Date: Mon, 4 Mar 96 23:04:50 EST
From: coast-request@cs.purdue.edu (Coast Watch maintainers)
Reply-To: Coast-request@cs.purdue.edu
Subject: Coast Watch Digest V2 #1
To: important-people@cs.purdue.edu (Coast Watch subscribers)
Precedence: bulk

Coast Watch Digest        Mon, 4 Mar 96        Volume 2 : Issue 1

Today's Topics:
    Administrivia
    Student news
    Sponsors, donors, and the Lab dedication
    Hewlett-Packard and Secure Open Computing: Some Observations
    Plugs for 2 new books
    Renaissance & COAST
    COAST at the NISSC, and an editorial
    Special CFP
    6th UNIX Security Symposium, Focus on Applications of Cryptography

The "Coast Watch" newsletter is intended as an irregular electronic digest of information about the COAST Laboratory and Project at Purdue University. It is distributed via e-mail to colleagues, sponsors, and friends of COAST. To subscribe or unsubscribe from the newsletter, send mail to the maintainers at . Past issues of the newsletter, as well as information on COAST, may be obtained via WWW at http://www.cs.purdue.edu/coast

----------------------------------------------------------------------

From: spaf (Gene Spafford)
Subject: Administrivia

Well, despite evidence to the contrary, this mailing list does exist. A variety of things got in the way of putting out a newsletter over the summer. Then, as autumn started, we were delaying a bit in hopes of capturing some especially good news about funding of some research projects. However, the Federal budget crisis interrupted the processes involved, both in government and in industry. It became clear early in the semester that the wait would be a long one, but by then we were too busy to pull things together. One thing happened after another, and well,.... Plus, what little spare time I've had has gone into the editing of "Computer Crime" (described later), and then into the rewrite of "Practical UNIX Security". It has been a busy run of months!
The above should not be construed to mean that we haven't had good news in the time since the last newsletter! To the contrary, we've had graduations, awards, a new sponsor, completion of our lab, and many other important things. We'll tell you about them in the following news articles. The next issue of this newsletter should not be so long in preparation (he said, exhibiting extraordinary optimism :-). However, I did start out the first few issues noting that this was going to be an "irregular" newsletter chronicling some of our activities....I simply had no idea it would be *this* irregular!

One small change in procedure: after this issue of the newsletter, we will forward important conference announcements directly to the list rather than wait for a newsletter to come out. That way, you can be sure to see timely announcements of calls for papers and registration information. We'll limit such announcements to one each for CFPs and general announcements per conference, and only for conferences involving computer/network/information security, crime, privacy, or related topics. I know that some of you have a heavy mail load already, so we'll try to keep from adding to it in any significant way.

Our WWW page continues to grow and develop new links. Right now, we have a backlog of over 200 new links to add to the hotlist, and we have many, many new items added to the archive. If you haven't seen the page recently, you might want to check it out again -- we have a new look since summer (but you'll need something like Netscape that handles tables and frames to view it correctly). You can visit the page as . Recently, Mitch Sobol dubbed it the single best InfoSec resource on the net in his column in "Infosecurity News", and Magellan awarded us a 3-star rating for our pages. Not bad, considering it was all developed in bits and pieces in our spare time!

We also invite you to submit items of interest to our readership.
We can't promise that we'll use everything sent, but we're interested in making this forum a little more general in nature. The list is read by over 2000 security professionals world-wide, so that means good exposure for important messages. We are especially interested in brief announcements of on-line resources, meeting or conference announcements, or requests for information or further research. Contact me directly if you have something you might like to submit to the list.

As a little exercise, we decided to see which countries were represented on the COAST mailing list. We counted 51: Argentina, Australia, Austria, Belgium, Bermuda, Brazil, Canada, Chile, China, Croatia (Hrvatska), Czech Republic, Denmark, Ecuador, Estonia, Finland, France, Germany, Great Britain (UK), Greece, Hong Kong, Hungary, Iceland, India, Ireland, Israel, Italy, Japan, Korea (South), Malaysia, Malta, Mexico, Netherlands, New Zealand (Aotearoa), Norway, Philippines, Poland, Portugal, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, USSR (former), United Arab Emirates, United Kingdom, and the United States. It simply goes to show that information security *must* have a global awareness, even if we focus on local needs.

As an attempt to clear out the list backlog, this issue has:

* an update on activities of some of the COAST students
* news about our latest sponsors, including news that our lab renovations are finally finished (Yay!). Included is an invitation, so read closely!
* a short essay on open systems security work at HP, and how they envision HP's relationship with COAST
* some "plugs" for two new books you may find interesting
* some editorial observations from the NISSC conference -- provide some feedback on them, please!
* a brief description of what Vince Russo & the Renaissance group are doing with COAST
* a repeat of the CFP for our vulnerability workshop
* the CFP for the Usenix Security Symposium

We hope this helps bring you up-to-date with some of what we've been doing here. More soon!

