and also discussed training programs for federal prosecutors and agents. Also in the legal session, Kevin Ziese described the legal issues encountered and the close interaction he had with the Department of Justice when the Air Force Information Warfare Center discovered an intrusion at an Air Force site. Their actions required many interpretations of the current legal situation. Stansell-Gamm concluded the session by saying "Kids, don't do this at home".

Jan 12 (Customer Requirements: Present and Future)

Tom Longstaff from CERT moderated the last session of the workshop. He briefly talked about the requirements of the customers of CERT and concluded that unobtrusive and free solutions are wanted. He then introduced the panelists, who discussed the topics from their point of view: Dave Bailey, Galaxy Computer Services; Steve Lodin, Purdue University COAST Project and Delco Electronics Corp; Carolyn Turbyfill, Sun Microsystems; Toney Jennings, Trident Data Systems; Pete Hammes, ASSIST; Susan Odneal, Kaiser Permanente; and Dan Essin, USC.

Steve spoke from his experience as a system administrator at Delco Electronics Corp. He looked at customer requirements as present requirements, future requirements, and the grand vision. Present requirements stress quick solutions that can avert the main threat and patch the currently poor state of security to some reasonable, but not necessarily perfect, state. This means mainly perimeter defense to protect against outside threats. He did not spend much time on the grand vision, basically a perfect world without any threats, because what prevention cannot ward off, a highly configurable, reliable, and functionally correct IDS can detect and lead to almost instantaneous correction. The most interesting part of the talk was therefore the future requirements. Steve expanded the metaphor of perimeter defense to a more active border patrol providing firewall functionality, auditing capabilities, and an inclusion of future technologies such as mobile networking that will disrupt and blur the definition of a perimeter. All existing and future platforms of operating systems and networking technology have to be supported in a uniform way. A special role of support will fall to the vendors. He also raised the question why the vendor community was represented so poorly at the workshop - a point that was picked up in later talks and extensively discussed. Final points included next generation network protocols such as IPv6 and the necessity of multinational support for virtual network perimeters.

Toney Jennings and Tim Grance talked about the implementation of DIDS at an Air Force site with more than 250 workstations. The requirements for the product were generated after the product was implemented. Test sites seemed to get more interested in the product because of its network management capabilities than because of its original purpose.

Susan Odneal talked about the restructuring that Kaiser Permanente is going through and the effects it will have on their security requirements.

In conclusion, the workshop was enlightening. The need for more vendor representation was apparent. It was concluded by the participants that there is a need for another workshop next year. For more information about any particular session, contact the individual speakers. There will be workshop proceedings available later; contact Matt Bishop for more information.
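The countermeasure Shimomura's session recommends for the IP spoofing attack, dropping packets that arrive from the outside with a source address belonging to the inside, is easy to state but worth seeing as an explicit rule. The following is an added example written for this digest, not code from the workshop or from any of the speakers. It models the screening-router rule in Python over a constructed packet list; the site prefixes (192.0.2.0/24, 10.0.0.0/8, 2001:db8::/32) and the two-interface model ("ext" for packets entering from outside, "int" for packets from inside) are assumptions for illustration. It goes slightly beyond the text by also rejecting loopback and "this network" sources on the external interface, and by handling IPv6 prefixes and malformed addresses, so that a filter built this way fails closed.

```python
"""Ingress anti-spoofing filter, as described in the CMAD III review.

Rule: a packet that enters from the outside must not carry a source
address that belongs to the inside. Constructed example, not the
script or tooling referenced in the digest.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed site prefixes (documentation ranges, not a real network).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Sources that can never legitimately arrive from the outside,
# whatever the site's own prefixes are.
ALWAYS_BOGUS = [
    ipaddress.ip_network("127.0.0.0/8"),  # IPv4 loopback
    ipaddress.ip_network("0.0.0.0/8"),    # "this" network
    ipaddress.ip_network("::1/128"),      # IPv6 loopback
]


@dataclass(frozen=True)
class Packet:
    iface: str  # "ext" = entered from outside, "int" = from inside
    src: str
    dst: str


def in_any(addr: ipaddress._BaseAddress, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    # ipaddress returns False for an address/network version mismatch,
    # so mixed IPv4/IPv6 lists are safe here.
    return any(addr in n for n in nets)


def ingress_verdict(pkt: Packet, internal_nets=INTERNAL_NETS) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        # Fail closed: an unparseable source is dropped on any interface.
        return ("drop", "unparseable source address")
    if pkt.iface != "ext":
        # The rule only concerns traffic entering from the outside.
        return ("accept", "not an external ingress packet")
    if in_any(src, ALWAYS_BOGUS):
        return ("drop", "bogus source on external interface")
    if in_any(src, internal_nets):
        return ("drop", "internal source address arrived from outside")
    return ("accept", "external source on external interface")


def filter_packets(pkts: Iterable[Packet], internal_nets=INTERNAL_NETS):
    """Split packets into accepted and dropped lists, each with a reason."""
    accepted: List[Tuple[Packet, str]] = []
    dropped: List[Tuple[Packet, str]] = []
    for p in pkts:
        verdict, reason = ingress_verdict(p, internal_nets)
        (accepted if verdict == "accept" else dropped).append((p, reason))
    return accepted, dropped


def drop_summary(pkts: Iterable[Packet], internal_nets=INTERNAL_NETS) -> Dict[str, int]:
    """Count drops by reason; a non-zero spoof count is the alert signal."""
    _, dropped = filter_packets(pkts, internal_nets)
    return dict(Counter(reason for _, reason in dropped))


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("ext", "192.0.2.10", "192.0.2.1"),     # claims an inside address: spoofed
    Packet("ext", "2001:db8::5", "2001:db8::1"),  # same, IPv6
    Packet("ext", "198.51.100.7", "192.0.2.1"),   # genuine outside host
    Packet("ext", "127.0.0.1", "192.0.2.1"),      # loopback from outside: bogus
    Packet("int", "192.0.2.5", "198.51.100.7"),   # inside host going out
    Packet("ext", "not-an-ip", "192.0.2.1"),      # malformed
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for p, why in bad:
        print(f"DROP  {p.iface:3} {p.src:>14} -> {p.dst:<14} {why}")
    for p, why in ok:
        print(f"ACCEPT {p.iface:3} {p.src:>14} -> {p.dst:<14} {why}")
    print(drop_summary(SAMPLE_PACKETS))
```

In production this rule lives in the router or firewall access list on the external interface, not in a script, but the logic is the same: the drop counter for "internal source address arrived from outside" should sit at zero on a healthy link, and any increase is worth an alert because there is no legitimate reason for it.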
------------------------------

From: abrams@mitre.org (Marshall D Abrams)
Subject: ACSAC '95 Call for Papers and Participation

CALL FOR PAPERS AND PARTICIPATION

11th Annual Computer Security Applications Conference
December 11-15, 1995
New Orleans, Louisiana

The Conference

The phenomenal growth of the Internet is threatening our very notion of privacy and property. Information networks and computers are routinely processing private, proprietary, sensitive, classified, and critical information. The Internet has created an addiction to information and instantaneous information exchange in the military, government, and private sectors. Computers are making decisions ranging from the mundane to life threatening. To provide protection to this information, the information technology community must:

o Develop methodologies and tools for designing systems capable of protecting the sensitivity and integrity of information, and assuring that expected services are available when needed.
o Design safety-critical systems such that their software and hardware are not hazardous.
o Develop methodologies and tools capable of assuring that computer systems accorded trust are worthy of that trust.
o Build systems of systems out of components that have been deemed trustworthy.
o Build applications on evaluated trusted systems without compromising the inherent trust.
o Include computer security in enterprise modeling and reengineering.
o Extend computer security technologies to specifically address the needs of the civil and private sectors.
o Develop international standards for computer security technology.

For the past 10 years the Annual Computer Security Applications Conference has been helping the IT community meet these challenges by providing a forum for information exchange that is unsurpassed. The Conference will explore a broad range of technology applications with security and safety concerns.

Technical papers, panels, vendor presentations, and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments are solicited. Selected papers will be those that present examples of in-place or attempted solutions to these problems in real applications; lessons learned; and original research, analyses, and approaches for defining the computer security issues and problems. Of particular interest are papers that present descriptions of secure systems in use or under development, presenting general strategy, methodologies for analyzing the scope and nature of integrated computer security issues, and potential solutions. Papers will be judged for best paper awards. A prize will be given for the Outstanding Conference Paper and the Best Student Paper. For the Best Student Paper, expenses to attend the conference will also be awarded.

Panels of interest include those that present alternative or controversial viewpoints or those that encourage lively discussion of relevant issues. Panels that are simply a collection of unrefereed papers will not be selected.

Vendor presentations of interest should emphasize innovative product implementations, especially implementations involving the integration of multiple products. Vendor presentations that simply describe product features will not be selected.
Areas of Interest:

  Security in Enterprise Modeling and Reengineering
  Trusted System Architectures and Technology
  Encryption Applications (e.g., Digital Signatures)
  Certification, Evaluation, and Accreditation
  Application of Formal Assurance Methods
  Trusted DBMSs, Operating Systems, and Networks
  Security Policy and Management Issues
  Electronic Document Interchange
  Open Systems and Composed Systems
  Software Safety Analysis and Design
  Risk/Hazard Assessments
  AIS Security Tools

Instructions for Submissions:

We provide blind refereeing of papers and ask that you put names and affiliations of authors on a separate cover page only. Substantially identical papers that have been previously published or are under consideration for publication elsewhere should not be submitted. Panel proposals should be a minimum of one page that describes the panel theme and appropriateness of the panel for this conference, and should identify panel participants and their respective viewpoints.

Send 5 copies of your completed Papers and Panel proposals to Dr. Gary Smith (papers from Europe should be sent to Klaus Keus) by May 31, 1995. For panel/forum preparation instructions, please contact Jody Heaney at (703) 883-5837 or via e-mail at heaney@smiley.mitre.org.

Send five copies of your vendor presentation proposal to Steve Rome. Vendor presentation proposals should include an abstract that describes the product and example applications.

Send one copy of your tutorial proposal to Daniel Faigin. It should consist of a one- to two-paragraph abstract of the tutorial, an initial outline of the material to be presented, and an indication of the desired tutorial length (full day or half day). Electronic submission of tutorial proposals is preferred.

Authors will be required to certify prior to June 30, 1995, that all necessary clearances for public release have been obtained; that the author or a qualified representative will be present at the conference to deliver the paper; and that the paper has not been accepted or previously published elsewhere. Authors will be notified of acceptance by August 1, 1995. Camera-ready copies are due not later than September 30, 1995.

Instructions to Students:

Student papers must be authored 100% by students; no faculty authors are permitted. Send 5 copies of student papers to Dr. Gary Smith; please identify your paper as "Authored by Student." Contact Ravi Sandhu, Student Paper Award Chair, to ensure that your paper is considered for the Best Student Paper Award. This award includes expenses to allow the student to travel to the conference and present the paper.

Contact Information

Send your papers to:
  Dr. Gary Smith
  Technical Program Chair
  ARCA Systems, Inc.
  8229 Boone Blvd., Suite 610
  Vienna, VA 22182
  (703) 734-5611
  smith@arca.va.com

or

  Klaus J. Keus
  BSI Bundesamt fuer Sicherheit in der Informationstechnik
  Kessenicher Str. 216
  53129 Bonn
  Germany
  Phone: Germany-(0)228-9582-141
  Fax: Germany-(0)228-9582-455
  e-mail: keus@bsi.de

Send tutorial proposals to:
  Daniel Faigin
  Tutorial Program Chair
  The Aerospace Corporation
  P.O. Box 92957, MS M1/055
  Los Angeles, CA 90009-2957
  (310) 336-8228
  faigin@aero.org

For information about Student Papers contact:
  Ravi Sandhu
  Student Paper Award Chair
  George Mason University
  ISSE Department, Mail Stop 4A4
  Fairfax, VA 22030
  (703) 993-1659
  sandhu@isse.gmu.edu

Send vendor proposals to:
  Steve Rome
  Vendor Track Chair
  NSA, V23
  9800 Savage Rd.
  Ft. Meade, MD 20755
  (410) 684-7374
  romes@romulus.ncsc.mil

Videos Still Available!

Video tapes of the 1989, 1990, 1992, 1993, and 1994 Distinguished Lecturers are still available. The titles and lecturers are:

  1994 Donn Parker, "Computer Loss Experience and Predictions"
  1993 H. O. Lubbes, "COMPUSEC, A Personal View"
  1992 James P. Anderson, "Computer Security Myths and Mythtakes"
  1990 Dorothy Denning, "The Data Encryption Standard: Fifteen Years of Public Scrutiny"
  1989 Stephen T. Walker, "INFOSEC: How Far We Have Come! How Far Can We Go?"

The price for each tape is $17.00. An additional $5.00 will be charged for foreign orders for postage. Checks should be made out to Applied Computer Security Associates (ACSA). Send check to Dr. Marshall Abrams, 2906 Covington Road, Silver Spring, MD 20910. Please indicate which tape you are ordering.

Conference Proceedings

Some copies of the 1992 and 1994 proceedings can still be purchased through Ron Ross for $25 each. Contact him at The Institute for Defense Analyses, 1801 N. Beauregard Street, Alexandria, VA 22311, (703) 845-6617, e-mail: rross@ida.org. For 1991 and 1993 Proceedings, contact the Computer Society Press by dialing 1-800-CS-BOOKS or (714) 821-8380. The non-member price is $80, the IEEE member price $40.

Mailing List

To be added to the Annual Computer Security Applications Conference mailing list to receive future conference announcements, please send Name, Company, Address, City/State/Zip, Country, and e-mail address to Vince Reed, Publicity Co-chair, The MITRE Corporation, 1500 Perimeter Pkwy., Suite 310, Huntsville, AL 35806, phone: (205) 830-2606, fax: (205) 830-2608, e-mail: vreed@mitre.org

Sponsored by Applied Computer Security Associates in cooperation with IEEE Computer Society Technical Committee on Security and Privacy, and ACM Special Interest Group on Security, Audit and Control.

------------------------------

End of Coast Watch Digest

------------------------------