(And a sort of PS: we will have a formal paper on our escapade with Kerberos 4 available sometime within the next few weeks. It will be available via the WWW page when it is ready.)

--spaf

------------------------------

From: various (People at COAST)
Subject: Student news

Here's a brief account of what a few of the COAST students have been up to in the last year:

* Mark Crosbie spent the summer as an intern at Hewlett-Packard Corporation. While there, he developed a proof-of-concept prototype of his autonomous agents ideas. When he returned to Purdue in August, he completed his MS degree, and is now considering several job and research offers. Several of Mark's papers have appeared in conferences over the last few months, and have been issued as tech reports; you can also find them on our WWW page.

* Ivan Krsul spent the summer as an intern at Xerox PARC. There, he was involved in several projects, including one in electronic commerce. He is now preparing for his PhD prelim exams (thesis proposal). He plans to return to Xerox PARC for the summer. In the fall, Ivan's paper on the software forensic work he did for his MS thesis won the Best Student Paper award at the National Information Systems Security Conference. That's two in a row for our students!

* Bryn Dole spent the summer at Sun Microsystems, with the Internet Commerce Group. There, he helped develop testing methods for the new SunScreen SPF-100 product. Back in COAST, he's working on developing some formalized testing of firewalls. Most recently, he was working with Steve Lodin and myself on the Kerberos 4 key weakness discovery. Bryn is currently considering several job offers.
* Christoph Schuba has gone to Xerox PARC as a student-in-residence. He returned to Purdue in the fall to pass his preliminary exam, and then returned to PARC. Until August he will be working on his Ph.D. thesis under the local supervision of Dr. Bryan Lyles. He will return to Purdue in August to write and defend his thesis under the supervision of Prof. Gene Spafford. Christoph's work, funded jointly by Xerox and Sprint through COAST, involves an examination of the issues involved in building high-speed firewalls for ATM networks. Some papers on his work should be available this spring.

* Steve Lodin spent the summer back with Delco Electronics where he travelled to GM sites around the world, helping to perform security audits. In August, he returned to Purdue to finish his last two semesters of graduate study as a GM Fellow. In addition to his research on firewalls, Steve got the idea of looking at Kerberos 4 as widely-distributed and examined code that he could use as an example of how to create random numbers. Was that a surprise!

* Sandeep Kumar successfully defended his Ph.D. thesis and began work full time at Hewlett-Packard. There, he is working on advanced security software for HP products. We won't be surprised to hear if HP comes out with an advanced misuse detection system in the near future!

* Frank Wang, an undergrad who worked with COAST last year on several projects, spent the summer and fall working as a co-op with Hewlett-Packard. He returned to Purdue in January to complete work on his undergraduate degree.

* Keith Watson, an undergraduate who was working with COAST on network scanning tools, returned to Northern Telecom for another co-op period. He will be returning to Purdue (and COAST) in the fall of 1996, to finish his degree and possibly undertake a grad degree with us. Before he left, he completed an extension package for Farmer and Wietse's SATAN tool.
This was distributed to COAST sponsors, and reportedly will be integrated with an upcoming SATAN release.

* Shyue-hong Chuang, an undergraduate working with COAST on logging and intrusion detection systems, graduated in December. He returned to his native Singapore for a period of mandatory national service. He then intends to pursue a graduate degree in computer security.

* Grad students Aurobindo Sundaram, Katherine Price, and Todd Ellis joined us in COAST, as did undergrads Tanya Mastin, Karyl Stein, Keith Brown and Amy Eng. All are involved in projects we'll report in coming newsletters.

...all of these students and others have links in the COAST WWW pages, including links to papers and project information. Note that several of the students are available for student internships. Contact them directly if you are interested.

------------------------------

From: coast
Subject: Sponsors, donors, and the Lab dedication
To: coast

The end of 1995 and the beginning of 1996 saw several pleasant developments for what we are trying to accomplish here.

First of all, the Hewlett-Packard Company became our most recent sponsor. The people at HP have a strong interest in building security tools and mechanisms for their customers, so the connection is obvious. The COAST-HP link has been building over the last year, with HP hiring Sandeep Kumar full-time, and hosting Mark Crosbie and Frank Wang for internships. The sponsorship was a natural next step, and we welcome HP's participation. An essay with several observations by Bob Schwehr about HP's view of security and relationship with COAST is included later in this newsletter.

Next, US Sprint provided us with another increment of support for Christoph Schuba and his work on ATM firewalls at Xerox PARC. This is a joint project with Xerox, with some really exciting preliminary results. We are grateful for the continuing support of Sprint and Xerox for this effort.
Last, but not least, Schlumberger provided a gift of $20,000 towards the COAST lab renovation. This was the final amount we needed to put us over the top, including repaying the remaining amount that the department loaned to COAST for the physical renovations, pay for the rest of our new furniture, a page printer, and some additional specialized resources.

Next week, on March 11, we will have a dedication ceremony for the COAST lab. At that time, we will formally recognize the contributors to the renovation and equipping of the COAST Lab: Sun Microsystems, Bell Northern Research, Schlumberger Limited, and Hughes Research Laboratories. You are all invited to attend, if you can make it! The dedication itself will take place at 3:15 in the Computer Sciences Building, outside the COAST Lab (room G-18). Following the short ceremony, refreshments will be served. We will then follow with an invited colloquium: "riverrun: a Vicious Viconian Ricorso on the Informatic Vicus." The colloquium will be delivered by our distinguished guest, Marvin Schaefer. Marv is the Chief Scientist of Arca Systems, Inc, and was the first Chief Scientist of the DoD National Computer Security Center where he was principal author of the "Orange Book" (but we forgive him for that :-). A complete abstract of the colloquium, along with directions to get to the CS building, may be found at .

------------------------------

Date: Tue, 19 Dec 1995 09:09:32 -0800
From: Bob Schwehr
Subject: Hewlett-Packard and Secure Open Computing: Some Observations
To: COAST friends

HP's interest in security is driven from its customer base among the fortune 1000 companies. Business processes are increasingly being automated, and interconnected. Many firms have offices and people spread over a widely dispersed geography. HP makes not only servers and workstations, but also PC's, laptops, palmtops, and even has links to firewalls and cellular telephones.
Companies need to use them extensively across diverse communication paths. A great many people have potential access to important business data. Simply managing this access gets complex and expensive. We hear reports that the costs from losses and misuse are doubling each year. This taxes the ability of technology to deal with the challenges and meet the constraints of the business world. Over 1/2 of the losses are from internal people, and may be classified as misuse. Others are simply the result of the increasing sophistication of criminals, tempted by the large electronic cash flows.

HP has contributed to COAST in the belief that the base technology needs to find clever ways to detect issues in real time and to use methods that do not obstruct every day business. These breakthroughs will benefit everyone and further enhance the ability of computing to serve an ever increasing market. We cannot afford to lose the confidence of the business world. The opportunity is enormous.

HP's open computing paradigm stems from a long-term involvement in business and technical computing (yes, distributed R&D also needs security) coupled with our product line of enterprise solutions. We connect all those levels of servers through palmtops and cell phones every day. The bywords for the secure computing framework are "it must be:
    Manageable (friendly, courteous)
    Applicable (kind, thrifty)
    Reliable (trustworthy, loyal)",
kind of like a Scout Oath for computing in business.

A business enterprise needs to be able to manage its network of computers in a coordinated way. HP OpenView is a package that provides single point administration for computers from many vendors. The newest addition to the administrative ability is Admin Center. System managers can configure all their computers from a single package. It can be accessed from anywhere in the world. People use it to set all system, network and security parameters for the enterprise.
The OpenView framework also contains OpCenter, for displaying and manipulating status data for system performance, network status, and even security status throughout the enterprise. OpenView is the focus for HP's centralized control and management of enterprise computing. The processes work with data from a variety of machines and networks, in real time.

Applications are key to making security management successful. HP has demo'd packages from SAIC doing security monitoring and intrusion detection. We have used technology developed via the COAST projects to enhance this capability to do auditing and detection of anomalies in real time. These can be both rule based and probabilistic in nature, using genetic programming. Perhaps an intruder can be detected and manipulated while "in the act"! These are exciting areas of activity. They stem from HP's long-term involvement in process control and "B1" level government security.

We are fortunate to have application portability between our base, C2 level, operating system (HPUX) and our B1 products. B1 closes two vulnerabilities in UN*X for the commercial world. First it replaces the root capability with a "least privilege" model. Any one person cannot get rights to all system internals in this realm. It also adds multi-level access controls to files and resources. A simple use: helping finance protect wage plans. It also has a secure windows feature that commercial businesses have not used as much at this point.

For years people worried that B1 applications were too complex to be usable, and too hard to integrate with applications. Well, last fall HP/Secure Ware/ and 5-Paces demonstrated internet banking with a Netscape web interface. Security First Bank is the first institution to gain government certification for web transactions. Guess what? The application uses Netscape linked to the HP-B1 Un*X as a gateway to other commercial UN*X applications running C2, or lower security levels. They are on line. Look them up.
They were on-line at the INTERWORKS show in Atlanta. Think what this may do for business structure. You could run an entire web mail order business from a single room of computers and a warehouse...

It has to be reliable, right? That means access when needed, system up time, and little to no service time. It also means it has to be easy to use. You should not even know that the Netscape bank is running via secure networks, gateways, etc... The advantage of having the security "built into the operating system" is that all of the high availability systems including fail-over processes still work. All this means service that will not be interrupted. The Telecom people are especially focused on this area. Time is money for all of us.

In conclusion, HP has had security in its operating systems from the early 70's. Today's implementations are more creative and sophisticated, as are the users. Additionally, business applications are beginning to set the pace for security needs even more than the traditional government application focus. I wonder if all those gadgets in the James Bond movies are really so different from the "toys" I use every day at work? The research at the COAST research lab will be central to the computing processes of the next century as computers become even more pervasive than they are today.

------------------------------

From: spaf
Subject: Plugs for 2 new books
To: coast

This piece is a bit commercial, but I think there is some value involved, so that helps explain it. Of course, I do have reason to be a bit biased.... and a bit proud. I've put a lot of effort into both, and I think the results are worthy of attention.

First, there is the release of O'Reilly's: "Computer Crime: A Crimefighter's Handbook." It is a revision of the FBI's computer crime training manual and has a great deal of information particularly directed to law enforcement types.
Thus, if you work regularly with some law enforcement agents who might benefit from some more exposure to computer security terminology and concepts, you might suggest this (or buy them a copy!). The book also has some useful information for a computer security manager. The inclusion of the text of Federal, state and international computer crime statutes makes it an especially valuable resource; at $25, it's a real bargain. More information is available via the WWW at http://gnn.com/gnn/bus/ora/item/crime.html

Enclosed is the descriptive text from one of the associated WWW pages:

Computer Crime: A Crimefighter's Handbook
By David Icove, Karl Seger & William VonStorch
Consulting Editor Eugene H. Spafford
1st Edition August 1995
ISBN: 1-56592-086-4; Order number: 086-4
464 pages, $24.95

Full Description:

Terrorist attacks on computer centers, electronic fraud on international funds transfer networks, viruses and worms in our software, corporate espionage on business networks, and crackers breaking into systems on the Internet...Computer criminals are becoming ever more technically sophisticated, and it's an increasing challenge to keep up with their methods. Computer Crime: A Crimefighter's Handbook is for anyone who needs to know what today's computer crimes look like, how to prevent them, and how to detect, investigate, and prosecute them if they do occur. It contains basic computer security information as well as guidelines for investigators, law enforcement, and computer system managers and administrators.

Part I of the book contains a discussion of computer crimes, the computer criminal, and computer crime laws. It describes the various categories of computer crimes and profiles the computer criminal (using techniques developed for the FBI and other law enforcement agencies). Part II outlines the risks to computer systems and personnel, operational, physical, and communications measures that can be taken to prevent computer crimes.
Part III discusses how to plan for, investigate, and prosecute computer crimes, ranging from the supplies needed for criminal investigation, to the detection and audit tools used in investigation, to the presentation of evidence to a jury. Part IV of the book contains a compendium of the computer-related U.S. federal statutes and all of the statutes of the individual states, as well as representative international laws. Part V contains a resource summary, detailed papers on computer crime, and a sample search warrant for a computer crime.

+ + + + +

Then there is the magnum opus many of you have been waiting for, the long-awaited 2nd edition of "Practical Unix Security," now retitled as "Practical Unix & Internet Security." Simson Garfinkel (my co-author) and I started in on the rewrite in January of 1995. As I write this, we are finishing the final quality control check on the proofs. In between, we've done a lot of research and writing. The book has grown from 450 pages to over 1000 (yup, that's 3 zeros). When the first book came out, it was widely hailed as the definitive reference. (Well, someone must have liked it -- over 60,000 copies were sold world-wide!) Simson and I decided that the rewrite needed to cover more systems (especially System V R4), and issues relating to connecting a Unix system to the Internet. Along the way, we added and expanded chapters on WWW security, firewalls, TCP/IP services, NFS security, personnel security and the nature of policy. We hope this one lasts awhile, because we might not survive another rewrite like this one!

More info, including a table of contents for the book may be found at . You can also order a copy of the book there (or by phone, 800-889-8969 [US/Canada credit card orders], 800-998-9938 [US/Canada inquiries], or 707-829-0515 [local/overseas]), so you can be first on your subnet to have a copy when they are released late this month. All 1000 pages can be had for only $39.95.
And I promise to sign at least one of those pages for you if you catch me at a conference or visit here at COAST.

Here's some more info from the WWW page:

Practical UNIX & Internet Security, 2nd Edition
By Simson Garfinkel & Gene Spafford
2nd Edition April 1996 (est.)
ISBN: 1-56592-148-8; Order number: 1488
950 pages (est.), $39.95 (est.)

A complete revision of the first edition, this new guide spells out the threats, system vulnerabilities, and countermeasures you can adopt to protect your UNIX system, network, and Internet connection. It's complete -- covering both host and network security -- and doesn't require that you be a programmer or a UNIX guru to use it. The second edition contains hundreds of pages of new information on Internet security, including services, wrappers, and monitoring tools. Covers many platforms, both System V and Berkeley-based, including Sun, DEC, HP, IBM, SCO, NeXT, Linux, and other UNIX systems. Although primarily intended for users and administrators of Unix computing systems, the broad and comprehensive coverage of generic security issues and concerns will be of value to every computer security professional.

------------------------------

From: russo ("Vincent F. Russo")
Subject: Renaissance & COAST
To: spaf

Professor Vince Russo has recently received funding for work on the Renaissance distributed object system from the Department of Defense totalling approx. $200K over two years. This research will investigate security architectures for modern object-oriented distributed systems such as those prescribed by the object management environments proposed by the Object Management Group (OMG). The resultant architecture is intended to meet a number of goals including:

    The accommodation of heterogeneous operating systems, both research and commercial.
    The ability to allow both trustworthy and untrustworthy hosts to interoperate.
    Acceptable performance and the ability to allow effective caching strategies.
    No *requirement* that servers be modified to provide base security.
    Allowing servers to enforce a finer-grained identity-based security.
    Strongly authenticated hosts and users within system.
    Scalability to large distributed systems.
    The facilitation of eventual formal reasoning about system security properties.
    The ability to support the flexibility of run-time object interface matching present in most object-oriented systems.
    Minimizing the amount of code that must be trusted.
    The ability to contain damage from a single compromise.

Authentication is a vital ingredient to any security architecture. Without confidence in the binding between entities and their security attributes, access control decisions and their enforcement is futile. The fundamental questions here are: which authentication scheme to use and where should it be inserted. The research will begin with integrating the powerful authentication building block, SPX, at the kernel level. The research will later investigate additional authentication mechanisms.

For more information contact Dr. Russo by email to russo@cs.purdue.edu, or visit the COAST WWW page for links.

------------------------------

From: spaf
Subject: COAST at the NISSC, and an editorial

Once again, COAST was well-represented at the National Information Systems Security Conference (formerly the National Computer Security Conference). The conference was held last year in Baltimore in October. COAST was represented by three accepted papers and two invited panel appearances. And, for the second year in a row, someone from COAST got the "Best Student Paper" award.

Ivan Krsul won that award for his paper on software authorship analysis. His paper outlined some of the results of his Master's thesis on identifying the authors of malicious code by analyzing characteristics of the author's coding style. This pioneering work has generated quite a bit of interest by law enforcement professionals.
Mark Crosbie presented his paper on network intrusion detection. The paper described his design of an intrusion detection system based on small, autonomous agents. This work also has generated quite a bit of interest, and has been the subject of two subsequent papers at an AAAI conference and at a conference on Genetic Programming.

The two papers appear to have impressed more than the regular attendees. Both of them (and COAST) were featured in a nice article in "Science" (Vol 270, November 17, 1995, pages 1113-1114).

I was the busiest of the COAST group, delivering a paper done with Sandeep Kumar on his PhD research, describing the implementation and performance of the IDIOT intrusion detection system; serving on two panels: "Will Encryption Keep Hackers Out?" and "Computer Security Education"; attending the other talks; and attending a DoD advisory committee meeting.

The "Will Encryption Keep Hackers Out?" panel session was extremely well attended, with an overflow audience, perhaps as much for the panel composition as the topic: Steve Bellovin (AT&T), Steve Kent (BBN), Mike Higgins (DISA), and myself, with moderator Dorothy Denning (GWU). The panel basically agreed that encryption will do nothing to help the big problems of buggy software, misconfiguration, inattention, lack of training and education, and lack of management support. If we encrypted everything, including the OS software, then the machines couldn't run, and they might be safer. The audience seemed a little disappointed at this harmonious view, so the panel threw out some pointed comments about various vendors, government policies, and even some members of the audience. This seemed to partially satisfy the audience members looking for a melee, and the panel then adjourned.

The other panel session, on computer security education, was sparsely attended.
This reflects a problem we have in this area, and is the topic of one of my "standard rants": It is terribly discouraging to see companies so desperate for trained computer security professionals that they are willing to pay 6-figure hiring bonuses and employ "experts" with dubious backgrounds. However, those same companies won't consider investing similar amounts in education/research programs at universities that might help grow the field. When will people learn that there is no "quick fix" for security needs? Why is there such limited willingness to help academia in this arena? And where will we be left if all the able faculty are finally lured away from academe?

For those of you who are unfamiliar with the NISSC, it is held each year and is cosponsored by NIST and the National Security Agency. The primary function of the conference seems to be to allow a public forum for major government agencies (largely Department of Defense-related) to "sync up" with the outside world. Vendors, researchers, and outside associations make presentations that are well-attended by people in government; government organizations make presentations that are well attended by vendors and press; and lots of vendors and contractors get to pitch their products and services. This is not a 1st-tier research conference, although each year several of the research-oriented contributions are high-quality, quite novel, and very interesting. The conference is the largest in the field of information security, overall -- I was told that this year almost 4000 people attended at least one of the sessions.

With that as background, I'd like to note four things I found particularly striking:

1) Almost everyone at the conference with ties to the US government fails to understand the Internet. They all talk about the "NII" (National Information Infrastructure) rather than the "GII" (Global Information Infrastructure).
That the Internet reaches over 100 countries and all seven continents seems to have failed to register. One person from Europe told me that I was the only presenter in 3 days of talks who acknowledged that the Internet had a global presence that involved people *other than* "foreign" computer criminals and spies! Once you understand this attitude, it becomes much clearer why we have such silliness as the ITAR export controls on cryptography, "computer indecency" bills, and other such nonsense in the US government. They have a Ptolemaic view of the Internet -- the US is at the center, and there are only little "peripheral" uses elsewhere.

2) MLS (multi-level security) systems are still seen by many people as "the solution." Unfortunately, those people generally don't understand what "the problem" is that corresponds to "the solution." Vendors are happy to continue selling systems to those people, who are probably not getting what they think they are. I am reminded of the story of the data center manager who was told by the auditors that he had to have RACF or "Top Secret" to help protect company data. A year later, at the next audit, he proudly showed the auditors that he had complied -- there was an unopened distribution box on the shelf.

As an exercise, I visited a few vendor booths and made an enquiry to the effect of "I need some C2 systems now that I am getting an Internet connection." The sales droids were happy to pitch their products to me, not bothering to mention that their C2 assessments assumed no network connections (and in the case of PC systems, no floppy drive, either). Neither did they ask about what assets I was trying to protect, or what policies I was trying to implement. To them, the magic C2 rating (or B2, or whatever) was the universal solution to my problem. Sad to say, there are many purchase decisions being made solely on such (mis)information.
3) Firewalls are a big thing, but it isn't clear that customers know what to ask or that vendors know what to tell them. Visiting booths, I generally asked the same two questions: how can I know for certain that your product will work effectively, and can I use your product as an internal firewall between two partially-trusted subnets? The responses were too often similar:

* Of course our product works! We use it ourselves (or "customer X" uses it) and we haven't detected a failure yet!
* Of course our product works! We hired some expert hackers and they couldn't break it. (Or, in the case of the Sidewinder, the sales rep asked "Haven't you heard about our Challenge?")
* An internal firewall? What's that?
* That's silly -- a firewall is to keep hackers out. Why would you want to put one inside where there are no hackers?

In other words, generally clueless. If these people were selling vitamins, the hype would be "Take our brand of vitamin and you will never grow old"; when asked for proof, the response would be "Well, we've all been taking them for the last year, and none of us have died from old age yet (that we can tell)!"

As a result of this experience, and many others like it, I recently submitted an essay to the last issue of IEEE Cipher on hacker challenges (see http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/commentary/960212.challenges.html) that explains my views on assuring and advertising security products. It was slammed by several vendors (as I expected), but curiously got no response from anyone else. Are challenges and marketing hype the only workable way to sell a product?

4) Intrusion detection and investigation are receiving almost no attention. There was only one booth where I saw any coverage of products in these areas, and it was really shared space in another vendor's booth (for Stalker, a good product, too). Maybe everyone still believes MLS and firewalls are going to save them?
But how can they tell they have a problem from the insiders who exploit the misconfigurations, or from outsiders who exploit the bugs? How do they expect to use all those megabytes of data they are collecting on their certified systems?

What do *you* think? Any comments on these issues? Send them in to me, and we'll publish some of the responses in a future issue. Unless you state otherwise, we'll assume any responses are fair game to republication.

------------------------------

From: Gene Spafford
Subject: Special CFP **NOTE THE DEADLINE**
To: COAST Watchers

Call for Papers

Invitational Workshop on Computer Vulnerability Data Sharing
Gaithersburg, Md., June 10 - 12, 1996.

Sponsored by:
The Advanced Research Projects Agency (ARPA)
The COAST Lab at Purdue University
The National Communications System (NCS)
The National Institute of Standards and Technology (NIST).

Researchers in communities including intrusion detection, security, incident handling, and software engineering have long expressed an interest in having access to a repository of vulnerability data that could be used in their experiments and analyses. These communities have different requirements for such a repository and would derive different benefits from it. These differences have often been cited as obstacles to the creation or sharing of such a repository. The purpose of this invitational workshop is to bring together interested researchers from these communities to explore these differences and questions. We hope to reach a consensus on creating a repository that can benefit all.
Issues explored at this workshop are expected to include:

* determining a vulnerability classification scheme,
* defining useful levels of abstraction for vulnerability definition for research, incident handling or intrusion detection,
* developing the data structures and applications to support the classification scheme,
* developing a sanitization method that protects incident victims,
* ensuring the integrity and authenticity of the repository data,
* regulating access to the data to only those with legitimate need, proprietary constraints, and other external controls (and defining what "legitimate need" might be).

Other administrative issues to be addressed include the collection and dissemination qualifications among the users, overall management of the repository, and resource requirements. Broader issues would include unanswered legal questions regarding participation and information dissemination, participant trust limitations, and creating a self-supporting capability.

Position papers are invited that address one or more of the following topics:

* How should a repository of vulnerability data be structured?
* What mechanisms should be used to collect, store, sanitize and disseminate the information?
* What data items should be present in the data?
* Should explicit exploitation scripts, or transcripts of example exploitations, be included?
* How can the accuracy and quality of the information be ensured?
* Should access to the data be restricted in any way?
* What is the liability issue of disseminating information that is subsequently used to cause a threat event?
* Who might want to use this data appropriately and how?
* To whom, under what circumstances, and how should the repository distribute unfixed vulnerabilities?
* What could the subscription model look like to create a self-supporting repository?

Individuals interested in attending the workshop are invited to submit a position paper draft to the program committee.
Invitations will be extended by the program committee based on these drafts. Paper drafts should touch on one or more topics suggested by the above. At least some suggestions should be made to questions or problems posed in this area. Papers should be submitted via e-mail as standard PostScript or as plain ASCII text. Paper copies may be submitted in lieu of electronic copies by advance permission only -- contact the committee chairs at the electronic mail address given below. Papers should not exceed 20 printed pages in length, and must NOT contain proprietary or classified data.

Important Dates:
Extended Abstracts Due: March 8
Invitations extended: April 10
Final Papers due: May 14

Program Committee:
Gene Spafford, Purdue University (co-chair)
Tim Grance, NIST (co-chair)
Rebecca Bace, NSA
Dave Bailey, Galaxy Computer Services
Matt Bishop, UC Davis
Carl Landwehr, NRL
Tom Longstaff, CERT
Teresa Lunt, ARPA
Marv Schaefer, ARCA Systems
Steve Smaha, Haystack Labs, Inc.
Kevin Zeiss, AFIW

Send abstracts or comments to

------------------------------

Date: Fri, 23 Feb 96 18:35:42 PST
From: security-mailing-owner@usenix.org
Subject: 6th UNIX Security Symposium, Focus on Applications of Cryptography

Announcement and Preliminary Call for Papers

6th UNIX Security Symposium
Focusing on Applications of Cryptography
July 22-25, 1996
Fairmont Hotel
San Jose, California

Sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association
Co-sponsored by UniForum
In cooperation with: The Computer Emergency Response Team (CERT), and IFIP WG 11.4

Important Dates

Dates for Refereed Paper Submissions
Extended abstracts due: Mar 19, 1996
Program Committee decisions made: Apr 15, 1996
Camera-ready final papers due: June 10, 1996
Registration Materials Available: End April 1996

USENIX Program Committee:
Program Chair: Greg Rose, Sterling Software.
Fred Avolio, Trusted Information Systems, Inc.
Steve Bellovin, AT&T Bell Laboratories
Brent Chapman, Great Circle Associates
Diane Coe, The MITRE Corporation
Ed DeHart, CERT
Kathy Fithen, CERT
Dan Geer, Open Market Inc.
Peter Gutmann, University of Auckland
Kent Landfield, Sterling Software
Clifford Neuman, University of Southern California
Avi Rubin, Bellcore
Eugene Spafford, COAST Laboratory, Purdue University
Ken van Wyk, Defense Information Systems Agency
Karen Worstell, The Boeing Company

Readers: Matt Bishop, U.C. Davis; Phil Karn, Qualcomm; Lee Damon, Qualcomm

UniForum Program Committee:
Jim Schindler, Chair, Hewlett-Packard
Rik Farrow, Internet Security Consulting

Overview

The goal of this symposium is to bring together security and cryptography practitioners, researchers, system administrators, systems programmers, and others with an interest in applying cryptography, network and computer security, and especially the area where these overlap. The focus on applications of cryptography is intended to attract papers in the fields of electronic commerce and information processing, as well as security. Please note that papers about new cryptographic algorithms are not solicited; however new applications are.

This will be a four day single track symposium with tutorials, refereed and technical presentations, and panel discussions. Tutorials will take place the first two days followed by two days of technical sessions.

Tutorials July 22-23

Tutorials for both technical staff and managers will provide immediately useful, practical information on topics such as local and network security precautions, what cryptography can and cannot do, security mechanisms and policies, firewalls and monitoring systems.

Technical Sessions July 24-25

In addition to the keynote presentation, the technical program includes refereed papers and invited talks. There may be panel sessions. There will be Birds-of-a-Feather sessions and Works-in-Progress Reports on two evenings.
You are invited to make suggestions to the program committee via email . Papers that have been formally reviewed and accepted will be presented during the symposium and published in the symposium proceedings. Proceedings of the symposium will be published by USENIX and will be provided free to technical session attendees; additional copies will be available for purchase from USENIX.

Symposium Topics

Presentations are being solicited in areas including but not limited to:

* Anonymous transactions
* Applications of cryptographic techniques
* Attacks against secure networks/machines
* Cryptanalysis and codebreaking as attacks
* Cryptographic tools
* Electronic commerce security
* Firewalls and firewall toolkits
* Legislative and legal issues
* Case studies
* Computer misuse and anomaly detection
* File and File system security
* Network security
* Security and system management
* Security in heterogeneous environments
* Security incident investigation and response
* Security tools
* User/system authentication
* Penetration testing
* Malicious code analysis

Note that this symposium is not about new codes or ciphers, or cryptanalysis for its own sake.

How to Submit a Refereed Paper

Submissions must be received by Mar 19, 1996. Authors are encouraged to submit an extended abstract which discusses key ideas and demonstrates the structure of the finished paper. Extended abstracts should be 3-5 pages long (about 1500-2500 words), not counting references and figures. The body of the extended abstract should be in complete paragraphs. The object of an extended abstract is to convince the reviewers that a good paper and presentation will result. Full papers can be submitted if they are complete in advance of the date. Full papers should be 8 to 15 typeset pages. Authors will be notified of acceptance on April 15, 1996. All submissions will be judged on originality, relevance, and correctness.
Each accepted submission will be assigned a member of the program committee to act as its shepherd through the preparation of the final paper. The assigned member will act as a conduit for feedback from the committee to the authors. Camera-ready final papers are due June 10, 1996.

Please accompany each submission by a cover letter stating the paper title and authors along with the name of the person who will act as the contact to the program committee. Please include a surface mail address, daytime and evening phone number, and, if available, an email address and fax number for the contact person. If you would like to receive detailed guidelines for submission and examples of extended abstracts, you may send email to: securityauthors@usenix.org or telephone the USENIX Association office at +1 510 528 8649.

The UNIX Security Symposium, like most conferences and journals, requires that papers not be submitted simultaneously to another conference or publication and that submitted papers not be previously or subsequently published elsewhere. Papers accompanied by "non-disclosure agreement" forms are not acceptable and will be returned to the author(s) unread. All submissions are held in the highest confidentiality prior to publication in the Proceedings, both as a matter of policy and in accord with the U.S. Copyright Act of 1976.

Where To Submit

Please send one copy of an extended abstract or a full paper to the program committee via each of two, for reliability, of the following methods. All submissions will be acknowledged.

o Preferred Method: email (Postscript or ASCII) to: securitypapers@usenix.org
o Alternate Method: postal delivery to
  Security Symposium
  USENIX
  2560 Ninth St., Ste. #215
  Berkeley CA 94710 U.S.A.
  Phone: +1 510 528 8649
o Fax: +1 510 548 5738

Cash Prizes

Cash prizes will be awarded for the best paper at the conference and the best student paper.
Registration Materials

Materials containing all details of the technical and tutorial programs, registration fees and forms, and hotel information will be available at the end of April 1996. If you wish to receive the registration materials, please contact USENIX at:

USENIX Conference Office
22672 Lambert Street, Suite 613
Lake Forest, CA USA 92630
+1 714 588 8649; Fax: +1 714 588 9706
email: conference@usenix.org

Information can also be found under the USENIX Association WWW page URL: http://www.usenix.org

------------------------------

End of Coast Watch Digest
------------------------------