INTRODUCTION TO PART I

FOUNDATIONS OF COMPUTER SECURITY

The foundations of computer security include answers to the superficially simple question “What is this all about?” Our first part establishes a technological and historical context for information assurance so that readers will have a broad understanding of why information assurance matters in the real world. Chapters focus on principles that will underlie the rest of the text: historical perspective on the development of our field; how to conceptualize the goals of information assurance in a well-ordered schema that can be applied universally to all information systems; computer hardware and network elements underlying technical security; history and modern developments in cryptography; and how to discuss breaches of information security using a common technical language so that information can be shared, accumulated, and analyzed.

Readers also learn or review the basics of commonly used mathematical models of information-security concepts and how to interpret survey data and, in particular, the pitfalls of self-selection in sampling about crimes. Finally, the first section of the text introduces elements of law (U.S. and international) applying to information assurance. This legal framework from a layman’s viewpoint provides a basis for understanding later chapters; in particular, when examining privacy laws and management’s fiduciary responsibilities.

Chapter titles and topics in Part I include:

1. Brief History and Mission of Information System Security. An overview focusing primarily on developments in the second half of the twentieth century and the first decade of the twenty-first century

2. History of Computer Crime. A review of key computer crimes and notorious computer criminals from the 1970s to the mid-2000s

3. Toward a New Framework for Information Security. A systematic and thorough conceptual framework and terminology for discussing the nature and goals of securing all aspects of information, not simply the classic triad of confidentiality, integrity, and availability

4. Hardware Elements of Security. A review of computer and network hardware underlying discussions of computer and network security

I · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.


5. Data Communications and Information Security. Fundamental principles and terminology of data communications, and their implications for information assurance

6. Local Area Network Topologies, Protocols, and Design. Information assurance of the communications infrastructure

7. Encryption. Historical perspectives on cryptography and steganography from ancient times to today as fundamental tools in securing information

8. Using a Common Language for Computer Security Incident Information. An analytic framework for understanding, describing, and discussing security breaches by using a common language of well-defined terms

9. Mathematical Models of Computer Security. A review of the most commonly referenced mathematical models used to describe information-security functions

10. Understanding Studies and Surveys of Computer Crime. Scientific and statistical principles for understanding studies and surveys of computer crime

11. Fundamentals of Intellectual Property Law. An introductory review of cyberlaw: laws governing computer-related crime, including contracts, and intellectual property (trade secrets, copyright, patents, open-source models). Also, violations (piracy, circumvention of technological defenses), computer intrusions, and international frameworks for legal cooperation

CHAPTER 1

BRIEF HISTORY AND MISSION OF INFORMATION SYSTEM SECURITY

Seymour Bosworth and Robert V. Jacobson

1.1 INTRODUCTION TO INFORMATION SYSTEM SECURITY

1.2 EVOLUTION OF INFORMATION SYSTEMS
    1.2.1 1950s: Punched-Card Systems
    1.2.2 Large-Scale Computers
    1.2.3 Medium-Size Computers
    1.2.4 1960s: Small-Scale Computers
    1.2.5 Transistors and Core Memory
    1.2.6 Time Sharing
    1.2.7 Real-Time, Online Systems
    1.2.8 A Family of Computers
    1.2.9 1970s: Microprocessors
    1.2.10 The First Personal Computers
    1.2.11 The First Network
    1.2.12 Further Security Considerations
    1.2.13 The First “Worm”
    1.2.14 1980s: Productivity Enhancements
    1.2.15 1980s: The Personal Computer
    1.2.16 Local Area Networks
    1.2.17 1990s: Interconnection
    1.2.18 1990s: Total Interconnection
    1.2.19 Telecommuting
    1.2.20 Internet and the World Wide Web
    1.2.21 Virtualization and the Cloud
    1.2.22 Supervisory Control and Data Acquisition

1.3 GOVERNMENT RECOGNITION OF INFORMATION ASSURANCE
    1.3.1 IA Standards
    1.3.2 Computers at Risk
    1.3.3 InfraGard

1.4 RECENT DEVELOPMENTS

1.5 ONGOING MISSION FOR INFORMATION SYSTEM SECURITY

1.6 NOTES

1.1 INTRODUCTION TO INFORMATION SYSTEM SECURITY. The growth of computers and of information technology has been explosive. Never before has an entirely new technology been propagated around the world with such speed and with so great a penetration of virtually every human activity. Computers have brought vast benefits to fields as diverse as human genome studies, space exploration, artificial intelligence, and a host of applications from the trivial to the most life-enhancing.

Unfortunately, there is also a dark side to computers: They are used to design and build weapons of mass destruction as well as military aircraft, nuclear submarines, and reconnaissance space stations. The computer’s role in formulating biologic and chemical weapons, and in simulating their deployment, is one of its least auspicious uses.

Of somewhat lesser concern, computers used in financial applications, such as facilitating the purchase and sales of everything from matchsticks to mansions, and transferring trillions of dollars each day in electronic funds, are irresistible to miscreants; many of them see these activities as open invitations to fraud and theft. Computer systems, and their interconnecting networks, are also prey to vandals, malicious egotists, terrorists, and an array of individuals, groups, companies, and governments intent on using them to further their own ends, with total disregard for the effects on innocent victims. Besides these intentional attacks on computer systems, there are innumerable ways in which inadvertent errors can damage or destroy a computer’s ability to perform its intended functions.

Because of these security problems and because of a great many others described in this volume, the growth of information systems security has paralleled that of the computer field itself. Only by a detailed study of the potential problems, and implementation of the suggested solutions, can computers be expected to fulfill their promise, with few of the security lapses that plague less adequately protected systems. This chapter defines a few of the most important terms of information security and includes a very brief history of computers and information systems, as a prelude to the works that follow.

Security can be defined as the state of being free from danger and not exposed to damage from accidents or attack, or it can be defined as the process for achieving that desirable state. The objective of information system security[1] is to optimize the performance of an organization with respect to the risks to which it is exposed. Risk is defined as the chance of injury, damage, or loss. Thus, risk has two elements: (1) chance, an element of uncertainty, and (2) potential loss or damage. Except for the possibility of restitution, information system security actions taken today work to reduce future risk losses. Because of the uncertainty about future risk losses, perfect security, which implies zero losses, would be infinitely expensive. For this reason, risk managers strive to optimize the allocation of resources by minimizing the total cost of information system security measures taken and the risk losses experienced. This optimization process is commonly referred to as risk management. Risk management in this sense is a three-part process:

1. Identification of material risks
2. Selection and implementation of measures to mitigate the risks
3. Tracking and evaluation of risk losses experienced, in order to validate the first two parts of the process

The purpose of this Handbook is to describe information security system risks, the measures available to mitigate these risks, and techniques for managing security risks. (For a more detailed discussion of risk assessment and management, see Chapters 47 and 54.)
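The three-part process above, carried through in code as an added example (this is not the handbook's own material). It models the chapter's definitions directly: risk = chance × loss, a safeguard reduces the chance of one or more risks at an annual cost, and the risk manager picks the set of safeguards that minimizes safeguard cost plus the losses still expected. Part 3, tracking experienced losses against the estimate, is the `validate` function. All names, figures and reduction factors are constructed for illustration.

```python
"""Risk management as cost minimization: safeguards cost + residual risk losses.

Added example, not from the Computer Security Handbook. All figures are
constructed; the safeguard effectiveness fractions are assumptions.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Risk:
    name: str
    annual_chance: float   # element (1): uncertainty, expected events per year
    loss: float            # element (2): loss per event, in currency units


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's chance the safeguard removes (0..1)
    reductions: dict = field(default_factory=dict)


def annual_loss_expectancy(risk: Risk, safeguards=()) -> float:
    """Residual chance after every applicable safeguard, times loss per event."""
    residual = risk.annual_chance
    for s in safeguards:
        residual *= 1.0 - s.reductions.get(risk.name, 0.0)
    return residual * risk.loss


def total_cost(risks, safeguards) -> float:
    """What the risk manager minimizes: measures taken + risk losses expected."""
    return (sum(s.annual_cost for s in safeguards)
            + sum(annual_loss_expectancy(r, safeguards) for r in risks))


def optimise(risks, candidates):
    """Part 2: choose the subset of candidate safeguards with the lowest total cost.

    Exhaustive search over subsets; fine for a handful of candidates. Doing
    nothing is a valid answer, so the empty set is the starting point.
    """
    best, best_cost = (), total_cost(risks, ())
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            cost = total_cost(risks, subset)
            if cost < best_cost:
                best, best_cost = subset, cost
    return best, best_cost


def validate(risks, safeguards, observed_losses, tolerance=2.0):
    """Part 3: compare losses actually experienced with the model's estimate.

    Returns the names of risks whose observed annual loss exceeds
    `tolerance` times the predicted expectancy, i.e. where the chance or the
    safeguard-effectiveness estimate needs revisiting.
    """
    flagged = []
    for r in risks:
        predicted = annual_loss_expectancy(r, safeguards)
        if observed_losses.get(r.name, 0.0) > tolerance * predicted:
            flagged.append(r.name)
    return flagged


# Constructed inputs (part 1: the material risks identified).
RISKS = [
    Risk("ransomware", annual_chance=0.3, loss=200_000),
    Risk("lost laptop", annual_chance=2.0, loss=15_000),
    Risk("data-centre fire", annual_chance=0.01, loss=1_000_000),
]
CANDIDATES = [
    Safeguard("offline backups", 12_000, {"ransomware": 0.8}),
    Safeguard("full-disk encryption", 5_000, {"lost laptop": 0.9}),
    Safeguard("fire suppression upgrade", 25_000, {"data-centre fire": 0.9}),
    Safeguard("endpoint detection", 30_000, {"ransomware": 0.5}),
]

if __name__ == "__main__":
    print("do nothing, expected annual loss:", total_cost(RISKS, ()))
    chosen, cost = optimise(RISKS, CANDIDATES)
    print("chosen:", [s.name for s in chosen], "total annual cost:", cost)
    # A year later, losses actually experienced (constructed):
    print("revisit:", validate(RISKS, chosen, {"ransomware": 30_000, "lost laptop": 2_000}))
```

With these numbers the optimum is offline backups plus full-disk encryption: the fire-suppression upgrade costs more than the loss it removes, and endpoint detection only breaks even on its own and is worse once backups have already cut the ransomware expectancy. The `validate` step then flags ransomware because observed losses ran well ahead of the residual estimate, which is the signal to revisit either the chance or the assumed effectiveness of backups.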

Risk management has been a part of business for centuries. Renaissance merchants often used several vessels simultaneously, each carrying a portion of the merchandise, so that the loss of a single ship would not result in loss of the entire lot. At almost the same time, the concept of insurance evolved, first to provide economic protection against the loss of cargo and later to provide protection against the loss of buildings by fire. Fire insurers and municipal authorities began to require adherence to standards intended to reduce the risk of catastrophes like the Great Fire of London in 1666. The Insurance Institute was established in London one year later. With the emergence of corporations as limited liability stock companies, corporate directors have been required to use prudence and due diligence in protecting shareholders’ assets. Security risks are among the threats to corporate assets that directors have an obligation to address.

Double-entry bookkeeping, another Renaissance invention, proved to be an excellent tool for measuring and controlling corporate assets. One objective was to make insider fraud more difficult to conceal. The concept of separation of duties emerged, calling for the use of processing procedures that required more than one person to complete a transaction. As the books of account became increasingly important, accounting standards were developed, and they continue to evolve to this day. These standards served to make books of account comparable and to assure outsiders that an organization’s books of account presented an accurate picture of its condition and assets. These developments led, in turn, to the requirement that an outside auditor perform an independent review of the books of account and operating procedures.

The transition to automated accounting systems introduced additional security requirements. Some early safeguards, such as the rule against erasures or changes in the books of account, no longer applied. Some computerized accounting systems lacked an audit trail, and others could have the audit trail subverted as easily as actual entries.

Finally, with the advent of the Information Age, intellectual property has become an increasingly important part of corporate and governmental assets. At the same time that intellectual property has grown in importance, threats to intellectual property have become more dangerous, because of information system (IS) technology itself. When sensitive information was stored on paper and other tangible documents, and rapid copying was limited to photography, protection was relatively straightforward. Nevertheless, document control systems, information classification procedures, and need-to-know access controls were not foolproof, and information compromises occurred with dismaying regularity. Evolution of IS technology has made information control several orders of magnitude more complex. The evolution and, more importantly, the implementation of control techniques have not kept pace.

The balance of this chapter describes how the evolution of information systems has caused a parallel evolution of information system security and at the same time has increased the importance of anticipating the impact of technical changes yet to come. This overview will clarify the factors leading to today’s information system security risk environment and mitigation techniques and will serve as a warning to remain alert to the implications of technical innovations as they appear. The remaining chapters of this Handbook discuss information system security risks, threats, and vulnerabilities, their prevention and remediation, and many related topics in considerable detail.

1.2 EVOLUTION OF INFORMATION SYSTEMS. The first electromechanical punched-card system for data processing, developed by Herman Hollerith at the end of the nineteenth century, was used to tabulate and total census field reports for the U.S. Bureau of the Census in 1890. The first digital, stored-program computers developed in the 1940s were used for military purposes, primarily cryptanalysis and the calculation and printing of artillery firing tables. At the same time, punched-card systems were already being used for accounting applications and were an obvious choice for data input to the new electronic computing machines.


1.2.1 1950s: Punched-Card Systems. In the 1950s, punched-card equipment dominated the commercial computer market.[2] These electromechanical devices could perform the full range of accounting and reporting functions. Because they were programmed by an intricate system of plugboards with a great many plug-in cables, and because care had to be exercised in handling and storing punched cards, only experienced persons were permitted near the equipment. Although any of these individuals could have set up the equipment for fraudulent use, or even engaged in sabotage, apparently few, if any, actually did so.

The punched-card accounting systems typically used four processing steps. As a preliminary, operators would be given a “batch” of documents, typically with an adding machine tape showing one or more “control totals.” The operator keyed the data on each document into a punched card and then added an extra card, the batch control card, which stored the batch totals. Each card consisted of 80 columns, each containing, at most, one character. A complete record of an inventory item, for example, would be contained on a single card. The card was called a unit record, and the machines that processed the cards were called either unit record or punched-card machines. It was from the necessity to squeeze as much data as possible into an 80-character card that the later Year 2000 problem arose. Compressing the year into two characters was a universally used space-saving measure; its consequences 40 years later were not foreseen.

A group of punched cards, also called a “batch,” were commonly held in a metal tray. Sometimes a batch would be rekeyed by a second operator, using a “verify-mode” rather than actually punching new holes in the cards, in order to detect keypunch errors before processing the card deck. Each batch of cards would be processed separately, so the processes were referred to as “batch jobs.”

The first step would be to run the batch of cards through a simple program, which would calculate the control totals and compare them with the totals on the batch control card. If the batch totals did not reconcile, the batch was sent back to the keypunch area for rekeying. If the totals reconciled, the deck would be sort-merged with other batches of the same transaction type, for example, the current payroll. When this step was complete, the new batch consisted of a punched card for each employee in employee-number order. The payroll program accepted this input data card deck and processed the cards one by one. Each card was matched up with the corresponding employee’s card in the payroll master deck to calculate the current net pay and itemized deductions and to punch a new payroll master card, including year-to-date totals. The final step was to use the card decks to print payroll checks and management reports. These steps were identical with those used by early, small-scale electronic computers. The only difference was in the speed at which the actual calculations were made. A complete process was still known as a batch job.

With this process, the potential for abuse was great. The machine operator could control every step of the operation. Although the data was punched into cards and verified by others, there was always a keypunch machine nearby for use by the machine operator. Theoretically, that person could punch a new payroll card and a new batch total card to match the change before printing checks and again afterward. The low incidence of reported exploits was due to the controls that discouraged such abuse, and possibly to the pride that machine operators experienced in their jobs.
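The batch control check described above, and the abuse it does not catch, as an added example (not the handbook's own code). The 80-column card layout is an assumption chosen for illustration; real payroll layouts varied by installation. `reconcile` is the first processing step: it recomputes record count, hash total of employee numbers, total hours and total gross from the detail cards and compares them with the batch control card. A keypunch transposition is caught; an operator who can repunch both a detail card and the control card is not, which is exactly why the control card had to come from someone other than the machine operator (the separation-of-duties point made earlier in the chapter). The two-digit year in the date field is the space-saving habit behind the later Year 2000 problem.

```python
"""Batch control totals over 80-column unit records.

Added example, not from the Computer Security Handbook. The card layout is an
assumption for illustration:
  cols  1-6   employee number
  cols  7-26  employee name
  cols 27-32  hours worked, two implied decimals ("004000" = 40.00 hours)
  cols 33-41  gross pay in cents
  cols 42-47  pay period end date YYMMDD (two-digit year: the Y2K habit)
  col  80     record type: 'D' detail card, 'C' batch control card
A control card reuses the numeric fields for the batch totals:
  cols  1-6   record count
  cols 27-32  total hours
  cols 33-41  total gross cents
  cols 42-47  hash total of employee numbers, modulo 10**6
"""
from dataclasses import dataclass

CARD_WIDTH = 80


@dataclass(frozen=True)
class Detail:
    emp: int
    name: str
    hours: int          # hundredths of an hour
    gross_cents: int
    period: str         # YYMMDD


@dataclass(frozen=True)
class Control:
    count: int
    hours: int
    gross_cents: int
    emp_hash: int


def punch_detail(d: Detail) -> str:
    body = f"{d.emp:06d}{d.name:<20.20}{d.hours:06d}{d.gross_cents:09d}{d.period:6}"
    return body.ljust(CARD_WIDTH - 1) + "D"


def punch_control(c: Control) -> str:
    body = f"{c.count:06d}{'':20}{c.hours:06d}{c.gross_cents:09d}{c.emp_hash:06d}"
    return body.ljust(CARD_WIDTH - 1) + "C"


def read_card(card: str):
    """Parse one unit record into a Detail or a Control."""
    if len(card) != CARD_WIDTH:
        raise ValueError("not an 80-column unit record")
    kind = card[79]
    f1, name, hrs, gross, f5 = card[0:6], card[6:26], card[26:32], card[32:41], card[41:47]
    if kind == "D":
        return Detail(int(f1), name.rstrip(), int(hrs), int(gross), f5)
    if kind == "C":
        return Control(int(f1), int(hrs), int(gross), int(f5))
    raise ValueError(f"unknown record type {kind!r}")


def totals_of(details) -> Control:
    """What the adding-machine tape should have said for this batch."""
    return Control(
        count=len(details),
        hours=sum(d.hours for d in details),
        gross_cents=sum(d.gross_cents for d in details),
        emp_hash=sum(d.emp for d in details) % 10**6,
    )


def reconcile(deck):
    """First processing step: recompute the totals and compare with the control card."""
    records = [read_card(c) for c in deck]
    controls = [r for r in records if isinstance(r, Control)]
    details = [r for r in records if isinstance(r, Detail)]
    if len(controls) != 1:
        return False, "batch must carry exactly one control card"
    computed = totals_of(details)
    if computed != controls[0]:
        return False, f"totals do not reconcile: control={controls[0]} computed={computed}"
    return True, "ok"


# Constructed sample batch: three employees plus the control card keyed from the tape.
DETAILS = [
    Detail(100231, "ADAMS J", 4000, 120000, "991231"),
    Detail(100415, "BAKER R", 3750, 106250, "991231"),
    Detail(100978, "CHEN L", 4200, 151200, "991231"),
]
GOOD_DECK = [punch_detail(d) for d in DETAILS] + [punch_control(totals_of(DETAILS))]


def keypunch_error_deck():
    """Operator transposed two digits of Baker's hours (3750 -> 3570); control card unchanged."""
    bad = Detail(100415, "BAKER R", 3570, 106250, "991231")
    return [punch_detail(DETAILS[0]), punch_detail(bad), punch_detail(DETAILS[2]), GOOD_DECK[-1]]


def insider_deck(emp: int, new_gross_cents: int):
    """The machine operator repunches one detail card AND a matching control card."""
    altered = [d if d.emp != emp else Detail(d.emp, d.name, d.hours, new_gross_cents, d.period)
               for d in DETAILS]
    return [punch_detail(d) for d in altered] + [punch_control(totals_of(altered))]


if __name__ == "__main__":
    print("clean batch:   ", reconcile(GOOD_DECK))
    print("keypunch error:", reconcile(keypunch_error_deck()))
    print("insider fraud: ", reconcile(insider_deck(100231, 250000)))
```

The third call reconciles cleanly even though Adams's gross pay has been more than doubled: a control total only detects changes made by someone who cannot also rewrite the total. The control has to be produced, and retained for comparison, by a person outside the machine room.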

1.2.2 Large-Scale Computers. While these electromechanical punched card machines were sold in large numbers, research laboratories and universities were working to design large-scale computers that would have a revolutionary effect on the entire field. These computers, built around vacuum tubes, are known as the first generation. In March 1951, the first Universal Automatic Computer (UNIVAC) was accepted by the U.S. Census Bureau. Until then, every computer had been a one-off design, but UNIVAC was the first large-scale, mass-produced computer, with a total of 46 built. The word “universal” in its name indicated that UNIVAC was also the first computer designed for both scientific and business applications.[3]

UNIVAC contained 5,200 vacuum tubes, weighed 29,000 pounds, and consumed 125 kilowatts of electrical power. It dispensed with punched cards, receiving input from half-inch-wide metal tape recorded from keyboards, with output either to a similar tape or to a printer. Although not a model for future designs, its memory consisted of 1,000 72-bit words and was fabricated as mercury delay lines. Housed in a cabinet about six feet tall, two feet wide, and two feet deep were mercury-filled tubes running from top to bottom. A transducer at the top converted each pulse into a slow-moving acoustic wave that travelled down the mercury to a receiving transducer at the bottom. There it was reconverted into an electrical signal and passed on to the appropriate circuit, or recirculated if longer storage was required.

In 1956, IBM introduced the Random Access Method of Accounting and Control (RAMAC) magnetic disk system. It consisted of 50 magnetically coated metal disks, each 24 inches in diameter, mounted on a common spindle. Under servo control, two coupled read/write heads moved to span each side of the required disk and then inward to any one of 100 tracks. In one revolution of the disks, any or all of the information on those two tracks could be read out or recorded. The entire system was almost the size of a compact car and held what, for that time, was a tremendous amount of data: 5 megabytes. The cost was $10,000 per megabyte, or $35,000 per year to lease. This compares with some of today’s magnetic hard drives that measure about 3½ inches wide by 1 inch high, store as much as 1,000 gigabytes, and cost less than $400, or about $0.0004 per megabyte.

Those early, massive computers were housed in large, climate-controlled rooms. Within the room, a few knowledgeable experts, looking highly professional in their white laboratory coats, attended to the operation and maintenance of their million- dollar charges. The concept of a “user” as someone outside the computer room who could interact directly with the actual machine did not exist.

Service interruptions, software errors, and hardware errors were usually not critical. If any of these caused a program to fail or abort, beginning again was a relatively simple matter. Consequently, the primary security concerns were physical protection of the scarce and expensive hardware, and measures to increase their reliability. Another issue, then as now, was human fallibility. Because the earliest computers were programmed in extremely difficult machine language, consisting solely of ones (1s) and zeros (0s), the incidence of human error was high, and the time to correct errors was excessively long. Only later were assembler and compiler languages developed to increase the number of people able to program the machines and to reduce the incidence of errors and the time to correct them.

Information system security for large-scale computers was not a significant issue then for two reasons. First, only a few programming experts were able to utilize and manipulate computers. Second, there were very few computers in use, each of which was extremely valuable, important to its owners, and consequently closely guarded.

1.2.3 Medium-Size Computers. In the 1950s, smaller computer systems were developed with a very simple configuration; punched-card master files were replaced by punched paper tape and, later, by magnetic tape, and disk storage systems. The electromechanical calculator with its patchboard was replaced by a central processor unit (CPU) that had a small main memory, sometimes as little as 8 kilobytes,[4] and limited processing speed and power. One or two punched-card readers could read the data and instructions stored on that medium. Later, programs and data files were stored on magnetic tape. Output data were sent to cardpunches, for printing on unit record equipment, and later to magnetic tape. There was still no wired connection to the outside world, and there were no online users because no one, besides electronic data processing (EDP) people within the computer room, could interact directly with the system. These systems had very simple operating systems and did not use multiprocessing; they could run only one program at a time.

The IBM Model 650, as an example, introduced in 1954, measured about 5 feet by 3 feet by 6 feet and weighed almost 2,000 pounds. Its power supply was mounted in a similarly sized cabinet, weighing almost 3,000 pounds. It had 2,000 (10-digit) words of magnetic drum primary memory, with a total price of $500,000 or a rental fee of $3,200 per month. For an additional $1,500 per month, a much faster core memory, of 60 words, could be added. Input and output both utilized read/write punch-card machines. The typical 1950s IS hardware was installed in a separate room, often with a viewing window so that visitors could admire the computer. In an early attempt at security, visitors actually within the computer room were often greeted by a printed sign saying:

Achtung! Alles Lookenspeepers!

Das computermachine ist nicht fur gefingerpoken und mittengrabben. Ist easy schnappen der springenwerk, blowenfusen, und poppencorken mit spitzensparken. Ist nicht fur gewerken bei das dumbkopfen. Das rubbernecken sightseeren keepen hans in das pockets muss. Relaxen und watch das blinkenlichten.

Since there were still no online users, there were no user IDs and passwords. Programs processed batches of data, run at a regularly scheduled time—once a day, once a week, and so on, depending on the function. If the data for a program were not available at the scheduled run time, the operators might run some other job instead and wait for the missing data. As the printed output reports became available, they were delivered by hand to their end users. End users did not expect to get a continuous flow of data from the information processing system, and delays of even a day or more were not significant, except perhaps with paycheck production.

Information system security was hardly thought of as such. The focus was on batch controls for individual programs, physical access controls, and maintaining a proper environment for the reliable operation of the hardware.

1.2.4 1960s: Small-Scale Computers. During the 1960s, before the introduction of small-scale computers, dumb[5] terminals provided users with a keyboard to send a character stream to the computer and a video screen that could display characters transmitted to it by the computer. Initially, these terminals were used to help computer operators control and monitor the job stream, while replacing banks of switches and indicator lights on the control console. However, it was soon recognized that these terminals could replace card readers and keypunch machines as well. Now users, identified by user IDs, and authenticated with passwords, could enter input data through a CRT terminal into an edit program, which would validate the input and then store it on a hard drive until it was needed for processing. Later, it was realized that users also could directly access data stored in online master files.


1.2.5 Transistors and Core Memory. The IBM 1401, announced in 1959 and first delivered in 1960 with a core memory of 4,000 characters, was an early all-transistor computer and marks the advent of the second generation. Housed in a cabinet measuring 5 feet by 3 feet, the 1401 required a similar cabinet to add a further 12,000 characters of main memory. Just one year later, the first integrated circuits were used in a computer, making possible all future advances in miniaturizing small-scale computers and in reducing the size of mainframes significantly.

1.2.6 Time Sharing. In 1961, the Compatible Time Sharing System (CTSS) was developed for the IBM 7090/7094. This operating system software, and its associated hardware, was the first to provide simultaneous remote access to a group of online users through multiprogramming.[6] “Multiprogramming” means that more than one program can appear to execute at the same time. A master control program, usually called an operating system (OS), managed execution of the functional applications programs. For example, under the command of the operator, the OS would load and start application #1. After 50 milliseconds, the OS would interrupt the execution of application #1 and store its current state in memory. Then the OS would start application #2 and allow it to run for 50 milliseconds, and so on. Usually, within a second after users had entered keyboard data, the OS would give their applications a time slice to process the input. During each time slice, the computer might execute hundreds of instructions. These techniques made it appear as if the computer were entirely dedicated to each user’s program. This was true only so long as the number of simultaneous users was fairly small. After that, as the number grew, the response to each user slowed down.

1.2.7 Real-Time, Online Systems. Because of multiprogramming and the ability to store records online and accessible in random order, it became feasible to provide end users with direct access to data. For example, an airline reservation system stores a record of every seat on every flight for the next 12 months. A reservation clerk, working at a terminal, can answer a telephoned inquiry, search for an available seat on a particular flight, quote the fare, sell a ticket to the caller, and reserve the seat. Similarly, a bank officer can verify an account balance and effect money transfers. In both cases, each data record can be accessed and modified immediately, rather than having to wait for a batch to be run. Today, both the reservation clerk and the bank officer can be replaced by the customers themselves, who directly interface with the online computers.

While this advance led to a vast increase in available computing power, it also increased greatly the potential for breaches in computer security. With more complex operating systems, with many users online to sensitive programs, and with databases and other files available to them, protection had to be provided against inadvertent error and intentional abuse.

1.2.8 A Family of Computers. In 1964, IBM announced the S/360 family of computers, ranging from very small-scale to very large-scale models. All of the six models used integrated circuits, which marked the beginning of the third generation of computers. Where transistorized construction could permit up to 6,000 transistors per cubic foot, 30,000 integrated circuits could occupy the same volume. This lowered the costs substantially, and companies could buy into the family at a price within their means. Because all computers in the series shared the same instruction set and the same peripherals, companies could upgrade easily when necessary. The 360 family quickly came to dominate the commercial and scientific markets. As these computers proliferated, so did the number of users, knowledgeable programmers, and technicians. Over the years, techniques and processes were developed to provide a high degree of security to these mainframe systems.

The following year, 1965, saw the introduction of another computer with far-reaching influence: the Digital Equipment Corp. (DEC) PDP-8. The PDP-8 was the first mass-produced true minicomputer. Although its original application was in process control, the PDP-8 and its progeny quickly proved that commercial applications for minicomputers were virtually unlimited. Because these computers were not isolated in secure computer rooms but were distributed throughout many unguarded offices in widely dispersed locations, totally new risks arose, requiring innovative solutions.

1.2.9 1970s: Microprocessors. The foundations of all current personal computers (PCs) were laid in 1971 when Intel introduced the 4004 computer on a chip. Measuring 1/16 inch long by 1/8 inch high, the 4004 contained 2,250 transistors with a clock speed of 108 kiloHertz. The current generation of this earliest programmable microprocessor contains millions of transistors, with speeds over 1 gigaHertz, or more than 10,000 times faster. Introduction of microprocessor chips marked the fourth generation.

1.2.10 The First Personal Computers. Possibly the first personal computer was advertised in Scientific American in 1971. The KENBAK–1, priced at $750, had three programming registers, five addressing modes, and 256 bytes of memory. Although not many were sold, the KENBAK–1 did increase public awareness of the possibility for home computers.

It was the MITS Altair 8800 that became the first personal computer to sell in substantial quantities. Like the KENBAK–1, the Altair 8800 had only 256 bytes of memory, but it was priced at $375 without keyboard, display, or secondary memory. About one year later, the Apple II, designed by Steve Jobs and Steve Wozniak, was priced at $1,298, including a CRT display and a keyboard.

Because these first personal computers were entirely stand-alone and usually under the control of a single individual, there were few security problems. However, in 1978, the VisiCalc spreadsheet program was developed. The advantages of standardized, inexpensive, widely used application programs were unquestionable, but packaged programs, as opposed to custom designs, opened the way for abuse because so many people understood their user interfaces as well as their inner workings.

1.2.11 The First Network. A national network, conceived in late 1969, was born as ARPANET7 (Advanced Research Projects Agency Network), a Department of Defense–sponsored effort to link a few of the country’s important research universities, with two purposes: to develop experience in interconnecting computers and to increase productivity through resource sharing. This earliest connection of independent large-scale computer systems had just four nodes: the University of California at Los Angeles (UCLA), the University of California at Santa Barbara, Stanford Research Institute, and the University of Utah. Because of the inherent security in each leased-line interconnected node, and the physically protected mainframe computer rooms, there was no apparent concern for security issues. It was this simple network, with no thought of security designed in, from which evolved today’s ubiquitous Internet and the World Wide Web (WWW), with their vast potential for security abuses.


1.2.12 Further Security Considerations. With the proliferation of remote terminals on commercial computers, physical control over access to the computer room was no longer sufficient. In response to the new vulnerabilities, logical access control systems were developed. An access control system maintains an online table of authorized users. A typical user record would store the user’s name, telephone number, employee number, and information about the data the user was authorized to access and the programs the user was authorized to execute. A user might be allowed to view, add, modify, and delete data records in different combinations for different programs.

At the same time, system managers recognized the value of being able to recover from a disaster that destroyed hardware and data. Data centers began to make regular tape copies of online files and software for offsite storage. Data center managers also began to develop and implement offsite disaster recovery plans, often involving the use of commercial disaster-recovery facilities. Even with such a system in place, new vulnerabilities were recognized throughout the following years, and these are the subjects of much of this Handbook.

1.2.13 The First “Worm”. A prophetic science-fiction novel, The Shockwave Rider, by John Brunner8 (1975), depicted a “worm” that grew continuously throughout a computer network. The worm eventually exceeded a billion bits in length and became impossible to kill without destroying the network. Although actual worms (e.g., the Morris Worm of 1988) later became real-and-present menaces to all networked computers, prudent computer security personnel install constantly updated antimalware programs that effectively kill viruses and worms without having to kill the network.

1.2.14 1980s: Productivity Enhancements. The decade of the 1980s might well be termed the era of productivity enhancement. The installation of millions of personal computers in commercial, industrial, and government applications enhanced efficiency and functionality of vast numbers of users. These advances, which could have been achieved in no other way, were made at costs that virtually any business could afford.

1.2.15 1980s: The Personal Computer. In 1981, IBM introduced a general-purpose small computer it called the “Personal Computer.” That model and similar systems became known generically as PCs. Until then, small computers were produced by relatively unknown sources, but IBM, with its worldwide reputation, brought PCs into the mainstream. The fact that IBM had demonstrated a belief in the viability of PCs made them serious contenders for corporate use.

There were many variations on the basic Model 5100 PC, and sales expanded far beyond IBM’s estimates. The basic configuration used the Intel 8088, operating at 4.77 megaHertz, with up to two floppy disk drives, each of 160 kilobytes capacity and with a disk-based operating system (DOS) in an open architecture. This open OS architecture, with its available “hooks,” made possible the growth of independent software producers, the most important of which was the Microsoft Corporation, formed by Bill Gates and Paul Allen.

IBM had arranged for Gates and Allen to create the DOS operating system. Under the agreement, IBM would not reimburse Gates and Allen for their development costs; rather, all profits from the sale of DOS would accrue to them. IBM did not have an exclusive right to the operating system, and Microsoft began selling it to many other customers as MS-DOS. IBM initially included with its computer the VisiCalc spreadsheet program, but soon sales of Lotus 1-2-3 surpassed those of VisiCalc. The open architecture not only made it possible for many developers to produce software that would run on the PC, but also enabled anyone to put together purchased components into a computer that would compete with IBM’s PC. The rapid growth of compatible application programs, coupled with the ready availability of compatible hardware, soon resulted in sales of more than 1 million units. Many subsequent generations of the original hardware and software are still producing sales measured in millions every year.

Apple took a very different approach with its Macintosh computer. Where IBM’s system was wide open, Apple maintained tight control over any hardware or software designed to operate on the Macintosh so as to assure compatibility and ease of installation. The most important Apple innovations were the graphical user interface (GUI) and the mouse, both of which worked together to facilitate ease of use and both of which were derived from research and development at the Stanford Research Institute and the Xerox Palo Alto Research Institute in the 1960s and 1970s. Microsoft had attempted in 1985 to build these features into the Windows operating system, but early versions were generally rejected as slow, cumbersome, and unreliable. It was not until 1990 that Windows 3.0 overcame many of its problems and provided the foundation for later versions that were almost universally accepted.

1.2.16 Local Area Networks. During the 1980s, stand-alone desktop computers began to perform word processing, financial analysis, and graphic processing. Although this arrangement was much more convenient for end users than was a centralized facility, it was more difficult to share data with others.

As more powerful PCs were developed, it became practical to interconnect them so that their users could easily share data. These arrangements were commonly referred to as local area networks (LANs) because the hardware units were physically close, usually in the same building or office area. LANs have remained important to this day. Typically, a more powerful PC with a high storage capacity fixed9 disk was designated as the file server. Other PCs, referred to as workstations, were connected to the file server using network interface cards installed in the workstations with cables between these cards and the file server. Special network software installed on the file server and workstations made it possible for workstations to access defined portions of the file server fixed disk just as if these portions were installed on the workstations. Furthermore, these shared files could be backed up at the file server without depending on individual users. By 1997, it was estimated that worldwide there were more than 150 million PCs operating as LAN workstations. The most common network operating systems (NOS) were Novell NetWare and later Microsoft IE (Internet Explorer).

Most LANs were implemented using the Ethernet (IEEE 802.3) protocol.10 The server and workstations could be equipped with a modem (modulator/demodulator) connected to a dedicated telephone line. The modem enabled remote users, with a matching modem, to dial into the LAN and log on. This was a great convenience to LAN users who were traveling or working away from their offices, but such remote access created yet another new security issue. For the first time, computer systems were exposed in a major way to the outside world. From then on, it was possible to interact with a computer from virtually anywhere and from locations not under the same physical control as the computers themselves.

Typical NOS logical access control software provided for user IDs and passwords and selective authority to access file server data and program files. A workstation user logged on to the LAN by executing a log-in program resident on the file server.


The program prompted the user to enter an ID and password. If the log-in program concluded that the ID and password were valid, it consulted an access-control table to determine which data and programs the user might access. Access modes were defined as read-only, execute-only, create, modify (write or append), lock, and delete, with respect to individual files and groups of files. The LAN administrator maintained the access control table using a utility program. The effectiveness of the controls depended on the care taken by the administrator, and so, in some circumstances, controls could be weak. It was essential to protect the ID and password of the LAN administrator since, if they were compromised, the entire access-control system became vulnerable. Alert information system security officers noted that control over physical access to LAN servers was critical in maintaining the logical access controls. Intruders who could physically access a LAN server could easily restart the server using their own version of the NOS, completely bypassing the installed logical access controls.
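The log-in check and access-control table described in 1.2.12 and in the paragraph above, as an added Python example (not code from the Handbook or from any real NOS); the user IDs, file names and the salted PBKDF2 password hashing are assumptions:

```python
"""Toy model of the logical access-control system described in 1.2.12 and
1.2.16: a table of authorized users, a log-in check, and an access-control
table granting modes on files or file groups.  Constructed example; the
user names, file names and the hashing scheme are assumptions, not taken
from any real NOS."""
from dataclasses import dataclass, field
from enum import Flag, auto
from fnmatch import fnmatch
import hashlib
import hmac
import os


class Mode(Flag):
    """Access modes listed in the text; combinable with |."""
    READ = auto()      # read-only
    EXECUTE = auto()   # execute-only: may run but not read or copy the file
    CREATE = auto()
    MODIFY = auto()    # write or append
    LOCK = auto()
    DELETE = auto()

ALL_MODES = Mode.READ | Mode.EXECUTE | Mode.CREATE | Mode.MODIFY | Mode.LOCK | Mode.DELETE


@dataclass
class UserRecord:
    """One row of the online user table (fields from 1.2.12)."""
    user_id: str
    employee_number: str
    telephone: str
    salt: bytes
    pw_hash: bytes   # passwords are never stored in the clear


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccessControlTable:
    users: dict = field(default_factory=dict)   # user_id -> UserRecord
    rules: dict = field(default_factory=dict)   # user_id -> [(file pattern, Mode)]

    def add_user(self, user_id, employee_number, telephone, password):
        salt = os.urandom(16)
        self.users[user_id] = UserRecord(user_id, employee_number, telephone,
                                         salt, _hash_password(password, salt))

    def grant(self, user_id, pattern, modes: Mode):
        """A pattern such as 'PAYROLL/*.DAT' covers a group of files."""
        self.rules.setdefault(user_id, []).append((pattern, modes))

    def login(self, user_id, password) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            _hash_password(password, b"\0" * 16)   # same cost for unknown IDs
            return False
        return hmac.compare_digest(rec.pw_hash, _hash_password(password, rec.salt))

    def permitted(self, user_id, path) -> Mode:
        """Union of the modes granted by every rule whose pattern matches."""
        allowed = Mode(0)
        for pattern, modes in self.rules.get(user_id, []):
            if fnmatch(path, pattern):
                allowed |= modes
        return allowed

    def check(self, user_id, path, wanted: Mode) -> bool:
        """Default deny: every requested mode must have been granted."""
        return wanted in self.permitted(user_id, path)


def build_demo_table() -> AccessControlTable:
    """Constructed sample: a payroll clerk and the LAN administrator."""
    table = AccessControlTable()
    table.add_user("jdoe", "E1042", "555-0142", "correct horse battery")
    table.grant("jdoe", "PAYROLL/*.DAT", Mode.READ | Mode.MODIFY)
    table.grant("jdoe", "APPS/PAYROLL.EXE", Mode.EXECUTE)
    table.add_user("admin", "E0001", "555-0100", "ADMIN-PASSWORD-PLACEHOLDER")
    table.grant("admin", "*", ALL_MODES)
    return table


if __name__ == "__main__":
    t = build_demo_table()
    print("jdoe may modify PAYROLL/JAN.DAT:", t.check("jdoe", "PAYROLL/JAN.DAT", Mode.MODIFY))
    print("jdoe may delete PAYROLL/JAN.DAT:", t.check("jdoe", "PAYROLL/JAN.DAT", Mode.DELETE))
```

The clerk can run APPS/PAYROLL.EXE but not read it, which is what execute-only means in the list of modes; and the single `*` rule for the administrator shows in code the point the text makes about protecting the administrator's ID and password, since that one record unlocks every file covered by the table.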

Superficially, a LAN appears to be the same as a 1970s mainframe with remote dumb terminals. The difference technically is that each LAN workstation user is executing programs on the workstation, not on the centralized file server, while mainframe computers use special software and hardware to run many programs concurrently, one program for each terminal. To the user at a workstation or remote terminal, the two situations appear to be the same, but from a security standpoint, there are significant differences. The mainframe program software stays on the mainframe and cannot, under normal conditions, be altered during execution. A LAN program on a workstation can be altered, for example, by a computer virus, while actually executing. As a rule, mainframe remote terminals cannot download and save files, whereas workstations usually have at least a removable disk drive. Furthermore, a malicious workstation user can easily install a rewritable CD device, which makes it much easier to copy and take away large amounts of data.

Another important difference is the character of the connection between the computer and the terminals. Each dumb terminal has a dedicated connection to its mainframe and receives only that data that is directed to it. A LAN operates more like a set of radio transmitters sharing a common frequency on which the file server and the workstations take turns “broadcasting” messages. Each message includes a “header” block that identifies the intended recipient, but every node (the file server and the workstations) on a LAN receives all messages. Under normal circumstances, each node ignores messages not addressed to it. However, it is technically feasible for a workstation to run a modified version of the NOS that allows it to capture all messages. In this way, a workstation could identify all log-in messages and record the user IDs and passwords of all other users on the LAN, giving it complete access to all of the LAN’s data and facilities.

Mainframe and LAN security also differ greatly in the operating environment. As noted, the typical mainframe is installed in a separate room and is managed by a staff of skilled technicians. The typical LAN file server, on the other hand, is installed in ordinary office space and is managed by a part-time, remotely located LAN administrator who may not be adequately trained. Consequently, the typical LAN has a higher exposure to tampering, sabotage, and theft. However, if the typical mainframe is disabled by an accident, fire, sabotage, or any other security incident, many business functions will be interrupted, whereas the loss of a LAN file server usually disrupts only a single function.

1.2.17 1990s: Interconnection. The Usenet evolved in the early 1980s as a free system for posting and retrieving news and commentary from participants—an early form of disintermediation, since there were no controlling authorities to limit speech. Newsgroups developed on every conceivable topic, reaching tens of thousands of discussion areas within a few years. Computer enthusiasts and criminal hackers took to Usenet as an ideal channel for exchanging code, including details of hacks.

The commercial equivalents of the Usenet were the value-added networks (VANs) such as America On Line (AOL), CompuServe, and Prodigy. These services provided modems for telephone access, email, and facilities for defining discussion groups. Fees varied from hourly to monthly.

1.2.18 1990s: Total Interconnection. With the growing popularity of LANs, the technologies for interconnecting them emerged. These networks of physically interconnected local area networks were called wide area networks, or WANs. Any node on a LAN could access every node on any other interconnected LAN, and in some configurations, those nodes might also be given access to mainframe and minicomputer files and to processing capabilities.

1.2.19 Telecommuting. Once the WAN technology was in place, it became feasible to link LANs together by means of telecommunications circuits. It had been expensive to do this with the low-speed, online systems of the 1970s because all data had to be transmitted over the network. Now, since processing and most data used by a workstation were on its local LAN, a WAN network was much less expensive. Low-traffic LANs were linked using dial-up access for minimum costs, while major LANs were linked with high-speed dedicated circuits for better performance. Apart from dial-up access, all network traffic typically flowed over nonswitched private networks. Of the two methods, dial-up communications were considerably more vulnerable to security violations, and they remain so to this day.

1.2.20 Internet and the World Wide Web. The Internet, which began life in 1969 as the Advanced Research Projects Agency Network (ARPANET), slowly emerged onto the general computing scene during the 1980s. Initially, access to the Internet was restricted to U.S. Government agencies and their contractors. ARPANET users introduced the concept of email as a convenient way to communicate and exchange documents. Then, in 1989–1990, Sir Tim Berners-Lee conceived of the World Wide Web and the Web browser. This one concept produced a profound change in the Internet, greatly expanding its utility and creating an irresistible demand for access. During the 1990s, the U.S. Government relinquished its control, and the Internet became the gigantic, no-one-is-in-charge network of networks it is today. The explosive growth in participation in the global Internet is generally viewed as having started with the opening up of the .COM top-level domain to general use in 1993.

The Internet offers several important advantages: The cost is relatively low, connections are available locally in most industrialized countries, and by adopting the Internet protocol, TCP/IP, any computer becomes instantly compatible with all other Internet users.

The World Wide Web technology made it easy for anyone to access remote data. Almost overnight, the Internet became the key to global networking. Internet service providers (ISPs) operate Internet-compatible computers with both dial-up and dedicated access. A computer may access an ISP directly as a stand-alone ISP client or via a gateway from a LAN or WAN. A large ISP may offer dial-up access at many locations, sometimes called points of presence or POPs, interconnected by its own network. ISPs establish links with one another through the national access points (NAPs) initially set up by the National Science Foundation. With this “backbone” in place, any node with access can communicate with another node, connected to a different ISP, located half way around the globe, without making prior arrangements.

The unrestricted access provided by the Internet created new opportunities for organizations to communicate with clients. A company can implement a Web server with a full-time connection to an ISP and open the Web server, and the WWW pages it hosts, to the public. A potential customer can access a Website, download product information and software updates, ask questions, and even order products. Commercial Websites, as they evolved from static “brochure-ware” to online shopping centers, stock brokerages, and travel agencies, to name just a few of the uses, became known as e-businesses.

1.2.21 Virtualization and the Cloud. As far back as the late 1960s, software was available to create encapsulated versions of an operating system on mainframe computers. Users interacted with what appeared to be their own, private mainframe environment. By the late 1980s, vendors created simulations of operating environments that could run under different operating systems (e.g., one could run DOS programs on UNIX machines). The trend continued throughout the succeeding years so that it is commonplace now to run programs under hypervisors that simulate complete or functionally limited versions of required operating systems on shared hardware.11

Today it is possible to provide users with instances of an operating environment on shared hardware, often at a distance, so that incremental increases in requirements can be satisfied at modest costs instead of having to purchase large-scale improvements in the hardware infrastructure. The situation is similar to what service bureaus offered in the decades when mainframe time-sharing was popular.

Another development in the last decade has been the availability of cloud computing, which refers to computer services, including storage (see Chapters 36 and 68), software as a service (SAAS), and infrastructure or platform as a service (IAAS and PAAS). See Chapter 68 for more details of managing and securing cloud computing.

1.2.22 Supervisory Control and Data Acquisition. The use of computers to control production of goods and services through supervisory control and data acquisition (SCADA) software and hardware has been growing throughout the four decades since this Handbook was first published in 1973. SCADA systems for critical infrastructure have been of great concern because contrary to initial design specifications, many of them have been connected to the general Internet, opening the systems they govern to subversion. For more about SCADA in information warfare, see Chapter 14 in this Handbook.

1.3 GOVERNMENT RECOGNITION OF INFORMATION ASSURANCE. Certain major events in the history of information assurance (IA) center on government initiatives. In particular, IA has been strongly influenced by the development of security standards starting in the 1980s, by the publication of the landmark publication Computers and Risk in 1991, and by the establishment of the InfraGard program in the late 1990s for protection of the U.S. critical infrastructure.

1.3.1 IA Standards. In the late 1970s, the U.S. Department of Defense “established a Computer Security Initiative to foster the wide-spread availability of trusted computer systems.”12 The author of the initial report that later became the Trusted Computer Systems Evaluation Criteria (TCSEC), DoD Standard 5200.28, wrote,

Trusted computer systems are operating systems capable of preventing users from accessing more information than that to which they are authorized. Such systems are in great demand as more processing is entrusted to computers, while less information should be shared by all the system’s users. With this demand comes a need to ascertain the integrity of computer systems on the market …

The TCSEC was issued with a bright orange cover and became known as the “Orange Book.” Under the direction of National Computer Security Center (NCSC) director Patrick Gallagher and others, the National Security Agency (NSA) issued a “Rainbow Series” of books that profoundly affected the direction of IA in the USA and globally.13

The Rainbow Series led to similar efforts in other countries, culminating in the Common Criteria Evaluation and Validation Scheme (CCEVS), which has become the international standard for defining security levels for systems and software and for determining acceptable methods for testing and certifying system compliance with such standards.14

For details of the evolution of security standards, see Chapter 51 in this Handbook.

1.3.2 Computers at Risk.15 In 1988, the Defense Advanced Research Projects Agency (DARPA) asked the Computer Science and Technology Board (renamed the Computer Science and Telecommunications Board of the NRC in 1990) for a study of computer and communications security issues affecting U.S. Government and industry. The NRC’s System Security Study Committee published its results in a readable and informative book, Computers at Risk: Safe Computing in the Information Age.16

The Committee included experts with impeccable credentials, including executives from major computer vendors such as HP, DEC, and IBM; from high-technology companies such as Shearson Lehman Hutton Inc. and Rockwell International; universities such as Harvard and MIT; and think tanks like the RAND Corporation.

A public misconception is the supposed divergence in focus of the military and of commerce: The military is usually described as concerned with external threats and the problem of disclosure, whereas businesses are said to worry more about insider threats to data integrity. On the contrary, the military and commerce need to protect data in similar ways. The differences arise primarily from (1) the sophistication and resources available to governments that try to crack foreign military systems; (2) the relatively strong military emphasis on prevention compared with commercial need for proof that can be used in legal proceedings; and (3) the availability to the military of deep background checks on personnel, contrasted with the limits imposed on the invasion of privacy in the commercial sector.

Some of the more interesting points raised by the NRC Committee assert that:

• Because of the rapid and discontinuous pace of innovation in the computer field, “with respect to computer security, the past is not a good predictor of the future”;

• Embedded systems (those where the microprocessor is not accessible to reprogramming by the user; e.g., medical imaging systems) open us to greater risks from inadequate quality assurance (e.g., a software bug in a Therac 25 linear accelerator killed three patients by irradiating them with more than 100 times the intended radiation dosage);


• Networking makes it possible to harm many more systems: “Interconnection gives an almost ecological flavor to security; it creates dependencies that can harm as well as benefit the community …”

The Committee proposed major recommendations, summarized as follows:

1. Push for implementation of generally accepted system security principles including:

• Quality assurance standards that address security considerations;

• Access control for operations as well as data (e.g., any of the menu systems which preclude access to the operating system);

• Unambiguous user identification (ID) and authentication (e.g., personal profiles and hand-held password generators);

• Protection of executable code (e.g., flags to show that certain object modules are “production” or “installed” and thus apply strict access control that would prevent unauthorized modification—as found in configuration control systems);

• Security logging (e.g., logging failed file-open attempts and logon password violations);

• Assigning a security administrator to each enterprise;

• Data encryption;

• Operational support tools for verifying the state and effectiveness of security measures (e.g., audit tools);

• Independent audits of system security by people not directly involved in programming or system management of the audited system;

• Hazard analysis evaluating threats to safety from different malfunctions and breaches of security (e.g., consequences of tampering with patient data in hospitals).

2. Take specific short-term actions now:

• Develop security policies for your organization before there’s a problem;

• Form and train computer emergency response teams before a crisis to respond to security violations or attacks;

• Use the Orange Book’s (TCSEC, from the National Computer Security Center’s Rainbow series) C2 and B1 criteria to define guidelines on security;

• Improve software systems development by applying better quality-assurance methods;

• Contribute to voluntary industry groups developing modern security standards and implement those standards in commercial software;

• Make effective security the default in software and hardware (make the user explicitly disable security instead of having to enable it).

3. Learn and teach about security:

• Build a repository of incident data;

• Foster education in engineering secure systems, both by encouraging universities to provide postgraduate training in security and by urging industry to include security training as part of software engineering projects;


• Teach beginners about security and ethics in computer usage and programming (e.g., the NCSA is working on a research and development project to study beliefs, attitudes, and behavior about ethical issues in computing in grade and high schools, colleges, and universities).

4. Clarify export control criteria and set up a forum for arbitration (hardware and software vendors have been complaining for years that the arbitrary imposition of severe export restrictions hampers American competitiveness in overseas markets without materially helping national security).

5. Fund and pursue needed research in such areas as:

• Security modularity: the effects on security of combining modules with known security properties;

• Security policy models: more subtle requirements like integrity and availability are still not easily represented by control structures;

• Cost estimation: there should be better ways of measuring the costs and benefits of security mechanisms in particular applications;

• New technology: networking, in particular, leads to greater complexity (e.g., how to connect “mutually suspicious organizations”);

• Quality assurance for security: how to measure effectiveness;

• Modeling tools: standards for graphical representations of security relationships analogous to the diagrams used in functional decomposition and object-oriented methodologies for program design;

• Automated procedures: audit and monitoring tools for the data center management team;

• Nonrepudiation: combining the need for detailed records of user actions with the values of privacy;

• Resource control: how to ensure that proprietary software and data are used legitimately (e.g., preventing more than the licensed number of users from accessing a system, preventing software theft);

• Security perimeters: how to reconcile the desire for network interconnection with limitations due to security requirements (“If, for example, a network permits mail but not directory services … less mail may be sent because no capability exists to look up the address of a recipient”).

Chapter 2 of the NRC report, Concepts of Information Security, is a 25-page primer on information systems security that could be handed to any manager who needs to be filled in on why you propose to spend so much money protecting the computer systems. The authors cover the fundamental aspects of information security (confidentiality, integrity, and availability); management controls (individual accountability, auditing, and separation of duties); risks (probabilities of attack or damage) and vulnerabilities (weak points); and privacy issues. In Appendix 2.2, the authors report an informal survey in April 1989 of 30 private companies in a variety of fields. The consensus among those polled included the following basic standards for information systems security (show these to your upper management if necessary):

• Unique IDs, block access after a maximum number of incorrect logon attempts, show last successful access at logon time, make passwords and IDs expire;

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.


• Disallow embedded passwords during logon, make passwords invisible during entry, force minimum length (6), store passwords encrypted, scan proposed passwords to eliminate easy words;

• Permit strict control over file access;

• Detect and interdict viruses, certify software as virus-free, provide data encryption, overwrite deleted files to prevent recovery, force tight binding of production data to production programs;

• Automated time-out for inactive sessions, unique identification of terminals and workstations during logon;

• Network security monitoring, modem locking, callback, automatic data encryption during transmission;

• Audit trails, including security violations;

• Generally applicable security standards that could be used by vendors and users to evaluate different equipment and software for specific environments.
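The account-control items in the 1989 consensus (unique IDs, lockout after a maximum number of incorrect logon attempts, display of the last successful access, expiry, a 6-character minimum, rejection of easy words, protected password storage) can be written down as one small policy module. The block below is an added example, not code from the Handbook or the survey: the lockout threshold, expiry period and easy-word list are assumed values, and salted PBKDF2 hashing stands in for the survey's “store passwords encrypted”.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example. Thresholds and word list are assumed values, not survey figures.
MIN_LENGTH = 6                          # survey item: force minimum length (6)
MAX_FAILED_ATTEMPTS = 3                 # assumed lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed expiry period
# Constructed stand-in for a dictionary of easily guessed words.
EASY_WORDS = {"password", "secret", "letmein", "welcome", "qwerty", "123456"}


def check_password_rules(candidate: str) -> Optional[str]:
    """Scan a proposed password; return a rejection reason or None."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    lowered = candidate.lower()
    # Catch the easy word itself and the word with digits tacked on either end.
    if lowered in EASY_WORDS or lowered.strip("0123456789") in EASY_WORDS:
        return "matches an easily guessed word"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; stands in for the survey's 'store passwords encrypted'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    last_success: Optional[datetime] = None


@dataclass
class Directory:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def create(self, user_id: str, password: str, now: datetime) -> Account:
        if user_id in self.accounts:                 # survey item: unique IDs
            raise ValueError("user ID must be unique")
        reason = check_password_rules(password)
        if reason:
            raise ValueError(f"password rejected: {reason}")
        salt = os.urandom(16)
        acct = Account(user_id, salt, hash_password(password, salt), now)
        self.accounts[user_id] = acct
        return acct

    def logon(self, user_id: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct.locked:                  # blocked after too many bad attempts
            return "locked"
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        previous, acct.last_success = acct.last_success, now
        if now - acct.pw_set_at > PASSWORD_MAX_AGE:   # survey item: expiry
            return "password expired; change required"
        if previous is None:
            return "ok; first logon"
        # survey item: show the last successful access at logon time
        return f"ok; last successful access {previous:%Y-%m-%d %H:%M}"


def run_scenario() -> List[str]:
    """Constructed walk-through of the checks against one directory."""
    d = Directory()
    t0 = datetime(2024, 1, 1, 9, 0)
    out: List[str] = []
    d.create("alice", "Tr0ub4dor&3", t0)
    try:
        d.create("alice", "An0therOne!", t0)       # duplicate ID is refused
    except ValueError as e:
        out.append(str(e))
    out.append(d.logon("alice", "wrong", t0))
    out.append(d.logon("alice", "Tr0ub4dor&3", t0 + timedelta(hours=1)))
    out.append(d.logon("alice", "Tr0ub4dor&3", t0 + timedelta(days=1)))
    for _ in range(MAX_FAILED_ATTEMPTS):            # third bad attempt locks
        out.append(d.logon("alice", "wrong", t0 + timedelta(days=2)))
    out.append(d.logon("alice", "Tr0ub4dor&3", t0 + timedelta(days=2)))
    d.create("bob", "Correct-Horse", t0)
    out.append(d.logon("bob", "Correct-Horse", t0 + timedelta(days=120)))
    out.append(d.logon("carol", "anything", t0))   # unknown ID
    return out
```

Items such as invisible password entry and modem callback are interface and hardware matters and are not represented here.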

Twenty years later, focus among information assurance experts has shifted beyond the technical to emphasize organizational controls. For example, the 2003 survey of members of the Information Systems Security Association included these information security function practices among the respondents:

• Access controls: 73%

• Written information security policy: 72%

• Compliance with existing laws and regulations: 66%

• Creation of organization and process to implement policy: 59%

• Awareness and training program: 57%

• Regular monitoring, reviewing, and auditing: 57%

• Business continuity planning: 57%

• Risk assessment and risk management: 56%

In 2007, Gary S. Miliefsky proposed the following seven priorities for corporate information security:

1. Policies

2. Awareness and training

3. Information security self-assessments

4. Regulatory compliance self-assessments

5. Corporate-wide encryption

6. Manage all corporate assets

7. Test Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)17

The Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology issued a draft reference model that included the following “programmatic, integration, and system security activities that are typically a part of an information security program”:

• Program Security Activities
  • Annual and Quarterly Review and Reporting of Information Security Program
  • Asset Inventory
  • Awareness and Specialized Security Training
  • Continuity of Operations
  • Incident Response
  • Periodic Testing and Evaluation
  • Plan of Action and Milestones
  • Policies and Procedures
  • Risk Management

• Integration Activities
  • Business Risk
  • Capital Planning and Investment Control (CPIC)
  • Configuration Management
  • Enterprise Architecture (EA)
  • Environmental Protection
  • Human Resources
  • Personnel Security
  • Physical Security
  • Privacy
  • Records Management
  • Strategic Plan
  • System Development Life Cycle (SDLC)

• System Security Activities
  • Categorize the Information System
  • Select Security Controls
  • Supplement Security Controls
  • Document Security Controls
  • Implement Security Controls
  • Assess Security Controls
  • Authorize the Information System
  • Monitor Security Controls

1.3.3 InfraGard.18 InfraGard is a nationwide program in the United States that brings together representatives from information technology departments in industry and academia for information sharing and analysis, especially to help protect critical infrastructure against cyberattacks and also to support the FBI in its cybercrime investigations and education projects.19


The organization started in the Cleveland Field Office of the FBI in 1996 and expanded rapidly; there are now over 11,000 members in over 40 chapters. Joining InfraGard is easy and free for U.S. citizens residing in the United States. Using the Website (www.infragard.org), you can locate a nearby local chapter (“Find Chapters”) and contact your chapter officers. You can get application forms online and then send them in to the FBI liaison officer for that chapter to be vetted for admission. The FBI conducts a background check to ensure that all members are likely to be trustworthy to participate in confidential discussions of threats and vulnerabilities. Chapters usually conduct regular local meetings and organize list-servers for exchange of information among members. Many have newsletters as well.

1.4 RECENT DEVELOPMENTS. In recent years, a key development has been the dramatic increase in availability of inexpensive portable data storage devices. At the time of writing (2013), flash drives the size of a lipstick or even of an antacid pill are available with capacities in the dozens of gigabytes for a few dollars. Such devices are available in a wide range of concealable formats such as pens, music players, watches, and (no joke) sushi. Pocket-sized hard disks and solid-state drives with capacities in the hundreds of gigabytes to terabytes are available for less than US$100. Digital cameras use storage cards that can be used for data transfers; mobile phones include cameras and recording capabilities. A 64 GB micro SD card for a phone costs about $50 and can hold 6,000 songs from iTunes—or the entire customer database being stolen by a disaffected soon-to-be-fired employee. Controlling data leakage through unauthorized connection of such devices has become a significant problem for security managers. Systems for restricting connection of devices and controlling data transfers to such storage media (data-loss prevention or DLP) are spreading through government and corporate environments (see Chapter 13 in this Handbook for a detailed discussion of DLP).

Another issue that increasingly concerns security managers is the protection of personally identifiable information (PII) from customers or data subjects. Many organizations including government agencies, banks, and universities have suffered serious damage from loss of control over PII and the risks of identity theft resulting from exposure of such sensitive data. Legislators are responding to public concern by increasing legal requirements for protection of PII. The use of encryption on mobile data systems such as laptop computers, personal digital assistants (PDAs), mobile phones, and integrated systems that combine many functions (e.g., BlackBerries) has become a necessity. See Chapter 69 in this Handbook for extensive discussion of protection of PII.

A consequence of the growing interconnectivity of storage and communications devices is that corporate networks are no longer insulated from less-secure systems. Users who connect poorly protected laptops (or other devices) to public networks such as hotel-supplied ISPs or wireless access points in coffee shops may return to their home offices with malware-infected systems that contaminate the entire network. Security managers are increasingly turning to integrated systems for controlling connectivity via virtual private networks and supervisory software that monitors and restricts unauthorized connections, software installations, and downloads.

Another growing issue is the increasing speed and persistence of attacks on systems and networks by state-sponsored and criminal organizations engaged in industrial espionage and fraud. See Chapters 2, 14, 15, and 46, among many others in this Handbook, for further discussion of the changing threat profile for today’s information systems.


1.5 ONGOING MISSION FOR INFORMATION SYSTEM SECURITY. There is no end in sight to the continuing proliferation of Internet nodes, to the variety of applications, to the number and value of online transactions, and, in fact, to the rapid integration of computers into virtually every facet of our existence. Nor will there be any restrictions as to time or place. With 24/7/365, always-on operation, and with global expansion even to relatively undeveloped lands, both the beneficial effects and the security violations can be expected to grow apace.

Convergence, which implies computers, televisions, cell phones, and other means of communication combined in one unit, together with continued growth of information technology, will lead to unexpected security risks. Distributed denial-of-service (DDoS) attacks, copyright infringement, child pornography, fraud, theft of identity, and industrial espionage are all ongoing security threats. So far, no perfect defensive measures have been developed.

The situation is currently (2013) changing from identifying vulnerabilities and preventing penetrations to identifying compromises and minimizing damage from long-lasting subversion of protection mechanisms. Situational awareness and rapid response are becoming increasingly important elements in long-term defenses of our information.

This Handbook provides a foundation for understanding and blunting both the existing vulnerabilities and those new threats that will inevitably arise in the future. Certainly, no one but the perpetrators could have foreseen the use of human-guided missiles to attack the World Trade Center. Besides its symbolic significance, the great concentration of resources within the WTC increased its attractiveness as a target. After 9/11, the importance of physical safety of personnel has become the dominant security issue, with disaster recovery of secondary, but still great, concern. This Handbook cannot foresee all possible future emergencies, but it does prescribe some preventative measures, and it does recommend procedures and resources for mitigation and remediation.

1.6 NOTES

1. Many technical specialists tend to use the term “security” to refer to logical access controls. A glance at the contents pages of this volume shows the much broader scope of information system security.

2. For further details, see, for example, www.cs.uiowa.edu/~jones/cards.

3. See http://ei.cs.uiowa.edu/~history/UNIVAC.Weston.html and inventors.about.com/library/weekly/aa062398.htm

4. It is notable that the IBM 1401 computer was so named because the initial model had 1,400 bytes of main memory. It was not long before memory size was raised to 8 kilobytes and then later to as much as 32 kilobytes. In 1980, the Series III minicomputer from Hewlett-Packard doubled its maximum memory from 1 megabyte to 2 megabytes at a cost of $64,000 (about $200,000 in 2008 dollars). This compares with today’s personal computers, typically equipped with no less than 512 megabytes and often a gigabyte or more.

5. The term “dumb” was used because the terminal had no internal storage or processing capability. It could only receive and display characters and accept and transmit keystrokes. Both the received characters and the transmitted ones were displayed on a cathode ray tube (CRT) much like a pre-color television screen. Consequently, these were also called “glass” terminals.


6. “Multiprocessing,” “multiprogramming,” and “multitasking” are terms that are used almost interchangeably today. Originally, multitasking implied that several modules or subroutines of a single program could execute together. Multiprogramming was designed to execute several different programs, and their subroutines, concurrently. Multiprocessing most often meant that two or more computers worked together to speed program execution by providing more resources.

7. Also known as ARPAnet and Arpanet.

8. First published in 1975; reissued by Mass Market Paperbacks in May 1990.

9. “Fixed,” in contrast with the removable disk packs common in large data centers.

10. See standards.ieee.org/getieee802/802.3.html

11. Sean P. Conroy, “History of Virtualization,” Everything VM, 2010. www.everythingvm.com/content/history-virtualization

12. G. H. Nibaldi, Proposed Technical Evaluation Criteria for Trusted Computer Systems. Publication M79-225 (Bedford, MA: MITRE Corporation, 1999).

13. For access to all the Rainbow Series documents, see www.fas.org/irp/nsa/rainbow.htm

14. The CCEVS Website has extensive documentation; see www.niap-ccevs.org

15. This section is reprinted with slight modifications by permission of the author from the original manuscript for M. E. Kabay, The NCSA Guide to Enterprise Security: Protecting Information Assets (New York: McGraw-Hill, 1996), Chapter 1, pp. 2–5.

16. National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, DC: National Academy Press, 1991). Available as searchable openbook at www.nap.edu/openbook.php?isbn=0309043883

17. G. S. Miliefsky, “The 7 Best Practices for Network Security in 2007,” NetworkWorld Website, 2007, www.networkworld.com/columnists/2007/011707miliefsky.html?t51hb

18. M. E. Kabay (2005). “InfraGard is not a Deodorant,” NetworkWorld Website, 2005, www.networkworld.com/newsletters/sec/2005/0905sec2.html

19. www.infragard.org


CHAPTER 2

HISTORY OF COMPUTER CRIME

M.E. Kabay

2.1 WHY STUDY HISTORICAL RECORDS? 2·2

2.2 OVERVIEW 2·2

2.3 1960S AND 1970S: SABOTAGE 2·3
  2.3.1 Direct Damage to Computer Centers 2·3
  2.3.2 1970–1972: Albert the Saboteur 2·4

2.4 IMPERSONATION 2·5
  2.4.1 1970: Jerry Neal Schneider 2·5
  2.4.2 1980–2003: Kevin Mitnick 2·5
  2.4.3 Credit Card Fraud 2·6
  2.4.4 Identity Theft Rises 2·7

2.5 PHONE PHREAKING 2·8
  2.5.1 2600 Hz 2·8
  2.5.2 1982–1991: Kevin Poulsen 2·8

2.6 DATA DIDDLING 2·9
  2.6.1 Equity Funding Fraud (1964–1973) 2·9
  2.6.2 1994: Vladimir Levin and the Citibank Heist 2·10

2.7 SALAMI FRAUD 2·10

2.8 LOGIC BOMBS 2·11

2.9 EXTORTION 2·12

2.10 TROJAN HORSES 2·12
  2.10.1 1988 Flu-Shot Hoax 2·12
  2.10.2 Scrambler, 12-Tricks, and PC Cyborg 2·12
  2.10.3 1994: Datacomp Hardware Trojan 2·13
  2.10.4 Keylogger Trojans 2·13
  2.10.5 Haephrati Trojan 2·14
  2.10.6 Hardware Trojans and Information Warfare 2·14

2.11 NOTORIOUS WORMS AND VIRUSES 2·15
  2.11.1 1970–1990: Early Malware Outbreaks 2·15
  2.11.2 December 1987: Christmas Tree Worm 2·16
  2.11.3 November 2, 1988: Morris Worm 2·16
  2.11.4 Malware in the 1990s 2·17
  2.11.5 March 1999: Melissa 2·18
  2.11.6 May 2000: I Love You 2·20
  2.11.7 July 2010: Stuxnet 2·20

2.12 SPAM 2·20
  2.12.1 1994: Green Card Lottery Spam 2·20
  2.12.2 Spam Goes Global 2·21

2.13 DENIAL OF SERVICE 2·21
  2.13.1 1996: Unamailer 2·21
  2.13.2 2000: MafiaBoy 2·22

2.14 HACKER UNDERGROUND 2·22
  2.14.1 1981: Chaos Computer Club 2·23
  2.14.2 1982: The 414s 2·23
  2.14.3 1984: Cult of the Dead Cow 2·23
  2.14.4 1984: 2600: The Hacker Quarterly 2·24
  2.14.5 1984: Legion of Doom 2·24
  2.14.6 1985: Phrack 2·25
  2.14.7 1989: Masters of Deception 2·25
  2.14.8 1990: Operation Sundevil 2·26
  2.14.9 1990: Steve Jackson Games 2·26
  2.14.10 1992: L0pht Heavy Industries 2·27
  2.14.11 2004: Shadowcrew 2·27
  2.14.12 Late 2000s: Russian Business Network (RBN) 2·27
  2.14.13 Anonymous 2·28
  2.14.14 2013: Unlimited Operations 2·28

2.15 INDUSTRIAL ESPIONAGE 2·29

2.16 CONCLUDING REMARKS 2·31

2.17 FURTHER READING 2·32

2.18 NOTES 2·33

2.1 WHY STUDY HISTORICAL RECORDS? Every field of study and expertise develops a common body of knowledge that distinguishes professionals from amateurs. One element of that body of knowledge is a shared history of significant events that have shaped the development of the field. Newcomers to the field benefit from learning the names and significant events associated with their field so that they can understand references from more senior people in the profession, and so that they can put new events and patterns into perspective. This chapter provides a brief overview of some of the more famous (or notorious) cases of computer crime (including those targeting computers and those mediated through computers) of the last four decades.1

2.2 OVERVIEW. This chapter illustrates several general trends from the 1960s through mid-2013:

• In the early decades of modern information technology (IT), computer crimes were largely committed by individual disgruntled and dishonest employees.

• Physical damage to computer systems was a prominent threat until the 1980s.

• Criminals often used authorized access to subvert security systems as they modified data for financial gain or destroyed data for revenge.

• Early attacks on telecommunications systems in the 1960s led to subversion of the long-distance phone systems for amusement and for theft of services.

• As telecommunications technology spread throughout the IT world, hobbyists with criminal tendencies learned to penetrate systems and networks.

• Programmers in the 1980s began writing malicious software, including self-replicating programs, to interfere with personal computers.

• As the Internet increased access to increasing numbers of systems worldwide, criminals used unauthorized access to poorly protected systems for vandalism, political action, and financial gain.

• As the 1990s progressed, financial crime using penetration and subversion of computer systems increased.

• The types of malware shifted during the 1990s, taking advantage of new vulnerabilities and dying out as operating systems were strengthened, only to succumb to new attack vectors.


• Illegitimate applications of email grew rapidly from the mid-1990s onward, generating torrents of unsolicited commercial and fraudulent email.

• Organized crime became increasingly involved in systematic penetration of financial systems and targeted fraud.

• Chinese government-supported civilian and military agents increasingly used computer-based industrial espionage to gain significant economic advantages over industry and commerce in North America and Europe.

2.3 1960s AND 1970s: SABOTAGE. Early computer crimes often involved physical damage to computer systems and subversion of the long-distance telephone networks.

2.3.1 Direct Damage to Computer Centers. In February 1969, the largest student riot in Canada was set off when police were called in to put an end to a student occupation of several floors of the Hall Building. The students had been protesting against a professor accused of racism, and when the police came in, a fire broke out and computer data and university property were destroyed. The damages totaled $2 million, and 97 people were arrested.2

Thomas Whiteside cataloged a litany of early physical attacks on computer systems in the 1960s and 1970s3:

1968 Olympia, WA: An IBM 1401 in the state is shot twice by a pistol-toting intruder

1970 University of Wisconsin: Bomb kills one and injures three people and destroys $16 million of computer data stored on site

1970 Fresno State College: Molotov cocktail causes $1 million damage to computer system

1970 New York University: Radical students place fire-bombs on top of Atomic Energy Commission computer in attempt to free a jailed Black Panther

1972 Johannesburg, South Africa: Municipal computer is dented by four bullets fired through a window

1972 New York: Magnetic core in Honeywell computer attacked by someone with a sharp instrument, causing $589,000 of damage

1973 Melbourne, Australia: Antiwar protesters shoot American firm’s computer with double-barreled shotgun

1974 Charlotte, NC: Charlotte Liberty Mutual Life Insurance Company computer is shot by a frustrated operator

1974 Dayton, OH: Wright Patterson Air Force Base: Four attempts are made to sabotage computers, including by magnets, loosened wires, and gouges in equipment

1977 Rome, Italy: Four terrorists pour gasoline on university computer and burn it to cinders

1978 Lompoc, CA: Vandenburg Air Force Base: A peace activist destroys an unused IBM 3031 using a hammer, a crowbar, a bolt cutter, and a cordless power drill as a protest against the NAVSTAR satellite navigation system, claiming it gives the United States a first-strike capability

The incidents of physical abuse of computer systems did not stop as other forms of computer crime increased. For example, in 2001, NewsScan editors4 summarized a report from Wired Magazine:

A survey by British PC maker Novatech, intended to take a lighthearted look at techno-glitches, instead revealed the darker side of computing. One in every four computers has been physically assaulted by its owner, according to the 4,200 respondents.5


In April 2003, the National Information Protection Center and Department of Homeland Security reported:

Nothing brings a network to a halt more easily and quickly than physical damage. Yet as data transmission becomes the lifeblood of Corporate America, most big companies haven’t performed due diligence to determine how damage-proof their data lifelines really are. Only 20 percent of midsize and large companies have seriously sussed out what happens to their data connections after they go beyond the company firewall, says Peter Salus of MatrixNetSystems, a network-optimization company based in Austin, TX.6

By the mid-2000s, concerns over the physical security of electronic voting systems had risen to public awareness. For example:

A cart of Diebold electronic voting machines was delivered today to the common room of this Berkeley, CA, boarding house, which will be a polling place on Tuesday’s primary election. The machines are on a cart which is wrapped in plastic wrap (the same as the stuff we use in the kitchen). A few cable locks (bicycle locks, it seems) provide the appearance of physical security, but they aren’t threaded through each machine. Moreover, someone fiddling with the cable locks, I am told, announced after less than a minute of fiddling that he had found the three-digit combination to be the same small integer repeated three times.7

2.3.2 1970–1972: Albert the Saboteur. One of the most instructive early cases of computer sabotage occurred at the National Farmers Union Service Corporation of Denver, where a Burroughs B3500 computer suffered 56 disk head crashes in the two years from 1970 to 1972. Downtime was as long as 24 hours per crash, with an average of 8 hours per incident. Burroughs experts were flown in from all over the United States at one time or another, and concluded that the crashes must be due to power fluctuations.

By the time all the equipment had been repaired and new wiring, motor generators, circuit breakers, and power-line monitors had been installed in the computer room, total expenditures for hardware and construction were over $500,000 (in 1970 dollars). Total expenses related to down time and lost business opportunities because of delays in providing management with timely information are not included in this figure. In any case, after all this expense, the crashes continued sporadically as before.

By this time, the experts were beginning to wonder about their analysis. For one thing, all the crashes had occurred at night. Could it be sabotage? Surely not! Old Albert, the night-shift operator, had been so helpful over all these years; he had unfailingly called in the crashes at once, gone out for coffee and donuts for the repair crews, and been meticulous in noting the exact times and conditions of each crash. However, all the crashes had in fact occurred on his shift.

Management installed a closed-circuit television (CCTV) camera in the computer room—without informing Albert. For some days, nothing happened. Then one night another crash occurred. On the CCTV monitor, security guards saw good ol’ Albert open up a disk cabinet and poke his car key into the read/write head solenoid, shorting it out and causing the 57th head crash.

The next morning, management confronted Albert with the film of his actions and asked for an explanation. Albert broke down in mingled shame and relief. He confessed to an overpowering urge to shut the computer down. Psychological investigation determined that Albert, who had been allowed to work night shifts for years without a change, had simply become lonely. He arrived just as everyone else was leaving; he left as everyone else was arriving. Hours and days would go by without the slightest human interaction. He never took courses, never participated in committees, never felt involved with others in his company. When the first head crashes occurred—spontaneously—he had been surprised and excited by the arrival of the repair crew. He had felt useful, bustling about, telling them what had happened. When the crashes had become less frequent, he had involuntarily, and almost unconsciously, re-created the friendly atmosphere of a crisis team. He had destroyed disk drives because he needed company.8

2.4 IMPERSONATION. Using the insignia and specialized language of officials as part of social engineering has a long history in crime; a dramatization of these techniques is in the popular movie Catch Me If You Can9 about Frank William Abagnale Jr., the teenage scammer and counterfeiter who pretended to be a pilot, a doctor, and a prosecutor before eventually becoming a major contributor to the U.S. Government’s anticounterfeiting efforts and then founding a major security firm.10

Several criminals involved in computer-mediated or computer-oriented crime became notorious for using impersonation.

2.4.1 1970: Jerry Neal Schneider. A notorious computer-related crime started in 1970, when teenager Jerry Neal Schneider used Dumpster® diving to retrieve printouts from the Pacific Telephone and Telegraph (PT&T) company in Los Angeles. After years of collection, he had enough knowledge of procedures that he was able to impersonate company personnel on the phone. He collected yet more detailed information on procedures. Posing as a freelance magazine writer, he even got a tour of the computerized warehouse and information about ordering procedures. In June 1971, he ordered $30,000 of equipment to be sent to a normal PT&T dropoff point—and promptly stole it and sold it. He eventually had a 6,000-square-foot warehouse and 10 employees. He stole over $1 million of equipment—and sold some of it back to PT&T. He was finally denounced by one of his own disgruntled employees and became a computer security consultant after his prison term.11

2.4.2 1980–2003: Kevin Mitnick. Born in 1963, Kevin Mitnick became involved in crime early, using a special punch for bus transfers to get free rides anywhere in the San Fernando Valley in California by the time he was a young teenager. His own autobiographical comments show him to have been involved in phone phreaking, malicious pranks, and breaking into computers at the Digital Equipment Corporation (DEC) using social engineering.12

In 1981, he and his friend Lewis De Payne used social engineering to gain unauthorized access to an operations center for Pacific Bell; “the juvenile court ordered a diagnostic psychological study of Mitnick and sentenced him to a year’s probation.”13

In 1987, he was arrested for breaking into the computers of the Santa Cruz Operation, makers of SCO UNIX, and sentenced to three years’ probation.

In the summer of 1988, Mitnick and his accomplice and friend Lenny DiCicco cracked the University of Southern California computers again and misappropriated hundreds of Mb of disk space (a lot at the time) to store VAX VMS source files stolen from Digital Equipment Corporation (DEC). Mitnick was arrested by the Federal Bureau of Investigation (FBI) for having stolen the VAX VMS source code. During his trial, he was described as suffering from an impulse-control disorder. In July 1989, he was sentenced to a year in jail and six months’ rehabilitation. He later tried to become a private investigator and security specialist. He was generally treated with hostility by the established information security community.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

2 · 6 HISTORY OF COMPUTER CRIME

In November 1992, Mitnick went underground again when the FBI got a warrant for his arrest on charges of stealing computer time from a phone company. He was located two years later when he made the mistake of leaving insulting messages on the computer and voicemail systems of a physicist and Internet security expert Tsutomu Shimomura. Shimomura was so irritated that he helped law enforcement authorities track the fugitive to North Carolina, where Mitnick was arrested in February 1995 and imprisoned pending trial.

Mitnick was convicted in federal court for the Central District of California on August 9, 1999, and sentenced to 46 months imprisonment for “four counts of wire fraud, two counts of computer fraud, and one count of illegally intercepting a wire communication.”14 Mitnick was previously sentenced by Judge Pfaelzer to an additional 22 months in prison, this for possessing cloned cellular phones when he was arrested in North Carolina in 1995, and for violating terms of his supervised release imposed after being convicted of an unrelated computer fraud in 1989. He admitted to violating the terms of supervised release by hacking into PacBell voicemail and other systems, and to associating with known computer hackers, in this case codefendant Louis De Payne. Following his release from prison in September 2000, Mitnick was to be on three years’ parole, during which his access to computers was restricted15 and his profits from writing or speaking about his criminal career were to be turned over to reimburse his victims.

Mitnick earned a living on the talk circuit and eventually founded his own security consulting firm. In the years since his release from prison, he has collaborated in writing several books on social engineering.16

Perhaps his most significant position in the history of computer crime is that he became an icon in the criminal underground. “FREE KEVIN” was a popular component of Web vandalism for many years, and Eric Corley, the longtime editor of the criminal-hacking publication 2600: The Hacker Quarterly, even made a movie, Freedom Downtime, about what the criminal underground describes as the grossly unfair treatment of Mitnick by the federal government and the news media.17

2.4.3 Credit Card Fraud. Credit at local businesses dates back into the undocumented past.18 In the United States, credit cards appeared in the mid-1920s when gasoline companies began issuing cards that were recognized at stations across the country.19 In 1950, Frank X. McNamara started the Diners Club, the first credit card company serving multiple types of businesses; the company began the practice of charging a percentage fee for each transaction and also charged its clients a membership fee.20 The VISA card evolved from the 1951 BankAmericard from the Bank of America, and a consortium of California banks established MasterCard shortly thereafter. American Express started its card program in 1958.

Card use rose and, unsurprisingly, credit card fraud was rampant. Mail theft also became widespread as unscrupulous individuals discovered that envelopes containing credit cards were just like envelopes full of cash. And there was little to stop card companies from sending out cards that customers had never asked for, were not expecting, and could not have known had been stolen, until the issuing company began demanding payment for the charges that had been run up. These crimes and other problems stemming from the relentless card-pushing by banks led directly to the passage of the Fair Credit Billing Act of 197421 as well as many other laws22 designed to protect the consumer.23

By the mid-1990s, credit card fraud was a rapidly growing problem for consumers and for law enforcement. A 1997 FBI report stated:

Around the world, bank card fraud losses to Visa and Master-Card alone have increased from $110 million in 1980 to an estimated $1.63 billion in 1995 … . The United States has suffered the bulk of these losses—approximately $875 million for 1995 alone. This is not surprising because 71 percent of all worldwide revolving credit cards in circulation were issued in this country … . Law enforcement authorities continually confront new and complex schemes involving credit card frauds committed against financial institutions and bank card companies. Perpetrators run the gamut from individuals with easy access to credit card information—such as credit agency officials, airline baggage handlers, and mail carriers, both public and private, to organized groups, usually from similar ethnic backgrounds, involved in large-scale card theft, manipulation, and counterfeiting activities. Although current bank card fraud operations are numerous and varied, several schemes account for the majority of the industry’s losses by taking advantage of dated technology, customer negligence, and laws peculiar to the industry.24

2.4.4 Identity Theft Rises. By the late 1990s and in the decade following the year 2000, credit card fraud was subsumed into the broader category of identity theft. Instead of limiting their depredations to running up bills on stolen or forged credit card accounts, thieves, often in organized rings, created entire bogus parallel identities, initiating unpaid bank loans, buying cars with other people’s credit, and wreaking havoc with innocent victims’ credit ratings, financial situations, and even their daily life. Victims of extreme cases lost their ability to obtain mortgages, buy new homes, and accept new jobs. Worse, the burden of proof of innocence fell on the victims, in a bitter reversal of the assumption of innocence underlying British common law and its offshoot in the commonwealth and the United States.

In August 2008, the U.S. Department of Justice announced25 the single largest and most complex case of identity theft ever charged in this country. It involved eleven people from five different countries, including two from the United States and two from the People’s Republic of China, who had stolen more than 40,000,000 credit card records from a major U.S. retailer. They drove by, or loitered at, buildings in which wireless networks were housed, and installed sniffers that recorded passwords, card numbers, and account data. Unless adequate preventative measures are installed quickly, more such horrendous events will be sure to occur. For more on wireless network security, see Chapter 33 in this Handbook.

The 2011 report from the U.S. Bureau of Justice Statistics, Identity Theft Reported by Households, 2005–2010 provides additional details. The abstract includes these highlights:

• In 2010, 7.0 percent of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced one or more types of identity theft victimization.

• Among households in which at least one member experienced one or more types of identity theft, 64.1 percent experienced the misuse or attempted misuse of an existing credit card account in 2010.

• From 2005 to 2010, the percentage of all households with one or more type of identity theft that suffered no direct financial loss increased from 18.5 percent to 23.7 percent.26

A report from Javelin Strategy & Research covering identity fraud in 2012 included the following observation in the overview: “Identity fraud incidence increased in 2012 for the second consecutive year, affecting 5.26% of U.S. adults. This increase was driven by dramatic jumps in the two most severe fraud types, new account fraud (NAF) and account takeover fraud (ATF).”27

2.5 PHONE PHREAKING. Even in the earliest days of telephony, teenage boys played with the new technology to cause havoc. In the late 1870s, the new AT&T system in America had to stop using teenagers as switchboard operators:

The boys were openly rude to customers. They talked back to subscribers, saucing off, uttering facetious remarks, and generally giving lip. The rascals took Saint Patrick’s Day off without permission. And worst of all they played clever tricks with the switchboard plugs: disconnecting calls, crossing lines so that customers found themselves talking to strangers, and so forth.

This combination of power, technical mastery, and effective anonymity seemed to act like catnip on teenage boys.28

2.5.1 2600 Hz. In the late 1950s, AT&T began switching its telephone networks to direct-dial long distance, using specific frequency tones to communicate among its switches. Around 1957, a blind seven-year-old child named Josef Engressia with perfect pitch and an emotional fixation on telephones learned to whistle the 2600-Hz pitch that interrupted long-distance telephone calls and allowed him to place a free long-distance call to anywhere in the world.29 This emotionally disturbed person eventually renamed himself “Joybubbles” and is often described as the founder of phone phreaking—the manipulation of the phone system for unauthorized access to services.

John Draper was in the U.S. Air Force in 1964 when he began helping his colleagues place free phone calls. At the suggestion of Joybubbles, he used the whistles in Cap’n Crunch cereal boxes to generate the 2600-Hz tone and then, calling himself Captain Crunch, went on to create electronic tone synthesizers called blue boxes.30 In the 1970s, Apple founders Steve Wozniak and Steve Jobs built blue boxes and, using the devices, perpetrated such pranks as calling the Vatican while pretending to be Henry Kissinger.31

A significant contributor to the growth of phreaking in the 1970s was the publication in 1971 of an article about phreaking in Esquire Magazine, which attracted the attention of many young technophiles.32

2.5.2 1982–1991: Kevin Poulsen. As the phone system shifted to greater reliance on computers, the border between phreaking and hacking began to blur. One of the important names from the 1980s period of fascination with everything phone-related was Kevin Poulsen.

Kevin Poulsen’s autobiographical sketch is shown next.

Kevin Poulsen first gained notoriety in 1982, when the Los Angeles County District Attorney’s Office raided him for gaining unauthorized access to a dozen computers on the ARPANET, the forerunner of the modern Internet. Seventeen years old at the time, he was not charged, and went on to work as a programmer and computer security supervisor for SRI International in Menlo Park, California, then as a network administrator at Sun Microsystems.

In 1987, Pacific Bell security agents discovered that Poulsen and his friends had been penetrating telephone company computers and buildings. After learning that Poulsen had also worked for a defense contractor where he’d held a SECRET level security clearance, the FBI began building an espionage case against the hacker.

Confronted with the prospect of being held without bail, Poulsen became a fugitive. While on the run, he obtained information on the FBI’s electronic surveillance methods, and supported himself by hacking into Pacific Bell computers to cheat at radio-station phone-in contests, winning a vacation to Hawaii and a Porsche 944-S2 Cabriolet in the process.

After surviving two appearances on NBC’s Unsolved Mysteries, Poulsen was finally captured on April 10th, 1991, in a Van Nuys grocery store, by a Pacific Bell security agent acting on an informant’s tip. On December 4th, 1992, Poulsen became the first hacker to be indicted under U.S. espionage laws when the Justice Department charged him with stealing classified information. (18 U.S.C. 793).

Poulsen was held without bail while he vigorously fought the espionage charge. The charge was dismissed on March 18th, 1996.

Poulsen served five years, two months, on a 71-month sentence for the crimes he committed as a fugitive, and the phone hacking that began his case. He was freed June 4th, 1996, and began a three-year period of supervised release, barred from owning a computer for the first year, and banned from the Internet for the next year and a half.

Since his release, Poulsen has appeared on MSNBC, and on ABC’s Nightline, and he was the subject of Jon Littman’s flawed book, “The Watchman—the Twisted Life and Crimes of Serial Hacker Kevin Poulsen.” His case has earned mention in several computer security and infowar tracts—most of which still report that he broke into military computers and stole classified documents.33

After his release from prison, Kevin Poulsen turned to journalism. He became an editor for SecurityFocus and then was hired as a senior editor at Wired News. He is a serious investigative reporter (e.g., he broke the story of sexual predators in MySpace)34 and a frequent contributor to the “Threat Level” blog.35

2.6 DATA DIDDLING. One of the most common forms of computer crime since the start of electronic data processing is data diddling—illegal or unauthorized data alteration. These changes can occur before and during data input, or before output. Data-diddling cases have included bank records, payrolls, inventory data, credit records, school transcripts, telephone switch configurations, and virtually all other applications of data processing.

2.6.1 Equity Funding Fraud (1964–1973). One of the classic early data-diddling frauds was the Equity Funding case, which began with computer problems at the Equity Funding Corporation of America, a publicly traded and highly successful firm with a bright idea. The idea was that investors would buy insurance policies from the company and also invest in mutual funds at the same time, with profits to be redistributed to clients and to stockholders. Through the late 1960s, Equity’s shares rose dizzyingly in price, and there were news magazine stories about this wunderkind of the Los Angeles business community.

The computer problems occurred just before the close of the financial year in 1964. An annual report was about to be printed, yet the final figures simply could not be extracted from the mainframe. In despair, the head of data processing told the president the bad news; the report would have to be delayed. Nonsense, said the president expansively (in the movie, anyway); simply make up the bottom line to show about $10 million in profits and calculate the other figures so it would come out that way. With trepidation, the DP chief obliged. He seemed to rationalize it with the thought that it was just a temporary expedient, and could be put to rights later in the real financial books.

The expected profit did not materialize, and some months later, it occurred to the executives at Equity that they could keep the stock price high by manufacturing false insurance policies that would make the company look good to investors. They therefore began inserting false information about nonexistent policyholders into the computerized records used to calculate the financial health of Equity.

In time, Equity’s corporate staff got even greedier. Not content with jacking up the price of their stock, they decided to sell the policies to other insurance companies via the redistribution system known as reinsurance. Reinsurance companies pay money for policies they buy and spread the risk by selling parts of the liability to other insurance companies. At the end of the first year, the issuing insurance companies have to pay the reinsurers part of the premiums paid in by the policyholders. So in the first year, selling imaginary policies to the reinsurers brought in large amounts of real cash. However, when the premiums came due, the Equity crew “killed” imaginary policyholders with heart attacks, car accidents, and, in one memorable case, cancer of the uterus—in a male imaginary policyholder.

By late 1972, the head of DP calculated that by the end of the decade, at this rate, Equity Funding would have insured the entire population of the world. Its assets would surpass the gross national product of the planet. The president merely insisted that this showed how well the company was doing.

The scheme fell apart when an angry operator who had to work overtime told the authorities about shenanigans at Equity. Rumors spread throughout Wall Street and the insurance industry. Within days, the Securities and Exchange Commission had informed the California Insurance Department that they had received information about the ultimate form of data diddling: Tapes were being erased. The officers of the company were arrested, tried, and condemned to prison terms.36

2.6.2 1994: Vladimir Levin and the Citibank Heist. In February 1998, Vladimir Levin was sentenced to three years in prison by a court in New York City. Levin masterminded a major conspiracy in 1994 in which the gang illegally transferred $12 million in assets from Citibank to a number of international bank accounts. The crime was spotted after the first $400,000 was stolen in July 1994, and Citibank cooperated with the FBI and Interpol to track down the criminals. Levin was ordered to pay back $240,000, the amount he actually managed to withdraw before he was arrested.37 The incident led to Citibank’s hiring of Stephen R. Katz as the banking industry’s first chief information security officer (CISO).

2.7 SALAMI FRAUD. In the salami technique, criminals steal money or resources a bit at a time. Two different etymologies are circulating about the origins of this term. One school of security specialists claims that it refers to slicing the data thin—like a salami. Others argue that it means building up a significant object or amount from tiny scraps—like a salami.

There were documented cases of salami frauds in the 1970s and 1980s, but one of the more striking incidents came to light in January 1993, when four executives of a Value Rent-a-Car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique. The federal grand jury in Fort Lauderdale claimed that the defendants modified a computer billing program to add five extra gallons to the actual gas tank capacity of their vehicles. From 1988 through 1991, every customer who returned a car without topping it off ended up paying inflated rates for an inflated total of gasoline. The thefts ranged from $2 to $15 per customer—rather thick slices of salami but nonetheless difficult for the victims to detect.

Unfortunately, salami attacks are designed to be difficult to detect. The only hope is that random audits, especially of financial data, will pick up a pattern of discrepancies and lead to discovery. As any accountant will warn, even a tiny error must be tracked down, since it may indicate a much larger problem. For example, Cliff Stoll’s famous adventures tracking down spies in the Internet began with an unexplained $0.75 discrepancy between two different resource accounting systems on UNIX computers at the Keck Observatory of the Lawrence Berkeley Laboratories. Stoll’s determination to understand how the problem could have occurred revealed an unknown user; investigation led to the discovery that resource-accounting records were being modified to remove evidence of system use. The rest of the story is told in Clifford Stoll’s book The Cuckoo’s Egg.
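The audit check that catches a fraud like the rental-car case is a comparison of what the billing program charged against an independent record of what was actually dispensed. The following is an added example for this chapter (not code from the Handbook or from the case); the rental records, the pump-log figures and the 5-gallon pattern are constructed, and the 80 percent threshold for calling a pattern "systematic" is an assumption of the example.

```python
"""Audit check for a salami-style billing fraud.

Constructed example: each rental return record carries the gallons the
billing system charged the customer for and the gallons the lot's own
pump actually dispensed to refill the car. A billing program that
silently adds a fixed amount to every charge shows up as a small,
same-sign discrepancy on nearly every record, which is the "pattern of
discrepancies" a random audit is looking for.
"""
from statistics import median

# Constructed sample records: (rental_id, billed_gallons, pumped_gallons).
# The first six mimic a billing program that adds 5 gallons to every
# refuel; the last is an honest record for contrast.
SAMPLE_RETURNS = [
    ("R-1001", 13.0, 8.0),
    ("R-1002", 9.5, 4.5),
    ("R-1003", 16.2, 11.2),
    ("R-1004", 7.0, 2.0),
    ("R-1005", 12.4, 7.4),
    ("R-1006", 10.1, 5.1),
    ("R-1007", 6.0, 6.0),
]


def billing_discrepancies(records):
    """Return {rental_id: billed - pumped} for every overbilled record.

    Differences below 0.01 gallon are treated as pump rounding, not fraud.
    """
    return {
        rental_id: round(billed - pumped, 2)
        for rental_id, billed, pumped in records
        if billed - pumped > 0.01
    }


def audit_fuel_billing(records, price_per_gallon, min_fraction=0.8):
    """Summarise the discrepancies and flag a systematic overcharge.

    A single overbilled record could be a pump misread; a pattern in which
    most records are overbilled by a similar amount points at the billing
    program itself. `min_fraction` (an assumed threshold) is the share of
    overbilled records above which the pattern is reported as systematic.
    """
    diffs = billing_discrepancies(records)
    fraction = len(diffs) / len(records) if records else 0.0
    typical_extra = median(diffs.values()) if diffs else 0.0
    total_overcharge = round(sum(diffs.values()) * price_per_gallon, 2)
    return {
        "records": len(records),
        "overbilled": len(diffs),
        "fraction_overbilled": round(fraction, 3),
        "typical_extra_gallons": typical_extra,
        "total_overcharge_usd": total_overcharge,
        "systematic": fraction >= min_fraction,
    }


if __name__ == "__main__":
    # With the constructed data: 6 of 7 records overbilled by 5.0 gallons,
    # $60.00 in total at $2.00 per gallon, flagged as systematic.
    print(audit_fuel_billing(SAMPLE_RETURNS, price_per_gallon=2.00))
```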

2.8 LOGIC BOMBS. A logic bomb is a program that has deliberately been written or modified to produce results when certain conditions are met that are unexpected and unauthorized by legitimate users or owners of the software. Logic bombs may be within standalone programs, or they may be part of worms (programs that hide their existence and spread copies of themselves within computer systems and through networks) or viruses (programs or code segments which hide within other programs and spread copies of themselves).

Time bombs are a subclass of logic bombs that “explode” at a certain time. According to a National Security Council employee, the United States Government

authorized insertion of a time bomb in software to control the Trans-Siberian natural gas pipeline that they knew would be stolen from U.S. sources by the Soviet government. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” said Thomas C. Reed.38

The infamous Jerusalem virus (also known as the Friday the 13th virus) of 1988 was a time bomb. It duplicated itself every Friday and on the thirteenth of the month, causing system slowdown; on every Friday the 13th after May 13, 1988, it also corrupted all available disks on the infected systems.

Other examples of notorious time bombs include:

• A common PC virus from the 1980s, Cascade, made all the characters fall to the last row of the display during the last three months of every year.

• The Michelangelo virus of 1992 was designed to damage hard disk directories on the sixth of March every year.

• In 1992, computer programmer Michael Lauffenburger was fined $5,000 for leaving a logic bomb at General Dynamics. His intention was to return after his program had erased critical data and be paid to fix the problem.39

The most famous time bomb of recent years was the Y2K (year 2000) problem. In brief, old programs used two-digit year codes that were based on the assumption that they applied to the twentieth century. As the twenty-first century approached, analysts warned of catastrophic consequences if the programs were not corrected to use four-digit years or otherwise adapt to the change of century.40 In the event, the corrective measures worked and there were no disasters. Later analysis showed a positive correlation between investments in Y2K remediation and later profitability.41
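An added illustration of the two-digit-year defect and its remediation (example code, not from the Handbook): the legacy function shows why arithmetic on two-digit years breaks at the century boundary, and the two fixes correspond to "use four-digit years" and "otherwise adapt". The pivot value of 50 for the windowing fix and the fixed-width record layout in expand_record are assumptions of the example.

```python
"""Two-digit year arithmetic: the Y2K defect and two remediations.

Added example, not code from the Handbook. Legacy programs stored years
as two digits and assumed the century was 19xx; once a date crossed into
2000 the implicit assumption produced nonsense results.
"""


def legacy_years_elapsed(start_yy: int, end_yy: int) -> int:
    """Pre-remediation logic: the century is implicitly 19xx, so a span
    from '65 to '00 comes out as -65 instead of 35."""
    return end_yy - start_yy


def windowed_year(yy: int, pivot: int = 50) -> int:
    """Windowing, one of the 'otherwise adapt' fixes: two-digit years at or
    above the pivot are read as 19xx, those below it as 20xx.

    The pivot of 50 is an assumption of this example; real systems chose
    a pivot suited to the dates they actually handled.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 1900 + yy if yy >= pivot else 2000 + yy


def windowed_years_elapsed(start_yy: int, end_yy: int, pivot: int = 50) -> int:
    """Same computation as legacy_years_elapsed, after windowing both years."""
    return windowed_year(end_yy, pivot) - windowed_year(start_yy, pivot)


def expand_record(record: str, pivot: int = 50) -> str:
    """Field expansion, the 'use four-digit years' fix: rewrite a fixed-width
    YYMMDD date field to YYYYMMDD.

    Assumed (constructed) record layout: a six-character YYMMDD date
    followed by the rest of the record, e.g. '991231 100.00'.
    """
    yy, rest = int(record[:2]), record[2:]
    return f"{windowed_year(yy, pivot)}{rest}"


if __name__ == "__main__":
    print("legacy  :", legacy_years_elapsed(65, 0))    # -65
    print("windowed:", windowed_years_elapsed(65, 0))  # 35
    print("expanded:", expand_record("000101 100.00"))  # 20000101 100.00
```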

2.9 EXTORTION. Computer data can be held for ransom. For example, according to Whiteside, in 1971, two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return. The owners ignored the threat of destruction because they had adequate backup copies.

Other early cases of extortion involving computers:

• In 1973, a West German computer operator stole 22 tapes and received $200,000 for their return. The victim did not have adequate backups.

• In 1977, a programmer in the Rotterdam offices of Imperial Chemical Industries, Ltd. (ICI) stole all his employer’s tapes, including backups. Luckily, ICI informed Interpol of the extortion attempt. As a result of the company’s forthrightness, the thief and an accomplice were arrested in London by officers from Scotland Yard.

In the 1990s, one of the most notorious cases of extortion was the 1999 theft of 300,000 records of customer credit cards from the CD Universe Web site by “Maxus,” a 19-year-old Russian. He sent an extortion note that read: “Pay me $100,000 and I’ll fix your bugs and forget about your shop forever … or I’ll sell your cards [customer credit data] and tell about this incident in news.” Refused by CD Universe owners, he promptly released 25,000 credit card numbers via a Web site that became so popular with criminals that Maxus had to limit access to one stolen number per visit.

2.10 TROJAN HORSES. Trojans are programs that pretend to be useful but that also contain harmful code or are just plain harmful.

2.10.1 1988 Flu-Shot Hoax. One of the nastiest tricks played on the shell-shocked world of early microcomputer users was the FLU-SHOT-4 incident of March 1988. With the publicity given to damage caused by destructive, self-replicating virus programs distributed through electronic bulletin board systems (BBSs), it seemed natural that public-spirited programmers would rise to the challenge and provide protective screening.

Flu-Shot-3 was a useful program for detecting viruses. Flu-Shot-4 appeared on BBSs and looked just like version 3; however, it actually destroyed critical areas of hard disks and any floppies present when the program was run. The instructions that caused the damage were not present in the program file until it was running; this self-modifying code technique makes it especially difficult to identify Trojans by simple inspection of the assembler-level code.

2.10.2 Scrambler, 12-Tricks, and PC Cyborg. Other early and notorious PC Trojans from the late 1980s that are still remembered in the industry included:

• The Scrambler (also known as the KEYBGR Trojan), which pretended to be a keyboard driver (KEYBGR.COM), but actually made a smiley face move randomly around the screen

• The 12-Tricks Trojan, which masqueraded as CORETEST.COM, a program for testing the speed of a hard disk, but actually caused 12 different kinds of damage (e.g., garbling printer output, slowing screen displays, and formatting the hard disk).

• The PC Cyborg Trojan (or “AIDS Trojan”), which claimed to be an AIDS information program but actually encrypted all directory entries, filled up the entire C disk, and simulated COMMAND.COM, but produced an error message in response to nearly all commands.

2.10.3 1994: Datacomp Hardware Trojan. On November 8, 1994, a correspondent reported to the RISKS Forum Digest that he had been victimized by a curious kind of Trojan:

I recently purchased an Apple Macintosh computer at a “computer superstore,” as separate components—the Apple CPU, and Apple monitor, and a third-party keyboard billed as coming from a company called Sicon.

This past weekend, while trying to get some text-editing work done, I had to leave the computer alone for a while. Upon returning, I found to my horror that the text “welcome datacomp” had been inserted into the text I was editing. I was certain that I hadn’t typed it, and my wife verified that she hadn’t, either. A quick survey showed that the “clipboard” (the repository for information being manipulated via cut/paste operations) wasn’t the source of the offending text.

As usual, the initial reaction was to suspect a virus. Disinfectant, a leading anti-viral application for Macintoshes, gave the system a clean bill of health; furthermore, its descriptions of the known viruses (as of Disinfectant version 3.5, the latest release) did not mention any symptoms similar to my experiences.

I restarted the system in a fully minimal configuration, launched an editor, and waited. Sure enough, after a (rather long) wait, the text “welcome datacomp” once again appeared, all at once, on its own.

Further investigation revealed that someone had put unauthorized code in the ROM chip used in several brands of keyboard. The only solution was to replace the keyboard. Readers will understand the possible consequences of a keyboard that inserts unauthorized text into, say, source code. Winn Schwartau, the renowned computer security expert, has coined the word “chipping” to refer to such unauthorized modification of firmware.

2.10.4 Keylogger Trojans. By the mid-2000s, software and hardware Trojans designed to capture logs of keystrokes and sometimes to transmit those logs via covert Internet connections had become a well-known tool of industrial espionage. The United States Department of Homeland Security issued a warning in December 2005 that included this overview:

According to industry security experts, the biggest security vulnerability facing computer users and networks is email with concealed Trojan Horse software—destructive programs that masquerade as benign applications and embedded links to ostensibly innocent websites that download malicious code. While firewall architecture blocks direct attacks, email provides a vulnerable route into an organization’s internal network through which attackers can destroy or steal information.

Attackers try to circumvent technical blocks to the installation of malicious code by using social engineering—getting computer users to unwittingly take actions that allow the code to be installed and organization data to be compromised.

The techniques attackers use to install Trojan Horse programs through email are widely available, and include forging sender identification, using deceptive subject lines, and embedding malicious code in email attachments.

Developments in thumb-sized portable storage devices and the emergence of sophisticated keystroke logging software and devices make it easy for attackers to discover and steal massive amounts of information surreptitiously.42

2.10.5 Haephrati Trojan. A case that made the news in the mid-2000s began when Israeli author Amon Jackont was upset to find parts of the manuscript on which he was working posted on the Internet. Then someone tried to steal money from his bank account. Suspicion fell on his stepdaughter’s ex-husband, Michael Haephrati. Police discovered a keystroke logger on Jackont’s computer. It turned out that Haephrati had also sold spy software to clients; the Trojan was concealed in what appeared to be confidential email. Once installed on the victims’ computers, the software sent surveillance data to a server in London, England.

Haephrati was detained by U.K. police and investigations began in Germany and Israel. Twelve people were detained in Israel; eight others were under house arrest. Suspects included private investigators and top executives from industrial firms. Victims included Hewlett-Packard, Ace hardware stores, and a cable-communications company.

Michael and Ruth Haephrati were extradited from Britain for trial in Israel on January 31, 2006. They were accused of installing the Trojan horse program that activated a key logger with remote-reporting capabilities.43

In March 2006, the couple were indicted in Tel Aviv for corporate espionage.44

They pleaded guilty to the charges45 and were sentenced to four and two years of jail, respectively, as well as punished with fines.46

The story did not end there, however. Two years later, “Four members of the Israeli Modi’in Ezrahi private investigation firm were sentenced on Monday after they were found guilty of using Trojan malware to steal commercially sensitive information from their clients’ competitors.”47 The report continues:

Asaf Zlotovsky, a manager at the Modi’in Ezrahi detective firm, was jailed for 19 months. Two other employees, Haim Zissman and Ron Barhoum, were sent to prison for 18 and nine months respectively. The firm’s former chief exec, Yitzhak Rett, the victim of an apparent accident when he fell down a stairwell during a break in police questioning back in 2005, escaped a jail sentence under a plea bargaining agreement. Rett was fined 250,000 Israeli Shekels (£36,500) and ordered to serve ten months’ probation over his involvement in the scam.

However, an article in April 2008 reported that Michael Haephrati “claimed that there was no jail time, and that he was completely free. As a matter of fact he was going to continue to offer his Trojan Horse service but this time he would only work with ‘law enforcement agencies.’ ”48

2.10.6 Hardware Trojans and Information Warfare. In the late 2000s, a flurry of news stories discussed the dangers of growing reliance on Chinese-manufactured computing components.

U.S. Defense Department sources say privately that the level of Chinese cyberattacks obliges them to avoid Chinese-origin hardware and software in all classified systems and as many unclassified systems as fiscally possible. The high threat of Chinese cyberpenetrations into U.S. defense networks will be magnified as the Pentagon increasingly loses domestic sources of “trusted and classified” microchips.49


The discovery of counterfeit Cisco routers worsened concerns about the reliability of Chinese-manufactured network equipment.50 The FBI, Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), and the Royal Canadian Mounted Police (RCMP) worked together to track a massive pattern of counterfeit network hardware including Cisco routers; these investigations and seizures raised questions about the reliability and trustworthiness of such equipment, much of which was manufactured in the People’s Republic of China. Although Cisco scientists examined some of the counterfeit equipment and found no back doors, concern was serious enough that government agencies created test chips to challenge quality assurance processes at military contractors:

In April [2008], the Defense Advanced Research Projects Agency, part of the Defense Department, began distributing chips with hidden Trojan horse circuitry to military contractors participating in an agency program, Trusted Integrated Circuits. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive. The agency is not yet ready to announce the results of the test, said Jan Walker, a spokeswoman for the agency.51

A 2011 report on hearings before the U.S. House Oversight and Government Reform Committee about the issue of Trojan backdoors in imported software and hardware included this assertion with references for each topic:

… [E]mbedded malware lurking in consumer tech is not a new development. Since it’s been happening for years and is hardly a national security secret, it’s unclear why Schaffer hesitated so long before answering. There have been many incidents of malware-infected products being shipped to consumers, from hardware, to software, and even tainted peripheral devices. Malware has been sent pre-loaded in products like USBs, microchips, cameras, battery chargers, digital photo frames, webcams, printers, cell phones, motherboards or system boards, and hard drives.52

2.11 NOTORIOUS WORMS AND VIRUSES. The next sections briefly describe some of the outstanding incidents that are often mentioned in discussions of the history of malware.53

2.11.1 1970–1990: Early Malware Outbreaks. The ARPANET was the precursor of the Internet.54 According to several reports:

Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, “I’M THE CREEPER: CATCH ME IF YOU CAN.”

Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.55

By 1981, the Apple II computer was a popular system among hobbyists; the Elk Cloner virus spread via infected floppy disks and is regarded as “the first large-scale computer virus outbreak in history.”56


In 1986, the Brain boot-sector virus was the first IBM PC malware to spread around the world. It was created by two brothers from Lahore, Pakistan, and included this text:

Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er…VIRUS: this program is catching program follows after these messages….$#@%@!!

The Lehigh Virus appeared at Lehigh University in Pennsylvania in 1987 and damaged the files of several professors and students. This early program-infector targeted only command.com and was therefore extremely limited in its spread.

In 1988, the Jerusalem virus, a file infector that reproduced by inserting its code into EXE and COM files, caused a global PC epidemic.

Another noteworthy infection of 1988 came from the self-encrypting Cascade virus, which confused many naive users who interpreted the falling symbols on their screen as part of an unexpected screen saver. This virus was one of the earliest examples of attempts to counter signature-based antivirus products.

2.11.2 December 1987: Christmas Tree Worm. In December 1987, users of IBM mainframe computers connected to the European Academic Research Network (EARN), BITNET, and the IBM company VNET were flooded with email bearing a character-based representation of a Christmas tree. A student at Technische Universität Clausthal57 in Germany launched “a worm, written in an IBM-specific language called REXX.”58 The worm used the victim’s list of correspondents to send copies of itself to everyone on the list.59

2.11.3 November 2, 1988: Morris Worm. On November 2, 1988, the Internet was rocked by the explosive appearance of unauthorized code on systems all over the world. At 17:00 EST on November 2, 1988, Robert T. Morris, a student at Cornell University in Ithaca, New York, released a worm into the Internet. By midnight, it had attacked VAX computers running 4 BSD UNIX and SUN Microsystems Sun 3 computers throughout the United States. One of the most interesting aspects of the worm’s progress through the Internet was the almost complete independence of its path from normal geographical constraints. It sometimes leaped from coast to coast faster than it reached physically neighboring computer systems. The worm graphically demonstrated that cyberspace has its own geography.

The worm often superinfected its hosts, leading to slowdowns in overall processing speed. The first Internet warning (“We are under attack”) was posted at 02:38 on November 3 to the TCP-IP list by a scientist at University of California at Berkeley. At 03:34, Andy Sudduth, a friend of Morris’s at Harvard, posted a warning message (“There may be a virus loose on the internet”) anonymously and included a few comments on how to stop the worm. Unfortunately, Spafford writes, the Internet was so severely impeded by the worm that this message was not widely distributed for over 24 hours.

By 6:00 on the morning of November 3, messages were creeping through the Internet with details of how the worm worked. The news spread via news groups such as the TCP-IP list, Usenix 4bsd-ucb-fixes, and the Usenet news.announce.important group. Spafford and his friends and colleagues on the Internet collaborated feverishly on providing patches against the worm.


Meanwhile, as word spread of the attack, some systems administrators began cutting their networks out of the Internet. The Defense Communications Agency isolated its Milnet and Arpanet networks from each other around 11:30 on November 3. At noon, machines in the science and technology center at the Stanford Research Institute were shut down.

By late on November 4, a comprehensive set of patches was posted on the Internet to defend systems against the worm. That evening, a New York Times reporter told Spafford that the author of the worm had been found.

By November 8, the Internet seemed to be back to normal. A group of concerned computer scientists met at the National Computer Security Center to study the incident and think about preventing recurrences of such attacks. Spafford put the incident into perspective with the comment that the affected systems were no more than 5 percent of the hosts on the Internet. It would be foolish to dismiss Morris’s electronic vandalism as a prank or to claim that the worm alerted managers to weak security on their systems. Nonetheless, it is true that the incident contributed to the establishment of the Computer Emergency Response Team at the Software Engineering Institute of Carnegie-Mellon University. For these blessings, however, we owe no gratitude to Robert T. Morris.

In 1990, Morris was found guilty under the Computer Fraud and Abuse Act of 1986. The maximum penalties included five years in prison, a $250,000 fine, and restitution costs. Morris was ordered to perform 400 hours of community service, sentenced to three years probation, and required to pay $10,000 in fines. He was expelled from Cornell University.

His lawyers appealed the conviction to the Supreme Court of the United States. Their arguments included lack of evil intent (he did not mean to cause harm, honest—even though his worm took extraordinary precautions to conceal itself) and they deplored the scandalous behavior of Cornell University authorities, who had the temerity to search their own electronic mail message system to locate evidence that incriminated Morris. The lawyers also argued that sending a mail message might become a crime if Morris’s conviction were upheld.

The Supreme Court upheld the decision by declining to hear the appeal.60

Robert T. Morris eventually became an associate professor in the Electrical Engineering and Computer Science Department of the Massachusetts Institute of Technology and a member of the Computer Science and Artificial Intelligence Laboratory.61

2.11.4 Malware in the 1990s. The most significant malware development of the 1990s was the release in July 1995 of the world’s first widely distributed macro-language virus. The macro.concept virus made its appearance in MS-Word for Windows documents. It demonstrated how to use the macro programming language, common to many Microsoft products, to generate self-reproducing macros that spread from document to document. Within a few months, clearly destructive versions of this demonstration virus appeared.

Macro viruses were a dangerous new development. As explained in a recent history of viruses and antiviruses:

• Putting self-reproducing code in easily and frequently exchanged files, such as documents, greatly increased the infectiousness of the viruses.

• Virus writers shifted their attention to a much easier programming language than assembly.

• Email exchanges of infected documents were a far more effective mechanism for virus infection than exchanges of infected programs or disks.

• “[M]acro viruses were neither platform-specific, nor OS-specific. They were application-based.”62

In the latter half of the 1990s, macro viruses replaced boot sector viruses and file infector viruses as a major type of malicious self-reproducing malware; during that period, additional types of script-based, network worms also increased.

Exhibit 2.1 shows the rise and fall of prevalence of macro viruses over the decade from discovery to extinction using data from the WildList archives. The WildList shows malware identified on user systems by at least two virus researchers.63

Roger Thompson summarizes the developments in malware in the 1990s in this way:

By around 2000, macro viruses ceased to be a problem because the new version of MS-Office 2000 included features that blocked macro viruses. The next step in the evolution of malware was the mass mailers like the ILOVEYOU worm and then the network worms. These were easy to write and easy to obfuscate by varying the text contents, thus defeating signature scanners. These worms spread very quickly until the release of Windows XP Service Pack 2, which forced the Windows Firewall to be on by default. After that extinction-level event, criminals moved onward to creating mass mailers and bots which could spread malware and spam or cause distributed denial-of-service through communication via the trusted Web sites accessed through browsers that created a tunnel through the firewall.64

2.11.5 March 1999: Melissa. On Friday, March 26, 1999, the CERT/CC received initial reports of a fast-spreading new MS-Word macro virus. “Melissa” was written to infect such documents; once loaded, it uses the victim’s MAPI-standard email address book to send copies of itself to the first 50 people on the list. The virus attaches an infected document to an email message with subject line “Subject: Important Message From <name>,” where <name> is that of the inadvertent sender. The email message reads: “Here is that document you asked for … don’t show anyone else;-)” and includes an MS-Word file as an infected attachment. The original infected document, “list.doc,” was a compilation of URLs for pornographic Websites. However, as the virus spread, it was capable of sending any other infected document created by the victim.

Because of this high replication rate, the virus spread faster than any previous virus in history. On many corporate systems, the rapid rate of internal replication saturated email servers with outbound automated junk email. Initial estimates were in the range of 100,000 downed systems. Antivirus companies rallied immediately, and updates for all the standard products were available within hours of the first notices from CERT/CC.

The search for the originator of the Melissa email computer virus/worm began immediately after the outbreak. Initial findings traced the virus to Access Orlando, a Florida Internet Service Provider (ISP), whose servers were shut down by order of the FBI for forensic examination; the systems were then confiscated. That occurrence was then traced back to Source of Kaos, a free-speech Website where the virus may have lain dormant for months in a closed but not deleted virus-distributor’s pages. Investigators discovered a serial number in the vector document, written with MS-Word; the undocumented serial number helped law enforcement when investigators circulated it on the Net to help track down the perpetrator.

The next steps turned to the value-added network AOL, where the virus was released to the public. The giant ISP’s information helped to identify a possible suspect and by April 2, the FBI arrested David L. Smith (age 30) of Aberdeen, New Jersey. Smith apparently panicked when he heard the FBI was on the trail of the Melissa spawner and he threw away his computer—stupidly, into the trash at his own apartment building.

Smith was charged with second-degree offenses of interruption of public communication, conspiracy to commit the offense and attempt to commit the offense, third-degree theft of computer service, and third-degree damage or wrongful access to computer systems. If convicted, Smith faced a maximum penalty of $480,000 in fines and 40 years in prison. On December 10, 1999, Smith pleaded guilty to all federal charges and agreed to every particular of the indictment, including the estimates by the International Computer Security Association of at least $80 million of consequential damages due to the Melissa infections.65

EXHIBIT 2.1 Rise and Fall in Macro Viruses in the WildList, 1996–2008

Year        Macro Viruses   Total Entries   Percentage Macro Virus
1996 (a)          1              183               0.6%
1997 (b)         27              239              11%
1998 (c)         77              258              30%
1999 (d)         46              129              36%
2000 (e)        108              175              62%
2001 (f)        145              228              64%
2002 (g)        103              198              52%
2003 (h)         68              205              33%
2004 (i)         51              261              20%
2005 (j)         22              399               6%
2006 (k)         19              804               2%
2007 (l)          5              797               0.6%
2008 (m)          0              590               0.0%

Sources:
(a) WildList Organization International, “PC Viruses in the Wild—January 10, 1996,” www.wildlist.org/WildList199601.htm.
(b) WildList Organization International, “PC Viruses in the Wild—February, 1997,” www.wildlist.org/WildList199702.htm.
(c) WildList Organization International, “PC Viruses in the Wild—January, 1998,” www.wildlist.org/WildList199801.htm.
(d) WildList Organization International, “PC Viruses in the Wild—January 1999,” www.wildlist.org/WildList199001.htm.
(e) WildList Organization International, “PC Viruses in the Wild—January, 2000,” www.wildlist.org/WildList200001.htm.
(f) WildList Organization International, “PC Viruses in the Wild—January, 2001,” www.wildlist.org/WildList200101.htm.
(g) WildList Organization International, “PC Viruses in the Wild—January, 2002,” www.wildlist.org/WildList200201.htm.
(h) WildList Organization International, “PC Viruses in the Wild—January, 2003,” www.wildlist.org/WildList200301.htm.
(i) WildList Organization International, “PC Viruses in the Wild—January, 2004,” www.wildlist.org/WildList200401.htm.
(j) WildList Organization International, “PC Viruses in the Wild—January, 2005,” www.wildlist.org/WildList200501.htm.
(k) WildList Organization International, “PC Viruses in the Wild—January, 2006,” www.wildlist.org/WildList200601.htm.
(l) WildList Organization International, “PC Viruses in the Wild—January, 2007,” www.wildlist.org/WildList200701.htm.
(m) WildList Organization International, “PC Viruses in the Wild—January, 2008,” www.wildlist.org/WildList200801.htm.


2.11.6 May 2000: I Love You. Starting around May 4, 2000, email users opened messages from familiar correspondents with the subject line “I love you”; many then opened the attachment, LOVE-LETTER-FOR-YOU.txt.vbs, which infected the user’s email address book and initiated mass mailing of itself to all the contacts. The “Love Bug” was the fastest-spreading worm to that time, infecting computers all over the world, starting in Asia, then Europe.66

On May 11, Filipino computer science student Onel de Guzman of AMA Computer College in Manila admitted to authorities that he may “accidentally have launched the destructive Love Bug virus out of youthful exuberance.” He did not admit that he had created the malware himself; however, the name GRAMMERSoft appeared in the computer code of the virus, and that was the name of a computer group to which the 23-year-old de Guzman belonged.67

In September 2000, de Guzman participated in a live chat hosted by CNN.com; he vigorously defended virus-writing and blamed the creators of vulnerable systems for releasing poorly designed software. He refused to take responsibility for writing the worm.68

Philippine authorities tried to prosecute de Guzman but had to drop their attempts in August 2000 for lack of sufficient evidence. Due to the lack of computer crime laws at the time, it was impossible for other countries such as the United States to extradite the suspect: International principles of dual criminality require equivalent laws in both jurisdictions before extradition can proceed.

By October 2000, de Guzman had refused to take responsibility for writing the worm and publicly stated, “‘I admit I create viruses, but I don’t know if it’s one of mine… . If the source code was given to me, I could look at it and see. Maybe it is somebody else’s, or maybe it was stolen from me.”69

The “I Love You” case was a wake-up call for the international community to think about standardizing computer crime laws around the globe.70
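The email lures this chapter describes are cheap to screen for at a mail gateway: forged or misleading sender identification and deceptive subject lines (Section 2.10), Melissa’s “Important Message From” subject (Section 2.11.5), and the Love Bug’s LOVE-LETTER-FOR-YOU.txt.vbs attachment, whose double extension hides a script behind a text-file name. The following is an added example, not code from the Handbook or from any product it mentions: a small Python triage routine run over a constructed message that flags a Reply-To domain differing from the From domain, a subject matching a known lure phrase, and an executable attachment disguised with a document-like extension. The extension sets, lure phrases, and both sample messages are this example’s assumptions.

```python
"""Mail-gateway triage checks: an added example, not code from the Handbook.

Flags the lures described in this chapter: a Reply-To that points away from the
claimed sender, a subject line copied from a known mass-mailer, and an executable
attachment disguised with a document-like double extension. The sample messages,
extension sets and lure phrases are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Script/executable types that early mail worms relied on to run when opened.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                   "exe", "scr", "pif", "bat", "cmd", "com"}
# Types a recipient is likely to regard as harmless content.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "rtf"}
# Subject phrases taken from the chapter's Melissa and Love Bug descriptions.
LURE_SUBJECTS = ("important message from", "i love you", "iloveyou")


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def check_attachment_name(filename):
    """Return findings for one attachment filename (empty list if nothing stands out)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    if parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {filename}")
        # name.txt.vbs: the real (last) extension is executable, the decoy sits before it
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(f"double extension hides executable: {filename}")
    return findings


def triage_message(raw_bytes):
    """Parse one RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from "
                        f"From domain {_domain(from_addr)}")

    subject = str(msg.get("Subject", "")).lower()
    for lure in LURE_SUBJECTS:
        if lure in subject:
            findings.append(f"subject matches known lure phrase: {lure!r}")
            break

    # iter_attachments() skips the message body and yields the attached parts only.
    for part in msg.iter_attachments():
        findings.extend(check_attachment_name(part.get_filename() or ""))
    return findings


# Constructed sample: a worm-style message with a decoy double extension.
SAMPLE_EML = b"""From: "Alice Example" <alice@example.com>
Reply-To: collector@mailer.example.net
To: bob@example.com
Subject: Important Message From Alice Example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--boundary42
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.txt.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.txt.vbs"

(constructed placeholder; no script content)
--boundary42--
"""

# Constructed sample: an ordinary message that should produce no findings.
CLEAN_EML = b"""From: "Carol Example" <carol@example.com>
To: bob@example.com
Subject: Minutes from Tuesday
Content-Type: text/plain

Minutes are on the shared drive.
"""

if __name__ == "__main__":
    for line in triage_message(SAMPLE_EML):
        print(line)
    print("clean message findings:", triage_message(CLEAN_EML))
```

The checks are deliberately simple heuristics; in practice they would sit beside signature scanning and sender authentication rather than replace them, and the Reply-To check in particular needs an allow-list for legitimate mailing services before it is used to quarantine anything.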

2.11.7 July 2010: Stuxnet. In July 2010, reports surfaced of a zero-day threat to SCADA systems using Siemens AG’s Simatic WinCC and PCS 7 software. Analysts found that the Stuxnet worm was designed for industrial espionage; however, the same techniques could have been used for sabotage. Experts expressed concern that the worm was signed using valid digital certificates from Taiwanese companies and that the complex code implied considerable knowledge of the SCADA software.71 Further analysis of the malware code suggested that the software was developed by the United States and Israel and used at least as early as November 2007.72

2.12 SPAM. Chapter 20 in this Handbook includes a detailed history of unsolicited commercial email and the reason it is called spam. This section looks solely at a seminal abuse of the USENET in 1994 and trends in spam over the next decade.

2.12.1 1994: Green Card Lottery Spam. On April 2, 1994, Laurence A. Canter and Martha S. Siegel posted an advertisement for legal services connected to the U.S. Government’s Green Card Lottery to over 6,000 USENET groups. Instead of cross-posting their commercial message, they used a script to post a copy of the message separately to every group. The former method would have shown the message to USENET users once; Canter and Siegel’s abuse of the USENET made their ad show up in every affected group to which users subscribed.73


Reaction worldwide was massive. Automated cancelbots trolled the USENET deleting the unwanted messages; the attorneys’ ISP was so overloaded with email complaints that its servers crashed. Canter and Siegel were reviled in postings and newspaper articles.74 Their unsavory backgrounds were posted in discussion groups, including details of disciplinary hearings before the Florida Bar and accusations of dishonesty and unprofessional behavior.75

Unfazed, the couple published a book about how to abuse the Internet using spam and defended their actions in interviews as an expression of freedom of speech; they dismissed critics as “wild-eyed zealots” or as commercial interests intent on controlling the Internet for their own gain.76

Canter was eventually disbarred in Tennessee, in part for his spamming.77 He remained unrepentant; in 2002, he spammed 50,000 K–12 teachers with an advertisement for a book whose title he liked so he could harvest payments for referrals from Amazon.78

2.12.2 Spam Goes Global. Over the next decade, the incidence of spam grew explosively. By 2007, spam watchers and anti-spam companies reported that around 88 percent of all email traffic on the Internet was spam. Spammers caused so much irritation that companies developed software and hardware solutions for filtering email by content. Spammers responded by increasing the number of images in their spam, making content filtering more difficult. At one point, the amount of spam grew 17 percent between one day and the next as spammers began pumping PDF files into spam pipelines.79

Botnets spawned through infected zombie machines established rogue SMTP nodes using innocent (and ignorant) PC users’ computers and persistent high-speed Internet connections.80 Spam currently provides a major vector for fraud by deceit, including in particular 4-1-9 advance fee fraud and phishing attacks.81 Advance-fee fraud usually consists of enticements to participate in the theft of ill-gotten gains such as bank deposits belonging to dead people or stolen from poor countries; the dupes who agree to participate in such illegality are promised millions of dollars—only to be told that they suddenly have to send cash for unexpected bribes or fees. If they do so, they are asked for more … and more … and more. Phishing involves sending email messages that are supposed to look like official, usually alarming, warnings from banks and other institutions; victims click on links that look like one thing but actually go to the criminals’ Websites. There the victims cheerfully type in their user identification, passwords, bank account numbers, and all manner of other confidential information useful for identity theft.82 Advance-fee fraud and phishing are discussed in Chapter 20 in this Handbook.

2.13 DENIAL OF SERVICE. Denial of service results from exhaustion or destruction of necessary resources and is thoroughly discussed in Chapter 18. However, a couple of denial-of-service attackers stand out among all the others in the last two decades: the Unamailer and Mafiaboy.

2.13.1 1996: Unamailer. In August 1996, someone using the pseudonym “johnny [x]chaotic” claimed the blame for a massive mail-bombing run based on fraudulently subscribing dozens of victims to hundreds of mailing lists. The denial of service was the result in part of the naïveté of list managers who accepted subscriptions for any email address from any other email address. In a rambling and incoherent letter posted on the Net, (s)he made rude remarks about famous and not-so-famous people, whose capacity to receive meaningful email was then obliterated by up to thousands of unwanted messages a day.83 “The first attack, in August, targeted more than 40 individuals, including Bill Clinton and Newt Gingrich and brought a torrent of complaints from the people who found their names sent as subscribers to some 3,000 E-mail lists.”84

Someone claiming to be the same “Unamailer” (as the news media labeled him or her in reference to the Unabomber) launched a similar mass-subscription mail-bombing run in late December.

This attack is estimated to involve 10,139 listservs groups, 3 times greater than the one that took place in the summer, also at xchaotic’s instigation. If each mailing list in this attack sent the targeted individuals just a modest 10 letters to the subscribers’ computers those individuals would receive more than 100,000 messages. If each listing system sent 100 messages—and many do—then the total messages could tally 1,000,000.85

In December, the attacker(s) sneered at list administrators for failing to use authentication before allowing subscriptions and wrote that they would continue their attacks until practices changed.86

Partly as a result of the Unamailer’s depredations, list administrators did in fact change their practices—not that anyone thanked Johnny [x]chaotic for his method of persuasion.
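The practice the list administrators changed to is confirmed (double) opt-in: a request to subscribe an address, from whoever it comes, is honoured only after the target address itself returns a token that was mailed to it. The following is an added example, not the Handbook’s code or that of any real list server: a minimal Python subscription handler with single-use, expiring confirmation tokens, a check that a token is redeemed only for the address it was issued to, and a cap on unconfirmed requests per address so that the confirmation messages themselves cannot be turned into the flood. The class and method names, the default limit of three pending requests, the 24-hour expiry, and the injectable clock are assumptions of the example.

```python
"""Confirmed-opt-in list subscriptions: an added example, not the Handbook's code.

A request may come from anyone, but the subscription takes effect only when the
target address returns a token that was mailed to that address. Names, limits
and the injectable clock below are this example's assumptions.
"""
import secrets
import time


class ListServer:
    def __init__(self, list_name, pending_limit=3, ttl_seconds=86400, now=time.time):
        self.list_name = list_name
        self.pending_limit = pending_limit  # unconfirmed requests allowed per address
        self.ttl = ttl_seconds              # how long a confirmation token stays valid
        self.now = now                      # clock function; tests pass a fake one
        self.pending = {}                   # token -> (target address, issue time)
        self.members = set()
        self.outbox = []                    # confirmation mails the server would send

    def _expire(self):
        """Forget tokens older than the TTL so stale requests cannot be redeemed later."""
        cutoff = self.now() - self.ttl
        self.pending = {t: v for t, v in self.pending.items() if v[1] >= cutoff}

    def request_subscription(self, address):
        """Anyone may ask; only the target address receives the token.

        Returns one of "already-subscribed", "rate-limited", "confirmation-sent".
        The requester's identity is deliberately irrelevant: the check is whether
        the *target* later proves control of the mailbox.
        """
        address = address.strip().lower()
        self._expire()
        if address in self.members:
            return "already-subscribed"
        # Cap unconfirmed requests per address: the confirmation mail itself must not
        # become a mail-bomb vector when the same victim is submitted repeatedly.
        open_requests = sum(1 for addr, _ in self.pending.values() if addr == address)
        if open_requests >= self.pending_limit:
            return "rate-limited"
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self.pending[token] = (address, self.now())
        self.outbox.append({"to": address, "list": self.list_name, "token": token})
        return "confirmation-sent"

    def confirm(self, address, token):
        """Subscribe only if the token was issued for this exact address and is unexpired."""
        address = address.strip().lower()
        self._expire()
        entry = self.pending.get(token)
        if entry is None or entry[0] != address:
            return False
        # Single use: drop every outstanding token for this address once one is redeemed.
        self.pending = {t: v for t, v in self.pending.items() if v[0] != address}
        self.members.add(address)
        return True


if __name__ == "__main__":
    srv = ListServer("announce")
    print(srv.request_subscription("someone@example.org"))   # confirmation-sent
    token = srv.outbox[-1]["token"]
    print(srv.confirm("someone@example.org", token))         # True
    print(srv.confirm("someone@example.org", token))         # False, token already used
```

A real deployment would persist the pending table, send the confirmation over SMTP instead of appending to an outbox, and log rate-limit hits, since a burst of refused requests for one address is itself the signal that somebody is attempting a subscription bombing run.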

2.13.2 2000: MafiaBoy. On February 8, 2000, Yahoo.com suffered a three- hour flood from a distributed denial-of-service (DDoS) attack and lost its capacity to serve Web pages to visitors. The next day, the same technique was extended to Amazon.com, eBay.com, Buy.com, and CNN.com.87 Later information also showed that Charles Schwab, the online stock brokerage, had been seriously impeded in serving its customers because of the DDoS. Buy.com managers were particularly disturbed because the attack occurred on the day of their initial public offering. As a result of the attacks, a number of firms formed a consortium to fight DDoS attacks.88

Investigation by the RCMP and the FBI located a 15-year-old child in west-end Montreal who used a modem to control zombies in his DDoS escapade:

On April 15, 2000, the RCMP arrested a Canadian juvenile known as Mafiaboy for the February 8th DDoS attack on CNN in Atlanta, Georgia. On August 3, 2000, Mafiaboy was charged with 64 additional counts. On January 18, 2001, Mafiaboy appeared before the Montreal Youth Court in Canada and pleaded guilty to 56 counts. These counts included mischief to property in excess of $5,000 against Internet sites, including CNN.com, in relation to the February 2000 attacks. The other counts related to unauthorized access to several other Internet sites, including those of several US universities. On September 12, 2001, Mafiaboy appeared before the Montreal Youth Court in Canada and was sentenced to eight months “open custody,” one year probation, and restricted use of the Internet.89

MafiaBoy’s name was not released by Canadian authorities because of Canadian laws protecting juveniles, although several U.S. reporters distributed his identity in their publications. His chief contribution to the history of computer crime was to demonstrate asymmetric warfare in cyberspace.90 His actions showed that even an ignorant child with little knowledge of computing could use low-tech hardware and tools available to anyone on the Internet to cripple major organizations.

2.14 HACKER UNDERGROUND. Newcomers to the field of information assurance will encounter references to the computer underground in texts, articles, and discussions. The sections that follow provide thumbnail sketches of some of the key groups and events in the shadowy world of criminal hacking (known as black hats, in contrast to white hats, who are law enforcement and establishment security experts), and the intermediate range of well-intentioned rebels who use unorthodox means to challenge corporations and governments over what they see as security failings (these people are often called gray hats).

2.14.1 1981: Chaos Computer Club. On September 12, 1981, a group of German computer enthusiasts with a strong radical political orientation formed the Chaos Computer Club (CCC) in Hamburg.91 One of their first achievements was to demonstrate a serious problem in the Bundespost’s (German post office) new Bildschirmtext (BTX) interactive videotext service in 1984, not long after the service was announced.92 The CCC used security flaws in BTX to transfer a sizable amount of money into their own bank account through a script that ran overnight, as a demonstration to the press (returning the money publicly).

After the Legions of the Underground (LoU) announced on January 1, 1999, that they would attack and disable the computer systems of the People’s Republic of China and of Iraq, a coalition of hacker organizations including the CCC announced opposition to the move. “We strongly oppose any attempt to use the power of hacking to threaten or destroy the information infrastructure of a country, for any reason,” the coalition said. “Declaring war against a country is the most irresponsible thing a hacker group could do. This has nothing to do with hacktivism or hacker ethics and is nothing a hacker could be proud of,” the coalition said in the statement.

The CCC has, in general, challenged the general view that “hacker” necessarily means “criminal hacker.”93 Their annual Chaos Communications Conferences have proven to be a site of technology exchange and serious discussion of information security issues. Their continued commitment to the rule of law (except where their own activities are concerned), and their willingness to engage authorities in the courts when necessary has gained them an unusual degree of credibility and acceptance in the information security community as relatively pale-gray hats.94

2.14.2 1982: The 414s. One morning in June 1982, a system administrator for a DEC VAX 11/780 minicomputer at the Memorial Sloan-Kettering Cancer Center in Manhattan found his system down. Investigation led to the discovery that his and dozens of other systems around the country were being hacked by Milwaukee-area teenagers and others aged 15 to 22. The youths called themselves the 414s after the Milwaukee area code.

Using home computers connected to ordinary telephone lines, they had been breaking into computers across the U.S. and Canada, including one at a bank in Los Angeles, another at a cement company in Montreal and, ominously, an unclassified computer at a nuclear weapons laboratory in Los Alamos, [New Mexico].95

In March 1984, “two members of Milwaukee’s 414 Gang … pleaded guilty to misdemeanor charges of making obscene or harassing phone calls. Maximum sentence for each charge: six months in jail and a $500 fine.”96

2.14.3 1984: Cult of the Dead Cow. Another influential criminal-hacker group is the Cult of the Dead Cow (cDc), which used to sport amusing (although intentionally offensive to some) cartoons such as that of a crucified cow.97 The cDc was noted for its consistent use of humor and parody; for example, “Swamp Rat’s” 1985 article on building “The infamous … GERBIL FEED BOMB” included instructions such as “Light the fuse if you put one in. If you dropped a match into it, then go to the nearest phone, dial ‘911’ and tell the nice people that you have a large number of glass shards embedded in your lower body. An ambulance should be there soon.”98

The cDc became important proponents of hacktivism in the 1990s, the use of criminal hacking techniques for political purposes. They also released a number of hacking tools, of which Back Orifice (BO) and especially Back Orifice 2000 (BO2K) were notorious examples. BO2K was ostensibly a remote administration tool but was in fact a Trojan that ran in stealth mode and allowed remote control of infected machines.99

Some observers felt that presenting BO2K as a legitimate tool was another instance of cDc’s satirical bent: The idea that anyone would consider software written by criminal hackers as a trustworthy administration tool struck them as ludicrous.

2.14.4 1984: 2600: The Hacker Quarterly. Eric Corley founded 2600: The Hacker Quarterly in 1984. This publication has become a standard-bearer for proponents of criminal hacking. The magazine has published a steady stream of explanations of how to exploit specific vulnerabilities in a wide range of operating systems and application environments. In addition, the editor’s political philosophy has influenced more than one generation of black-hat and gray-hat hackers:

In the worldview of 2600, the tiny band of technocrat brothers (rarely, sisters) are a besieged vanguard of the truly free and honest. The rest of the world is a maelstrom of corporate crime and high-level governmental corruption, occasionally tempered with well-meaning ignorance. To read a few issues in a row is to enter a nightmare akin to Solzhenitsyn’s, somewhat tempered by the fact that 2600 is often extremely funny.100

2.14.5 1984: Legion of Doom. The DC Comics empire created an animated cartoon series called Super Friends that appeared in 1973; it starred various DC Comics heroes, such as Superman, Aquaman, Wonder Woman, and Batman.101 In a follow-up series called Challenge of the Super Friends that ran from 1978 through 1979, the archenemies of these heroes were a group known as the Legion of Doom, which included Lex Luthor, archenemy of Superman.102 A group of phone phreakers who later turned to criminal hacking called themselves the Legion of Doom (LOD); their founder called himself “Lex Luthor.” Another major member was Loyd Blankenship (“The Mentor”).

Bruce Sterling describes the LOD as an influential hacker underground group of the 1980s and one of the earliest to capitalize on regular publication of their findings of vulnerabilities and exploits in the phone system and then in computer networks:

LOD members seemed to have an instinctive understanding that the way to real power in the underground lay through covert publicity. LOD were flagrant. Not only was it one of the earliest groups, but the members took pains to widely distribute their illicit knowledge. Some LOD members, like “The Mentor,” were close to evangelical about it. Legion of Doom Technical Journal began to show up on boards throughout the underground.

LOD Technical Journal was named in cruel parody of the ancient and honored AT&T Technical Journal. The material in these two publications was quite similar—much of it, adopted from public journals and discussions in the telco community. And yet, the predatory attitude of LOD made even its most innocuous data seem deeply sinister; an outrage; a clear and present danger.103

In the later 1980s, the LOD actually helped law enforcement on occasion by restraining malicious hackers.

One of the best-known members was Chris Goggans, whose handle was “Erik Bloodaxe”; he was also an editor of Phrack and was on the LOD side of the conflict with the Masters of Deception (MOD) in 1990 and 1991 known in hacker circles as “The Great Hacker War.”104

Another well-known hacker who started in LOD and moved to MOD was Mark Abene (“Phiber Optik”), who was eventually imprisoned for a year after pleading guilty in federal court to conspiracy and unauthorized access to federal-interest computers (a violation of 18 USC 1030(a), the Computer Fraud and Abuse Act of 1986).105 Abene’s punishment was the subject of much protest in the hacker community and elsewhere.106

2.14.6 1985: Phrack. Phrack began publishing in November 1985. With a new issue every month or two at first, the electronic magazine continued uninterrupted distribution of technical information and rants. The uncensored commentary provided a fascinating glimpse of some of the personalities and worldviews of its contributors and editors, including Taran King and Craig Neidorf (later to become famous as “Knight Lightning” and for his involvement in an abortive prosecution involving BellSouth documents). For example, Phrack published what became known as the “Hacker Manifesto”—held up by criminal hackers as a light unto the nations (“Written almost 15 years ago by The Mentor, this should be taped up next to everyone’s monitor to remind them who we are, this rang true with Hackers, but it now rings truth to the internet generation.”107), but viewed with skepticism by security professionals. It read in part:

This is our world now … the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore … and you call us criminals. We seek after knowledge … and you call us criminals. We exist without skin color, without nationality, without religious bias … and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all … after all, we’re all alike.108

In the 1990s, publication frequency faltered, falling to once every three to six months until the editors announced the final issue, #63, for August 2005. However, publication resumed under new editorial leadership in May 2007 with issue 64; given that issue 65 did not come out until April 2008, the magazine’s heyday is presumably past.

2.14.7 1989: Masters of Deception. The Masters of Deception (MOD) were a New York hacker group active from about 1989 through 1992.109 Among the most notorious criminal hackers in the group was “Phiber Optik” (Mark Abene, born in 1972), who was unusually visible in the media:

Phiber Optik in particular was to seize the day in 1990. A devotee of the 2600 circle and stalwart of the New York hackers’ group “Masters of Deception,” Phiber Optik was a splendid exemplar of the computer intruder as committed dissident. The eighteen-year-old Optik, a high-school dropout and part-time computer repairman, was young, smart, and ruthlessly obsessive, a sharp-dressing, sharp-talking digital dude who was utterly and airily contemptuous of anyone’s rules but his own. By late 1991, Phiber Optik had appeared in Harper’s, Esquire, the New York Times, in countless public debates and conventions, even on a television show hosted by Geraldo Rivera.110

2.14.8 1990: Operation Sundevil. After two years of investigation, on May 7, 8, and 9, 1990, about 150 U.S. Secret Service agents, aided by state and local authorities, raided presumed criminal-hacker organizations allegedly involved in credit-card abuse and theft of telephone services. They seized 42 computers and 23,000 disks from locations in 14 cities. Targets were principally sites running discussion boards, some of which were classified as “hacker boards.” However, two years after the raid, there were only three indictments (resulting in three guilty pleas), and it became clear that much of the material seized in the raids was useless as evidence.111 Bruce Sterling spent a year and a half researching the operation and concluded that it was largely a propaganda effort:

… An unprecedented action of great ambition and size, Sundevil’s motives can only be described as political. It was a public-relations effort, meant to pass certain messages, meant to make certain situations clear: both in the mind of the general public, and in the minds of various constituencies of the electronic community.

First—and this motivation was vital—a “message” would be sent from law enforcement to the digital underground. This very message was recited in so many words by Garry M. Jenkins, the Assistant Director of the US Secret Service, at the Sundevil press conference in Phoenix on May 9, 1990, immediately after the raids. In brief, hackers were mistaken in their foolish belief that they could hide behind the “relative anonymity of their computer terminals.” On the contrary, they should fully understand that state and federal cops were actively patrolling the beat in cyberspace—that they were on the watch everywhere, even in those sleazy and secretive dens of cybernetic vice, the underground boards.112

2.14.9 1990: Steve Jackson Games. Two months before the Operation Sundevil raids, but (contrary to popular conflation of the two) in a completely separate operation, a role-playing game company called Steve Jackson Games in Austin, Texas, was raided on March 1, 1990. The Secret Service seized computers and disks at the company’s offices and also at the home of one of their employees, Loyd Blankenship— “The Mentor,” formerly of the LOD. Blankenship was writing a role-playing game called GURPS Cyberpunk, which the agents interpreted as “a handbook for computer crime.” Some of the equipment seized in the raid was returned four weeks later; most but not all was returned four months later. The company nearly went bankrupt as a result of the sequestration of critical resources.113

Outrage in the computing community spread beyond the underground. Mitch Kapor, John Barlow, and John Gilmore founded the Electronic Frontier Foundation in part because of their outrage over the treatment of Steve Jackson Games:

… We got the attorneys involved, and then we asked them to look into what was going on with a variety of government investigations and prosecutions. We identified a couple of particular legal situations, like Craig Neidorf in Chicago and Steve Jackson Games, where there seemed to us to have been a substantial overstepping of bounds by the government and an infringement on rights of free speech and freedom of the press. We were in the process of deciding how to intervene when we also realized very clearly that we didn’t want to be a legal defense fund as that was too narrow. What was really needed was to somehow improve the discourse about how technology is going to be used by society; we need to do things in the area of public education and policy development.114

Steve Jackson Games sued the Secret Service for damages and was awarded $50,000 in damages and more than $25,000 in attorney’s fees.115 The case had a lasting effect on how law enforcement officials carried out investigations of computer crimes and seizures of electronic evidence.

2.14.10 1992: L0pht Heavy Industries. In 1992, a group of computer enthusiasts arranged to store their spare equipment in some rented space in Boston. They collaborated on analysis of vulnerabilities, especially Microsoft product vulnerabilities, and gained a reputation for contributing serious research to the field and for appearing at security conferences. Their “L0phtCrack” program was adopted by many system administrators for auditing password files to locate easy-to-guess passwords; members even testified before the U.S. Senate Committee on Governmental Affairs in May 1998 (saying they could take down the Internet in half an hour).116 Famous handles from the group included “Brian Oblivion,” “Kingpin,” “Mudge,” “Space Rogue,” “Stefan von Neumann,” “Tan,” and “Weld Pond.”117

The group caused ripples in both the underground and aboveground security communities when their company, L0pht Heavy Industries, was purchased by security services firm @stake, Inc. in 2000. @stake was in turn bought by Symantec in 2004.118

2.14.11 2004: Shadowcrew. Stealing physical credit cards and creating fake ones are part of the criminal technique called “carding.” One of the significant successful investigations and prosecutions of an international credit card fraud ring of the 2000 decade began with the U.S. Secret Service’s Operation Firewall in late 2004. The investigators discovered a network of more than 4,000 members communicating through the Internet and conspiring to use phishing, spamming, forged identity documents (e.g., fake driver’s licenses), creation of fake plastic credit cards, resale of gift cards bought with fake credit cards, fencing of stolen goods via eBay, and interstate or international funds transfers using electronic money such as E-Gold and Web Money.

In October 2004, the Department of Justice indicted 19 of the leaders of Shadowcrew.119 By November 2005, 12 of these people had already pleaded guilty to charges of conspiracy and trafficking in stolen credit card numbers with losses of more than $4 million.120

In February 2006, Shadowcrew leader Kenneth J. Flury, 41, of Cleveland, Ohio, was sentenced to 32 months in prison with three years of supervised release and $300,000 in restitution to Citibank.121 In June 2006, cofounder Andrew Mantovani, 24, of Scottsdale, Arizona, was fined $5,000 and also received 32 months of prison with three years of supervised release. Five other indicted Shadowcrew criminals were sentenced with him. By that time, a total of 18 of 28 indicted suspects had already pleaded guilty.122

2.14.12 Late 2000s: Russian Business Network (RBN). The Russian Business Network (RBN) may have originated as a legitimate Web hosting company in 2006:

According to internet security company Verisign, which in June published an extensive investigation into the Russian outfit (tinyurl.com/ywvgpg), RBN was registered as an internet site in 2006.

Initially, much of its activity was legitimate. But apparently the founders soon discovered that it was more profitable to host illegitimate activities and started hiring its services to criminals. Verisign says simply that it is now “entirely illegal.” Since then its activities have been monitored by a number of organisations, including the London-based anti-spam group Spamhaus. “RBN is among the world’s worst spammer, child-pornography, malware, phishing and cybercrime hosting networks,” says a spokesman. “It provides ‘bulletproof’ hosting, but is probably involved in the crime too.”123

A researcher for the Internet Storm Center, “David Bizeul, spent the past three months researching the Russian Business Network (RBN). The RBN is a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography, and other illicit operations …” Bizeul’s study is a 70-page report with extensive documentation about the criminal activities of the RBN.124 The group has supported malware diffusion, spam, phishing, denial of service, distribution of cyberattack tools, pornography, and child pornography.

A 2011 report by David Goldman included the following useful insights:

“It’s not like the Mafia, it is a Mafia running these operations,” said Karim Hijazi, CEO of botnet monitoring company Unveillance. “The Russian Mafia are the most prolific cybercriminals in the world.”

Organized cybercrime is a truly international affair, but the most advanced attacks tend to stem from Russia. The Russian mob is incredibly talented for a reason: After the Iron Curtain lifted in the 1990s, a number of ex-KGB cyberspies realized they could use their expert skills and training to make money off of the hacked information they had previously been retrieving for government espionage purposes.

Former spies grouped together to form the Russian Business Network, a criminal enterprise that is capable of some truly scary attacks. It’s just one of many organized cybercriminal organizations, but it’s one of the oldest and the largest.

“The Russians have everyone nailed cold in terms of technical ability,” said Greg Hoglund, CEO of cybersecurity company HBGary. “The Russian crime guys have a ridiculous toolkit. They’re targeting end users in many cases, so they have to be sophisticated.”125

2.14.13 Anonymous. In 2003, political activists with a penchant for computer skills formed a loose association calling itself Anonymous for collaboration in a range of cyberattacks on targets its members disliked. The philosophy of the group explicitly rejects any centralized controls; anyone can claim to be a member of Anonymous.

In 2008, self-identified members of the movement labeling their efforts Chanology126 attacked the Church of Scientology (readers interested in following the reference provided in the end note should be aware that the site is loaded with advertisements for pornographic sites). Members also harassed organizations attempting to strengthen intellectual property laws and enforcement or antipiracy restrictions. Other targets of the nonorganization include the Epilepsy Foundation, hip-hop Websites, Sarah Palin’s political campaign, the government of Iran, the government of Australia, and the Tea Party chapter in Oregon.

One of the most publicized campaigns was in support of Julian Assange, leader of the WikiLeaks Foundation, whose group made public more than a million documents classified by the United States and other governments as restricted or secret and revealing embarrassing details of several wars and internal communications among diplomats.

In January 2013, members announced that they would release large amounts of U.S. Government–restricted information. They let the world know about their plans by posting their messages on a hacked U.S. Government Website.127

2.14.14 2013: Unlimited Operations. In May 2013, eight criminal hackers, New York City area members of a much larger worldwide ring of cybercriminals calling themselves Unlimited Operations, were charged with theft of more than $45 million from automated teller machines (ATMs) around the planet. The gang “used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe …”

In the first phase, in December 2012, the criminals breached the network of a card processor and stole prepaid debit card data for cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates. Using these compromised data, the criminal network completed more than 4,500 ATM transactions in 20 hours and stole more than $5 million.

The second phase began “… on the afternoon of February 19 and lasted into the early morning of February 20, 2013. This operation again breached the network of a credit card processor that serviced MasterCard prepaid debit cards, this time issued by the Bank of Muscat, located in Oman.” Total losses from 36,000 transactions in 24 countries netted $40 million in cash from ATMs.128
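The cash-out pattern described in this section (a handful of prepaid cards, withdrawal limits removed at the compromised processor, thousands of withdrawals across many countries inside a day) is visible from the card issuer's own transaction stream even when the processor's limit check has been defeated. The following Python is an added example, not code from the handbook or from any bank or processor: it runs a sliding-window velocity check, a geographic-dispersion check and an issuer-side limit check over constructed withdrawal records. The thresholds (more than 8 withdrawals or more than 2 countries in 24 hours, a 500 USD daily limit) and the card identifiers are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Issuer-side record of each card's intended daily withdrawal limit (constructed
# values). The attackers removed limits at the processor; the issuer's own copy
# of what the limit should be is unaffected, so a check against it still fires.
CARD_LIMITS_USD = {"card-A": 500.0, "card-B": 500.0}

# Constructed ATM withdrawal records, not real data:
# (card id, ISO-8601 timestamp, ISO country code of the ATM, amount in USD).
# card-A is cashed out across eight countries in about 16 hours; card-B is normal use.
SAMPLE_WITHDRAWALS = [
    ("card-A", "2013-02-19T14:02:00", "JP", 400.0),
    ("card-A", "2013-02-19T14:05:00", "JP", 400.0),
    ("card-A", "2013-02-19T16:30:00", "US", 800.0),
    ("card-A", "2013-02-19T16:31:00", "US", 800.0),
    ("card-A", "2013-02-19T18:00:00", "DE", 500.0),
    ("card-A", "2013-02-19T18:02:00", "DE", 500.0),
    ("card-A", "2013-02-19T20:10:00", "RU", 600.0),
    ("card-A", "2013-02-19T22:45:00", "CA", 600.0),
    ("card-A", "2013-02-20T01:00:00", "GB", 700.0),
    ("card-A", "2013-02-20T03:15:00", "ES", 700.0),
    ("card-A", "2013-02-20T05:40:00", "IT", 700.0),
    ("card-B", "2013-02-19T09:00:00", "US", 100.0),
    ("card-B", "2013-02-20T17:30:00", "US", 60.0),
]


def group_by_card(records):
    """Parse timestamps and return {card: [(datetime, country, amount), ...]} sorted by time."""
    by_card = defaultdict(list)
    for card, ts, country, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), country, amount))
    for txs in by_card.values():
        txs.sort()
    return by_card


def flag_cashout(records, limits, window_hours=24, max_tx=8, max_countries=2):
    """Return {card: set of reasons} for every card whose withdrawals, within any
    sliding window of window_hours, exceed max_tx transactions, span more than
    max_countries countries, or total more than the issuer's limit for that card."""
    window = timedelta(hours=window_hours)
    alerts = defaultdict(set)
    for card, txs in group_by_card(records).items():
        start = 0
        for end in range(len(txs)):
            # Advance the window start until every transaction in it is within window_hours of txs[end].
            while txs[end][0] - txs[start][0] > window:
                start += 1
            in_window = txs[start:end + 1]
            total = sum(amount for _, _, amount in in_window)
            countries = {country for _, country, _ in in_window}
            if len(in_window) > max_tx:
                alerts[card].add("velocity")
            if len(countries) > max_countries:
                alerts[card].add("geo_dispersion")
            if card in limits and total > limits[card]:
                alerts[card].add("limit_exceeded")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in sorted(flag_cashout(SAMPLE_WITHDRAWALS, CARD_LIMITS_USD).items()):
        print(card, sorted(reasons))
```

The limit check is deliberately independent of the processor: it compares the issuer's own expectation of the card's daily ceiling against what actually cleared, which is exactly the control the attackers bypassed upstream. In production the same three signals would be computed per card as transactions arrive rather than over a batch, and the thresholds tuned per product, but the structure is the same.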

2.15 INDUSTRIAL ESPIONAGE. Why spend money developing competitive products when you can steal the work once it’s ready to apply? Many firms in countries with little or no rule of law have taken advantage of poor security, outsourcing, and liberal immigration policies to steal intellectual property and compete at a discount with the originators of the ideas.

• In 2001, Junsheng Wang of Bell Imaging Technologies pled guilty to violation of 18 USC 1832(a)(2) by stealing trade secrets from Acuson Corporation. The Counterintelligence News and Developments (CIND) report noted, “In pleading guilty, Wang admitted that prior to August 24, 2000, he took without authorization and copied for Bell Imaging a document providing the architecture for the Sequoia ultrasound machine that contained the trade secrets of Acuson Corporation. According to Wang’s plea agreement, he had been able to obtain access to the Acuson trade secret materials because his wife was employed as an engineer at that company and because she had brought that document into their home. After he had copied the document, he took it with him on business trips to the People’s Republic of China, turning it over to Bell Imaging during 2000.”129

• In May 2001, Federal authorities arrested two Lucent scientists and a third man described as their business partner on May 4, charging them with stealing source code for software associated with Lucent’s PathStar Access Server and sharing it with Datang Telecom Technology Co., a Beijing firm majority-owned by the Chinese government. The software is considered a “crown jewel” of the company. Chinese nationals Hai Lin and Kai Xu were regarded as “distinguished members” of Lucent’s staff up until their arrests. The motivation for the theft, according to court documents, was to build a networking powerhouse akin to the “Cisco of China.” The men faced charges of conspiracy to commit wire fraud, punishable by a maximum five years in prison and a $250,000 fine.130 In April 2002, the two were also charged with stealing secrets from four companies in addition to Lucent: Telenetworks, NetPlane Systems, Hughes Software Systems, and Ziatech. An additional Chinese national, Yong-Qing Cheng, was also charged. They developed a joint venture with the Datang Telecom Technology Company of Beijing to sell a clone of Lucent’s PathStar data and voice transmission system to Internet providers in China.131

• In September 2002, the 3DGeo company in Mountain View, CA accused Shan Yanming, an employee of the China National Petroleum Corporation on loan to the company, of industrial espionage for trying to steal the software designed for using seismic data to map oil deposits. He was caught trying to download corporate data to his personal computer and was arrested by FBI agents.132

• In April 2003, the United States Attorney’s Office for the Northern District of California announced that Tse Thow Sun pled guilty on April 9, 2003, to theft of trade secrets. He admitted that in early 2002, while working for a language translation company, he delivered a laptop computer and a hard drive that contained trade secrets and confidential proprietary information to a competitor and asked for $3 million in payment. Mr. Sun, 32, a citizen of Singapore, was indicted by a federal Grand Jury on April 9, 2002. He was charged with theft of trade secrets, in violation of 18 U.S.C. §1832(a)(3); attempted theft of trade secrets, in violation of 18 U.S.C. §1832(a)(4); and interstate transportation of stolen goods, in violation of 18 U.S.C. §2314. Under the plea agreement, Mr. Sun pled guilty to theft of trade secrets.133

• In May 2003, three Swedish employees of LM Ericsson were charged with espionage for allegedly stealing intellectual property and sending it to Russian spies. “[Afshin] Bavand was arrested Nov. 5, 2002, while talking to a Russian intelligence agent in a Stockholm suburb. Police searched the Russian, who wasn’t identified, and found $4,000 in cash and Ericsson documents.”134

• The series of attacks codenamed Titan Rain was discovered by Shawn Carpenter in late 2003. Carpenter noticed a flood of expert hacker activity focusing on data theft from a wide range of “the country’s most sensitive military bases, defense contractors and aerospace companies.” Carpenter discovered that “the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.” Carpenter worked with U.S. Army and FBI investigators to learn more about the attacks and the attackers. According to Thornburgh, various analysts judge that “Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced.”135

• In July 2004, an Indian software engineer employed by a U.S. company’s software development center in India was accused of “zipping up” proprietary software source code for printing identification cards and uploading it to her personal e-mail account. Jolly Technologies shut down its Mumbai operations as a result of the breach of security.136

• In 2005 and 2006, EMC filed lawsuits against several employees for allegedly stealing trade secrets.137

• In December 2006, two Chinese nationals, Fei Ye and Ming Zhong, pleaded guilty to charges of economic espionage on behalf of the People’s Republic of China. They were arrested in November 2001 with stolen trade secrets in their luggage; the information was taken from Sun Microsystems and Transmeta Corporation. The agents were planning to design a competing microprocessor using the stolen designs; profits were to have been shared with the City of Hangzhou and the Province of Zhejiang. The agents’ company was funded in part by the National High Technology Research and Development Program of China.138

• In April 2008, sleeper agent Chi Mak, a naturalized U.S. citizen who lived peacefully in Los Angeles for 20 years, was sentenced to 24.5 years in federal prison for industrial espionage. He stole detailed plans for U.S. Navy equipment including submarine propulsion systems and tried to send them to China via his brother and sister-in-law.139

• In 2009, Siobhan Gorman, writing in The Wall Street Journal, reported as follows:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.” The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”140

• The Office of the National Counterintelligence Executive (ONCIX) published its Report to Congress on Foreign Economic Collection and Industrial Espionage 2009–2011 with the title “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.” The Executive Summary included this commentary:

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. U.S. private-sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.

• Some U.S. allies and partners use their broad access to U.S. institutions to acquire sensitive U.S. economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.141

• A March 2012 report detailed how a successful supervisory control and data acquisition (SCADA) software company, American Superconductor Corporation (AMSC), was practically destroyed economically by its major customer, the Chinese Sinovel company, which stole its proprietary wind-turbine software and then stopped paying for any further software services.142

• By early 2013, Symantec’s 2012 Internet Security Threat Report, Vol. 18 reported that small businesses were increasingly targeted for cyberattacks and industrial espionage: “In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.”143

2.16 CONCLUDING REMARKS. At some point, history becomes current events. At the time of writing (May 2013), the trends we were seeing dimly when the fifth edition of this work was published have become clearer. As the second decade of the 21st century reaches its midpoint, organized crime has become an integral part of the computer-crime scene—and vice versa. The Russian criminal underworld has increasingly invested in high-technology forms of fraud and also relies on high-tech communications for marketing of criminal undertakings, such as international traffic in drugs, armaments, and slaves. Information warfare has become a real issue as China advances in technology by stealing industrial secrets and capitalizing on the savings in research and development—and seeks growing global power. Terrorist groups cannot ignore the power of asymmetric warfare and must be presumed to be planning attacks on critical infrastructures worldwide. As the global communications network spreads throughout the world, governments, corporations, and individuals will have to increase their collaboration and vigilance to defeat the growing army of computer criminals of every type.

2.17 FURTHER READING

Anderson, N. The Internet Police: How Crime Went Online, and the Cops Followed. W. W. Norton & Company, 2013.

Banks, M. A. Web Psychos, Stalkers and Pranksters: How to Protect Yourself in Cyberspace. Coriolis Group Books, 1997.

Bequai, A. Technocrimes: The Computerization of Crime and Terrorism. Lexington Books, 1987.

Freedman, D. H., and C. C. Mann. @Large: The Strange Case of the World’s Biggest Internet Invasion. Simon & Schuster, 1997.

Goodell, J. The Cyberthief and the Samurai: The True Story of Kevin Mitnick—and the Man Who Hunted Him Down. Dell, 1996.

Hafner, K., and J. Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon & Schuster, 1991.

Hitchcock, J. A. True Crime Online: Shocking Stories of Scamming, Stalking, Murder, and Mayhem. Information Today, 2012.

Johnson, M. Cyber Crime, Security and Digital Intelligence. Gower Publishing, 2013.

Levy, S. Hackers: Heroes of the Computer Revolution. Doubleday, 1984.

Littman, J. The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen. Little, Brown, 1997.

Menn, J. Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet. PublicAffairs, 2010.

Mitnick, K. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. Little, Brown, 2011.

Mungo, P. Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals. Random House, 1993.

Parker, D. B. Fighting Computer Crime: A New Framework for Protecting Information. John Wiley & Sons, 1998.

Poulsen, K. Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. Crown, 2011.

Power, R. Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace. Indianapolis: Que, 2000.

Shackelford, S. J. Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace. Cambridge University Press, 2013.

Shimomura, T., and J. Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion, 1996.

Slatalla, M., and J. Quittner. Masters of Deception: The Gang that Ruled Cyberspace. HarperCollins, 1995.

Sterling, B. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Doubleday Dell, 1992.

Stoll, C. The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage. Simon & Schuster, 1989.

Taylor, R. W., E. J. Fritsch, J. R. Liederbach, and T. J. Holt. Digital Crime and Digital Terrorism, 2nd ed. Prentice-Hall, 2010.

Webb, W. You’ve Been Hacked: 15 Hackers You Hope Your Computer Never Meets. CreateSpace Independent Publishing Platform, 2013.

Wells, J. T. Computer Fraud Casebook: The Bytes that Bite. Wiley, 2009.

2.18 NOTES

1. Some of the materials in this chapter use text from the author’s prior publications, to which he holds the copyright. However, specific attributions or quotation marks in such cases are generally avoided, because changes are extensive and the typographical notations marking the changes would have been intrusive and disruptive.

2. Concordia University, “Who We Are: History,” 2008, www.concordia.ca/about/whoweare/ourhistory/sgw.php

3. T. Whiteside, Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud (New York: New American Library, 1978).

4. J. Gehl and S. Douglas, “Survey Reveals Epidemic of Battered PCs,” NewsScan, June 5, 2001.

5. M. Delio, “Battered Computers: An Epidemic,” Wired, June 5, 2001, www.wired.com/culture/lifestyle/news/2001/06/44284

6. NIPC/DHS, “Physical Attack Still the Biggest Threat,” Daily Open-Source Threat Report, April 11, 2003.

7. T. Fricke, “Physical Security of Electronic Voting Terminals,” RISKS 23, No. 20 (2004), http://catless.ncl.ac.uk/Risks/23.30.html

8. Whiteside, Computer Capers.

9. S. Spielberg, director, Catch Me If You Can, 2002, www.imdb.com/title/tt0264464/

10. R. Bell, Skywayman: The Story of Frank W. Abagnale, Jr. (Crime Library: Criminal Minds and Methods, 2008), www.trutv.com/library/crime/criminal mind/scams/frank abagnale/index.html

11. Whiteside, Computer Capers.

12. T. C. Greene, “Chapter One: Kevin Mitnick’s Story,” The Register, January 13, 2003, www.theregister.co.uk/2003/01/13/chapter one kevin mitnicks story/

13. J. Littman, The Fugitive Game: Online with Kevin Mitnick—The Inside Story of the Great Cyberchase (Boston: Little, Brown, 1996), p. 30.

14. A. N. Mayorkas and T. Mrozek, “Kevin Mitnick Sentenced to Nearly Four Years in Prison; Computer Hacker Ordered to Pay Restitution to Victim Companies Whose Systems Were Compromised,” Press Release, U.S. Department of Justice, United States Attorney’s Office, Central District of California, August 9, 1999, www.usdoj.gov/criminal/cybercrime/mitnick.htm

15. P. Jacobus, “Mitnick Released from Prison,” CNET News, September 21, 2000, http://news.cnet.com/Mitnick-released-from-prison/2100-1023 3-235933.html

16. K. D. Mitnick and W. L. Simon, The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers (New York: John Wiley & Sons, 1995). K. D. Mitnick and W. L. Simon, The Art of Deception: Controlling the Human Element of Security (Hoboken, NJ: John Wiley & Sons, 2003). J. Long, J. Wiles, and K. D. Mitnick, No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (Syngress, 2008).

17. E. Corley, director (as “Emmanuel Goldstein”), Freedom Downtime (2002), www.imdb.com/title/tt0309614/

18. R. Davies, “Origins of Money and of Banking,” 2005, www.projects.ex.ac.uk/RDavies/arian/origins.html

19. “Origin and History of Credit Cards,” Financial Web: Credit Cards, 2008, www.finweb.com/banking-credit/origin-and-history-of-credit-cards.html or http://tinyurl.com/5c2yhj

20. J. Rosenberg, “The First Credit Card,” About.com: 20th-Century History, 2008, http://history1900s.about.com/od/1950s/a/firstcreditcard.htm or tinyurl.com/6en9kg

21. B. Hutchins, “Notes on the Fair Credit Billing Act (FCBA),” 2002, www.ftc.gov/os/comments/dncpapercomments/04/lsap7.pdf

22. L. S. Fox, ed., The Federal Reserve System: Purposes & Functions, 9th ed. (Washington, DC: Board of Governors of the Federal Reserve System, 2005), www.federalreserve.gov/pf/pdf/pf 1.pdf; Chapter 2, “Consumer and Community Affairs,” p. 78 (p. 4 of PDF file). www.federalreserve.gov/pf/pdf/pf 6.pdf

23. “Origin and History of Credit Cards.”

24. K. Shorter, “Plastic Payments: Trends in Credit Card Fraud,” FBI Law Enforcement Bulletin (June 1997), www.fbi.gov/publications/leb/1997/june971.htm

25. www.usdoj.gov, news release of August 5, 2008.

26. Lynn Langton, “Identity Theft Reported by Households, 2005–2010,” Bureau of Justice Statistics, November 30, 2011, www.bjs.gov/index.cfm?ty=pbdetail&iid=2207

27. Javelin Strategy & Research, “2013 IDENTITY FRAUD REPORT: Data Breaches Becoming a Treasure Trove for Fraudsters.” Javelin, 2013, www.javelinstrategy.com/brochure/276

28. B. Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (New York: Bantam, 1992). Available free online: www.mit.edu/hacker/hacker.html

29. E. McCracken, “Dial-Tone Phreak,” New York Times, December 30, 2007, www.nytimes.com/2007/12/30/magazine/30joybubbles-t.html?ex=1356584400&en=8d26486125a53d83&ei=5124&partner=permalink&exprod=permalink or http://tinyurl.com/5s49cu

30. John T. Draper home page, www.webcrunchers.com

31. S. Wozniak and G. Smith, iWoz: Computer Geek to Cult Icon: How I Invented the Personal Computer, Co-Founded Apple, and Had Fun Doing It (New York: Norton, 2006).

32. R. Rosenbaum, “Secrets of the Little Blue Box,” Esquire Magazine (October 1971). Reprinted at www.slate.com/articles/technology/the spectator/2011/10/the article that inspired steve jobs secrets of the little blue .html

33. The text displayed was available on Poulsen’s Website until at least April 5, 2001, according to the Internet Archive. Sometime after that date, the biography was shortened and then sometime on or before December 4, 2002, it disappeared altogether and was replaced by a redirect to search for the string “By Kevin Poulsen” in Google.

34. K. Poulsen, “MySpace Predator Caught by Code,” Wired, October 16, 2006, www.wired.com/science/discoveries/news/2006/10/71948

35. Wired magazine, “Threat Level” blog, www.wired.com/threatlevel

36. B. Trumbore, “Ray Dirks and the Equity Funding Scandal,” Wall Street History, February 6, 2004, www.stocksandnews.com/wall-street-history.php?aid=MTU3M19XUw==

37. M. Kabay, “Crime, Use of Computers in.” In H. Bidgoli, ed., Encyclopedia of Information Systems, vol. 1 (New York: Academic Press, 2003), www2.norwich.edu/mkabay/overviews/crime use of computers in.pdf or http://tinyurl.com/3wqfxc

38. D. E. Hoffman, “CIA Slipped Bugs to Soviets: Memoir Recounts Cold War Technological Sabotage,” Washington Post, February 27, 2004, www.msnbc.msn.com/id/4394002

39. E. D. Shaw, K. G. Ruby, and J. M. Post, “The Insider Threat to Information Systems,” Security Awareness Bulletin No. 2-98, Department of Defense Security Institute (September 1998), www.ntc.doe.gov/cita/CI Awareness Guide/Treason/Infosys.htm

40. CNN.com, Y2K Archive, “Looking at the Y2K Bug,” 2000, www.cnn.com/TECH/specials/y2k/ (URL inactive)

41. Gardica-Feijóo, L., and J. R. Wingender, “Y2K: Myth or Reality.” Quarterly Journal of Business and Economics (Summer 2007), http://findarticles.com/p/articles/mi qa5466/is 200707/ai n21295780/pg 1 or http://tinyurl.com/64w5jm (URL inactive)

42. United States Department of Homeland Security, “Look Before You Click: Trojan Horses and Other Attempts to Compromise Networks,” Joint Information Bulletin, December 21, 2005, www.us-cert.gov/reading room/JIB-Trojan122105.pdf or http://tinyurl.com/6zwmes (URL inactive)

43. D. Izenberg, “Trojan Horse Masterminds Being Extradited to Israel,” Jerusalem Post, January 18, 2006. Available for purchase online: http://pqasb.pqarchiver.com/jpost/access/972012371.html?dids=972012371:972012371&FMT=ABS&FMTS=ABS:FT&type=current&date=Jan+18%2C+2006&author=DAN+IZENBERG&pub=Jerusalem+Post&edition=&startpage=04&desc=%27Trojan+horse%27+heads+extradited+to+Israel or http://tinyurl.com/5wlsgz (URL inactive)

44. W. K. Haskins, “Married Couple Indicted for Corporate Espionage,” SCI-TECH TODAY.com, March 7, 2006, www.sci-tech-today.com/story.xhtml?story id=12100DICT7FG&page=1 or http://tinyurl.com/3qantt (URL inactive)

45. L. Leyden, “Spyware-for-Hire Couple Plead Guilty: Israeli Prison Looms for Haephratis,” The Register, March 15, 2006, www.theregister.co.uk/2006/03/15/spyware trojan guilty plea/

46. “Court Hands Hefty Fine and Jail Sentence to Israeli Spyware Couple, Reports Sophos,” Sophos, March 27, 2006, www.sophos.com/pressoffice/news/articles/2006/03/israelspyduo.html or http://tinyurl.com/4gx38p

47. J. Leyden, “Israeli Spyware-for-Hire PIs Jailed,” The Register, April 29, 2008, www.theregister.co.uk/2008/04/29/spyware-for-hire/

48. R. Stiennon, “Four Private Investigators in the Israeli Trojan Fiasco Sentenced. Finally,” Network World, “Stiennon on Security,” April 30, 2008, www.networkworld.com/community/node/27387

49. J. L. Tkacik, “Trojan Dragon: China’s Cyber Threat,” Heritage Foundation Backgrounder #2106, February 8, 2008, www.heritage.org/Research/asiaandthepacific/bg2106.cfm

50. T. Claburn, “Operation ‘Cisco Raider’ Nets $76 in Fake Gear: The Multiyear Effort to Curb the Flow of Counterfeit Network Hardware into the U.S. and Canada Reflects a Steady Escalation in the War on Intellectual Property Crime,” InformationWeek, February 29, 2008, www.informationweek.com/operation-cisco-raider-nets-76-million-i/206901053

51. J. Markoff, “Trojan Horse Threat Stalks Pentagon after Bogus Hardware Purchase,” CIO TODAY, May 12, 2008, www.cio-today.com/story.xhtml?story id=103006ROXFYH or http://tinyurl.com/5tvz32 (URL inactive)

52. “Ms Smith,” “DHS: Imported Tech Tainted with Backdoor Attack Tools,” NetworkWorld | Privacy and Security Fanatic, July 12, 2011, www.networkworld.com/community/blog/dhs-imported-tech-tainted-backdoor-attack-too

53. For a detailed and personal view of malware history, see virus expert Roger Thompson’s “Malicious Code,” Chapter 2 in S. Bosworth and M. E. Kabay, eds. Computer Security Handbook, 4th ed. (Hoboken, NJ: John Wiley & Sons, 2002). Also, see Chapter 16 in this Handbook.

54. R. H. Zakon, “Hobbes’ Internet Timeline v8.2,” 1996, www.zakon.org/robert/internet/timeline/

55. “Virus Encyclopedia: History of Malware.” Viruslist.com, 2008, www.viruslist.com/en/viruses/encyclopedia?chapter=153310937

56. “Virus Encyclopedia: History of Malware.”

57. Clausthal University of Technology homepage (English), www.tu-clausthal.de/Welcome.php.en (URL inactive)

58. Thompson, “Malicious Code.”

59. R. Patterson, “Re: IBM Christmas Virus,” Risks Forum Digest 5, No. 80 (December 21, 1987): 1.1, catless.ncl.ac.uk/Risks/5.80.html∼subj1.1

60. C. Schmidt and T. Darby, “The What, Why and How of the 1988 Internet Worm,” 1995, snowplow.org/tom/worm/worm.html

61. Robert Morris MIT faculty biography, www.csail.mit.edu/user/972

62. D. Emm, “Changing Threats, Changing Solutions: A History of Viruses and Antivirus,” Viruslist.com (now Securelist.com), April 14, 2008, www.securelist.com/en/analysis?pubid=204791996

63. “The WildList Organization International: Frequently Asked Questions.” WildList Organization International, 2008, www.wildlist.org/faq.htm

64. R. Thompson, personal communication, May 25, 2008.

65. M. E. Kabay, “INFOSEC Year in Review 1999,” 1999, www2.norwich.edu/mkabay/iyir/1999.PDF (URL inactive)

66. CERT Advisory CA-2000-04 Love Letter Worm. CERT/CC, May 9, 2000, www.cert.org/advisories/CA-2000-04.html

67. D. I. Hopper, “Focus of ‘ILOVEYOU’ Investigation Turns to Owner of Apartment,” CNN.com, May 10, 2000, http://archives.cnn.com/2000/TECH/computing/05/10/i.love.you.03/index.html or http://tinyurl.com/4elq2l

68. “Suspected Creator of ‘ILOVEYOU’ Virus Chats Online,” CNN.com chat transcript, September 26, 2000, http://archives.cnn.com/2000/TECH/computing/09/26/guzman.chat/

69. M. Landler, “A Filipino Linked to ‘Love Bug’ Talks about His License to Hack,” New York Times, October 21, 2000, http://query.nytimes.com/gst/fullpage.html?res=990DE5D8113EF932A15753C1A9669C8B63 or http://tinyurl.com/4b826p

70. R. G. Smith, “Impediments to the Successful Investigation of Transnational High Tech Crime,” Trends & Issues in Crime and Criminal Justice, No. 285 (December 13, 2004), www.crime-research.org/articles/trends-and-issues-in-criminal-justice/ or http://tinyurl.com/44pn4s

71. Jaikumar Vijayan, “Stuxnet Renews Power Grid Security Concerns: First Known SCADA Malware Program to Target Control Systems Prompts New Questions about Security of U.S. Power Grid,” NetworkWorld, July 26, 2010, www.networkworld.com/news/2010/072610-stuxnet-renews-power-grid-security.html

72. Jim Finkle, “Researchers say Stuxnet was deployed against Iran in 2007.” Reuters, February 26, 2013, www.reuters.com/article/2013/02/26/us-cyberwar-stuxnet-idUSBRE91P0PP20130226

73. A. Lawrence, “Internet Growing Pains—The Canter & Siegel Story,” Computer Business Review (June 1994), www.coin.org.uk/roadshow/presentation/canter.html

74. K. K. Campbell, “A NET.CONSPIRACY SO IMMENSE… . Chatting with Martha Siegel of the Internet’s Infamous Canter & Siegel,” 1994, http://lcs.www.media.mit.edu/people/foner/Essays/Civil-Liberties/Project/green-card-lawyers.html or http://tinyurl.com/45f3fe (URL inactive)

75. D. R. Hilton, “Green Card Lottery—Last Call,” 1994, http://groups.google.com/group/misc.legal/msg/3416cd3d6cfcdebe (URL inactive)

76. L. Flynn, “‘Spamming’ on the Internet,” New York Times, October 16, 1994, www.nytimes.com/1994/10/16/business/sound-bytes-spamming-on-the-internet.html

77. A. Craddock, “Spamming Lawyer Disbarred,” Wired, July 10, 1997, www.wired.com/politics/law/news/1997/07/5060

78. N. Swidey, “Spambusters: Cyberwarriors of many stripes have joined the battle against junk email. But the enemy is wily, elusive—and multiplying,” Boston Globe, October 5, 2003, www.boston.com/news/globe/magazine/articles/2003/10/05/spambusters?mode=PF or http://tinyurl.com/4y3chj

79. C. Garretson, “The Summer of Spam: Record Growth, Record Irritation,” Network World, August 16, 2007, www.networkworld.com/news/2007/081607-spam-summer.html or http://tinyurl.com/6xoda3 (URL inactive)

80. J. Leyden, “Most Spam Comes from Just Six Botnets,” The Register, February 29, 2008, www.theregister.co.uk/2008/02/29/botnet spam deluge/

81. See NetworkWorld’s “Security Research Center” for up-to-date news about spam and phishing: www.networkworld.com/topics/security.html

82. T. Espiner, “Police Maintain Uneasy Relations with Cybervigilantes,” CNET News, January 17, 2007, http://news.cnet.com/Police-maintain-uneasy-relations-with-cybervigilantes/2100-7348 3-6150817.html or http://tinyurl.com/6fjykr

83. “The Net’s Most Wanted,” CNET News, August 16, 1996, http://news.cnet.com/2100-1023-221580.html

84. L. Z. Koch, “Jacking in from the ‘Spam in the Stocking’ Port: Unamailer Delivers Christmas Grief,” CyberWire Dispatch, December 26, 1996, www.petting-zoo.net/∼deadbeef/archive/2122.html

85. Koch, “Jacking in from the ‘Spam in the Stocking’ Port.”

86. “Unamailer Explains Bombings,” CNET News, December 30, 1996, http://news.cnet.com/Unamailer-explains-bombings/2100-1017 3-258247.html or http://tinyurl.com/422kgc

87. M. Richtel and S. Robinson, “Several Web Sites Are Attacked on Day after Assault Shut Yahoo,” New York Times, February 9, 2000, www.nytimes.com/library/tech/00/02/biztech/articles/09hack.html

88. E. Messmer, “Web Sites Unite to Fight Denial-of-Service War,” NetworkWorld, September 25, 2000, www.networkworld.com/news/2000/0925userdefense.html?nf& ref=858966935 or http://tinyurl.com/4cuvsf

89. “Today’s FBI: Facts and Figures,” 2003, www.fbi.gov/libref/factsfigure/factsfiguresapri2003.htm

90. See “The RMA Debate” for resources about “The Revolution in Military Affairs,” www.comw.org/rma/fulltext/asymmetric.html (URL inactive)

91. For German-speakers or those with automated translation programs, see “FAQ—Über den Chaos Computer Club,” May 27, 2004, www.ccc.de/de/faq

92. T. von Randow, “Bildschirmtext: A Blow against the System,” translation from Die Zeit, November 30, 1984, www.textfiles.com/news/boh-20f8.txt

93. H. Nissenbaum, “Hackers and the Battle for Cyberspace,” Dissent (Fall 2002), www.dissentmagazine.org/article/hackers-and-the-battle-for-cyberspace

94. Chaos Computer Club press release, “Chaos Computer Club Takes Legal Proceedings against the Voting Computer in Hesse,” January 7, 2008, www.ccc.de/updates/2008/wahlcomputer-hessen

95. P. Elmer-Dewitt, “The 414 Gang Strikes Again: Pranksters disrupt a hospital, and nobody is laughing,” Time (August 29, 1983), www.time.com/time/magazine/article/09171949797,00.html

96. P. Elmer-Dewitt, “Cracking Down: Hackers face tough new laws,” Time (May 14, 1984), www.time.com/time/magazine/article/09171955290,00.html

97. At the time of writing (May 2008), the group’s site (www.cultdeadcow.com) simply showed the words “BE BACK REAL SOON! / -xXx- cDc loves you with the fervor of a THOUSAND SUNS!! –xXx-” and a link to a YouTube video of a teenager playing a ukulele and singing. Consult the Internet Archive for historical snapshots of the site; web.archive.org/web/∗/www.cultdeadcow.com/ (URL inactive)

98. S. Rat, “The infamous … GERBIL FEED BOMB: Striking fear into the hearts of model citizens everywhere …” cDc communications, 1985, http://web.archive.org/web/20050212092311/www.cultdeadcow.com/cDc files/cDc-0001.html or http://tinyurl.com/44yyth

99. E. Messmer, “Bad Rap for Back Orifice 2000?” CNN.com, July 21, 1999, www.cnn.com/TECH/computing/9907/21/badrap.idg/

100. Sterling, Hacker Crackdown.

101. Hanna-Barbera, Super Friends, 1973, Internet Movie Database, www.imdb.com/title/tt0069641/

102. Hanna-Barbera, Challenge of the Super Friends, 1978, Internet Movie Database, www.imdb.com/title/tt0076994/

103. Sterling, Hacker Crackdown.

104. M. Slatalla and J. Quittner, “Gang War in Cyberspace,” Wired, 2.12 (December 1994), www.wired.com/wired/archive/2.12/hacker.html

105. Datastream Cowboy, “MOD Indicted,” Phrack 4, No. 40 (July 8, 1992): 13, www.phrack.com/issues.html?issue=40&id=13

106. J. Dibbell, “The Prisoner: Phiber Optik Goes Directly to Jail,” Village Voice (January 12, 1994), www.juliandibbell.com/texts/phiber.html

107. J. Barone, “Manifesto.” TechnoZen.com, 2000, www.technozen.com/manifesto.htm

108. The Mentor, “The Conscience of a Hacker,” Phrack 1, No. 7 (1986): 3; www.phrack.com/issues.html?issue=7&id=3#article

109. M. Slatalla and J. Quittner, Masters of Deception: The Gang that Ruled Cyberspace (New York: HarperCollins, 1995).

110. Sterling, Hacker Crackdown.

111. D. Charles, “‘Innocent’ Hackers Want Their Computers Back,” New Scientist, No. 1820, May 9, 1992, p. 9; www.newscientist.com/article/mg13418201.400-innocent-hackers-want-their-computers-back-.html or http://tinyurl.com/3vw26e

112. Sterling, Hacker Crackdown.

113. S. Jackson, “SJ Games vs. the Secret Service,” 2008, www.sjgames.com/SS/

114. D. Gans and K. Goffman, “Mitch Kapor & John Barlow Interview,” Electronic Frontier Foundation, August 5, 1990, http://w2.eff.org/Misc/Publications/John Perry Barlow/HTML/barlow and kapor in wired interview.html or http://tinyurl.com/4pgskr

115. S. Sparks, “Judge’s Decision in Steve Jackson Games v. United States Secret Service,” March 12, 1993, www.sjgames.com/SS/decision-text.html

116. D. Fisher, “The Long, Strange Trip of the L0pht,” SearchSecurity.com, March 17, 2008, http://searchsecurity.techtarget.com/news/1305880/The-long-strange-trip-of-the-L0pht

117. M. Fitzgerald, “L0pht in Transition,” CSO, April 17, 2007, www.csoonline.com/article/print/221192

118. Symantec News Release, “Symantec to Acquire @stake,” September 16, 2004, www.symantec.com/press/2004/n040916b.html

119. United States Department of Justice, Computer Crime & Intellectual Property Section, “Shadowcrew Organization Called ‘One-Stop Online Marketplace for Identity Theft’: Nineteen Individuals Indicted in Internet ‘Carding’ Conspiracy,” October 28, 2004, www.usdoj.gov/criminal/cybercrime/mantovaniIndict.htm (URL inactive)

120. United States Department of Justice, Computer Crime & Intellectual Prop- erty Section, “Six Defendants Plead Guilty in Internet Identity Theft and Credit Card Fraud Conspiracy,” November 17, 2005, www.usdoj.gov/criminal/ cybercrime/mantovaniPlea.htm (URL inactive)

121. G. A. White and R. W. Kern, “Cleveland, Ohio Man Sentenced to Prison for Bank Fraud and Conspiracy,” U.S. Department of Justice, Eastern District of Pennsylvania, February 28, 2006, www.usdoj.gov/criminal/cybercrime/ flurySent.htm


Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.


CHAPTER 3

TOWARD A NEW FRAMEWORK FOR INFORMATION SECURITY∗

Donn B. Parker, CISSP

3.1 PROPOSAL FOR A NEW INFORMATION SECURITY FRAMEWORK 3·1
3.2 SIX ESSENTIAL SECURITY ELEMENTS 3·3
  3.2.1 Loss Scenario 1: Availability 3·4
  3.2.2 Loss Scenario 2: Utility 3·4
  3.2.3 Loss Scenario 3: Integrity 3·5
  3.2.4 Loss Scenario 4: Authenticity 3·5
  3.2.5 Loss Scenario 5: Confidentiality 3·6
  3.2.6 Loss Scenario 6: Possession 3·7
  3.2.7 Conclusions about the Six Elements 3·8
3.3 WHAT THE DICTIONARIES SAY ABOUT THE WORDS WE USE 3·9
3.4 COMPREHENSIVE LISTS OF SOURCES AND ACTS CAUSING INFORMATION LOSSES 3·10
  3.4.1 Complete List of Information Loss Acts 3·11
  3.4.2 Examples of Acts and Suggested Controls 3·14
  3.4.3 Physical Information and Systems Losses 3·17
  3.4.4 Challenge of Complete Lists 3·18
3.5 FUNCTIONS OF INFORMATION SECURITY 3·19
3.6 SELECTING SAFEGUARDS USING A STANDARD OF DUE DILIGENCE 3·20
3.7 THREATS, ASSETS, VULNERABILITIES MODEL 3·20
3.8 CONCLUSION 3·20
3.9 FURTHER READING 3·23

3.1 PROPOSAL FOR A NEW INFORMATION SECURITY FRAMEWORK. Information security, historically, has been limited by the lack of a comprehensive, complete, and analytically sound framework for analysis and improvement. Despite its persistence, the classic triad of CIA (confidentiality, integrity, availability) is inadequate to describe what security practitioners include and implement when doing their jobs. We need a new information security framework that is complete, correct, and consistent to express, in practical language, the means for information owners to protect their information from any adversaries and vulnerabilities.

∗This chapter is a revised excerpt from Donn B. Parker, Fighting Computer Crime (New York: John Wiley & Sons, 1998), Chapter 10, “A New Framework for Information Security,” pp. 229–255.

The current focus on computer systems security is attributable to the understandable tendency of computer technologists to protect what they know best—the computer and network systems rather than the application of those systems. With a technological hammer in hand, everything looks like a nail. The primary security challenge comes from people misusing or abusing information, and often—but not necessarily—using computers and networks. Yet the individuals who currently dominate the information security folk art are neither criminologists nor computer application specialists.

This chapter presents a comprehensive new information security framework that resolves the problems of the existing models. The chapter demonstrates the need for six security elements—availability, utility, integrity, authenticity, confidentiality, and possession—to replace incomplete CIA security (which does not even seem to include security for information that is not confidential) in the new security framework. This new framework is used to list all aspects of security at a basic level. The framework is also presented in another form, the Threats, Assets, Vulnerabilities Model, which includes detailed descriptors for each topic in the model. This model supports the new security framework, demonstrating its contribution to advance information security from its current technological stage, and as a folk art, into the basis for an engineering and business art in cyberspace.

The new security framework model incorporates six essential parts:

1. Security elements of information to be preserved are:
   • Availability
   • Utility
   • Integrity
   • Authenticity
   • Confidentiality
   • Possession

2. Sources of loss of these security elements of information:
   • Abusers and misusers
   • Accidental occurrences
   • Natural physical forces

3. Acts that cause loss:
   • Destruction
   • Interference with use
   • Use of false data
   • Modification or replacement
   • Misrepresentations or repudiation
   • Misuse or failure to use
   • Location
   • Disclosure
   • Observation
   • Copying
   • Taking
   • Endangerment

4. Safeguard functions to protect information from these acts:
   • Audit
   • Avoidance
   • Deterrence
   • Detection
   • Prevention
   • Mitigation
   • Transference
   • Investigation
   • Sanctions and rewards
   • Recovery

5. Methods of safeguard selection:
   • Use due diligence
   • Comply with regulations and standards
   • Enable business
   • Meet special needs

6. Objectives to be achieved by information security:
   • Avoid negligence
   • Meet requirements of laws and regulations
   • Engage in successful commerce
   • Engage in ethical conduct
   • Protect privacy
   • Minimize impact of security on performance
   • Advance an orderly and protected society

In summary, this model is based on the goal of meeting owners’ needs to protect the desired security elements of their information from sources of loss that engage in harmful acts and events by applying safeguard functions that are selected by accepted methods to achieve desired objectives. The sections of the model are explained next. It is important to note that security risk, return on security investment (ROSI), and net present value (NPV) based on unknown future losses and enemies and their intentions are not identified in this model, since they are not measurable and, hence, not manageable.

3.2 SIX ESSENTIAL SECURITY ELEMENTS. Six security elements in the proposed framework model are essential to information security. If any one of them is omitted, information security is deficient in protecting information owners. Six scenarios of information losses, all derived from real cases, are used to demonstrate this contention. We show how each scenario involves violation of one, and only one, element of information security. Thus, if we omit that element from information security, we also remove that scenario from the concerns of information security, which would be unacceptable. It is likely that information security professionals will agree that all of these scenarios fall well within the range of the abuse and misuse that we need to protect against.

3.2.1 Loss Scenario 1: Availability. A rejected contract programmer, intent on sabotage, removed the name of a data file from the file directories in a credit union’s computer. Users of the computer and the data file no longer had the file available to them, because the computer operating system recognizes the existence of information available for users only if it is named in the file directories. The credit union was shut down for two weeks while another programmer was brought in to find and correct the problem so that the file would be available. The perpetrator was eventually convicted of computer crime.

Except for availability, the other elements of information security—utility, integrity, authenticity, confidentiality, and possession—do not address this loss, and their state does not change in the scenario. The owner of the computer (the credit union) retained possession of the data file. Only the availability of the information was lost, but it is a loss that clearly should have been prevented by information security. Thus, the preservation of availability must be accepted as a purpose of information security.

It is true that good security practice might have prevented the disgruntled programmer from having use of the credit union application system, and credit union management could have monitored his work more carefully. They should not have depended on the technical capabilities and knowledge of only one person, and they should have employed several controls to preserve or restore the availability of data files in the computer, such as by maintaining a backup directory with the names of erased files and pointers to their physical location. The loss might have been prevented, or minimized, through good backup practices, good usage controls for computers and specific data files, use of more than one name to identify and find a file, and the availability of utility programs to search for files by content or to mirror file storage. These safeguards would at least have made the attack more difficult and would have confronted the programmer with the malfeasance of his act.

The severity of availability loss can vary considerably. A perpetrator may destroy copies of a data file in a manner that eliminates any chance of recovery. In other situations, the data file may be partially usable, with recovery possible for a moderate cost, or the user may have inconvenienced or delayed use of the file for some period of time, followed by complete recovery.

3.2.2 Loss Scenario 2: Utility. In this case, an employee routinely encrypted the only copy of valuable information stored in his organization’s computer and then accidentally erased the encryption key. The usefulness of the information was lost and could be restored only through difficult cryptanalysis.

Although this scenario can be described as a loss of availability or authenticity of the encryption key, the loss focuses on the usefulness of the information rather than on the key, since the only purpose of the key was to facilitate encryption. The information in this scenario is available, but in a form that is not useful. Its integrity, authenticity, and possession are unaffected, and its confidentiality, unfortunately, is greatly improved.

To preserve utility of information in this case, management should require mandatory backup copies of all critical information and should control the use of powerful protective mechanisms such as cryptography. Management should require security walk-through tests during application development to limit unusable forms of information. It should minimize the adverse effects of security on information use and should control the types of activities that enable unauthorized persons to reduce the usefulness of information.

The loss of utility can vary in severity. The worst-case scenario would be the total loss of usefulness of the information, with no possibility of recovery. Less severe cases include a partially useful state with the potential for full restoration of usefulness at moderate cost.

3.2.3 Loss Scenario 3: Integrity. In this scenario, a software distributor purchased a copy (on DVD) of a program for a computer game from an obscure publisher. The distributor made copies of the DVD and removed the name of the publisher from the DVD copies. Then, without informing the publisher or paying any royalties, the distributor sold the DVD copies in a foreign country. Unfortunately, the success of the program sales was not deterred by the lack of an identified publisher on the DVD or in the product promotional materials.

Because the DVD copies of the game did not identify the publisher that created the program, the copies lacked integrity. (“Integrity” means a state of completeness, wholeness, and soundness, or adhering to a code of moral values.) However, the copies did not lack authenticity, since they contained the genuine game program and only lacked the identity of the publisher, which was not necessary for the successful use of the product. Information utility of the DVD was maintained, and confidentiality and availability were not at issue. Possession also was not at issue, since the distributor bought the original DVD. But copyright protection was violated as a consequence of the loss of integrity and unauthorized copying of the otherwise authentic program.

Several controls can be applied to prevent the loss of information integrity, including using and checking sequence numbers, checksums, and/or hash totals to ensure completeness and wholeness for a series of items. Other controls include performing manual and automatic text checks for required presence of records, subprograms, paragraphs, or titles, and testing to detect violations of specified controls.

The severity of information integrity loss also varies. Significant parts of the information can be missing or misordered (but still available), with no potential for recovery. Or missing or misordered information can be restored, with delay and at moderate cost. In the least severe cases, an owner can recover small amounts of misordered or mislocated information in a timely manner at low cost.

3.2.4 Loss Scenario 4: Authenticity. In a variation of the preceding scenario, another software distributor obtained the program (on DVD) for a computer game from an obscure publisher. The distributor changed the name of the publisher on the DVD and in title screens to that of a well-known publisher, then made copies of the DVD. Without informing either publisher, the distributor then proceeded to distribute the DVD copies in a foreign country. In this case, the identity of a popular publisher on the DVDs and in the promotional materials significantly added to the success of the product sales.

Because the distributor misrepresented the publisher of the game, the program did not conform to reality: It was not an authentic game from the well-known publisher. Availability and utility are not at issue in this case. The game had integrity because it identified a publisher and was complete and sound. (Certainly the distributor lacked personal integrity because his acts did not conform to ethical practice, but that is not the subject of the scenario.) The actual publisher did not lose possession of the game, even though copies were deceptively represented as having come from a different publisher. And, although the distributor undoubtedly tried to keep his actions secret from both publishers, confidentiality of the content of the game was not at issue.

What if someone misrepresents your information by claiming that it is his? Violation of CIA does not include this act. A stockbroker in Florida cheated his investors in a Ponzi (pyramid sales) scheme. He stole $50 million by claiming that he used a super-secret computer program on his giant computer to make profits of 60 percent per day by arbitrage, a stock trading method in which the investor takes advantage of a small difference in prices of the same stock in different markets. He showed investors the mainframe computer at a Wall Street brokerage firm and falsely claimed that it and the information stored therein were his, thereby lending believability to his claims of successful trading.

This stockbroker’s scheme was certainly a computer crime, but the CIA elements do not address it as such because their definition of integrity does not include misrepresentation of information. “Integrity” means only that information is whole or complete; it does not address the validity of information. Obviously, confidentiality and availability do not cover misrepresentation either. The best way to extend CIA to include misrepresentation is to use the more general term “authenticity.” We can then assign the correct English meaning to the phrase “integrity of information”: wholeness, completeness, and good condition. Dr. Peter Neumann at SRI International is correct when he says that information with integrity means that the information is what you expect it to be. This does not, however, necessarily mean that the information is valid (you may expect it to be invalid). “Authenticity” is the word that means conformance to reality.

A number of controls can be applied to ensure authenticity of information. These include confirming transactions, names, deliveries, and addresses; validating products; checking for out-of-range or incorrect information; and using digital signatures and watermarks to authenticate documents.
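The integrity controls named in 3.2.3 (sequence numbers and hash totals) and the authenticity control named here (digital signatures) can be contrasted in code. The following is an added example, not code from the handbook: records, publisher names and keys are constructed, and a keyed HMAC tag stands in for a digital signature so that the script needs only the Python standard library.

```python
"""Integrity versus authenticity checks on a batch of records.

Added example, not the handbook's code. Integrity is checked with sequence
numbers and a hash total over the series of items; authenticity is checked by
verifying that the publisher named on the batch vouched for it. A keyed HMAC
tag stands in for the digital signature a real control would use (which lets
verifiers hold only public keys). Records, names and keys are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample release of three items; each carries a sequence number
# and the last one names the publisher (compare Loss Scenario 3).
SAMPLE_BATCH = [
    {"seq": 1, "item": "game.bin", "size": 4096},
    {"seq": 2, "item": "readme.txt", "size": 512},
    {"seq": 3, "item": "publisher.txt", "size": 64},
]

# Constructed publisher keys (assumption: the verifier knows every publisher's key).
PUBLISHER_KEYS = {
    "Obscure Games Ltd": b"constructed-key-obscure-games",
    "Well-Known Publishing": b"constructed-key-well-known",
}

def canonical(record):
    """Stable byte encoding so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def hash_total(batch):
    """Hash total over the items in their stored order (a control total)."""
    digest = hashlib.sha256()
    for record in batch:
        digest.update(canonical(record))
    return digest.hexdigest()

def control_total(batch):
    """Control record the sender attaches: item count plus the hash total."""
    return {"count": len(batch), "hash": hash_total(batch)}

def check_integrity(batch, control):
    """Return the list of integrity defects; an empty list means the batch is
    whole and complete. Sequence numbers expose missing, duplicated or
    misordered items; the hash total exposes any alteration of content."""
    defects = []
    seqs = [record["seq"] for record in batch]
    missing = sorted(set(range(1, control["count"] + 1)) - set(seqs))
    if missing:
        defects.append("missing sequence numbers %s" % missing)
    duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
    if duplicates:
        defects.append("duplicate sequence numbers %s" % duplicates)
    if seqs != sorted(seqs):
        defects.append("items out of order")
    if hash_total(batch) != control["hash"]:
        defects.append("hash total mismatch")
    return defects

def attest_batch(batch, publisher):
    """Publisher attaches its name and a keyed tag binding that name to the batch."""
    message = publisher.encode() + b"\n" + hash_total(batch).encode()
    tag = hmac.new(PUBLISHER_KEYS[publisher], message, "sha256").hexdigest()
    return {"publisher": publisher, "tag": tag}

def check_authenticity(batch, attestation):
    """True only if the key of the publisher *named* on the batch produced the
    tag over this batch: whole, unaltered content under a false name fails."""
    key = PUBLISHER_KEYS.get(attestation["publisher"])
    if key is None:
        return False
    message = attestation["publisher"].encode() + b"\n" + hash_total(batch).encode()
    expected = hmac.new(key, message, "sha256").hexdigest()
    return hmac.compare_digest(expected, attestation["tag"])

def scenario_3_integrity_loss():
    """Scenario 3 analogue: the publisher record is stripped from the copies.
    The series is no longer whole, so integrity is lost."""
    control = control_total(SAMPLE_BATCH)
    copies = [r for r in SAMPLE_BATCH if r["item"] != "publisher.txt"]
    return check_integrity(copies, control)

def scenario_4_authenticity_loss():
    """Scenario 4 analogue: the batch is whole and unaltered but relabelled with
    a well-known publisher's name. Integrity holds; authenticity does not."""
    control = control_total(SAMPLE_BATCH)
    genuine = attest_batch(SAMPLE_BATCH, "Obscure Games Ltd")
    relabelled = {"publisher": "Well-Known Publishing", "tag": genuine["tag"]}
    return (check_integrity(SAMPLE_BATCH, control),
            check_authenticity(SAMPLE_BATCH, relabelled))

if __name__ == "__main__":
    print("Scenario 3 integrity defects:", scenario_3_integrity_loss())
    print("Scenario 4 (defects, authentic):", scenario_4_authenticity_loss())
```

The stripped publisher record of Scenario 3 shows up as an integrity defect, while the relabelled but unaltered batch of Scenario 4 passes the integrity check and fails only the authenticity check.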

The severity of authenticity loss can take several forms, including lack of conformance to reality with no recovery possible; moderately false or deceptive information with delayed recovery at moderate cost; or factually correct information with only annoying discrepancies. If the CIA elements included authenticity, with misrepresentation of information as an important associated threat, Kevin Mitnick (the notorious criminal hacker who used deceit as his principal tool for penetrating security barriers) might have faced a far more difficult challenge in perpetrating his crimes. The computer industry might have understood the need to prove computer operating system updates and Web sites genuine, to avoid misrepresentation with fakes before their customers used those fakes in their computers.

3.2.5 Loss Scenario 5: Confidentiality. A thief deceptively obtained information from a bank’s technical maintenance staff. He used a stolen key to open the maintenance door of an automated teller machine (ATM) and secretly inserted a radio transmitter that he purchased from a Radio Shack store. The radio received signals from the touch-screen display in the ATM that customers use to enter their personal identification numbers (PINs) and to receive account balance information. The radio device broadcast the information to the thief’s radio receiver in his nearby car, which recorded the PINs and account balances on tape in a modified videocassette recorder. The thief used the information to loot the customers’ accounts from other ATMs. The police and the Federal Bureau of Investigation caught the thief after elaborate detective and surveillance efforts. He was sentenced to 10 years in a federal prison.

The thief violated the secrecy of the customers’ PINs and account balances, and he violated their privacy. Availability, utility, integrity, and authenticity were unaffected in this violation of confidentiality. The customers’ and the bank’s exclusive possession of the PINs and account balance information was lost, but not possession per se, because they still held and owned the information. Therefore, this was primarily a case of lost confidentiality.

According to most security experts, confidentiality deals with disclosure, but confidentiality also can be lost by observation, whether that observation is voluntary or involuntary, and whether the information is disclosed or not disclosed. For example, if you leave sensitive information displayed on an unattended computer monitor screen, you have disclosed it and it may or may not lose its confidentiality. If you turn the monitor off, leaving a blank screen, you have not disclosed sensitive information, but if someone turns the monitor on and reads its contents without permission, then confidentiality is lost by observation. We must prevent both disclosure and observation in order to protect confidentiality.

Controls to maintain confidentiality include using cryptography, training employees to resist deceptive social engineering attacks intended to obtain their technical knowledge, and controlling the use of computers and computer devices. Good security also requires that the cost of resources for protection not exceed the value of what may be lost, especially with low incidence. For example, protecting against radio frequency emanations in ATMs (as in this scenario) is probably not advisable, considering the cost of shielding and the paucity of such high-tech attacks.

The severity of loss of confidentiality can vary. The worst-case scenario loss is when a party with the intent and ability to cause harm observes a victim’s sensitive information. In this case, unrecoverable damage may result. But information also may be known to several moderately harmful parties, with a moderate loss effect, or be known to one harmless, unauthorized party with short-term recoverable effect.

3.2.6 Loss Scenario 6: Possession. A gang of burglars aided by a disgruntled, recently fired operations supervisor broke into a computer center and stole tapes and disks containing the company’s master files. They also raided the backup facility and stole all backup copies of the files. They then held the materials for ransom in an extortion attempt against the company. The burglary resulted in the company’s losing possession of all copies of the master files as well as the media on which they were stored. The company was unable to continue business operations. The police eventually captured the extortionists with help from the company during the ransom payment, and they recovered the stolen materials. The burglars were convicted and served long prison sentences.

Loss of possession occurred in this case. The perpetrators delayed availability, but the company could have retrieved the files at any time by paying the ransom. Alternatively, the company could have re-created the master files from paper documents, but at great cost. Utility, integrity, and authenticity were not issues in this situation. Confidentiality was not violated because the burglars had no reason to read or disclose the files. Loss of ownership and permanent loss of possession would have been accomplished if the perpetrators had never returned the materials or if the company had stopped trying to recover them.

The security model must include protecting the possession of information so as to prevent theft, whether the information is confidential or not. Confidentiality, by definition, deals only with secret information that people may possess. Our increasing use of computers magnifies this difference; huge amounts of information are possessed for automated use and not necessarily held confidentially for only specified people to know. Computer object programs are examples of proprietary but not confidential information we do not know but possess by selling, buying, bartering, giving, receiving, and trading until we ultimately control, transport, and use them. We have incorrectly defined possession if we include only the protective efforts for confidential material.

We protect the possession of information by preventing people from unauthorized taking, from making copies, and from holding or controlling it—whether confidentiality is involved or not. The loss of possession of information also includes the loss of control of it, and may allow the new possessor to violate its confidentiality at will. Thus, loss of confidentiality may accompany loss of possession. But we must treat confidentiality and possession separately to determine what actions criminals might take and what controls we need to apply to prevent their actions. Otherwise, we may overlook a particular threat or an effective control. The failure to anticipate a threat and vulnerability is one of the greatest dangers we face in security.

Controls that can protect the possession of information include using copyright laws, implementing physical and logical usage limitations, preserving and examining computer audit logs for evidence of stealing, inventorying tangible and intangible assets, using distinctive colors and labels on media containers, and assigning ownership to enforce accountability of organizational information assets.

The severity of loss of possession varies with the nature of the offense. In a worst-case scenario, a criminal may take information, as well as all copies of it, and there may be no means of recovery—either from the perpetrator or from other sources such as paper documentation. In a less harmful scenario, a criminal might take information for some period of time but leave some opportunity for recovery at a moderate cost. In the least harmful situation, an owner could possess more than one copy of information, leaving open the possibility of recovery from other sources (e.g., backup files) within a reasonable period of time.

3.2.7 Conclusions about the Six Elements. We need to understand some important differences between integrity and authenticity. For one, integrity deals with the intrinsic condition of information, while authenticity deals with the extrinsic value or meaning relative to external sources and uses. Integrity does not deal with the meaning of the information with respect to external sources, that is, whether the information is timely and not obsolete. Authenticity, in contrast, concerns the question of whether information is genuine or valid and not out of date with respect to its potential use. A user who enters false information into a computer possibly has violated authenticity, but as long as the information remains unchanged, it has integrity. An information security technologist who designs security into computer operating systems is concerned only with application information integrity because the designer cannot know if any user is entering false information. In this case, the security technologist’s job is to ensure that both true and false information remain whole and complete. It is the information owner, with guidance from an information security advisor, who has the responsibility of ensuring that the information conforms to reality—in other words, that it has authenticity.

Some types of loss that information security must address require the use of all six elements of the framework model to determine the appropriate security to apply. Each of the six elements can be violated independently of the others, with one important exception: A violation of confidentiality always results in loss of exclusive possession, at the least. Loss of possession, however—even exclusive possession—does not necessarily result in loss of confidentiality.

Other than that exception, the six elements are unique and independent, and often require different security controls. Maintaining the availability of information does not necessarily maintain its utility; information may be available but useless for its intended purpose, and vice versa. Maintaining the integrity of information does not necessarily mean that the information is valid, only that it remains the same or, at least, whole and complete. Information can be invalid and, therefore, without authenticity, yet it may be present and identical to the original version and, thus, have integrity. Finally, who is allowed to view and know information and who possesses it are often two very different matters.

Unfortunately, the written information security policies of many organizations do not acknowledge the need to address many kinds of information loss. This is because their policies are limited to achieving CIA. To define information security completely, the policies must address all six elements presented. Moreover, to eliminate (or at least reduce) security threats adequately, all six elements need to be considered to ensure that nothing is overlooked in applying appropriate controls. These elements are also useful for identifying and anticipating the types of abusive actions that adversaries may take—before such actions are undertaken.

For simplification and ease of reference, we can pair the six elements into three double elements, which should be used to identify threats and select proper controls, and we can associate them with synonyms so as to facilitate recall and understanding:

availability and utility → usability and usefulness
integrity and authenticity → completeness and validity
confidentiality and possession → secrecy and control

Availability and utility fit together as the first double element. Controls common to these elements include secure location, appropriate form for secure use, and usability of backup copies. Integrity and authenticity also fit together; one is concerned with internal structure and the other with conformance to external facts or reality. Controls for both include double entry, reasonableness checks, use of sequence numbers and checksums or hash totals, and comparison testing. Control of change applies to both as well. Finally, confidentiality and possession go together because, as discussed, they are interrelated. Commonly applied controls for both include copyright protection, cryptography, digital signatures, escrow, and secure storage.

The order of the elements here is logical, since availability and utility are necessary for integrity and authenticity to have value, and these first four elements are necessary for confidentiality and possession to have material meaning.

3.3 WHAT THE DICTIONARIES SAY ABOUT THE WORDS WE USE. CIA would be adequate for security purposes if the violation of confidentiality were defined to be anything done with information, if integrity were defined to be anything done to information, and if availability were to include utility, but these definitions would be incorrect and are not understood by many people. Information professionals are already defining the term “integrity” incorrectly, and we would not want to make matters worse. These definitions of security and the elements are relevant abstractions from Webster’s Third New International Dictionary and Webster’s Collegiate Dictionary, 10th edition.

Security—freedom from danger, fear, anxiety, care, uncertainty, doubt; basis for confidence; measures taken to ensure against surprise attack, espionage, observation, sabotage; resistance of a cryptogram to cryptanalysis usually measured by the time and effort needed to solve it.

Availability—present or ready for immediate use.


Utility—useful, fitness for some purpose.

Integrity—unimpaired or unmarred condition; soundness; entire correspondence with an original condition; adherence to a code of moral, artistic or other values; the quality or state of being complete or undivided; material wholeness.

Authenticity—quality of being authoritative, valid, true, real, genuine, worthy of acceptance or belief by reason of conformity to fact and reality.

Confidentiality—quality or state of being private or secret; known only to a limited few, containing information whose unauthorized disclosure could be prejudicial to the national interest.

Possession—act or condition of having or taking into one’s control or holding at one’s disposal; actual physical control of property by one who holds for himself, as distinguished from custody; something owned or controlled.

We lose credibility and confuse information owners if we do not use words precisely and consistently. When defined correctly, the six words are independent (with the exception that information possession is always violated when confidentiality is violated). They are also consistent, comprehensive, and complete. In other words, the six elements themselves possess integrity and authenticity, and therefore they have great utility. This does not mean that we will not find new elements or replace some of them as our insights develop and technology advances. (I first presented this demonstration of the need for the six elements in 1991 at the 14th U.S. National Security Agency/National Institute of Standards and Technology National Computer Security Conference in Baltimore.)

My definitions of the six elements are considerably shorter and simpler than the dictionary definitions, but appropriate for information security.

Availability—usability of information for a purpose

Utility—usefulness of information for a purpose

Integrity—completeness, wholeness, and readability of information and quality being unchanged from a previous state

Authenticity—validity, conformance, and genuineness of information

Confidentiality—limited observation and disclosure of knowledge

Possession—holding, controlling, and having the ability to use information

3.4 COMPREHENSIVE LISTS OF SOURCES AND ACTS CAUSING INFORMATION LOSSES. The losses that we are concerned about in information security come from people who engage in unauthorized and harmful acts against information, communications, and systems, such as embezzlers, fraudsters, thieves, saboteurs, and criminal hackers. They engage in harmful using, taking, misrepresenting, observing, and every other conceivable form of human misbehavior. Natural physical forces such as air and earth movements, heat and cold, electromagnetic energy, living organisms, gravity and projectiles, and water and gases also are threats to information, as are inadvertent human errors.

Extensive lists of losses found in information security often include fraud, theft, sabotage, and espionage, along with disclosure, usage, repudiation, and copying. The first four losses in this list are criminal justice terms at a different level of abstraction from the last four and require an understanding of criminal law, which many information owners and security specialists lack. For example, fraud includes theft only if it is performed using deception, and larceny includes burglary and theft from a victim’s premises. What constitutes “premises” in an electronic network environment? This is a legal issue.

Many important types of information-related acts, such as false data entry, failure to perform, replacement, deception, misrepresentation, prolongation of use, delay of use, and even the obvious taking copies of information, are frequently omitted from lists of adverse incidents. Each of these losses may require different prevention and detection controls. This may be easily overlooked if our list of potential acts is incomplete—even though the acts that we typically omit are among the most common reported in actual loss experience. The people who cause losses often are aware that information owners have not provided adequate security and have not considered the full array of possible acts. It is, therefore, essential to include all types of potential harmful acts in our lists, especially when unique safeguards are applicable. Otherwise, we are in danger of being negligent, and those to whom we are accountable will view information security as incomplete or poorly conceived and implemented when a loss does occur.

The complete list of information loss acts in the next section is a comprehensive, nonlegalistic list of potential acts resulting in losses to or with information that I compiled from my 35 years in research about computer crime and security. I have simplified it to a single, low level of abstraction to facilitate understanding by information owners and to enable them to select effective controls. The list makes no distinction among the causes of the losses; as such, it applies equally well to accidental and intentional acts. Cause is largely irrelevant at this level of security analysis, as is the underlying intent or lack thereof. (Identifying cause is important at another level of security analysis. We need to determine the sources and motivation of threats in order to identify appropriate avoidance, deterrence, correction, and recovery controls.) In addition, the list makes no distinction between electronic and physical causes of loss, or among spoken, printed, or electronically recorded information.

The acts in the list are grouped to correspond to the six elements of information security outlined previously (e.g., availability and utility, etc.). Some types of acts in one element grouping may have a related effect in another grouping as well. For example, if no other copies of information exist, destroying the information (under availability) also may cause loss of possession, and taking (under possession) may cause loss of availability. Yet loss of possession and loss of availability are quite different, and may require different controls. I have placed acts in the most obvious categories, where a loss prevention analyst is likely to look first.

Here is an abbreviated version of the complete loss list for convenient use in the information security framework model:

• Destroy
• Interfere with use
• Introduce false data
• Modify or replace
• Misrepresent or repudiate

3.4.1 Complete List of Information Loss Acts

Availability and Utility Losses

• Destruction, damage, or contamination
• Denial, prolongation, acceleration, or delay in use or acquisition
• Movement or misplacement
• Conversion or obscuration

Integrity and Authenticity Losses

• Insertion, use, or production of false or unacceptable data
• Modification, replacement, removal, appending, aggregating, separating, or reordering
• Misrepresentation
• Repudiation (rejecting as untrue)
• Misuse or failure to use as required

Confidentiality and Possession Losses

• Locating
• Disclosing
• Observing, monitoring, and acquiring
• Copying
• Taking or controlling
• Claiming ownership or custodianship
• Inferring
• Exposing to all of the other losses
• Endangering by exposing to any of the other losses
• Failure to engage in or to allow any of the other losses to occur when instructed to do so

Users may be unfamiliar with some of the words in the lists of acts, at least in the context of security. For example, “repudiation” is a word that we seldom hear or use outside of the legal or security context. According to dictionaries, it means to refuse to accept acts or information as true, just, or of rightful authority or obligation. Information security technologists became interested in repudiation when the Massachusetts Institute of Technology (MIT) developed a secure network operating system for its internal use. The system was named Kerberos, taking the name of the three-headed dog that guarded the underworld in Greek mythology. Kerberos provides a means of forming secure links and paths between users and the computers serving them. Unfortunately, however, in early versions it allowed users to falsely deny using the links. This did not present any particular problems in the academic environment, but it did make Kerberos inadequate for business, even though its other security aspects were attractive. As the use of Kerberos spread into business, repudiation became an issue, and nonrepudiation controls became important.

Repudiation is an important issue in electronic transactions such as in electronic banking, purchases, and auctions used by so many people to automate their purchasing functions and Internet commerce, which require digital signatures, escrow, time stamps, and other authentication controls. I could, for example, falsely claim that I never ordered merchandise and that the order form or electronically transmitted ordering information that the merchant possesses is false. Repudiation is also a growing problem because of the difficulty of proving authorship or the source of electronic missives. And the inverse of repudiation—claiming that an act that did not happen actually did happen, or claiming that false information is true—is also important to security, although it is often overlooked. Repudiation and its inverse are both types of misrepresentation, but I include both “repudiation” and “misrepresentation” on the list because they may require different types of controls.

Other words in the list of acts may seem somewhat obscure. For example, we seldom think of prolonging or delaying use as a loss of availability or a denial of use, yet they are losses that are often inflicted by computer virus attacks.

I use the word “locate” in the list rather than “access” because access can be confusing with regard to information security. Although it is commonly used in computer terminology, its use frequently causes confusion, as it did in the trial of Robert T. Morris for releasing the Internet worm of November 2, 1988, and in computer crime laws. For example, access may mean just knocking on a door or opening the door but not going in. How far “into” a computer must you go to “access” it? A perpetrator can cause a loss simply by locating information, because the owner may not want to divulge possession of such information. In this case, no access is involved. For these reasons, I prefer to use the terms “entry,” “intrusion,” and “usage”—as well as “locate”—to refer to a computer as the object of the action. I have a similar problem with using the word “disclosure” while ignoring observation, as I indicated earlier. “Disclose” is a verb that means to divulge, reveal, make known, or report knowledge to others. We can disclose knowledge by:

• Broadcasting
• Speaking
• Displaying
• Showing
• Leaving it in the presence and view of another person
• Leaving it in possible view where another person is likely to be
• Handing or sending it to another person

Disclosure is what an owner or potential victim might do inadvertently or intentionally, not what a perpetrator does, unless it is the second act after stealing, such as selling stolen intellectual property to another person. Disclosure can be an abuse if a person authorized to know information discloses it to an unauthorized person, or if an unauthorized person discloses knowledge to another person without permission. In any case, confidentiality is lost or is potentially lost, and the person disclosing the information may be accused of negligence, violation of privacy, conspiracy, or espionage.

Loss of confidentiality also can occur by observation, whether the victim or owner disclosed knowledge, resisted disclosure, or did nothing either to protect or to disclose it. Observing is an abuse of listening, spying by eavesdropping, shoulder surfing (looking over another person’s shoulder or overhearing), looking at or listening to a stolen copy of information, or even by tactile feeling, as in the case of reading Braille. We should think about loss of confidentiality as a loss caused by inadvertent disclosure by the victim, observation by the perpetrator, and disclosure by the perpetrator who passes information to a third party. Disclosure and observation of information that is not knowledge converts it into knowledge if cognition takes place. Disclosure always results in loss of confidentiality by putting information into a state where there is no longer any secrecy, but observation results in loss of confidentiality only if cognition or use to the detriment of the owner takes place. Privacy is a right that is a whole other topic that I do not cover here. (This issue is discussed in Chapter 69.)


Loss of possession of information (including knowledge) is the loss from the unintended or regretful giving or taking of information. At a higher level of crime description, we call it larceny (theft or burglary) or fraud (when deceit is involved). Possession seems to be most closely associated with confidentiality. The two are placed together in the list because they share the common losses of taking and copying (loss of exclusive possession). I could have used “ownership” of information, since it is a synonym for possession, but “ownership” seems to be not as broad, because someone may rightly or wrongly possess information that is rightfully owned by another. The concepts of owner or possessor of information, along with user, provider, or custodian of information, are important distinctions in security for assigning asset accountability. This provides another reason for including possession in the list.

The act of endangerment is quite different from, but applies to, the other losses. It means putting information in harm’s way, or that a person has been remiss (and possibly negligent) by not applying sufficient protection to information, such as leaving sensitive or valuable documents in an unlocked office or open trash bin. Leaving a computer unnecessarily connected to the Internet is another example. Endangerment of information may lead to charges of negligence or criminal negligence and civil liability suits that may be more costly than direct loss incidents. My objectives of security in the framework model invoke a standard of due diligence to deal with this exposure.

The last act in the list—failure to engage in or allow any of the other acts when instructed to do so—may seem odd at first glance. It means that an information owner may require an act resulting in any of the other acts to be carried out. Or the owner may wish that an act be allowed to occur, or information to be put into danger of loss. There are occasions when information should be put in harm’s way for testing purposes or to accomplish a greater good. For example, computer programmers and auditors often create information files that are purposely invalid for use as input to a computer to make sure that the controls to detect or mitigate a loss are working correctly. A programmer bent on crime might remove invalid data in a test input file to avoid testing a control that the perpetrator has neutralized or has avoided implementing for nefarious purposes. The list would surely be incomplete without this type of loss, yet I have never seen it included or discussed in any other information security text.

The acts in the list are described at the appropriate level for deriving and identifying appropriate security controls. At the next lower level of abstraction (e.g., read, write, and execute), the losses would not be so obvious and would not necessarily suggest important controls. At the level that I choose, there is no attempt to differentiate acts that make no change to information from those that do, since these differences are not important for identifying directly applicable controls or for performing threat analyses. For example, an act of modification changes the information, while an act of observation does not, but encryption is likely to be employed as a powerful primary control against both acts.

3.4.2 Examples of Acts and Suggested Controls. The next examples illustrate the relationships between acts and controls in threat analysis. Groups of acts are followed by examples of the losses and applicable controls.

3.4.2.1 Destroy, Damage, or Contaminate. Perpetrators or harmful forces can damage, destroy, or contaminate information by electronically erasing it, writing other data over it, applying high-energy radio waves to damage delicate electronic circuits, or physically damaging the media (e.g., paper, flash memory, or disks) containing it.


Controls include disaster prevention safeguards such as locked facilities, safe storage of backup copies, and write-usage authorization requirements.

3.4.2.2 Deny, Prolong, Delay Use or Acquisition. Perpetrators can make information unavailable by hiding it or denying its use through encryption and not revealing the means to restore it, or by keeping critical processing units busy with other work, such as in a denial-of-service attack. Such actions would not necessarily destroy the information. Similarly, a perpetrator may prolong information use by making program changes that slow the processing in a computer or by slowing the display of the information on a screen. Such actions might cause unacceptable timing for effective use of the information. Information acquisition may be delayed by requiring too many passwords to retrieve it or by slowing retrieval. These actions can make the information obsolete by the time it becomes available.

Controls include making multiple copies available from different sources, preventing overload of processing by selective allowance of input, or preventing the activation of harmful mechanisms such as computer viruses by using antiviral utilities.

3.4.2.3 Enter, Use, or Produce False Data. Data diddling, my term for false data entry and use, is a common form of computer crime, accounting for much of the financial and inventory fraud. Losses may be either intentional, such as those resulting from the use of Trojan horses (including computer viruses), or unintentional, such as those from input errors.

Most internal controls such as range checks, audit trails, separation of duties, duplicate data entry detection, program proving, and hash totals for data items protect against these threats.

3.4.2.4 Modify, Replace, or Reorder. These acts are often intelligent changes rather than damage or destruction. Reordering, which is actually a form of modification, is included separately because it may require specific controls that could otherwise be overlooked. Similarly, replacement is included because users might not otherwise include the idea of replacing an entire data file when considering modification. Any of these actions can produce a loss inherent in the threats of entering and modifying information, but including all of them covers modifying data both before entry and after entry, since each requires different controls.

Cryptography, digital signatures, usage authorization, and message sequencing are examples of controls to protect against these acts, as are detection controls to identify anomalies.
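The framework's point that integrity (whole and unchanged) and authenticity (valid) are separate properties, and the hash-total, reasonableness-check and message-sequencing controls named for false data, modification and reordering, worked through in an added Python example that is not from the handbook. The record layout, the hash key, the account list and the amount limit are constructed for illustration.

```python
"""Integrity, authenticity and ordering checks over a batch of records.

Added example, not the handbook's code. A keyed hash total catches
modification (integrity), reasonableness checks catch false data that is
nonetheless intact (authenticity), and sequence numbers catch removal and
reordering. One record is deliberately valid-looking by hash but impossible
by value, showing that integrity does not imply authenticity.
"""
import hashlib
import hmac
import json

# Constructed placeholder key for the hash totals; a real deployment keeps it
# in a key store, not in source.
HASH_KEY = b"constructed-placeholder-key"
KNOWN_ACCOUNTS = {"ACC-100", "ACC-200", "ACC-300"}   # constructed
MAX_AMOUNT = 10_000                                   # constructed limit


def hash_total(record):
    """Integrity control: keyed hash over every field except the hash itself."""
    payload = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(HASH_KEY, canonical, hashlib.sha256).hexdigest()


def seal(record):
    """Return a copy of the record carrying its hash total."""
    sealed = dict(record)
    sealed["hash"] = hash_total(sealed)
    return sealed


def reasonableness_problems(record):
    """Authenticity control: values that cannot be true for this application."""
    problems = []
    if not 0 < record["amount"] <= MAX_AMOUNT:
        problems.append("amount out of range")
    if record["account"] not in KNOWN_ACCOUNTS:
        problems.append("unknown account")
    return problems


def audit(batch):
    """Classify losses in a batch of sealed records.

    modified  - seq numbers whose hash total no longer matches (integrity lost)
    invalid   - seq -> reasonableness problems (authenticity lost; hash may be fine)
    missing   - seq numbers absent from 1..max (removal)
    reordered - True if the seq numbers are not ascending (reordering)
    """
    modified, invalid = [], {}
    for record in batch:
        if not hmac.compare_digest(record["hash"], hash_total(record)):
            modified.append(record["seq"])
        problems = reasonableness_problems(record)
        if problems:
            invalid[record["seq"]] = problems
    seqs = [r["seq"] for r in batch]
    expected = set(range(1, max(seqs) + 1)) if seqs else set()
    return {
        "modified": modified,
        "invalid": invalid,
        "missing": sorted(expected - set(seqs)),
        "reordered": seqs != sorted(seqs),
    }


def constructed_batch():
    """Five constructed sealed transfer records, then four deliberate losses."""
    originals = [
        seal({"seq": i, "account": "ACC-100", "amount": 250 * i}) for i in range(1, 6)
    ]
    r1, r2, r3, r4, r5 = originals
    # Loss 1 (modify): amount changed after sealing; hash total left stale.
    r2 = dict(r2, amount=9_000)
    # Loss 2 (false data): impossible amount, but sealed correctly, so the
    # record has integrity and lacks authenticity.
    r4 = seal({"seq": 4, "account": "ACC-100", "amount": 50_000})
    # Loss 3 (remove): r3 dropped.  Loss 4 (reorder): r5 placed ahead of r4.
    return [r1, r2, r5, r4]


if __name__ == "__main__":
    print(json.dumps(audit(constructed_batch()), indent=2))
```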

3.4.2.5 Misrepresent. The claim that information is something different from what it really is or has a different meaning from what was intended arises in counterfeiting, forgery, fraud, impersonation (of authorized users), and many other deceptive activities. Hackers use misrepresentation in social engineering to deceive people into revealing information needed to attack systems. Misrepresenting old data as new information is another act of this type.

Controls include user and document authentication methods such as passwords, digital signatures, and data validity tests. Making trusted people more resistant to deception by reminders and training is another control.

3.4.2.6 Repudiate. This type of loss, in which perpetrators generally deny having made transactions, is prevalent in electronic data interchange (EDI) and Internet commerce. Oliver North’s denial of the content of his email messages is a notable example of repudiation, but as I mentioned earlier, the inverse of repudiation also represents a potential loss.

Repudiation can be controlled most effectively through the use of digital signatures and public key cryptography. Trusted third parties, such as certificate authorities with secure computer servers, provide the independence of notary publics to resist denial of truthful information as long as they can be held liable for their failures.
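Why the control has to be public-key cryptography rather than a shared secret, shown with the merchant/order dispute described earlier, as an added Python example that is not from the handbook. The customer name, order text, MAC key and RSA primes are constructed; the RSA is textbook, unpadded and far too small for real use, kept only so the example runs with the standard library, and the time-stamping and escrow roles of a trusted third party are not modelled.

```python
"""Repudiation control: shared-key MAC versus digital signature.

Added example, not the handbook's code. The merchant presents evidence that
the customer placed an order; the customer denies it. A keyed hash (HMAC)
over the order verifies, but the merchant holds the same key and could have
produced it, so an arbiter learns nothing. A signature under the customer's
private key verifies with the public key alone and the merchant cannot
forge it, which also blocks the inverse of repudiation (claiming an order
that was never placed).
"""
import hashlib
import hmac

# Constructed toy RSA key: two Mersenne primes, insecure by size.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                            # public exponent, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the customer

# Constructed MAC key: by construction both customer and merchant hold it.
SHARED_KEY = b"constructed-shared-key"

# Constructed order the customer placed and later claims never to have placed.
ORDER = b"order#1001 customer=alice item=laptop qty=1 amount=1299.00"


def digest_int(message):
    """SHA-256 of the message as an integer below N (toy, no real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_exp):
    """Textbook RSA signature over the message digest."""
    return pow(digest_int(message), private_exp, N)


def verify(message, signature):
    """Anyone holding only E and N can check a signature."""
    return pow(signature, E, N) == digest_int(message)


def mac(message, key=SHARED_KEY):
    """Keyed hash: proves the message came from someone holding the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def customer_evidence(message, kind):
    """Evidence the customer genuinely produced when placing the order."""
    return sign(message, D) if kind == "signature" else mac(message)


def merchant_forgery(message, kind):
    """Evidence a dishonest merchant can manufacture for an order never placed.
    The merchant holds SHARED_KEY but not D."""
    if kind == "mac":
        return mac(message)
    return pow(digest_int(message), E, N)   # only exponent he has; will not verify


def arbiter_decision(message, evidence, kind):
    """What an independent third party can conclude from the merchant's evidence.

    'customer-bound': only the holder of D could have produced it
    'inconclusive':   valid, but either party could have produced it
    'rejected':       does not match the order at all
    """
    if kind == "signature":
        return "customer-bound" if verify(message, evidence) else "rejected"
    if kind == "mac":
        return "inconclusive" if hmac.compare_digest(evidence, mac(message)) else "rejected"
    raise ValueError(f"unknown evidence kind: {kind}")


if __name__ == "__main__":
    fake = b"order#1002 customer=alice item=laptop qty=10 amount=12990.00"
    for kind in ("mac", "signature"):
        print(kind, "genuine order ->",
              arbiter_decision(ORDER, customer_evidence(ORDER, kind), kind))
        print(kind, "forged order  ->",
              arbiter_decision(fake, merchant_forgery(fake, kind), kind))
```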

3.4.2.7 Misuse or Fail to Use as Required. Misuse of information is clearly an act resulting in many information losses. Misuse by failure to perform duties such as updating files or backing up information is not so obvious and needs explicit identification. Implicit misuse by conforming exactly to inadequate or incorrect instructions is a sure way to sabotage systems.

Information usage control and internal application controls that constrain the modification or use of trusted software help to avoid these problems. Keeping secure logs of routine activities can help catch operational vulnerabilities.

3.4.2.8 Locate. Unauthorized use of someone’s computer or data network to locate and identify information is a crime under most computer crime statutes—even if there is no overt intention to cause harm. Such usage is a violation of privacy, and trespass to engage in such usage is a crime under other laws.

Log-on and usage controls are major features in many operating systems such as Microsoft Windows and some versions of UNIX as well as in add-on security utilities such as RACF and ACF2 for large IBM computers and many security products for personal computers.

3.4.2.9 Disclose. Preventing information from being revealed to people not authorized to know it is the purpose of business, personal, and government secrecy. Disclosure may be verbal, by mail, or by transferring messages or files electronically or on disks, flash memories, or tape. Disclosure can result in loss of privacy and trade secrets.

Military organizations have advanced protection of information confidentiality to an elaborate art form.

3.4.2.10 Observe or Monitor. Observation, which requires action on the part of a perpetrator, is the inverse of disclosure, which results from actions of a possessor. Workstation display screens, communication lines, and monitoring devices such as recorders and audit logs are common targets of observation and monitoring. Observation of output from printers is another possible source, as is shoulder surfing—the technique of watching screens of other computer users.

Physical entry protection for input and output devices represents the major control to prevent this type of loss. Preventing wiretapping and eavesdropping is also important.

3.4.2.11 Copy. Copy machines and the software copy command are the major sources of unauthorized copying. Copying is used to violate exclusive possession and privacy. Copying can destroy authenticity, as when used to counterfeit money or other business instruments.

Location and use controls are effective against copying, as are unique markings such as those used on U.S. currency and watermarks on paper and in computer files.


3.4.2.12 Take. Transferring data files in computers or networks constitutes taking. So does taking small computers and DVDs or documents for the value of the information stored in them. Perpetrators can easily take copies of information without depriving the owner of possession or confidentiality.

A wide range of physical and logical location controls applies to these losses; most are based on common sense and a reasonable level of due care.

3.4.2.13 Endanger. Putting information into locations or conditions in which others may cause loss in any of the previously described ways clearly endangers the information, and the perpetrator may be accused of negligence, at least.

Physical and logical means of preventing information from being placed in danger are important. Training people to be careful, and holding them accountable for protecting information, may be the most effective means of preventing endangerment.

3.4.3 Physical Information and Systems Losses. Information also can suffer from physical losses such as those caused by floods, earthquakes, radiation, and fires. Although these losses may not directly affect the information itself (e.g., knowledge of operating procedures held in the minds of operators), they can damage or destroy the media and the environment that contain representations of the information. Water, for example, can destroy printed pages and damage magnetic disks; physical shaking or radio frequency radiation can short-out electronic circuits, and fires can destroy all types of media. Overall, physical loss may occur in seven natural ways by application of:

1. Extreme temperature
2. Gases
3. Liquids
4. Living organisms
5. Projectiles
6. Movements
7. Energy anomalies

Each way, of course, comes from specific sources of loss (e.g., smoke or water). And the various ways can be broken down further, to identify the underlying cause of the source of loss. For example, the liquid that destroys information may be water flowing from a plumbing break above the computer workstation, caused in turn by freezing weather. The next list presents examples of each of the seven major sources of physical loss.

1. Extreme temperature. Heat or cold. Examples: sunlight, fire, freezing, hot weather, and the breakdown of air-conditioning equipment.

2. Gases. War gases, commercial vapors, humid or dry air, suspended particles. Examples: sarin nerve gas, PCBs from exploding transformers, release of Freon from air conditioners, smoke and smog, cleaning fluid, and fuel vapors.

3. Liquids. Water, chemicals. Examples: floods, plumbing failures, precipitation, fuel leaks, spilled drinks, acid and base chemicals used for cleaning, and computer printer fluids.


4. Living organisms. Viruses, bacteria, fungi, plants, animals, and human beings. Examples: sickness of key workers, molds, contamination from skin oils and hair, contamination and electrical shorting from defecation and release of body fluids, consumption of information media such as paper or of cable insulation, and shorting of microcircuits from cobwebs.

5. Projectiles. Tangible objects in motion, powered objects. Examples: meteorites, falling objects, cars and trucks, airplanes, bullets and rockets, explosions, and windborne objects.

6. Movement. Collapse, shearing, shaking, vibration, liquefaction, flows, waves, separation, slides. Examples: dropping or shaking fragile equipment, earthquakes, earth slides, lava flows, sea waves, and adhesive failures.

7. Energy anomalies. Electric surge or failure, magnetism, static electricity, aging circuitry; radiation, sound, light, radio, microwave, electromagnetic, atomic. Examples: electric utility failures, proximity of magnets and electromagnets, carpet static, electromagnetic pulses (EMP) from nuclear explosions, lasers, loudspeakers, high-energy radio frequency (HERF) guns, radar systems, cosmic radiation, and explosions.

Although meteorites, for example, clearly pose little danger to computers, it is nonetheless important to include all such unlikely events in a thorough analysis of potential threats. In general, include every conceivable act in a threat analysis. Then consider it carefully; if it is too unlikely, document the consideration and discard the item. It is better to have thought of a source of loss and to have discarded it than to have overlooked an important one. Invariably, when you present a threat analysis to others, someone will try to surprise the developer with another source of loss that has been overlooked.

Insensitive practitioners have ingrained inadequate loss lists in the body of knowledge from the very inception of information security. Proposing a major change at this late date is a bold action that may take significant time to accomplish. However, we must not perpetuate our past inadequacies by using the currently accepted destruction, disclosure, use, and modification (DDUM) as a complete list of losses. We must not underrate or simplify the complexity of our subject at the expense of misleading information owners. Our adversaries are always looking for weaknesses in information security, but our strength lies in anticipating sources of threats and having plans in place to prevent the losses that they may cause.

It is impossible to collect a truly complete list of the sources of information losses that can be caused by the intentional or accidental acts of people. We really have no idea what people may do—now or in the future. We base our lists on experience, but until we can conceive of an act, or until a threat actually surfaces or occurs, we cannot include it on the list. And not knowing the threat means that we cannot devise a plan to protect against it. This is one of the reasons that information security is still a folk art rather than a science.

3.4.4 Challenge of Complete Lists. I believe that my lists of physical sources of loss and information losses are complete, but I am always interested in expanding them to include new sources of loss that I may have overlooked.

While I was lecturing in Australia, for example, a delegate suggested that I had omitted an important category. His computer center had experienced an invasion of field mice with a taste for electrical insulation. The intruders proceeded to chew through the computer cables, ruining them. Consequently, I had to add rodents to my list of sources. I then heard about an incident in San Francisco in which the entire evening shift of computer operations workers ate together in the company cafeteria to celebrate a birthday. Then they all contracted food poisoning, leaving their company without sufficient operations staff for two weeks. I combined the results of these two events into a category named “Living Organisms.”

3.5 FUNCTIONS OF INFORMATION SECURITY. The model for information security that I have proposed includes 12 security functions instead of the 3 (prevention, detection, and recovery) included in previous models. These functions describe the activities that information security practitioners and information owners engage in to protect information, as well as the objectives of the security controls that they use. Every control serves one or more of these functions.

Although some security specialists add other functions to the list, such as quality assurance and reliability, I consider these to be outside the scope of information security; other specialized fields deal with them. Reliability is difficult to relate to security except as endangerment when perpetrators destroy the reliability of information and systems, which is a violation of security. Thus, security must preserve a state of reliability but need not necessarily attempt to improve it. Security must protect the auditability of information and systems while, at the same time, security itself must be reliable and auditable. I believe that my security definitions include destruction of the reliability and auditability of information at a high level of abstraction. For example, reliability is reduced when the authenticity of information is put into question by changing it from a correct representation of fact.

Similarly, I do not include such functions as authentication of users and verification in my lists, since I consider these to be control objectives to achieve the 12 functions of information security.

There is a definite logic to the order in which I present the 12 functions in my list. A methodical information security practitioner is likely to apply the functions in this order when resolving security vulnerabilities.

1. Information security must first be independently audited in an adversarial manner in order to document its state and to identify its weaknesses and strengths.

2. The practitioner must determine if a security problem can be avoided altogether.

3. If the problem cannot be avoided, the practitioner needs to try to deter potential abusers or forces from misbehaving.

4. If the threat cannot be avoided or deterred, the practitioner attempts to detect its activation.

5. If detection is not assured, then the practitioner tries to prevent the act from occurring.

6. If prevention fails and an act occurs, then the practitioner needs to stop it or minimize its harmful effects through mitigation.

7. The practitioner needs to determine if transferring the responsibility to another individual or department might be more effective at resolving the situation resulting from the attack, or if another party (e.g., an insurer) might be held accountable for the cost of the loss.

8. After a loss occurs, the practitioner needs to investigate and search for the individual(s) or force(s) that caused or contributed to the incident as well as for any parties that played a role in it—positively or negatively.

9. When identified, all parties should be sanctioned or rewarded as appropriate.


10. After an incident is concluded, the victim needs to recover or assist with recovery.

11. The stakeholders should take corrective actions to prevent the same type of incident from occurring again.

12. The stakeholders must learn from the experience in order to advance their knowledge of information security and educate others.

3.6 SELECTING SAFEGUARDS USING A STANDARD OF DUE DILIGENCE. Information security practitioners usually refer to the process of selecting safeguards as risk assessment, risk analysis, or risk management. Selecting safeguards based on risk calculations can be a fruitless and expensive process. Although many security experts and associations advocate using risk assessment methods, many organizations ultimately find that using a standard of due diligence (or care) is far superior and more practical. Often one sad experience of using security risk assessment is sufficient to convince information security departments and corporate management of their limitations. Security risk is a function of probability or frequency of occurrence of rare loss events and their impact, and neither is sufficiently measurable or predictable for investment in security. Note that risk applies only to rare events. Events such as computer virus attacks or credit card fraud are occurring continuously and are not risks; they are certainties and can be measured, controlled, and managed.

The standard of due diligence approach is simple and obvious; it is the default process that I recommend and that is commonly used today instead of more elaborate “scientific” approaches. The standard of due diligence approach is recognized and accepted by many legal documents and organizations and is documented in numerous business guides. The 1996 U.S. federal statute on protecting trade secrets (18 USC §1831), for example, states in (3)(a) that the owner of information must take “reasonable measures to keep such information secret” for it to be defined as a trade secret. (See Chapter 45.)

3.7 THREATS, ASSETS, VULNERABILITIES MODEL. Pulling all of the aspects together in one place is a useful way to analyze security threats and vulnerabilities and to create effective scenarios to test real information systems and organizations. The model illustrated in Exhibit 3.1 is designed to help readers do this. Users can outline a scenario or analyze a real case by circling and connecting the appropriate descriptors in each column of the model.

In this version of the model, the Controls column lists only the subject headings of control types; a completed model would contain hundreds of controls. If the model is being used to conduct a review, I suggest that the Vulnerabilities section of the model be renamed to Recommended Controls.

3.8 CONCLUSION. The security framework proposed in this chapter represents an attempt to overcome the dominant technologist view of information security by focusing more broadly on all aspects of security, including the information that we are attempting to protect, the potential sources of loss, the types of loss, the controls that we can apply to avoid loss, the methods for selecting those controls, and our overall objectives in protecting information. This broad focus should have two beneficial effects: advancing information security from a narrow folk art to a broad-based discipline and—most important—helping to reduce many of the losses associated with information, wherever it exists.


EXHIBIT 3.1 Threats, Assets, and Vulnerabilities Model

[Two-page table; its individual cell entries are not reproducible here. Column structure: Threats, divided into Offenders Have/Acquire (Skills, Knowledge, Resources, Authority, Motives) and Abuse/Misuse Methods; Assets, divided into Losses (Availability and Utility, Integrity and Authenticity, Confidentiality and Possession) and Assets Lost (Information, Computer, Comm lines, Networks, Facilities, Buildings, Transport, People); and Vulnerabilities (Missing and Deficient Controls), divided into Control Objectives, Controls (Types), and Control Guides.]

Source: Donn B. Parker, Fighting Computer Crime (New York, NY: John Wiley & Sons, 1998).


3.9 FURTHER READING

Parker, D. B. Fighting Computer Crime: A New Framework for Protecting Information. Wiley (ISBN 978-0471163787), 1998. 528 pp.

Parker, D. B. “What’s wrong with information security and how to fix it.” Lecture at the Naval Postgraduate School (2005-04-28). YouTube. www.youtube.com/watch?v=RW9hOBCSy0g


CHAPTER 4

HARDWARE ELEMENTS OF SECURITY

Sy Bosworth and Stephen Cobb

4.1 INTRODUCTION 4·2
4.2 BINARY DESIGN 4·2
    4.2.1 Pulse Characteristics 4·2
    4.2.2 Circuitry 4·2
    4.2.3 Coding 4·3
4.3 PARITY 4·4
    4.3.1 Vertical Redundancy Checks 4·4
    4.3.2 Longitudinal Redundancy Checks 4·4
    4.3.3 Cyclical Redundancy Checks 4·5
    4.3.4 Self-Checking Codes 4·5
4.4 HARDWARE OPERATIONS 4·6
4.5 INTERRUPTS 4·7
    4.5.1 Types of Interrupts 4·7
    4.5.2 Trapping 4·8
4.6 MEMORY AND DATA STORAGE 4·8
    4.6.1 Main Memory 4·8
    4.6.2 Read-Only Memory 4·8
    4.6.3 Secondary Storage 4·9
4.7 TIME 4·10
    4.7.1 Synchronous 4·10
    4.7.2 Asynchronous 4·11
4.8 NATURAL DANGERS 4·11
    4.8.1 Power Failure 4·11
    4.8.2 Heat 4·11
    4.8.3 Humidity 4·11
    4.8.4 Water 4·12
    4.8.5 Dirt and Dust 4·12
    4.8.6 Radiation 4·12
    4.8.7 Downtime 4·12
4.9 DATA COMMUNICATIONS 4·13
    4.9.1 Terminals 4·13
    4.9.2 Wired Facilities 4·14
    4.9.3 Wireless Communications 4·16
4.10 CRYPTOGRAPHY 4·16
4.11 BACKUP 4·17
    4.11.1 Personnel 4·18
    4.11.2 Hardware 4·18
    4.11.3 Power 4·19
    4.11.4 Testing 4·20
4.12 RECOVERY PROCEDURES 4·20
4.13 MICROCOMPUTER CONSIDERATIONS 4·20
    4.13.1 Accessibility 4·20
    4.13.2 Knowledge 4·21
    4.13.3 Motivation 4·21
    4.13.4 Opportunity 4·21
    4.13.5 Threats to Microcomputers 4·21
    4.13.6 Maintenance and Repair 4·24
4.14 CONCLUSION 4·25
4.15 HARDWARE SECURITY CHECKLIST 4·25
4.16 FURTHER READING 4·27


4.1 INTRODUCTION. Computer hardware has always played a major role in computer security. Over the years, that role has increased dramatically, due to both the increases in processing power, storage capacity, and communications capabilities as well as the decreases in cost and size of components. The ubiquity of cheap, powerful, highly connected computing devices poses significant challenges to computer security. At the same time, the challenges posed by large, centralized computing systems have not diminished. An understanding of the hardware elements of computing is thus essential to a well-rounded understanding of computer security.

Chapter 1 of this Handbook has additional history of the evolution of information technology.

4.2 BINARY DESIGN. Although there are wide variations among computer architectures and hardware designs, all have at least one thing in common: They utilize a uniquely coded series of electrical impulses to represent any character within their range. Like the Morse code with its dots and dashes, computer pulse codes may be linked together to convey alphabetic or numeric information. Unlike the Morse code, however, computer pulse trains may also be combined in mathematical operations or data manipulation.

In 1946, Dr. John von Neumann, at the Institute for Advanced Study of Princeton University, first described in a formal report how the binary system of numbers could be used in computer implementations. The binary system requires combinations of only two numbers, 0 and 1, to represent any digit, letter, or symbol and, by extension, any group of digits, letters, or symbols. In contrast, the conventional decimal system requires combinations of 10 different numbers, from 0 to 9, letters from a to z, and a large number of symbols, to convey the same information. Von Neumann recognized that electrical and electronic elements could be considered as having only two states, on and off, and that these two states could be made to correspond to the 0 and 1 of the binary system. If the turning on and off of a computer element occurred at a rapid rate, the voltage or current outputs that resulted would best be described as pulses. Despite 60 years of intensive innovation in computer hardware, and the introduction of some optically based methods of data representation, the nature of these electrical pulses and the method of handling them remain the ultimate measure of a computer’s accuracy and reliability.

4.2.1 Pulse Characteristics. Ideally, the waveform of a single pulse should be straight-sided, flat-topped, and of an exactly specified duration, amplitude, and phase relationship to other pulses in a series. It is the special virtue of digital computers that they can be designed to function at their original accuracy despite appreciable degradation of the pulse characteristics. However, errors will occur when certain limits are exceeded, and thus data integrity will be compromised. Because these errors are difficult to detect, it is important that a schedule of preventive maintenance be established and rigidly adhered to. Only in this way can operators detect degraded performance before it is severe enough to affect reliability.

4.2.2 Circuitry. To generate pulses of desirable characteristics, and to manipulate them correctly, requires components of uniform quality and dependability. To lower manufacturing costs, to make servicing and replacement easier, and generally to improve reliability, computer designers try to use as few different types of components as possible and to incorporate large numbers of each type into any one machine.


First-generation computers used as many as 30,000 vacuum tubes, mainly in a half- dozen types of logic elements. The basic circuits were flip-flops, or gates, that produced an output pulse whenever a given set of input pulses was present. However, vacuum tubes generated intense heat, even when in a standby condition. As a consequence, the useful operating time between failures was relatively short.

With the development of solid state diodes and transistors, computers became much smaller and very much cooler than their vacuum-tube predecessors. With advances in logic design, a single type of gate, such as the not-and (NAND) circuit, could replace all other logic elements. The resulting improvements in cost and reliability have been accelerated by the use of monolithic integrated circuits. Not least in importance is their vastly increased speed of operation. Since the mean time between failures of electronic computer circuitry is generally independent of the number of operations performed, it follows that throughput increases directly with speed; speed is defined as the rate at which a computer accesses, moves, and manipulates data. The ultimate limitation on computer speed is the time required for a signal to move from one physical element to another. At a velocity of 299,792,458 meters per second (186,282 miles per second) in vacuum, an electrical signal travels 3.0 meters or 9.84 feet in 10 nanoseconds (0.00000001 seconds). If components were as large as they were originally, and consequently as far apart, today’s nanosecond computer speeds would clearly be impossible, as would be the increased throughput and reliability now commonplace.

4.2.3 Coding. In a typical application, data may be translated and retranslated automatically into a half-dozen different codes thousands of times each second. Many of these codes represent earlier technology retained for backward compatibility and economic reasons only. In any given code, each character appears as a specific group of pulses. Within each group, each pulse position is known as a bit, since it represents either of the two binary digits, 0 or 1. Exhibit 4.1 illustrates some of the translations that may be continuously performed as data move about within a single computer.

EXHIBIT 4.1 Common Codes for Numeral 5

Code                        Bits  Typical Use            Bit Pattern for “5”
Hexadecimal                   4   Console switches       0101
Baudot                        5   Paper tape             00001
Binary-Coded-Decimal (BCD)    6   Console indicators     000101
Transcode                     6   Data transmission      110101
USASCII                       7   Data transmission      0110101
EBCDIC                        8   Buffer                 11110101
EBCDIC, zoned decimal         8   Main memory            11000101
EBCDIC, packed decimal        8   Arithmetic logic unit  01011100
USASCII-8                     8   Data transmission      01010101
Hollerith                    12   Card reader/punch      000000010000
Binary, halfword             16   Arithmetic logic unit  0000000000000101

A byte is the name originally applied to the smallest group of bits that could be read and written (accessed or addressed) as a unit. Today a byte is always considered by convention to have 8 bits. In modern systems, a byte is viewed as the storage unit for a single American Standard Code for Information Interchange (ASCII) character, although newer systems such as Unicode, which handle international accented characters and many other symbols, use up to 4 bytes per character. By convention, most people use metric prefixes (kilo-, mega-, giga-, tera-) to indicate collections of bytes; thus KB refers to kilobytes and is usually defined as 1,024 bytes. Outside the data processing field, K would normally indicate the multiplier 1,000. Because of the ambiguity in definitions, the United States National Institute of Standards and Technology (NIST) proposed, and in 2000 the International Electrotechnical Commission established, a new set of units for information or computer storage. These units are established by a series of prefixes to indicate powers of 2; in this scheme, KB means kibibytes and refers exclusively to 1,024 (2^10 or ~10^3) bytes. However, kibibytes, mebibytes (2^20 or ~10^6), gibibytes (2^30 or ~10^9), and tebibytes (2^40 or ~10^12) are terms that have not yet become widely used.

Because translations between coding systems are accomplished at little apparent cost, any real incentive to unify the different systems is lacking. However, all data movements and translations increase the likelihood of internal error, and for this reason parity checks and validity tests have become indispensable.

4.3 PARITY. Redundancy is central to error-free data processing. By including extra bits in predetermined locations, certain types of errors can be detected immediately by inspection of these metadata (data about the original data). In a typical application, data move back and forth many times, among primary memory, secondary storage, input and output devices, as well as through communications links. During these moves, the data may lose integrity by dropping 1 or more bits, by having extraneous bits introduced, and by random changes in specific bits. To detect some of these occurrences, parity bits are added before data are moved and are checked afterward.

4.3.1 Vertical Redundancy Checks. In this relatively simple and inexpensive scheme, a determination is initially made as to whether there should be an odd or an even number of “1” bits in each character. For example, using the binary-coded decimal representation of the numerical “5,” we find that the 6-bit pulse group 000101 contains two 1s, an even number. Adding a seventh position to the code group, we may have either type of parity. If odd parity has been selected, a 1 would be added in the leftmost checkbit position:

Odd parity   1000101   three 1s
Even parity  0000101   two 1s

After any movement the number of 1 bits would be counted, and if not an odd number, an error would be assumed and processing halted. Of course, if 2 bits, or any even number, had been improperly transmitted, no error would be indicated since the number of “1” bits would still be odd.

To compound the problem of nonuniformity illustrated in Exhibit 4.1, each of the 4-, 5-, 6-, 7-, 8-, and 16-bit code groups may have an additional bit added for parity checking. Furthermore, there may be inconsistency of odd or even parity between manufacturers, or even between different equipment from a single supplier.

4.3.2 Longitudinal Redundancy Checks. Errors may not be detected by a vertical redundancy check (VRC) alone, for reasons just discussed. An additional safeguard, of particular use in data transmission and media recording such as tapes and disks, is the longitudinal redundancy check (LRC). With this technique, an extra character is generated after some predetermined number of data characters. Each bit in the extra character provides parity for its corresponding row, just as the vertical parity bits do for their corresponding columns. Exhibit 4.2 represents both types as they would be recorded on 7-track magnetic tape. One bit has been circled to show that it is ambiguous. This bit appears at the intersection of the parity row and the parity column, and must be predetermined to be correct for one or the other, as it may not be correct for both. In the illustration, the ambiguous bit is correct for the odd parity requirement of the VRC character column; it is incorrect for the even parity of the LRC bit row.

EXHIBIT 4.2 Vertical and Longitudinal Parity, Seven-Track Magnetic Tape

    0 0 1 0 0 0 0 0 0
    1 1 0 0 1 1 0 1 1
    1 0 1 1 0 0 1 1 1
    0 0 0 0 0 1 0 1 0
    0 1 0 1 1 0 0 0 1
    1 1 1 1 1 0 1 0 0
    0 0 0 0 0 1 1 0 0

Rows are the seven tracks and run in the Direction of Tape Movement; each column is one character. The top row holds the Vertical Parity Bits (odd parity per column); the LRC character at the end of the block holds the Horizontal Parity Bits (even parity per row). The bit where that row and that column meet is the ambiguous bit circled in the original figure.

In actual practice, the vertical checkbits would be attached to each character column as shown, but the longitudinal bits would follow a block of data that might contain 80 to several hundred characters. Where it is possible to use both LRC and VRC, any single data error in a block will be located at the intersection of incorrect row and column parity bits. The indicated bit may then be corrected automatically. The limitations of this method are: (1) multiple errors cannot be corrected, (2) an error in the ambiguous position cannot be corrected, and (3) an error that does not produce both a VRC and LRC indication cannot be corrected.
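The VRC/LRC block layout of Exhibit 4.2 and the three limitations just listed, as an added example that is not code from the handbook: it encodes characters with odd VRC, appends an even LRC character, and locates a single error at the intersection of the failing column and row. It assumes a 6-bit BCD character on tracks 0 to 5 with the VRC bit on track 6, and that the ambiguous bit follows the VRC rule as the text states; the function names are my own.

```python
"""Vertical (VRC) and longitudinal (LRC) parity on a 7-track tape block.

Constructed example (not handbook code). Each character is 6 data bits on
tracks 0-5 plus an odd-parity VRC bit on track 6; after the data block comes
one LRC character whose track bits give even parity along each data track.
The LRC character's own track-6 bit (the ambiguous position) is computed by
the VRC rule, so it is right for its column and may be wrong for its row.
"""

DATA_TRACKS = 6     # six data bits per BCD character
PARITY_TRACK = 6    # the seventh track carries the VRC bit


def parity_bit(bits, odd=True):
    """Bit that makes the count of 1s in bits, plus itself, odd (or even)."""
    ones = sum(bits) % 2
    return 1 - ones if odd else ones


def encode_block(chars):
    """Encode 6-bit ints into a list of columns (one per character plus a
    trailing LRC column); column[t] is the bit recorded on track t."""
    columns = []
    for c in chars:
        data = [(c >> t) & 1 for t in range(DATA_TRACKS)]
        columns.append(data + [parity_bit(data, odd=True)])   # odd VRC
    # LRC character: even parity along each data track of the block
    lrc = [parity_bit([col[t] for col in columns], odd=False)
           for t in range(DATA_TRACKS)]
    lrc.append(parity_bit(lrc, odd=True))   # ambiguous bit: VRC rule wins
    return columns + [lrc]


def decode_block(block):
    """Recover the characters, dropping VRC bits and the LRC column."""
    return [sum(col[t] << t for t in range(DATA_TRACKS)) for col in block[:-1]]


def check_block(block):
    """Return (bad_columns, bad_tracks): columns whose odd VRC fails and
    data tracks whose even LRC fails. Track 6 is covered only by the VRC."""
    bad_cols = [i for i, col in enumerate(block) if sum(col) % 2 == 0]
    bad_tracks = [t for t in range(DATA_TRACKS)
                  if sum(col[t] for col in block) % 2 == 1]
    return bad_cols, bad_tracks


def has_error(block):
    bad_cols, bad_tracks = check_block(block)
    return bool(bad_cols or bad_tracks)


def flip(block, track, col):
    """Copy of block with one bit inverted: a constructed recording error."""
    damaged = [list(c) for c in block]
    damaged[col][track] ^= 1
    return damaged


def correct_single_error(block):
    """Correct one flipped bit at the intersection of the single failing
    column and the single failing track. Returns (fixed, (track, col)) when
    a bit was corrected; otherwise (block, None), which covers both a clean
    block and the uncorrectable cases in the text: several failing rows or
    columns, or an error that raises only a VRC or only an LRC indication."""
    bad_cols, bad_tracks = check_block(block)
    if len(bad_cols) != 1 or len(bad_tracks) != 1:
        return block, None
    track, col = bad_tracks[0], bad_cols[0]
    return flip(block, track, col), (track, col)


if __name__ == "__main__":
    # BCD "5" (000101) and the 6-bit pattern 110101, both from Exhibit 4.1
    block = encode_block([0b000101, 0b110101])
    fixed, where = correct_single_error(flip(block, track=2, col=1))
    print("single error at (track, col)", where, "corrected:", fixed == block)
    two = flip(flip(block, 0, 1), 2, 1)       # two errors in one character
    print("VRC silent:", check_block(two)[0] == [],
          "LRC flags tracks", check_block(two)[1])
```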

4.3.3 Cyclical Redundancy Checks. Where the cost of a data error could be high, the added expense of cyclical redundancy checks (CRCs) is warranted. In this technique, a relatively large number of redundant bits is used. For example, each 4-bit character requires 3 parity bits, while a 32-bit computer word needs 6 parity bits. Extra storage space is required in main and secondary memory, and transmissions take longer than without such checks. The advantage, however, is that any single error can be detected, whether in a data bit or a parity bit, and its location can be positively identified. By a simple electronic process of complementation, an incorrect 0 is converted to a 1, and vice versa.
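The check-bit counts quoted above (3 for a 4-bit character, 6 for a 32-bit word, with any single error located and then complemented) are those of a Hamming single-error-correcting code; the added example below, which is not code from the handbook, implements that layout so the reader can see how the error position is derived. That the text's scheme is the Hamming layout is my assumption, since the handbook does not name it; position numbering and function names are my own.

```python
"""Single-error-correcting code with the check-bit counts given in the text:
3 check bits for a 4-bit character, 6 for a 32-bit word.

Constructed example (not handbook code). Layout is the Hamming one, assumed
here: in a 1-based code word, positions 1, 2, 4, 8, ... hold check bits and
every other position holds a data bit. Check bit p gives even parity over
all positions whose number has bit p set, so the XOR of the positions of all
1 bits in a damaged word is exactly the position of the flipped bit.
"""


def check_bits_needed(m):
    """Smallest r with 2**r >= m + r + 1, so that every single-bit error among
    the m data bits and r check bits has a distinct, nonzero syndrome."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


def hamming_encode(data):
    """data: list of bits. Returns the code word as a list of bits (index 0
    of the list is position 1)."""
    m = len(data)
    n = m + check_bits_needed(m)
    word = [0] * (n + 1)             # index 0 unused; positions are 1-based
    src = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two: a data position
            word[pos] = next(src)
    p = 1
    while p <= n:
        word[p] = 0                  # even parity over positions with bit p set
        for pos in range(1, n + 1):
            if pos & p and pos != p:
                word[p] ^= word[pos]
        p <<= 1
    return word[1:]


def hamming_decode(code):
    """Return (data_bits, syndrome). Syndrome 0 means a clean word; otherwise
    it is the 1-based position of the flipped bit, which is complemented
    before the data bits are extracted. A syndrome larger than the word
    length can only come from more than one flipped bit, so data_bits is
    None. Two errors whose XOR lands inside the word are miscorrected
    silently: the code locates single errors only."""
    n = len(code)
    word = [0] + list(code)
    syndrome = 0
    for pos in range(1, n + 1):
        if word[pos]:
            syndrome ^= pos
    if syndrome > n:
        return None, syndrome
    if syndrome:
        word[syndrome] ^= 1          # complementation restores the bit
    data = [word[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, syndrome


if __name__ == "__main__":
    nibble = [1, 0, 1, 1]                  # one 4-bit character
    code = hamming_encode(nibble)
    print(len(code), "bits:", code)        # 7 bits: 4 data + 3 check
    damaged = list(code)
    damaged[4] ^= 1                        # flip position 5
    print(hamming_decode(damaged))         # ([1, 0, 1, 1], 5)
```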

4.3.4 Self-Checking Codes. Several types of codes are in use that inherently contain a checking ability similar to that of the parity system. Typical of these is the 2-of-5 code, in which every decimal digit is represented by a bit configuration containing exactly two 1s and three 0s. Where a parity test would consist of counting 1s to see if their number was odd or even, a 2-of-5 test would indicate an error whenever the number of 1s was more or less than 2.
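The following C example, added here and not from the Handbook, implements a 2-of-5 code (the pattern-to-digit assignment is constructed for the example; real variants use weighted assignments) and contrasts it with a plain parity check on the same bits: a fault that drops both 1s passes even parity but fails the count-of-two test, while a 1 displaced into a neighbouring 0 yields a different legal digit that neither check catches.

```c
#include <stdint.h>
#include <stdio.h>

/* The ten 5-bit patterns with exactly two 1s, assigned to digits 0-9 in
 * ascending numeric order. The assignment is constructed for this example;
 * real 2-of-5 variants (weighted codes) assign patterns differently. */
static const uint8_t TWO_OF_FIVE[10] = { 0x03, 0x05, 0x06, 0x09, 0x0A, 0x0C, 0x11, 0x12, 0x14, 0x18 };

static int ones(uint8_t v) { int n = 0; while (v) { n += v & 1; v >>= 1; } return n; }

int encode_2of5(int digit) { return (digit < 0 || digit > 9) ? -1 : TWO_OF_FIVE[digit]; }

/* The self-check: anything other than exactly two 1s in the five bits is
 * rejected before the pattern is even looked up. Returns the digit or -1. */
int decode_2of5(uint8_t pattern)
{
    if ((pattern & ~0x1F) || ones(pattern) != 2) return -1;
    for (int d = 0; d < 10; d++) if (TWO_OF_FIVE[d] == pattern) return d;
    return -1;   /* not reached: every two-1s pattern is assigned */
}

/* What an ordinary parity check would enforce on the same bits: every legal
 * code has an even number of 1s, so even parity is the rule. */
int even_parity_ok(uint8_t pattern) { return ones(pattern) % 2 == 0; }

/* Decode a field of digits; returns the count, or -(index+1) of the first
 * invalid code so the record can be rejected rather than mis-posted. */
int decode_digits(const uint8_t *codes, int n, int *digits)
{
    for (int i = 0; i < n; i++) {
        int d = decode_2of5(codes[i]);
        if (d < 0) return -(i + 1);
        digits[i] = d;
    }
    return n;
}

int demo_roundtrip_all(void)
{
    for (int d = 0; d < 10; d++)
        if (decode_2of5((uint8_t)encode_2of5(d)) != d) return 0;
    return 1;
}

/* All five bits read as 0 (e.g. a dead line): the 1-count stays even, so
 * the parity check passes, but the 2-of-5 count catches it. Returns 1 when so. */
int demo_parity_fooled(int digit)
{
    uint8_t code = (uint8_t)encode_2of5(digit);
    uint8_t damaged = 0;
    return even_parity_ok(code) && even_parity_ok(damaged) && decode_2of5(damaged) < 0;
}

/* Limit of the scheme: a 1 displaced into the next free position keeps the
 * count at two, so the result is a different legal digit and neither check
 * fires. Returns the digit that would be accepted in place of the original
 * (or -1 if the displaced bit lands outside the five-bit field). */
int demo_swap_undetected(int digit)
{
    uint8_t code = (uint8_t)encode_2of5(digit);
    uint8_t low = 1;
    while (!(code & low)) low <<= 1;          /* lowest set bit */
    uint8_t damaged = code & (uint8_t)~low;
    uint8_t b = low << 1;
    while (damaged & b) b <<= 1;               /* next free position above it */
    damaged |= b;
    return decode_2of5(damaged);
}

/* Constructed account field: digits 4, 2, 7 followed by a corrupted code. */
static const uint8_t ACCOUNT[] = { 0x0A, 0x06, 0x12, 0x07 };

int demo_account_number(void)
{
    int digits[4];
    return decode_digits(ACCOUNT, 4, digits);   /* -4: fourth code invalid */
}

int main(void)
{
    printf("all digits round-trip: %d\n", demo_roundtrip_all());
    printf("digit 7 with both 1s lost: parity fooled=%d\n", demo_parity_fooled(7));
    printf("digit 7 with a displaced 1 is read as %d\n", demo_swap_undetected(7));
    printf("account field result: %d\n", demo_account_number());
    return 0;
}
```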

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

4 · 6 HARDWARE ELEMENTS OF SECURITY

4.4 HARDWARE OPERATIONS. Input, output, and processing are the three essential functions of any computer. To protect data integrity during these operations, several hardware features are available.

• Read-after-write. In disk and tape drives, it is common practice to read the data immediately after they are recorded and to compare them with the original values. Any disagreement signals an error that requires rewriting.

• Echo. Data transmitted to a peripheral device, to a remote terminal (see Section 4.9.1), or to another computer can be made to generate a return signal. This echo is compared with the original signal to verify correct reception. However, there is always the risk that an error will occur in the return signal and falsely indicate an error in the original transmission.

• Overflow. The maximum range of numerical values that any computer can accommodate is fixed by its design. If a program is improperly scaled, or if an impossible operation such as dividing by zero is called for, the result of an arithmetic operation may exceed the allowable range, producing an overflow error. Earlier computers required programmed instructions to detect overflows, but this function now generally is performed by hardware elements at the machine level. Overflows within application programs still must be dealt with in software. (Indeed, failure to do so can render software susceptible to abuse by malicious parties.)

• Validation. In any one computer coding system, some bit patterns may be unassigned, and others may be illegal. In the IBM System/360 Extended Binary Coded Decimal Interchange Code (EBCDIC), for example, the number 9 is represented by 11111001, but 11111010 is unassigned. A parity check would not detect the second group as being in error, since both have the same number of 1 bits. A validity check, however, would reject the second bit configuration as invalid.

Similarly, certain bit patterns represent assigned instruction codes while others do not. In one computer, the instruction to convert packed-decimal numbers to zoned-decimal numbers is 11110011, or F3 in hexadecimal notation; 11110101, or F5, is unassigned, and a validity check would cause a processing halt whenever that instruction was tested.

• Replication. In highly sensitive applications, it is good practice to provide backup equipment on site, for immediate changeover in the event of failure of the primary computer. For this reason, it is sometimes prudent to retain two identical, smaller computers rather than to replace them with a single unit of equivalent or even greater power. Fault-tolerant, or fail-safe, computers use two or more processors that operate simultaneously, sharing the load and exchanging information about the current status of duplicate processes running in parallel. If one of the processors fails, another continues the processing without pause.

Many sensitive applications, such as airline reservation systems, have extensive data communications facilities. It is important that all of this equipment be duplicated as well as the computers themselves. (The failure of an airline reservation system, if permitted to extend beyond a relatively small number of hours, could lead to failure of the airline itself.)

Replacements should also be immediately available for peripheral devices. In some operating systems, it is necessary to inform the system that a device is down and to reassign its functions to another unit. In the more sophisticated systems, a malfunctioning device is automatically cut out and replaced. For example, the New York Stock Exchange operates and maintains two identical trading systems so that failure of the primary system should not result in any interruption to trading.
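The overflow item in the list above notes that application-level overflow must be handled in software. As an added C example (not code from the Handbook), the following shows the unchecked size computation beside checked multiplication, addition and division that refuse an out-of-range result instead of wrapping or trapping, and an allocation routine built on the checked form; the sizes used are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked pattern: count * elem_size silently wraps around when the
 * true product does not fit in size_t, yielding a small buffer for a large
 * record table. */
size_t unchecked_buffer_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Multiplication that refuses to overflow instead of wrapping. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Signed addition with the range test done before the operation, since
 * signed overflow itself is undefined behaviour in C. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) return false;
    *out = a + b;
    return true;
}

/* Division: a zero divisor, and INT32_MIN / -1 whose quotient is out of
 * range, are the two cases that would trap or overflow in hardware. */
bool checked_div_i32(int32_t a, int32_t b, int32_t *out)
{
    if (b == 0 || (a == INT32_MIN && b == -1)) return false;
    *out = a / b;
    return true;
}

/* Allocate count fixed-size records only when the byte total is
 * representable; NULL otherwise, never an undersized buffer. */
void *alloc_records(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul_size(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

/* True when the checked multiply refuses a product that the unchecked
 * version would have wrapped to a small, wrong value. */
bool demo_wraparound(size_t count, size_t elem_size)
{
    size_t unused;
    return !checked_mul_size(count, elem_size, &unused)
        && unchecked_buffer_size(count, elem_size) < count;
}

/* Exercise the signed helpers; each satisfied expectation sets one bit,
 * so 31 means all five held. */
int demo_checked_ops(void)
{
    int32_t r;
    int bits = 0;
    if (!checked_add_i32(INT32_MAX, 1, &r)) bits |= 1;
    if (checked_add_i32(-5, 3, &r) && r == -2) bits |= 2;
    if (!checked_div_i32(7, 0, &r)) bits |= 4;
    if (!checked_div_i32(INT32_MIN, -1, &r)) bits |= 8;
    if (checked_div_i32(7, 2, &r) && r == 3) bits |= 16;
    return bits;
}

/* A sane request succeeds and is released. */
int demo_alloc_ok(void)
{
    void *p = alloc_records(1000, 8);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;
    printf("unchecked %zu*2 = %zu (wrapped=%d)\n", huge, unchecked_buffer_size(huge, 2),
           demo_wraparound(huge, 2));
    printf("signed checks: %d/31, alloc ok: %d\n", demo_checked_ops(), demo_alloc_ok());
    return 0;
}
```

The hardware overflow flag the text mentions tells the processor that a machine-level operation went out of range; it does nothing for a size computed in an application and then handed to an allocator, which is why the checked forms above test the range before the arithmetic rather than after.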


4.5 INTERRUPTS. The sequence of operations performed by a computer system is determined by a group of instructions: a program. However, many events that occur during operations require deviations from the programmed sequence. Interrupts are signals generated by hardware elements that detect changed conditions and initiate appropriate action. The first step is immediately to store the status of various elements in preassigned memory locations. The particular stored bit patterns, commonly called program status words, contain the information necessary for the computer to identify the cause of the interrupt, to take action to process it, and then to return to the proper instruction in the program sequence after the interrupt is cleared.

4.5.1 Types of Interrupts. Five types of interrupts are in general use. Each of them is of importance in establishing and maintaining data processing integrity.

4.5.1.1 Input/Output Interrupts. Input/output (I/O) interrupts are generated whenever a device or channel that had been busy becomes available. This capability is necessary to achieve error-free use of the increased throughput provided by buffering, overlapped processing, and multiprogramming.

After each I/O interrupt, a check is made to determine whether the data have been read or written without error. If so, the next I/O operation can be started; if not, an error-recovery procedure is initiated. The number of times that errors occur should be recorded so that degraded performance can be detected and corrected.

4.5.1.2 Supervisor Calls. The supervisor, or monitor, is a part of the operating system software that controls the interactions between all hardware and software elements.

Every request to read or write data is scheduled by the supervisor when called upon to do so. I/O interrupts also are handled by supervisor calls that coordinate them with read/write requests. Loading, executing, and terminating programs are other important functions initiated by supervisor calls.

4.5.1.3 Program Check Interrupts. Improper use of instructions or data may cause an interrupt that terminates the program. For example, attempts to divide by zero and operations resulting in arithmetic overflow are voided. Unassigned instruction codes, attempts to access protected storage, and invalid data addresses are other types of exceptions that cause program check interrupts.

4.5.1.4 Machine Check Interrupts. Among the exception conditions that will cause machine check interrupts are parity errors, bad disk sectors, disconnection of peripherals in use, and defective circuit modules. It is important that proper procedures be followed to clear machine checks without loss of data or processing error.

4.5.1.5 External Interrupts. External interrupts are generated by timer action, by pressing an Interrupt key, or by signals from another computer. When two central processing units are interconnected, signals that pass between them initiate external interrupts. In this way, control and synchronization are continuously maintained while programs, data, and peripheral devices may be shared and coordinated.

In mainframes, an electronic clock generally is included in the central processor unit for time-of-day entries in job logs and for elapsed-time measurements. As an interval timer, the clock can be set to generate an interrupt after a given period. This feature should be used as a security measure, preventing sensitive jobs from remaining on the computer long enough to permit unauthorized manipulation of data or instructions.


4.5.2 Trapping. Trapping is a type of hardware response to an interrupt. Upon detecting the exception, an unconditional branch is taken to some predetermined location. An instruction there transfers control to a supervisor routine that initiates appropriate action.

4.6 MEMORY AND DATA STORAGE. Just as the human mind is subject to aberrations, so is computer memory. In the interests of data security and integrity, various therapeutic measures have been developed for the several types of storage.

4.6.1 Main Memory. Random access memory (RAM), and its derivatives, such as dynamic RAM (DRAM), synchronous DRAM (SDRAM, introduced in 1996 and running at 133 megahertz [MHz]), and DDR-3 (Double Data Rate 3 SDRAM, announced in 2005 and running at 800 MHz), share the necessary quality of being easily and quickly accessed for reading and writing of data. Unfortunately, this necessary characteristic is at the same time a potential source of difficulty in maintaining data integrity against unwanted read/write operations. The problems are greatly intensified in a multiprogramming environment, especially with dynamic memory allocation, where the possibility exists that one program will write improperly over another’s data in memory. Protection against this type of error must be provided by the operating system. Chapter 24 in this Handbook discusses operating system security in more detail.

One form of protection requires that main memory be divided into blocks or pages; for example, 2,048 eight-bit bytes each. Pages can be designated as read-only when they contain constants, tables, or programs to be shared by several users. Additionally, pages that are to be inaccessible except to designated users may be assigned a lock by appropriate program instructions. If a matching key is not included in the user’s program, access to that page will be denied. Protection may be afforded against writing only or against reading and writing.
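The page lock-and-key arrangement above can be modelled directly. The following C example, added here and not drawn from the Handbook or any particular machine, keeps a lock value and two flags per 2,048-byte page and applies the rules stated in the text: read-only pages refuse writes, and locked pages refuse writes (and, if fetch-protected, reads as well) unless the program presents the matching key. The page layout, key values and addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 2048u     /* 2,048 eight-bit bytes per page, as in the text */
#define NUM_PAGES 8         /* constructed: a 16 KB toy address space */

typedef struct {
    uint8_t lock;           /* 0 = unlocked; otherwise the key a program must present */
    bool read_only;         /* constants, tables, programs shared by several users */
    bool fetch_protect;     /* the lock guards reads as well as writes */
} page_t;

typedef struct {
    page_t pages[NUM_PAGES];
    uint8_t mem[NUM_PAGES * PAGE_SIZE];
} memory_t;

enum access_result { ACCESS_OK = 0, ACCESS_BAD_ADDRESS, ACCESS_READ_ONLY, ACCESS_KEY_MISMATCH };

/* The protection decision for one page: read-only pages refuse all writes;
 * a locked page refuses writes, and also reads if fetch-protected, unless
 * the presented key matches. */
enum access_result page_check(const page_t *p, uint8_t key, bool is_write)
{
    if (is_write && p->read_only) return ACCESS_READ_ONLY;
    if (p->lock != 0 && key != p->lock && (is_write || p->fetch_protect))
        return ACCESS_KEY_MISMATCH;
    return ACCESS_OK;
}

enum access_result mem_write(memory_t *m, uint32_t addr, uint8_t key, uint8_t value)
{
    if (addr >= NUM_PAGES * PAGE_SIZE) return ACCESS_BAD_ADDRESS;
    enum access_result r = page_check(&m->pages[addr / PAGE_SIZE], key, true);
    if (r == ACCESS_OK) m->mem[addr] = value;
    return r;
}

enum access_result mem_read(const memory_t *m, uint32_t addr, uint8_t key, uint8_t *value)
{
    if (addr >= NUM_PAGES * PAGE_SIZE) return ACCESS_BAD_ADDRESS;
    enum access_result r = page_check(&m->pages[addr / PAGE_SIZE], key, false);
    if (r == ACCESS_OK) *value = m->mem[addr];
    return r;
}

/* Constructed layout: page 0 is a shared read-only table; pages 1-3 belong
 * to program A (key 3) and are protected against writing only; pages 4-7
 * belong to program B (key 7) and are protected against reading and writing. */
void setup_layout(memory_t *m)
{
    for (int i = 0; i < NUM_PAGES; i++) {
        m->pages[i].lock = 0;
        m->pages[i].read_only = false;
        m->pages[i].fetch_protect = false;
    }
    m->pages[0].read_only = true;
    for (int i = 1; i <= 3; i++) m->pages[i].lock = 3;
    for (int i = 4; i <= 7; i++) { m->pages[i].lock = 7; m->pages[i].fetch_protect = true; }
}

/* Program A (key 3) probes the layout. Each rule that holds sets one bit;
 * 31 means all five did. */
int demo_isolation(void)
{
    static memory_t m;
    uint8_t v = 0;
    int bits = 0;
    setup_layout(&m);
    if (mem_write(&m, 5 * PAGE_SIZE + 10, 3, 0xAA) == ACCESS_KEY_MISMATCH) bits |= 1;   /* B's data */
    if (mem_read(&m, 5 * PAGE_SIZE + 10, 3, &v) == ACCESS_KEY_MISMATCH) bits |= 2;      /* fetch-protected */
    if (mem_write(&m, 100, 3, 0xAA) == ACCESS_READ_ONLY) bits |= 4;                     /* shared table */
    if (mem_write(&m, 2 * PAGE_SIZE, 3, 0x5A) == ACCESS_OK &&
        mem_read(&m, 2 * PAGE_SIZE, 7, &v) == ACCESS_OK && v == 0x5A) bits |= 8;        /* own page; B may read it */
    if (mem_write(&m, 9 * PAGE_SIZE, 3, 0) == ACCESS_BAD_ADDRESS) bits |= 16;           /* outside memory */
    return bits;
}

int main(void)
{
    printf("protection rules held: %d/31\n", demo_isolation());
    return 0;
}
```

The important property is that `page_check` is the only place a decision is made and it runs on every access; a real operating system keeps the lock values where user programs cannot rewrite them, which is the part this toy model leaves out.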

4.6.2 Read-Only Memory. One distinguishing feature of main memory is the extremely high speed at which data can be entered or read out. The set of sequential procedures that accomplishes this and other functions is the program, and the programmer has complete freedom to combine any valid instructions in a meaningful way. However, certain operations, such as system start-up, or booting, are frequently and routinely required, and they may be performed automatically by a preprogrammed group of memory elements. These elements should be protected from inadvertent or unauthorized changes.

For this purpose, a class of memory elements has been developed that, once programmed, cannot be changed at all, or require a relatively long time to do so. These elements are called read-only memory, or ROM; the process by which sequential instructions are set into these elements is known as microprogramming. The technique can be used to advantage where data integrity is safeguarded by eliminating the possibility of programmer error.

Variations of the principle include programmable read-only memories (PROM) and erasable, programmable read-only memory (EPROM), all of which combine microprogramming with a somewhat greater degree of flexibility than read-only memory itself. The data on these chips can be changed through a special operation often referred to as flashing (literally exposure to strong ultraviolet light; this is different from flash memory used today for storage of such data as digital music files and digital photographs—we will return to the subject of flash memory in the next section).


4.6.3 Secondary Storage. The term “secondary storage” traditionally has been used to describe storage such as magnetic disks, diskettes, tapes, and tape cartridges. Although the 1.44 megabyte (MB) magnetic floppy disk is obsolete, the magnetic hard drive, with capacities up to terabytes, remains an essential element of virtually all computers, and terabyte-capacity external hard drives the size of a paperback book are now available off-the-shelf for a few hundred dollars.

More recent developments are optical drives such as the removable compact disc read-only memory (CD-ROM), originally made available in the early 1980s, which are useful for long-term archival storage of around 700 MB per disc. Hybrid forms of this type exist as well, such as CD-Rs, which can be written to once, and CD-RWs, which accommodate multiple reads and writes. The digital video disc (DVD), or as it has been renamed, the digital versatile disc, was introduced in 1997 and provides capacities ranging from 4.7 gigabytes (GB) per disc up to 30 GB for data archiving. The higher-capacity optical discs use Blu-ray technology introduced in 2002 and can store 25 GB per side; they typically are used for distributing movies, but BD-R (single use) and BD-RE (rewritable) discs hold much potential for generalized data storage.

The newest addition to secondary storage is RAM that simulates hard disks, known as flash memory. Derived from electrically erasable PROMs (EEPROMs) and introduced by Toshiba in the 1980s, this kind of memory now exists in a huge variety of formats, including relatively inexpensive Universal Serial Bus (USB) tokens with storage capacities now in the gigabyte range. These devices appear as external disk drives when plugged into a plug-and-play personal computer. Another flash memory format is small cards, many the size of postage stamps, that can be inserted into mobile phones, cameras, printers, and other devices as well as computers.

Hardware safeguards described earlier, such as redundancy, validity, parity, and read-after-write, are of value in preserving the integrity of secondary storage. These safeguards are built into the equipment and are always operational unless disabled or malfunctioning. Other precautionary measures are optional, such as standard internal labeling procedures for drives, tapes, and disks. Standard internal labels can include identification numbers, record counts, and dates of creation and expiration. Although helpful, external plastic or paper labels on recordable media are not an adequate substitute for computer-generated labels, magnetically inscribed on the medium itself and automatically checked by programmed instructions.

Another security measure sometimes subverted is write-protection on removable media. Hardware interlocks prevent writing to them. These locks should be activated immediately when the media are removed from the system. Failure to do so will cause the data to be destroyed if the same media are improperly used on another occasion.

Hard drives, optical discs, and flash memory cards are classified as direct access storage devices (DASDs). Unlike magnetic tapes with their exclusively sequential processing, DASDs may process data randomly as well as in sequence. This capability is essential to online operations, where it is not possible to sort transactions prior to processing. The disadvantage of direct access is that there may be less control over entries and more opportunity to degrade the system than exists with sequential batch processing.

One possible source of DASD errors arises from the high rotational velocity of the recording medium and, except on head-per-track devices, the movement of heads as well. To minimize this possibility, areas on the recording surface have their addresses magnetically inscribed. When the computer directs that data be read from or into a particular location, the address in main memory is compared with that read from the DASD. Only if there is agreement will the operation be performed.


Through proper programming, the integrity of data can be further assured. In addition to the address check, comparisons can be made on identification numbers or on key fields within each record. Although the additional processing time is generally negligible, there can be a substantial improvement in properly posting transactions.

Several other security measures often are incorporated into DASDs. One is similar to the protection feature in main memory and relies on determining “extents” for each data set. If these extents, which are simply the upper and lower limits of a data file’s addresses, are exceeded, the job will terminate.

Another safety measure is necessitated by the fact that defective areas on a disk surface may cause errors undetectable in normal operations. To minimize this possibility, disks should be tested and certified prior to use and periodically thereafter. Further information is provided by operating systems that record the number of disk errors encountered. Reformatting or replacement must be ordered when errors exceed a predetermined level. Many personal computer hard drives now have some form of Self-Monitoring, Analysis, and Reporting Technology (SMART). Evolved from earlier technology such as IBM’s Predictive Failure Analysis (PFA) and Intellisafe by computer manufacturer Compaq, and disk drive manufacturers Seagate, Quantum, and Conner, SMART can alert operators to potential drive problems. Unfortunately, the implementation of SMART is not standardized, and its potential for preventive maintenance and failure prediction is often overlooked.

Note that SMART is different from the range of technologies used to protect hard drives from head crashes. A head crash occurs when the component that reads data from the disk actually touches the surface of the disk, potentially damaging it and the data stored on it. Many hard drives have systems in place to withdraw heads from the disk before such contact occurs. These protective measures have reached the point where an active hard drive can be carried around in relative safety as part of a music and video player (e.g., Apple iPod or Microsoft Zune).

4.7 TIME. Within the computer room and in many offices, a wall clock is usually a dominant feature. There is no doubt that this real-time indicator is of importance in scheduling and regulating the functions of people and machines, but the computer’s internal timings are more important for security.

4.7.1 Synchronous. Many computer operations are independent of the time of day but must maintain accurate relationships with some common time and with each other. Examples of this synchronism include the operation of gates, flip-flops, and registers, and the transmission of data at high speeds. Synchronism is obtained in various ways. For gates and other circuit elements, electronic clocks provide accurately spaced pulses at a high-frequency rate, while disk and tape drives are maintained at rated speed by servomotor controls based on power-line frequency.

Of all computer errors, the ones most difficult to detect and correct are probably those caused by timing inconsistencies. Internal clocks may produce 1 billion pulses per second (known as 1 gigahertz [GHz]), or more, when the computer is turned on. The loss of even a single pulse, or its random deformation or delay, can cause undetected errors. More troublesome is the fact that even if errors are detected, their cause may not be identified unless the random timing faults become frequent or consistent.

An example of the insidious nature of timing faults is the consequence of electrical power fluctuations when voltage drops below standard. During these power transients, disk drives may slow down; if sectors are being recorded, their physical size will be correspondingly smaller. Then, when the proper voltage returns, the incorrect sector sizes can cause data errors or loss.

4.7.2 Asynchronous. Some operations do not occur at fixed time intervals and therefore are termed “asynchronous.” In this mode, signals generated by the end of one action initiate the following one. As an example, low-speed data transmissions such as those using ordinary modems are usually asynchronous. Coded signals produced by the random depression of keyboard keys are independent of any clock pulses.

4.8 NATURAL DANGERS. To preserve the accuracy and timeliness of computer output, computers must be protected against environmental dangers. Chapters 22 and 23 of this Handbook discuss such threats in extensive detail.

4.8.1 Power Failure. Probably the most frequent cause of computer downtime is power failure. Brownouts and blackouts are visible signs of trouble; undetected voltage spikes are far more common, although hardly less damaging.

Lightning can produce voltage spikes on communications and power lines of sufficient amplitude to destroy equipment or, at the very least, to alter data randomly. Sudden storms and intense heat or cold place excessive loads on generators. The drop in line voltage that results can cause computer or peripheral malfunction. Even if it does not, harmful voltage spikes may be created whenever additional generators are switched in to carry higher loads.

Where warranted, a recording indicator may be used to detect power-line fluctuations. Such monitoring often is recommended when computer systems show unexplained, erratic errors. At any time that out-of-tolerance conditions are signaled, the computer output should be checked carefully to ensure that data integrity has not been compromised. If such occurrences are frequent, or if the application is a sensitive one, auxiliary power management equipment should be considered. These range from simple voltage regulators and line conditioners to uninterruptible power supplies (UPSs).

4.8.2 Heat. Sustained high temperatures can cause electronic components to malfunction or to fail completely. Air conditioning (AC) is therefore essential, and all units must be adequate, reliable, and properly installed. If backup electrical power is provided for the computer, it must also be available for the air conditioners. For example, after the San Francisco earthquake of 1989, the desktop computers and network servers in at least one corporate headquarters were damaged by a lack of synchronization between air conditioning and power supply. The AC was knocked out by the quake, and the building was evacuated, but the computers were left on. Many of them failed at the chip and motherboard level over the next few days because the temperature in the uncooled offices got too high. A frequently unrecognized cause of overheating is obstruction of ventilating grilles. Printouts, tapes, books, and other objects must not be placed on cabinets where they can prevent free air circulation. A digital thermometer is a good investment for any room in which computers are used. Today, many electronic devices include thermostats that cut off the power if internal temperatures exceed a danger limit.

4.8.3 Humidity. Either extreme of humidity can be damaging. Low humidity—below about 20 percent—permits buildup of static electricity charges that may affect data pulses. Because this phenomenon is intensified by carpeting, computer room floors should either be free of carpeting or covered with antistatic carpet.

High humidity—above about 80 percent—may lead to condensation that causes shorts in electrical circuits or corrodes metal contacts. To ensure operation within acceptable limits, humidity controls should be installed and a continuous record kept of measured values.

4.8.4 Water. Water introduced by rain, floods, bursting pipes, and overhead sprinklers probably has been responsible for more actual computer damage than fire or any other single factor. Care taken in locating computer facilities, in routing water pipes, and in the selection of fire-extinguishing agents will minimize this significant danger.

The unavailability of water—following a main break, for example—will cause almost immediate shutdown of water-cooled mainframes. Mission-critical data centers should be prepared for this contingency. As an example, when the Des Moines River flooded in 1993, it caused the skyscraper housing the headquarters of the Principal Financial Group to be evacuated, but not because of water in the building. The building stayed high and dry, but the flood forced the city water plant to shut down, depriving the building of the water necessary for cooling. After the flood, the company installed a 40,000-gallon water tank in the basement, to prevent any recurrence of this problem.

4.8.5 Dirt and Dust. Particles of foreign matter can interfere with proper operation of magnetic tape and disk drives, printers, and other electromechanical devices. All air intakes must be filtered, and all filters must be kept clean. Cups of coffee seem to become especially unstable in a computer environment; together with any other food or drink, they should be banned entirely. Throughout all areas where computer equipment is in use, good housekeeping principles should be rigorously enforced.

4.8.6 Radiation. Much has been written about the destructive effect of magnetic fields on tape or disk files. However, because magnetic field strength diminishes rapidly with distance, it is unlikely that damage actually could be caused except by large magnets held very close to the recorded surfaces. For example, storing a CD or DVD by attaching it to a filing cabinet with a magnet is not a good idea, but simply walking past a refrigerator decorated with magnets while holding a CD or DVD is unlikely to do any damage.

The proliferation of wireless signals can expose data to erroneous pulses. Offices should be alert for possible interference from and between cordless phones, mobile phones, wireless Internet access points and peripherals, and microwave ovens.

Radioactivity may be a great threat to personnel but not to the computer or its recording media.

4.8.7 Downtime. It is essential to the proper functioning of a data center that preventive maintenance be performed regularly and that accurate records be kept of the time and the reason that any element of the computer is inoperative. The more often the computer is down, the more rushed operators will be to catch up on their scheduled workloads. Under such conditions, controls are bypassed, shortcuts are taken, and human errors multiply.

Downtime records should be studied to detect unfavorable trends and to pinpoint equipment that must be overhauled or replaced before outages become excessive.


If unscheduled downtime increases, preventive maintenance should be expanded or improved until the trend is reversed.

4.9 DATA COMMUNICATIONS. One of the most dynamic factors in current computer usage is the proliferation of devices and systems for data transmission. These range from telephone modems to wired networks, from Internet-enabled cell phones to 802.11 wireless Ethernet, and include Bluetooth, infrared, personal digital assistants (PDAs), music players, and new technologies that appear almost monthly. Computers that do not function at least part time in a connected mode may well be rarities. For fundamentals of data communications, see Chapter 5 of this Handbook.

The necessity for speeding information over great distances increases in proportion to the size and geographic dispersion of economic entities; the necessity for maintaining data integrity and security, and the difficulty of doing so, increases even more rapidly. Major threats to be guarded against include human and machine errors, unauthorized accession, alteration, and sabotage. The term “accession” refers to an ability to read data stored or transmitted within a computer system; it may be accidental or purposeful. “Alteration” is the willful entering of unauthorized or incorrect data. “Sabotage” is the intentional act of destroying or damaging the system or the data within it. For each of these threats, the exposure and the countermeasures will depend on the equipment and the facilities involved.

4.9.1 Terminals. In these discussions, a terminal is any input/output device that includes facilities for receiving, displaying, composing, and sending data. Examples include personal computers and specialized devices such as credit card validation units.

Data communications are carried on between computers, between terminals, or between computers and terminals. The terminals themselves may be classified as dumb or intelligent. Dumb terminals have little or no processing or storage capability and are largely dependent on a host computer for those functions. Intelligent terminals generally include disk storage and capabilities roughly equivalent to those of a personal computer. In addition to vastly improved communications capabilities, they are capable of stand-alone operation.

In the simplest of terminals, the only protection against transmission errors lies in the inability to recognize characters not included in the valid set and to display a question mark or other symbol when one occurs. Almost any terminal can be equipped to detect a vertical parity error. More sophisticated terminals are capable of detecting additional errors through longitudinal and cyclical redundancy characters, as well as by vertical parity and validity checks. Of course, error detection is only the first step in maintaining data integrity. Error correction is by far the more important part, and retransmission is the most widely used correction technique.

Intelligent terminals and personal computers are capable of high-speed transmission and reception. They can perform complicated tests on data before requesting retransmission, or they may even be programmed to correct errors internally. The techniques for self-correction require forward-acting codes, such as the Hamming cyclical code. These are similar to the error-detecting cyclic redundancy codes, except that they require even more redundant bits. Although error correction is more expensive and usually slower than detection with retransmission, it is useful under certain circumstances. Examples include simplex circuits where no return signal is possible, and half-duplex circuits where the time to turn the line around from transmission to reception is too long. Forward correction is also necessary where errors are so numerous that retransmissions would clog the circuits, with little or no useful information throughput.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

4 · 14 HARDWARE ELEMENTS OF SECURITY
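The detection and correction ideas above, worked through on constructed data as an added example (not code from the Handbook): vertical parity per character, a longitudinal redundancy check (LRC) over the block, and Hamming(7,4) standing in for the forward-acting "Hamming cyclical code" the text mentions. The last line shows why a single-error-correcting code is no substitute for retransmission: a double error is silently miscorrected.

```python
# Added example: VRC + LRC detection and Hamming(7,4) forward correction.
from typing import List, Tuple


def even_parity(value: int) -> int:
    """Return 1 if value has an odd number of 1 bits, i.e. the parity bit
    needed to make the total even (vertical parity, one bit per character)."""
    return bin(value).count("1") & 1


def add_vertical_parity(data: bytes) -> List[int]:
    """Put an even-parity bit in bit 7 of each 7-bit character."""
    return [(b & 0x7F) | (even_parity(b & 0x7F) << 7) for b in data]


def lrc(chars: List[int]) -> int:
    """Longitudinal redundancy check: XOR of every character in the block,
    transmitted as one extra check character after the block."""
    acc = 0
    for c in chars:
        acc ^= c
    return acc


def check_block(chars: List[int], block_lrc: int) -> Tuple[bool, List[int]]:
    """Receiver side: return (block_ok, indices that fail vertical parity).
    Two flipped bits in one character pass its own parity, which is why the
    LRC is checked as well. This is detection only: the remedy is retransmission."""
    bad = [i for i, c in enumerate(chars) if even_parity(c)]
    return (not bad and lrc(chars) == block_lrc), bad


def hamming74_encode(nibble: int) -> int:
    """Encode 4 data bits as a 7-bit Hamming codeword. Positions 1..7 are
    p1 p2 d1 p4 d2 d3 d4, with position 1 the most significant bit."""
    d1, d2, d3, d4 = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    p1 = d1 ^ d2 ^ d4          # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4          # covers positions 2, 3, 6, 7
    p4 = d2 ^ d3 ^ d4          # covers positions 4, 5, 6, 7
    code = 0
    for bit in (p1, p2, d1, p4, d2, d3, d4):
        code = (code << 1) | bit
    return code


def hamming74_decode(code: int) -> Tuple[int, int]:
    """Return (data nibble, syndrome). A non-zero syndrome is the 1-based
    position of the bit the decoder flipped back; 0 means the codeword was
    consistent. Only a single-bit error is corrected reliably."""
    bits = [(code >> (6 - i)) & 1 for i in range(7)]   # index 0 = position 1
    s1 = bits[0] ^ bits[2] ^ bits[4] ^ bits[6]
    s2 = bits[1] ^ bits[2] ^ bits[5] ^ bits[6]
    s4 = bits[3] ^ bits[4] ^ bits[5] ^ bits[6]
    syndrome = s1 | (s2 << 1) | (s4 << 2)
    if syndrome:
        bits[syndrome - 1] ^= 1                          # forward correction
    nibble = (bits[2] << 3) | (bits[4] << 2) | (bits[5] << 1) | bits[6]
    return nibble, syndrome


def flip(code: int, *positions: int) -> int:
    """Simulate line noise: flip the given 1-based bit positions of a codeword."""
    for p in positions:
        code ^= 1 << (7 - p)
    return code


if __name__ == "__main__":
    # constructed block: the characters "AB" with parity bits and an LRC
    block = add_vertical_parity(b"AB")
    check = lrc(block)
    print(check_block(block, check))                        # clean block
    print(check_block([block[0] ^ 0x01, block[1]], check))  # one flipped bit: parity catches it
    print(check_block([block[0] ^ 0x03, block[1]], check))  # two flipped bits: only the LRC catches it

    word = hamming74_encode(0b1011)
    print(hamming74_decode(flip(word, 5)))      # single error corrected, syndrome names the bit
    print(hamming74_decode(flip(word, 5, 6)))   # double error: wrong nibble, no alarm
```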

A more effective use of intelligent terminals and personal computers is to preserve data integrity by encryption, as described in this chapter and in Chapter 7. Also, they may be used for compression or compaction. Reducing the number of characters in a message reduces the probability of an error as well as the time required for transmission. One technique replaces long strings of spaces or zeroes with a special character and a numerical count; the procedure is reversed when receiving data.
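The space/zero compaction scheme just described, as an added example (not the Handbook's code), with the marker character and run limits chosen here as assumptions. It also handles two cases the text leaves implicit: a run longer than one count byte, and a marker character that occurs in the data itself, which must be escaped or the receiver will expand the wrong thing.

```python
# Added example: run-length compaction of spaces and zeroes with a marker
# character and a one-byte count, and the reverse procedure on receipt.
MARKER = 0x1B               # constructed choice; any byte rare in the data will do
COMPACTABLE = {0x20, 0x00}  # runs of spaces and zeroes, as in the text
MIN_RUN = 4                 # a marker triple is 3 bytes, so shorter runs are sent as is
MAX_COUNT = 255             # the count travels in a single byte


def compact(data: bytes) -> bytes:
    """Sender side: replace long runs of space/zero with MARKER, byte, count."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        j = i
        while j < n and data[j] == b:
            j += 1                       # j is one past the end of this run
        run = j - i
        if b == MARKER:
            out += bytes([MARKER, MARKER, 1]) * run   # literal marker, escaped
        elif b in COMPACTABLE and run >= MIN_RUN:
            while run > 0:               # split runs that exceed one count byte
                chunk = min(run, MAX_COUNT)
                out += bytes([MARKER, b, chunk])
                run -= chunk
        else:
            out += data[i:j]             # short run or ordinary text: copy through
        i = j
    return bytes(out)


def expand(data: bytes) -> bytes:
    """Receiver side: the reverse procedure. A truncated triple is rejected
    rather than silently producing a short record."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != MARKER:
            out.append(data[i])
            i += 1
            continue
        if i + 2 >= n:
            raise ValueError("truncated run marker at offset %d" % i)
        out += bytes([data[i + 1]]) * data[i + 2]
        i += 3
    return bytes(out)


if __name__ == "__main__":
    # constructed fixed-width record: padding spaces dominate the length
    record = b"NAME" + b" " * 300 + b"\x00\x00\x00" + b"END"
    packed = compact(record)
    print(len(record), "->", len(packed), "bytes; round trip ok:", expand(packed) == record)
```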

Finally, the intelligent terminal or microprocessor may be used to encode or decipher data when the level of security warrants cryptography.

All terminals, of every type, including desktop and notebook personal computers (PCs), have at least one thing in common: the need to be protected against sabotage or unauthorized use. Although the principles for determining proper physical location and the procedures for restricting access are essentially the same as those that apply to a central computer facility, the actual problems of remote terminals are even more difficult. Isolated locations, inadequate supervision, and easier access by more people all increase the likelihood of compromised security.

4.9.2 Wired Facilities. Four types of wired facilities are in widespread use: dial-up access, leased lines, digital subscriber lines (DSL), and cable carriers. Both common carriers and independent systems may employ various media for data transmission. The increasing need for higher speed and better quality in data transmission has prompted utilization of coaxial and fiber optic cables, while microwave stations and communication satellites often are found as wireless links within wired systems.

Generally, decisions as to the choice of service are based on the volume of data to be handled and on the associated costs, but security considerations may be even more important.

4.9.2.1 Dial-Up Lines. Still widely used for credit and debit card terminals, dial-up lines have been replaced for many other applications by leased lines, DSL lines, and cables carrying Internet traffic (using the TCP/IP protocol discussed in Chapter 5 of this Handbook). Dial-up connections are established between modems operating over regular voice lines sometimes referred to as plain old telephone service (POTS).

Where dial-up access to hardware still exists, for example, for maintenance of certain equipment, proper controls are essential to protect both the equipment and the integrity of other systems to which it might be connected. Dial-up ports may be reached by anyone with a phone, anywhere on the planet, and the practice of war-dialing to detect modems is still used by those seeking unauthorized access to an organization’s network. (War dialing involves dialing blocks of numbers to find which ones respond as modems or fax machines. These numbers are recorded and may be dialed later in an attempt to gain unauthorized access to systems or services.) It is advisable to:

• Compile a log of unauthorized attempts at entry, and use it to discourage further efforts.

• Compile a log of all accesses to sensitive data, and verify their appropriateness.

• Equip all terminals with internal identification generators or answer-back units, so that even a proper password would be rejected if sent from an unauthorized terminal. This technique may require the availability of an authorized backup terminal in the event of malfunction of the primary unit.

• Provide users with personal identification in addition to a password if the level of security requires it. The additional safeguard could be a magnetically striped or computerized plastic card to be inserted into a special reader. The value of such cards is limited, since they can be used by anyone, whether authorized or not. For high-security requirements, other hardware-dependent biometric identifiers, such as handprints and voiceprints, should be considered.

• Where appropriate, utilize call-back equipment that prevents a remote station from entering a computer directly. Instead, the device dials the caller from an internal list of approved phone numbers to make the actual connection.
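A small model of the dial-up port controls listed above, as an added example (not the Handbook's code): logged and counted refusals, an answer-back check that rejects a correct password from an unregistered terminal, and call-back to the number on file instead of a direct connection. The subscriber directory, the lock-out threshold and the phone numbers are constructed assumptions.

```python
# Added example: access decision for one dial-up port, with audit log,
# terminal answer-back verification and call-back to an approved number.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_FAILURES = 3   # assumption: after this many logged failures the port stops serving the user


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash so the directory never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Subscriber:
    pw_hash: bytes
    salt: bytes
    terminal_id: str      # answer-back code the registered terminal must send
    callback_number: str  # the only number the port will ever dial for this user


@dataclass
class DialupPort:
    directory: Dict[str, Subscriber] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    failures: Dict[str, int] = field(default_factory=dict)

    def enroll(self, user: str, password: str, terminal_id: str, callback_number: str) -> None:
        salt = os.urandom(16)
        self.directory[user] = Subscriber(_hash(password, salt), salt, terminal_id, callback_number)

    def handle_call(self, user: str, password: str, answerback: str) -> Tuple[str, str]:
        """Decide an incoming call. The caller is never connected on the incoming
        line: on success the port hangs up and dials the number on file, so a
        caller at the wrong number gains nothing from a guessed password."""
        sub = self.directory.get(user)
        if sub is None:
            return self._deny(user, "unknown user")
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return self._deny(user, "user locked after repeated failures")
        if not hmac.compare_digest(_hash(password, sub.salt), sub.pw_hash):
            return self._deny(user, "bad password")
        if not hmac.compare_digest(answerback.encode(), sub.terminal_id.encode()):
            # a proper password sent from an unregistered terminal is still refused
            return self._deny(user, "answer-back %r does not match registered terminal" % answerback)
        self.failures[user] = 0
        self._log("ACCEPT user=%s terminal=%s action=hang-up-and-dial %s"
                  % (user, answerback, sub.callback_number))
        return "CALLBACK", sub.callback_number

    def _deny(self, user: str, reason: str) -> Tuple[str, str]:
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        self._log("DENY user=%s reason=%s attempt=%d" % (user, reason, count))
        if count == MAX_FAILURES:
            self._log("LOCK user=%s" % user)
        return "DENIED", reason

    def _log(self, line: str) -> None:
        self.audit_log.append(line)

    def unauthorized_attempts(self) -> List[str]:
        """The log of refused entries that the text says to compile and review."""
        return [line for line in self.audit_log if line.startswith("DENY")]


if __name__ == "__main__":
    port = DialupPort()
    port.enroll("ops", "correct horse", "TERM-07", "+1-555-0100")   # placeholder number
    print(port.handle_call("ops", "correct horse", "TERM-07"))       # CALLBACK to the number on file
    print(port.handle_call("ops", "correct horse", "TERM-99"))       # right password, wrong terminal
    print("\n".join(port.audit_log))
```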

With proper password discipline, problems of accession, alteration, and data sabotage can be minimized. However, the quality of transmissions is highly variable. Built into the public telephone system is an automatic route-finding mechanism that directs signals through uncontrollable paths. The distance and the number of switching points traversed, and the chance presence of cross-talk, transients, and other noise products will have unpredictable effects on the incidence of errors. Parity systems, described earlier, are an effective means of reducing such errors.

4.9.2.2 Leased Lines. Lines leased from a common carrier for the exclusive use of one subscriber are known as dedicated lines. Because they are directly connected between predetermined points, normally they cannot be reached through the dial-up network. Traditionally, leased lines were copper, but point-to-point fiber optic and coaxial cable lines can also be leased.

Wiretapping is a technically feasible method of accessing leased lines, but it is more costly, more difficult, and less convenient than dialing through the switched network. Leased lines are generally more secure than those that can be readily war-dialed.

To this increased level of security for leased lines is added the assurance of higher-quality reception. The problems of uncertain transmission paths and switching transients are eliminated, although other error sources are not. In consequence, parity checking remains a minimum requirement.

4.9.2.3 Digital Subscriber Lines. Falling somewhere in between a leased line and POTS, a digital subscriber line offers digital transmission locally over ordinary phone lines that can be used simultaneously for voice transmission. This is possible because ordinary copper phone lines can carry, at least for short distances, signals that are in a much higher-frequency range than the human voice. A DSL modem is used by a computer to reach the nearest telephone company switch, at which point the data transmission enters the Internet backbone. Computers connected to the Internet over DSL communicate using TCP/IP and are said to be hosts rather than terminals. They are prone to compromise through a wide range of exploits. However, few if any of these threats are enabled by the DSL itself. As with leased lines, wiretapping is possible, but other attacks, such as exploiting weaknesses in TCP/IP implementations on host machines, are easier.

4.9.2.4 Cable Carriers. Wherever cable television (TV) is available, the same optical fiber or coaxial cables that carry the TV signal also can be used to provide high-speed data communications. The advantages of this technology include download speeds that can, in the case of coaxial cables, exceed 50 megabits per second, or in the case of fiber optic cable, exceed 100 gigabits per second.

The disadvantages arise from the fact that connections to the carrier may be shared by other subscribers in the same locality. Unless the service provider limits access, perhaps in accordance with a quality-of-service agreement, multiple subscribers can be online simultaneously and thus slow down transmission speeds. Even more serious is the possibility of security breaches, since multiple computers within a neighborhood may be sharing part of a virtual local area network, and thus each is potentially accessible to every other node on that network. For this reason alone, cable connections should be firewalled. For details of firewalls and their uses, see Chapter 26 in this Handbook. Another reason for using firewalls is that cable connections are always on, providing maximal opportunity for hackers to access an unattended computer.

4.9.3 Wireless Communications. Data transfers among multinational corporations have been growing very rapidly, and transoceanic radio and telephone lines have proved too costly, too slow, too crowded, and too error-prone to provide adequate service. An important alternative is the communications satellite. Orbiting above Earth, the satellite reflects ultra-high-frequency radio signals that can convey a television program or computer data with equal speed and facility.

For communications over shorter distances, the cost of common-carrier wired services has been so high as to encourage competitive technologies. One of these, the microwave radio link, is used in many networks. One characteristic of such transmissions is that they can be received only on a direct line-of-sight path from the transmitting or retransmitting antenna. With such point-to-point ground stations, it is sometimes difficult to position the radio beams where they cannot be intercepted; with satellite and wireless broadcast communications, it is impossible. This is a significant issue with wireless local area network technology based on the IEEE 802.11 standards and commonly known as Wi-Fi (a brand name owned by the Wi-Fi Alliance; the term is short for wireless fidelity). The need for security is consequently greater, and scramblers or cryptographic encoders are essential for sensitive data transfers.

Because of the wide bandwidths at microwave frequencies, extremely fast rates of data transfer are possible. With vertical, longitudinal, and cyclical redundancy check characters, almost all errors can be detected, yet throughput remains high.

4.10 CRYPTOGRAPHY. Competitive pressures in business, politics, and international affairs continually create situations where morality, privacy, and the laws all appear to give way before a compelling desire for gain. Information, for its own sake or for the price it brings, is an eagerly sought after commodity. We are accustomed to the sight of armored cars and armed guards transporting currency, yet often invaluable data are moved with few precautions. When the number of computers and competent technicians was small, the risk in careless handling of data resources was perhaps not great. Now, however, a very large population of knowledgeable computer people exists, and within it are individuals willing and able to use their knowledge for illegal ends. Others find stimulation and satisfaction in meeting the intellectual challenge that they perceive in defeating computer security measures.

Acquiring information in an unauthorized manner is relatively easy when data are communicated between locations. One method of discouraging this practice, or rendering it too expensive to be worth the effort, is cryptographic encoding of data prior to transmission. This technique is also useful in preserving the security of files within data storage devices. If all important files were stored on magnetic or optical media in cryptographic cipher only, the incidence of theft and resale would unquestionably be less.

Many types of ciphers might be used, depending on their cost and the degree of security required. Theoretically, any code can be broken, given enough time and equipment. In practice, if a cipher cannot be broken fairly quickly, the encoded data are likely to become valueless. However, since the key itself can be used to decipher later messages, it is necessary that codes or keys be changed frequently.

For further information on cryptography, refer to Chapter 7 in this Handbook.

4.11 BACKUP. As with most problems, the principal focus in computer security ought to be on prevention rather than on cure. No matter how great the effort, however, complete success can never be guaranteed. There are four reasons for this being so:

1. Not every problem can be anticipated.

2. Where the cost of averting a particular loss exceeds that of recovery, preventive measures may not be justified.

3. Precautionary measures, carried to extremes, can place impossible constraints on the efficiency and productivity of an operation. It may be necessary, therefore, to avoid such measures aimed at events whose statistical probability of occurrence is small.

4. Even under optimum conditions, carefully laid plans may go astray. In the real world of uncertainty and human fallibility, where there is active or inadvertent interference, it is almost a certainty that at one time or another, the best of precautionary measures will prove to be ineffective.

Recognizing the impossibility of preventing all undesired actions and events, it becomes necessary to plan appropriate means of recovering from them. Such plans must include backup for personnel, hardware, power, physical facilities, data, and software. Data backups are discussed more fully in Chapter 57 of this Handbook.

Responding to emergencies is described in Chapter 56 of this Handbook, and business continuity planning and disaster recovery are discussed in Chapters 58 and 59.

Backup plans should be evaluated with respect to:

• The priorities established for each application, to ensure that they are properly assigned and actually observed.

• The time required to restore high-priority applications to full-functioning status.

• The degree of assurance that plans actually can be carried out when required. For important applications, alternative plans should be available in the event that the primary plan cannot be implemented.

• The degree of security and data integrity that will exist if backup plans actually are put into effect.

• The extent to which changing internal or external conditions are noted, and the speed with which plans are modified to reflect such changes.

The assignment of priorities in advance of an actual emergency is an essential and critically important process. In most organizations, new applications proliferate, while old ones are rarely discarded. If backup plans attempt to encompass all jobs, they are likely to accomplish none. Proper utilization of priorities will permit realistic scheduling, with important jobs done on time and at acceptable costs.

4.11.1 Personnel. The problems of everyday computer operation require contingency plans for personnel on whose performance hardware functioning depends. Illnesses, vacations, dismissals, promotions, resignations, overtime, and extra shifts are some of the reasons why prudent managers are continuously concerned with the problem of personnel backup. The same practices that work for everyday problems can provide guidelines for emergency backup plans. This subject is covered more fully in Chapter 45 of this Handbook.

4.11.2 Hardware. Hardware backup for data centers can take several forms:

• Multiple processors at the same site to protect against loss of service due to breakdown of one unit

• Duplicate installations at nearby facilities of the same company

• Maintaining programs at a compatible service bureau, on a test or standby basis

• A contract for backup at a facility dedicated to disaster recovery

• A reciprocal agreement with a similar installation at another company

The probability of two onsite processors both being down at the same time due to internal faults is extremely small. Consequently, most multiple installations rarely fall behind on mission-critical applications. However, this type of backup offers no protection against power failure, fire, vandalism, or any disaster that could strike two or more processors at once. The disasters of September 11, 2001, proved that even a highly unlikely event actually could occur. With duplicate processors at different but commonly owned sites, there is little chance of both being affected by the same forces. Although the safety factor increases with the distance separating them, the difficulty of transporting people and data becomes greater. An alternate site must represent a compromise between these conflicting objectives. Furthermore, complete compatibility of hardware and software will have to be preserved, even though doing so places an undue operational burden on one of the installations. Shortly after September 11, a number of New York financial firms were back in operation with their alternative computer sites across the Hudson River.

The backup provided by service bureaus can be extremely effective, particularly if the choice of facility is carefully made. Although progressive service bureaus frequently improve both hardware and software, they almost never do so in a way that would cause compatibility problems for their existing customers. Once programs have been tested, they can be stored offline on tape or disk at little cost. Updated masters can be rotated in the service bureau library, providing offsite data backup as well as the ability to become fully operational at once.

Effective hardware backup is also available at independent facilities created expressly for that purpose. In one type of facility, there are adequate space, power, air conditioning, and communication lines to accommodate a very large system. Most manufacturers are able to provide almost any configuration on short notice when disaster strikes a valued customer. The costs for this type of base standby facility are shared by a number of users so that expenses are minimal until an actual need arises. However, if two or more sharers are geographically close, their facilities may be rendered inoperative by the same fire, flood, or power failure. Before contracting for such a facility, it is necessary to analyze this potential problem; the alternative is likely to be a totally false sense of security. Several firms whose facilities were damaged or destroyed on September 11 were provided with complete replacement equipment by their vendors within a short time.

Another type of backup facility is already equipped with computers, disk and tape drives, printers, terminals, and communications lines so that it can substitute instantly for an inoperative system. The standby costs for this service are appreciably more than for a base facility, but the assurance of recovery in the shortest possible time is far greater. Here, too, it would be prudent to study the likelihood of more than one customer requiring the facility at the same time and to demand assurance that one’s own needs will be met without fail. Several companies successfully availed themselves of this type of backup and disaster recovery after September 11.

Backup by reciprocal agreement was for many years an accepted practice, although not often put to the test. Unfortunately, many managers still rely on this outmoded safeguard. One has only to survive a single major change of operating system software to realize that when it occurs, neither the time nor the inclination is available to modify and test another company’s programs. Even the minor changes in hardware and software that continuously take place in most installations could render them incompatible. At the same time, in accordance with Parkinson’s Law, workloads always expand to fill the available time and facilities. In consequence, many who believe that they have adequate backup will get little more than an unpleasant surprise, should they try to avail themselves of the privilege.

4.11.3 Power. The one truly indispensable element of any data processing installation is electric power. Backing up power to PCs and small servers by uninterruptible power supplies is reasonable in cost and quite effective. For mainframes and large servers, several types of power backup are available. The principal determinant in selection should be the total cost of anticipated downtime and reruns versus the cost of backup to eliminate them. Downtime and rerun time may be extrapolated from records of past experience.

Problems due to electrical power may be classified by type and by the length of time that they persist. Power problems as they affect computers consist of variations in amplitude, frequency, and waveform, with durations ranging from fractions of a millisecond to minutes or hours. Long-duration outages usually are due to high winds, ice, lightning, vehicles that damage power lines, or equipment malfunctions that render an entire substation inoperative. For mainframes in data centers, it is usually possible, although costly, to contract for power to be delivered from two different substations, with one acting as backup.

Another type of protection is afforded by gasoline or diesel motor generators. Controls are provided that sense a power failure and automatically start the motor. Full speed is attained in less than a minute, and the generator’s output can power a computer for days if necessary.

The few seconds’ delay in switching power sources is enough to abort programs running on the computer and to destroy data files. To avoid this, the “uninterruptible” power supply was designed. In one version, the AC power line feeds a rectifier that furnishes direct current to an inverter. The inverter in turn drives a synchronous motor coupled to an alternator whose AC output powers the computer. While the rectifier is providing DC to the inverter, it also charges a large bank of heavy-duty batteries. As soon as a fault is detected on the main power line, the batteries are instantaneously and automatically switched over to drive the synchronous motor. Because the huge drain on the batteries may deplete them in a few minutes, a diesel generator must also be provided. The advantages of this design are:

• Variations in line frequency, amplitude, and waveform do not get through to the computer.

• Switchover from power line to batteries is undetectable by the computer. Programs keep running, and no data are lost.

• Millisecond spikes and other transients that may be responsible for equipment damage and undetected data loss are completely suppressed.

A fuller treatment of physical threats is presented in Chapters 22 and 23 of this Handbook.

4.11.4 Testing. The most important aspect of any backup plan is its effectiveness. Will it work? It would be a mistake to wait for an emergency to find out. The only sensible alternative is systematic testing.

One form of test is similar to a dress rehearsal, with the actual emergency closely simulated. In this way the equipment, the people, and the procedures can all be exercised, until practice assures proficiency. Periodically thereafter the tests should be repeated, so that changes in hardware, software, and personnel will not weaken the backup capability.

4.12 RECOVERY PROCEDURES. The procedures required to recover from any system problem will depend on the nature of the problem and on the backup measures that were in place. Hardware recovery ranges from instantaneous and fully automatic, through manual repair or replacement of components, to construction, equipping, and staffing of an entirely new data center. Chapters 58 and 59 of this Handbook provide extensive information about these issues.

Almost every data center is a collection of equipment, with options, modifications, additions, and special features. Should it become necessary to replace the equipment, a current configuration list must be on hand and the procedures for reordering established in advance. An even better practice would be to keep a current list of desired equipment that could be used as the basis for replacement. Presumably, the replacements would be faster and more powerful, but additional time should be scheduled for training and conversion.

4.13 MICROCOMPUTER CONSIDERATIONS. Four factors operate to intensify the problems of hardware security as they relate to small computers:

1. Accessibility

2. Knowledge

3. Motivation

4. Opportunity

4.13.1 Accessibility. Accessibility is a consequence of operating small computers in a wide-open office environment rather than in a controlled data center. No security guards, special badges, man-traps, cameras, tape librarians, or shift supervisors limit access to equipment or data media in the office, as they do in a typical data center.


4.13.2 Knowledge. Knowledge and its lack are equally dangerous. On one hand, as personal computers pervade the office environment, technical knowledge becomes widely disseminated. Where once this knowledge was limited to relatively few computer experts who could be controlled rather easily, its growing universality now makes control extremely difficult, if not impossible. On the other hand, when computers are operated by people with minimal knowledge and skills, the probability of security breaches through error and inadvertence is greatly increased.

4.13.3 Motivation. Motivation exists in numerous forms. It is present wherever valuable assets can be diverted for personal gain; it arises when real or fancied injustice creates a desire for revenge; and it can simply be a form of self-expression.

The unauthorized diversion of corporate assets always has provided opportunities for theft; now, with many employees owning computers at home, the value of stolen equipment, programs, and data can be realized without the involvement of third parties. When a third party is added to the equation and the thriving market in purloined personal data is factored in, the potential for data theft, a low-risk/high-return crime, is greatly increased.

Computers and networks are also a target for sabotage as well as data theft. The reliance upon such systems by governments, the military, large corporations, and other perceived purveyors of social or economic ills means that criminal acts are likely to continue. Because personal computers are now part of these systems, they are also a link to any policy or practice of which one or more groups of people disapprove. The motivation for sabotaging personal computers is more likely in the near term to increase than it is to disappear.

A third motivation for breaching computer security is the challenge and excitement of doing so. Whether trying to overcome technical hurdles, to break the law with impunity, or merely to trespass on forbidden ground, some hackers find these challenges irresistible, and they become criminal hackers. To view such acts with amused tolerance or even mild disapproval is totally inconsistent with the magnitude of the potential damage and the sanctity of the trust barriers that are crossed. Since the technology exists to lock out all but the most determined and technically proficient criminal hacker, failure to protect sensitive systems is increasingly viewed as negligence.

4.13.4 Opportunity. With so many personal computers in almost every office, with virtually no supervision during regular hours, and certainly none at other times, opportunities are plentiful for two types of security breaches: intentional by those with technical knowledge and unintentional by those without.

4.13.5 Threats to Microcomputers. Among the most significant threats to microcomputers are those pertaining to:

• Physical damage

• Theft

• Electrical power

• Static electricity

• Data communications

• Maintenance and repair


4.13.5.1 Physical Damage. Microcomputers and their peripheral devices are not impervious to damage. Disk drives are extremely susceptible to failure through impact; keyboards cannot tolerate dirt or rough handling. It is essential that computers be recognized as delicate instruments and that they be treated accordingly.

Even within an access-controlled data center, where food and drinks are officially banned, it is not uncommon for a cup of coffee to be spilled when set on or near operating equipment. In an uncontrolled office environment, it is rare that one does not see personal computers in imminent danger of being doused with potentially damaging liquids. The problem is compounded by the common practice of leaving unprotected media such as CDs and DVDs lying about on the same surface where food and drink could easily reach them. Although it may not be possible to eliminate these practices entirely, greater discipline will protect data media and equipment from contamination.

As mentioned in the section on heat, damage also can result from blocking vents necessary for adequate cooling. Such vents can be rendered ineffective by placing the equipment too close to a wall or, in the case of laptops, on soft surfaces, such as carpets, that block vents on the base of the machine. Vents on top of computer housings and cathode ray tube–style displays are too often covered by papers or books that prevent a free flow of cooling air. As a result, the internal temperature of the equipment increases, so that marginal components malfunction, intermittent contacts open, errors are introduced, and eventually the system malfunctions or halts.

4.13.5.2 Theft. The opportunities for theft of personal computers and their data media are far greater than for their larger counterparts. Files containing proprietary information or expensive programs are easily copied to removable media as small as a postage stamp and taken from the premises without leaving a trace. External disk drives are small enough to be carried out in a purse or an attaché case, and new thumb-size USB drives look like key fobs to the uninitiated. (For more information about removable, miniaturized, file storage, see Chapter 1 in this Handbook.) The widespread practice of taking portable computers home for evening or weekend work eventually renders even the most conscientious guards indifferent. In offices without guards, the problem is even more difficult. Short of instituting a police state of perpetual surveillance, what is to be done to discourage theft? Equipment can be chained or bolted to desks, or locked within cabinets built for the purpose. Greater diligence in recording and tracking serial numbers, more frequent inventories, and a continuing program of education can help. Most of all, it is essential that the magnitude of the problem be recognized at a sufficiently high management level so that adequate resources are applied to its solution. Otherwise, there will be a continuing drain of increasing magnitude on corporate profitability.

4.13.5.3 Power. Even in a controlled data center, brownouts, blackouts, voltage spikes, sags and surges, and other electrical power disturbances represent a threat. The situation is much worse in a typical office, where personal computers are plugged into existing outlets with little or no thought to the consequences of bad power.

Some of the rudimentary precautions that should be taken are:

• Eliminating, or at least controlling, the use of extension cords, cube taps, and multiple outlet strips. Each unit on the same power line may reduce the voltage available to all of the others, and each may introduce noise on the line.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.


• Providing line voltage regulators and line conditioners where necessary to maintain power within required limits.

• Banning the use of vacuum cleaners or other electrical devices plugged into the same power line as computers or peripheral devices. Such devices produce a high level of electrical noise, in addition to voltage sags and surges.

• Connecting all ground wires properly. This is especially important in older offices equipped with two-prong outlets that require adapter plugs. The third wire of the plug must be connected to a solid earth ground for personnel safety, as well as for reduction of electrical noise.

In addition, the use of UPSs is highly recommended for all computers and ancillary equipment. These devices are available in capacities from about 200 watts for PCs to virtually unlimited sizes for mainframes. While the power line is operational, a UPS is capable of conditioning the line by removing electrical noise, sags, spikes, and surges. When line voltage drops below a preset value, or when power is completely lost, the UPS converts DC from its internal batteries to the AC required to supply the associated equipment.

Depending on its rating and the load, the UPS may provide standby power for several minutes to several hours. This is enough time to shut down a computer normally, or in the case of large installations, to have a motor generator placed online.

The services of a qualified electrician should be utilized wherever there is a possibility of electric power problems.

4.13.5.4 Static Electricity. After one walks across a carpeted floor on a dry day, the spark that leaps from fingertip to computer may be mildly shocking to a person, but to the computer it can cause serious loss of memory, degradation of data, and even component destruction. These effects are even more likely when people touch components inside a computer without proper grounding.

To prevent this, several measures are available:

• Use a humidifier to keep the humidity above 20 percent relative.
• Remove ordinary carpeting. Replace, if desired, with static-free types.
• Use an antistatic mat beneath chairs and desks.
• Use a grounding strip near each keyboard.
• Wear a grounding bracelet when installing or repairing the components of any electronic equipment.

Touching the grounding strip before operating the computer will drain any static electricity charge through the attached ground wire, as will spraying the equipment periodically with an antistatic spray.

Some combination of these measures will protect personnel, equipment, and data from the sometimes obscure, but always real, dangers of static electricity.

4.13.5.5 Data Communications. Although personal computers perform significant functions in a stand-alone mode, their utility is greatly enhanced by communications to mainframes, to information utilities, and to other small computers, remotely via phone lines or the Internet, or through local area networks. All of the security issues that surround mainframe communications apply to personal computers, with added complications.

Until the advent of personal computers, almost all terminals communicating with mainframes were “dumb.” That is, they functioned much like teletype machines, with the ability only to key in or print out characters, one at a time. In consequence, it was much more difficult to breach mainframe security, intentionally or accidentally, than it is with today’s fully intelligent personal computers.

The image of thousands of dedicated hackers dialing up readily available computer access numbers or probing Internet addresses, for illicit fun and games or for illegal financial gain, is no less disturbing than it is real. Countermeasures are available, including:

• Two-way encryption (see Chapter 7)
• Frequent password changes (see Chapter 28)
• Automatic call-back before logging on
• Investigation of unsuccessful logons
• Monitoring of hackers’ bulletin boards (see Chapters 12 and 15)
• Firewalls to restrict traffic into and out of the computer (see Chapter 26)
• Antivirus software (see Chapter 41)

Legislation that makes directors and senior officers personally liable for any corporate losses that could have been prevented should have a marked effect on overcoming the current inertia. Prudence dictates that preventive action be taken before, rather than corrective action after, such losses are incurred.

4.13.6 Maintenance and Repair. A regular program of preventive maintenance should be observed for every element of a personal computer system. This should include scheduled cleaning of disk drives and their magnetic heads, keyboards, and printers. A vital element of any preventive maintenance program is the frequent changing of air filters in every piece of equipment. If this is not done, the flow of clean, cool air will be impeded, and failure will almost surely result.

Maintenance options for personal computers, in decreasing order of timeliness, include:

• Onsite management by regular employees
• Onsite maintenance by third parties under an annual agreement
• On-call repair, with or without an agreement
• Carry-in service
• Mail-in service

As personal computers are increasingly applied to functions that affect the very existence of a business, their maintenance and repair will demand more management attention. Redundant equipment and onsite backup will always be effective, but the extended time for offsite repairs will no longer be acceptable. For most business applications, “loaners” or “swappers” should be immediately available, so that downtime will be held to an absolute minimum. Management must assess the importance of each functioning personal computer and select an appropriate maintenance and repair policy.


Accessibility, knowledge, motivation, and opportunity are the special factors that threaten every personal computer installation. Until each of these factors has been addressed, no system can be considered secure.

4.14 CONCLUSION. This chapter has dealt principally with the means by which hardware elements of a data processing system affect the security and integrity of its operations. Many safeguards are integral parts of the equipment itself; others require conscious effort, determination, and commitment.

An effective security program—one that provides both decreased likelihood of computer catastrophe and mitigation of the consequences of damage—cannot be designed or implemented without considerable expenditures of time and money. As with other types of loss avoidance, the premium should be evaluated against the expected costs. Once a decision has been made, however, this equivalent to an insurance policy should not be permitted to lapse. The premiums must continue to be paid in the form of periodic testing, continuous updating, and constant vigilance.

For more detailed information about risk management, see Chapter 62 in this Handbook. For a discussion of insurance policies against information systems disasters of all kinds, see Chapter 60.

4.15 HARDWARE SECURITY CHECKLIST

Mainframes

• Are security and integrity requirements considered when selecting new equipment?
• Is a schedule of preventive maintenance enforced?
• Is a log kept of all computer malfunctions and unscheduled downtime?
• Is there an individual with responsibility for reviewing the log and initiating action?
• Are parity checks used wherever possible?
• Is there an established procedure for recording parity errors and recovering from them?
• Are forward-acting or error-correcting codes used when economically justified?
• Do operators follow prescribed procedures after a read error or other machine check halt?
• Are all operator interventions logged and explained?
• Is a job log maintained, and is it compared regularly with an authorized run list?
• Is the interval timer used to prevent excessively long runs?
• Are storage protect features such as data locks and read-only paging used?
• Are keys to software data locks adequately protected?
• Are precautions taken to prevent loss of data from volatile memory during power interruptions?
• Are standard internal and external tape and disk labeling procedures enforced?
• Are write-enable protection rings always removed from tape reels immediately after use?
• Is there a rule that new tapes and disks must be tested or certified prior to use? At regular intervals thereafter?


• Are tapes and disks refinished or replaced before performance is degraded?
• Are air conditioners adequate for peak thermal loads? Are air conditioners backed up?
• Is there a schedule for frequent filter changes?
• Have all static electricity generators been disabled?
• Have all sources of water damage been eliminated?
• Is good housekeeping enforced throughout the facility?
• Is access to data terminals restricted?
• Are terminals and surrounding areas examined frequently to detect passwords carelessly left about?
• Is a log maintained of unsuccessful attempts to enter the computer from terminals?
• Is the log used to prevent further attempts?
• Is a log maintained of all successful entries to sensitive data?
• Is the log used to verify authorizations?
• Are terminals equipped with automatic identification generators?
• Are test procedures adequate to assure high-quality data transmissions?
• Is cryptography or scrambling used to protect sensitive data?
• Has a complete backup plan been formulated? Is it updated frequently?
• Does the backup plan include training, retraining, and cross-training of personnel?
• Is onsite backup available for the central processing unit? For peripherals?
• Does your backup site advise you of all changes to its hardware configuration and operating system?
• Does your backup site have enough free time available to accommodate your emergency needs?
• Do you monitor power-line voltage and frequency?
• Are the effects of brownouts, dim-outs, and blackouts known?
• Is advance warning available, and if so, is there a checklist of actions to be taken?
• Are power correctors in use? Voltage regulators? Line conditioners? Lightning spark gaps?
• Is backup power available? Dual substation supply? Motor generators? Uninterruptible power supplies?
• Does your equipment provide automatic restart and recovery after a power failure?
• Are backup plans tested realistically? At frequent intervals?

Microcomputers

In addition to the appropriate items just listed:

• Are removable disks always kept in a closed container when not actually mounted in a disk drive?
• Is it forbidden to put food or drink on or near computer equipment?
• Are personal computers securely fastened to prevent dropping or theft?
• Are air vents kept free?
• Are accurate inventories maintained?


• Is electrical power properly wired?
• Are uninterruptable power supplies in place?
• Has static electricity been eliminated?
• Are data communications secure?
• Is there an effective maintenance plan?

4.16 FURTHER READING

Ayers, J. E. Digital Integrated Circuits: Analysis and Design. Boca Raton, FL: CRC Press, 2003. (Second edition scheduled for publication in 2009.)
Clements, A. Principles of Computer Hardware, 4th ed. New York: Oxford University Press, 2006.
Horak, R. Telecommunications and Data Communications Handbook. Hoboken, NJ: Wiley-Interscience, 2007.
Kerns, D. V. Essentials of Electrical and Computer Engineering, 2nd ed. Upper Saddle River, NJ: Prentice-Hall, 2004.
Patterson, D. A., and J. L. Hennessy. Computer Organization and Design: The Hardware/Software Interface, 3rd ed. Los Angeles: Morgan Kaufmann, 2007.
Stallings, W. Computer Organization and Architecture: Designing for Performance, 7th ed. Upper Saddle River, NJ: Prentice-Hall, 2005.


CHAPTER 5

DATA COMMUNICATIONS AND INFORMATION SECURITY

Raymond Panko and Eric Fisher

5.1 INTRODUCTION 5·2
5.2 SAMPLING OF NETWORKS 5·2
  5.2.1 Simple Home Network 5·2
  5.2.2 Building LAN 5·4
  5.2.3 Firms’ Wide Area Networks (WANs) 5·5
  5.2.4 Internet 5·7
  5.2.5 Applications 5·9
5.3 NETWORK PROTOCOLS AND VULNERABILITIES 5·9
5.4 STANDARDS 5·9
  5.4.1 Core Layers 5·10
  5.4.2 Layered Standards Architectures 5·10
  5.4.3 Single-Network Standards 5·11
  5.4.4 Internetworking Standards 5·13
5.5 INTERNET PROTOCOL (IP) 5·14
  5.5.1 IP Version 4 Packet 5·14
  5.5.2 IP Version 6 5·16
  5.5.3 IPsec 5·17
5.6 TRANSMISSION CONTROL PROTOCOL (TCP) 5·18
  5.6.1 Connection-Oriented and Reliable Protocol 5·18
  5.6.2 Reliability 5·20
  5.6.3 Flag Fields 5·20
  5.6.4 Octets and Sequence Number 5·21
  5.6.5 Acknowledgment Numbers 5·21
  5.6.6 Window Field 5·21
  5.6.7 Options 5·21
  5.6.8 Port Numbers 5·22
  5.6.9 TCP Security 5·23
5.7 USER DATAGRAM PROTOCOL 5·23
5.8 TCP/IP SUPERVISORY STANDARDS 5·24
  5.8.1 Internet Control Message Protocol (ICMP) 5·24
  5.8.2 Domain Name System (DNS) 5·25
  5.8.3 Dynamic Host Configuration Protocol (DHCP) 5·26
  5.8.4 Dynamic Routing Protocols 5·27
  5.8.5 Simple Network Management Protocol (SNMP) 5·27
5.9 APPLICATION STANDARDS 5·28
  5.9.1 HTTP and HTML 5·28
  5.9.2 E-Mail 5·28
  5.9.3 Telnet, FTP, and SSH 5·28
  5.9.4 Other Application Standards 5·29
5.10 CONCLUDING REMARKS 5·29
5.11 FURTHER READING 5·29
5.12 NOTES 5·29

5.1 INTRODUCTION. Sometimes, an attacker can simply walk up to a target computer. In most cases, however, attackers must use networks to reach their targets. Some attacks even aim at networks, trying to bring down local area networks, wide area networks, and even the global Internet. This chapter provides an overview of networking to help readers of this Handbook when they come across networking concepts in other chapters or in other contexts. This chapter covers a limited number of networking concepts. Specifically, it focuses on aspects of networking that are most relevant to security.

Before beginning, readers should note three important pieces of terminology that pervade the chapter.

1. This chapter often uses the term octet, which is a byte—a collection of eight bits. Networking grew out of electrical engineering, where octet is the preferred term; it is also widely used in the international technical community.

2. The second term is host. Any device attached to the global Internet is called a host. This includes everything from large server hosts to client PCs, personal digital assistants, mobile telephones, and even Internet-accessible coffeepots.

3. We will distinguish between the terms internet and Internet; the latter refers to the global Internet. However, internet spelled in lower case is either the Internet layer in the TCP architecture (see Section 5.6) or a collection of networks that is not the global Internet.

5.2 SAMPLING OF NETWORKS. This section looks briefly at a series of increasingly complex networks, giving the reader a high-level overview of what networks look like in the real world.

5.2.1 Simple Home Network. Exhibit 5.1 shows a simple home PC network. The home has two personal computers. The network allows the two PCs to share files and the family’s single laser printer. The network also connects the two computers to the Internet.

[Exhibit 5.1 Simple Home Network. Host A (PC with wireless NIC) reaches the access router with built-in wireless access point by wireless communication; Host B (PC with internal NIC) reaches it over UTP. The access router connects through a DSL broadband modem to the access line to the Internet. The network provides file sharing and printer sharing.]


5.2.1.1 Access Router. The heart of this network is its access router. This small device performs a variety of functions, most importantly these five:

1. It performs as a switch. When one PC in the home sends messages (called packets) to the other hosts, the switch transfers the packets between them.

2. The access router is a wireless access point (WAP), which permits wireless computers to connect to it. Host A connects to the access router wirelessly.

3. A router connects a network to another network—in this case, it connects the internal network to the global Internet.

4. To use the Internet, each computer needs an Internet Protocol (IP) address. We will see later that IP is the main protocol that governs communication over the Internet. The access router has a built-in Dynamic Host Configuration Protocol (DHCP) server that gives each home PC an IP address.

5. The router provides network address translation (NAT), which hides internal IP addresses from potential attackers. Most routers also have a firewall for added security. WAPs are easily exploited if not configured with proper authentication security. Wireless signals can be transferred up to 800 feet away or more with special equipment. Without constant monitoring to defeat intrusions, an attacker can connect to an access point without the user’s knowledge and intercept all passing traffic. Using NAT is essential to keeping a home network secure. Users should always enable this feature in order to prevent their hosts from being directly accessible to the public Internet, where direct scans and attacks are prevalent.
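As an added illustration of functions 4 and 5 in the list above (example code, not code from the Handbook or from any router vendor), the following Python model shows what the access router's DHCP server and NAT table do with packets. The addresses, ports, MAC addresses and class names are constructed for this example. The NAT is modelled as port-restricted: an inbound packet is delivered only if it comes from the exact remote address and port that an internal host contacted, which is why an unsolicited scan of the public address never reaches a host.

```python
"""Toy model of a home access router's DHCP and NAT functions.

Added example, not code from the Handbook. All IP addresses, ports and MAC
addresses are constructed sample values; the class and function names are
this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DhcpPool:
    """Hands out private addresses from a fixed range, one per client MAC."""

    def __init__(self, prefix: str, first: int, last: int):
        self._free = [f"{prefix}.{n}" for n in range(first, last + 1)]
        self.leases: Dict[str, str] = {}   # mac -> ip

    def lease(self, mac: str) -> Optional[str]:
        if mac in self.leases:             # renewing client keeps its address
            return self.leases[mac]
        if not self._free:                 # pool exhausted: no address offered
            return None
        ip = self._free.pop(0)
        self.leases[mac] = ip
        return ip


class NatRouter:
    """Port-restricted NAT: the table records where each flow went, and an
    inbound packet is accepted only if it comes back from that same place."""

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_public_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self._in: Dict[int, Tuple[str, int, str, int]] = {}
        self.dropped = 0

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the home so it carries the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet from the Internet only if it answers a recorded flow."""
        entry = self._in.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3]):
            self.dropped += 1              # unsolicited scan or spoof: no mapping
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo() -> dict:
    """Run the whole sequence: leases, outbound request, reply, scan, spoof."""
    pool = DhcpPool("192.168.1", 100, 101)
    host_a = pool.lease("aa:bb:cc:00:00:01")
    host_b = pool.lease("aa:bb:cc:00:00:02")
    no_ip = pool.lease("aa:bb:cc:00:00:03")       # third client: pool is empty

    router = NatRouter("203.0.113.7")
    out = router.translate_outbound(Packet(host_a, 51000, "198.51.100.5", 443))
    reply = router.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", out.src_port))
    scan = router.translate_inbound(Packet("198.51.100.99", 12345, "203.0.113.7", 22))
    spoof = router.translate_inbound(Packet("198.51.100.99", 443, "203.0.113.7", out.src_port))
    return {"host_a": host_a, "host_b": host_b, "no_ip": no_ip, "out": out,
            "reply": reply, "scan": scan, "spoof": spoof, "dropped": router.dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the outcome of each step. The scan of the public address and the reply forged from a different source are the cases the text calls direct scans and attacks; both are dropped because no matching table entry exists. A real router also times out idle entries and may implement a looser (full-cone) mapping, which the model omits.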

5.2.1.2 Personal Computers. Each of the two PCs needs circuitry to communicate over the network. Traditionally, this circuitry came in the form of a printed circuit board, so the circuitry was called the computer’s network interface card (NIC). In most computers today, the circuitry is built into the computer; there is no separate printed circuit board. However, the circuitry is still called the computer’s NIC.

In this small network, the two computers share their files. Given the wireless access capability of the network, drive-by hackers could potentially read shared files as well. File sharing without strong wireless security is dangerous. It is important to set up Wi-Fi Protected Access (WPA or WPA2) or 802.11i security in pre-shared key (PSK) mode on both the access router/access point and each of the client PCs.

It is important to configure the PCs for security. Although NAT by itself is strong, and most routers also provide stateful-inspection firewalls (see Chapter 26 in this Handbook), some attacks will inevitably get through to the internal network. Hosts must have strong firewalls, antivirus programs, and antispyware programs (see Chapter 41); and they must be updated automatically when security patches are released by the operating system vendor and by application program vendors (see Chapter 40).

5.2.1.3 UTP Wiring. In Exhibit 5.1, Host B connects to the access router via copper wiring called a UTP cable, Ethernet (IEEE 802.3) cable, or commonly Cat5 (Cat5 stands for Category 5 cabling, defined in standard ANSI/TIA/EIA-568-A). It uses four-pair unshielded twisted pair (UTP) wiring inside the cord jacket. As Exhibit 5.2 shows, a UTP cord contains eight copper wires organized as four pairs. The two wires of each pair are twisted around each other. The RJ-45 connectors at the ends of a UTP cord look like RJ-11 home telephone connectors but are a little wider. (RJ means Registered Jack and originally referred to Bell System order codes; it is now defined by the Administrative Council for Terminal Attachment, ACTA.)

[Exhibit 5.2 Unshielded Twisted Pair (UTP) Wiring Cord: 8-pin RJ-45 connector, UTP cord with 4 twisted pairs, shown beside an industry-standard pen for scale.]

5.2.1.4 Internet Access Line. The home network needs an Internet access line to connect the home to the Internet. In Exhibit 5.1, this access line is a digital subscriber line (DSL) high-speed access line, and the home connects to this access line via a small box called a DSL modem. (The DSL modem connects to the access router via a UTP cord; it connects to the wall jack via an ordinary telephone cord.) Other Internet access technologies include slow telephone modems, fast cable modems, geosynchronous-satellite connections, and even wireless access systems. Most of these technologies are called broadband access lines. In general, broadband simply means very fast, although in radio transmission it describes a wide range of frequencies.

5.2.2 Building LAN. The home network shown in Exhibit 5.1 is a local area network (LAN). A LAN operates on a customer’s premises—the property owned by the LAN user. (For historical reasons, premises is always spelled in the plural.) In the case of the home network, the premises consist of the user’s home or apartment. Exhibit 5.3 shows a much larger LAN. Here, the premises consist of a corporate multistory office building.

On each floor, computers connect to the floor’s workgroup switch via a UTP cord or a wireless access point. The workgroup switch on each floor connects to a core switch in the basement equipment room. The router in the basement connects the building LAN to the outside world.

Suppose that Client A on Floor 1 sends a packet to Server X on Floor 2. Client A sends the packet to Workgroup Switch 1 on the first floor. That workgroup switch sends the packet down to the core switch in the basement. The core switch then sends the packet up to Workgroup Switch 2, which passes the packet to Server X.

UTP is easy to wiretap, allowing attackers to read all packets flowing through the cord. Telecommunications closets should be kept locked at all times, and cords should be run through thick metal wiring conduits wherever possible (for more details of physical and facilities security, see Chapters 22 and 23 in this Handbook). UTP also generates weak radio signals when traffic flows through it. It is possible to read these signals from some distance away using highly specialized equipment. Newer specifications called Cat5e and Cat6 were developed to cut down on interference, and cables can be purchased with shielding, but even then it is possible to eavesdrop.

[Exhibit 5.3 Building LAN: an office building with Floor 2 (Workgroup Switch 2, Server X), Floor 1 (Workgroup Switch 1, Wired Client A over UTP, Wireless Client B via a wireless access point), and a basement equipment room holding the core switch and the router, linked by UTP, telephone wiring and optical fiber cord; the router connects to the WAN.]

Eavesdropping by tapping a UTP cable is not difficult once physical access is gained; however, typically there are far easier ways of gaining access to a network and far more desirable targets. Eavesdropping on a wire would reveal any passing traffic, but eavesdropping on a router or switch would reveal passing traffic on many wires. Physical security is an important facet of network security and must be properly addressed, but most attacks today rely on more virtual vulnerabilities.

For more extensive details of LAN security, see Chapter 25 in this Handbook.

5.2.3 Firms’ Wide Area Networks (WANs). Although LANs operate within a company’s premises, wide area networks (WANs) connect geographically separate sites—usually within a single corporation. Corporations do not have the regulatory rights-of-way needed to run wires through public areas. For WAN service, companies must use companies called carriers that do have these rights-of-way.

Exhibit 5.4 shows that most firms use multiple-carrier WANs. In the exhibit, some sites in this company are connected by point-to-point leased lines from a telephone company. The companies also subscribe to switched network services that transfer traffic between several sites. The exhibit shows that these switched network services use the Frame Relay technology. The company uses two separate Frame Relay networks—one to connect its own sites to one another and another to connect it to another firm.

[Exhibit 5.4 Wide Area Networks (WANs): sites labeled Headquarters, Operations, Da Kine Island, North Shore, and Branch in State (60), joined by T1, Fractional T1, and T3 leased lines and by two Frame Relay networks, one of which reaches a Credit Card Authorization Bureau; the Internet is reached through ISP 1 and ISP 2.]

Carrier technology is usually considered more secure by security professionals due to its closed-access nature. Unlike the Internet, which allows anyone to connect to it, only commercial firms may connect to carrier WANs, which makes attacker access very difficult. However, attacker access is not impossible. For example, if an attacker hacks a computer owned by the carrier (or even by a customer), this breach may permit access.

In addition, the carrier alone knows how it routes traffic through its network. This should stymie attackers even if they somehow get access to the network. However, such security through obscurity is considered a poor practice by security professionals because it is possible for attackers who hack carrier computers to get access to routing information. (Attackers usually have much simpler attack vectors; see Chapters 15 and 19 in this Handbook for more details.)

Although carrier technology is more secure, it is also extremely expensive. With the development of virtual private networks (VPNs), companies can connect geographically disparate groups of computers virtually over the common internet. This provides much of the security benefit of WANs while cutting the implementation cost dramatically. See Chapter 32 for more information about VPN security.

[Exhibit 5.5 Internet: a client host running an application connects over an access line to Network 1; Network 1 through Network 6 are joined by routers; a server host running an application connects over an access line at the other end.]

5.2.4 Internet. By the end of the 1970s, there were many LANs and WANs in the world. Many of the WANs were nonprofit networks that connected universities and research institutions. Unfortunately, computers on one network could not talk to computers on other networks. To address this problem, the Defense Advanced Research Projects Agency (DARPA) created ARPANET in 1969, the origin of today’s Internet, based on the pioneering conceptual design for what J. C. R. Licklider called the Intergalactic Computer Network in a 1963 paper. By definition, an internet connects individual networks together. Commercial networks were later allowed to join later versions of ARPANET, and it became the Internet we know today.

Exhibit 5.5 shows that devices called routers connect the individual networks together. Initially, these devices were called gateways. The term gateway was used instead of “router” in some early standards, but most vendors have now adopted the name “router.” There are two exceptions. The first is Microsoft, which still tends to call routers “gateways.” The second is the router directly reachable from a network, the first hop for traffic leaving that network, which is commonly called the default gateway.

Any computer on any network on the Internet can send messages to any computer on any other network on the Internet. The messages that travel all the way from one computer to another across the Internet are called packets.

Exhibit 5.6 shows that the packet travels all the way from the source host to the destination host. Along the way, it is routed through different networks until arriving at its destination.
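To make the frame/packet distinction concrete, here is an added Python model (not code from the Handbook) of a packet crossing three single networks joined by two routers, the situation Exhibit 5.6 depicts. The topology, IP addresses, MAC addresses and names are constructed for the example. The packet keeps the same source and destination addresses from end to end, each router decrements its hop count (TTL), and a fresh frame with new data-link addresses is built on every network; a tap on the middle network therefore sees the two routers' MAC addresses, not the end hosts'.

```python
"""Hop-by-hop model of a packet crossing three networks (the shape of Exhibit 5.6).

Added example, not code from the Handbook. The topology, IP addresses and
MAC addresses are constructed; the node and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Internet-layer unit: same source and destination from end to end."""
    src_ip: str
    dst_ip: str
    ttl: int
    payload: str


@dataclass(frozen=True)
class Frame:
    """Single-network unit: rebuilt on every network the packet crosses."""
    network: str
    src_mac: str
    dst_mac: str
    packet: Packet


@dataclass(frozen=True)
class Node:
    name: str
    ifaces: Dict[str, str]   # network name -> this node's IP on that network
    routes: Dict[str, str]   # destination network -> next-hop IP


NETWORKS = {
    "X": ipaddress.ip_network("10.1.0.0/24"),
    "Y": ipaddress.ip_network("10.2.0.0/24"),
    "Z": ipaddress.ip_network("10.3.0.0/24"),
}

MACS = {  # ip -> data-link address of the interface holding that ip (constructed)
    "10.1.0.10": "aa:00:00:00:00:10", "10.1.0.1": "aa:00:00:00:00:01",
    "10.2.0.1": "bb:00:00:00:00:01", "10.2.0.2": "bb:00:00:00:00:02",
    "10.3.0.2": "cc:00:00:00:00:02", "10.3.0.20": "cc:00:00:00:00:20",
}

NODES = [
    Node("source host", {"X": "10.1.0.10"}, {"Y": "10.1.0.1", "Z": "10.1.0.1"}),
    Node("router 1", {"X": "10.1.0.1", "Y": "10.2.0.1"}, {"Z": "10.2.0.2"}),
    Node("router 2", {"Y": "10.2.0.2", "Z": "10.3.0.2"}, {"X": "10.2.0.1"}),
    Node("destination host", {"Z": "10.3.0.20"}, {"X": "10.3.0.2", "Y": "10.3.0.2"}),
]


def network_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is on no known network")


def node_with(ip: str) -> Node:
    for node in NODES:
        if ip in node.ifaces.values():
            return node
    raise ValueError(f"no node owns {ip}")


def route(pkt: Packet) -> Tuple[List[Frame], Optional[Packet]]:
    """Carry pkt from its source host to its destination host.

    Returns the frame placed on each network along the way and the packet as
    delivered (None if a router discarded it because its TTL ran out)."""
    frames: List[Frame] = []
    node = node_with(pkt.src_ip)
    while True:
        dst_net = network_of(pkt.dst_ip)
        # Directly attached: frame goes to the host itself; otherwise to the next hop.
        next_hop = pkt.dst_ip if dst_net in node.ifaces else node.routes[dst_net]
        net = network_of(next_hop)
        frames.append(Frame(net, MACS[node.ifaces[net]], MACS[next_hop], pkt))
        if next_hop == pkt.dst_ip:
            return frames, pkt
        node = node_with(next_hop)           # a router takes over
        pkt = replace(pkt, ttl=pkt.ttl - 1)  # every router decrements the TTL
        if pkt.ttl == 0:
            return frames, None              # loop protection: packet discarded


def send(src_ip: str, dst_ip: str, ttl: int, payload: str):
    """Convenience wrapper: build the packet and route it."""
    return route(Packet(src_ip, dst_ip, ttl, payload))


if __name__ == "__main__":
    frames, delivered = send("10.1.0.10", "10.3.0.20", 64, "hello")
    for f in frames:
        print(f"network {f.network}: {f.src_mac} -> {f.dst_mac}, TTL {f.packet.ttl}")
    print("delivered:", delivered)
```

The printed trace shows one frame per network with different MAC addresses on each, while the IP addresses inside never change. Sending with a TTL of 2 returns no delivered packet, since the second router decrements it to zero; real routers report that event back to the sender with ICMP, which this model leaves out.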

The global Internet uses a suite of communication protocols known as Transmission Control Protocol/Internet Protocol (TCP/IP). In addition, many firms build separate internal TCP/IP networks for their own communication. These internal networks are called intranets to distinguish them from the Internet.

Initially, security on internal networks was comparatively light because it was assumed that external attackers would have a difficult time getting into corporate intranets. However, if a hacker takes over an internal computer connected to the intranet, light security becomes a serious problem. Consequently, most firms have been progressively hardening their intranet security.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

5 · 8 DATA COMMUNICATIONS AND INFORMATION SECURITY

EXHIBIT 5.6 Frames and Packets (figure: one packet is carried in Frame X across Network X, in Frame Y across Network Y, and in Frame Z across Network Z; routers join the networks, and switches forward the frames within each network)

Exhibit 5.7 shows that individual homes and corporations connect to the Internet via carriers called Internet service providers (ISPs). The Internet has many ISPs, but they all connect at centers that usually are called network access points (NAPs). These connections allow global communications for all connected hosts.

Most ISPs are commercial organizations run for profit to provide Internet access for home users. There is no central access control to the Internet; however, there are central agencies for controlling Domain Name Systems (DNSs) called registrars.

When the Internet was designed in the late 1970s, there was a conscious decision to promote openness and not to add the burdens of security. As a consequence of a lack of security technology and open access to almost anyone, the Internet is a security nightmare. Companies that transmit sensitive information over the Internet need to consider cryptographic protections. (See Chapters 7, 32, 33, 34, 35, and 37 in this Handbook for more details of cryptography and other means for achieving security on networks.)

EXHIBIT 5.7 Internet Service Providers (ISPs) (figure: a User PC host computer reaches the user PC’s ISP over an access line and a router; a Webserver host computer reaches the Webserver’s ISP the same way; the ISPs meet at network access points (NAPs) on the Internet backbone, which is carried by multiple ISP carriers)


5.2.5 Applications. Although the inner workings of the Internet rely on networks, most users are only aware of the applications they commonly use that run on top of networks. Familiar personal applications include the World Wide Web, email, and instant messaging, among many others. Corporations use some of these applications, but they also use many business-specific applications, such as accounting, payroll, billing, and inventory management. Often, business applications are transaction-processing applications, which are characterized by high volumes of simple repetitive transactions. The traffic volume generated by transaction-processing and other business-oriented applications usually far outweighs the traffic of personal applications in the firm. (See Chapter 30 in this Handbook for details of e-commerce security.)

All programs have bugs, including security vulnerabilities. There are many applications, and keeping track of application vulnerabilities and constantly patching many applications is an enormous task that is all too easy to put off or complete only partially. (See Chapter 40 for an overview of patch management.) Also, each application must be configured with options that have high security, and security must be managed on each application (e.g., anti-virus and spam blocking in email). (See Chapter 20 for a review of spam and anti-spam measures.)

5.3 NETWORK PROTOCOLS AND VULNERABILITIES. The products of different network vendors must be able to work together (interoperate). This is possible only if there are strong communication standards to govern how hardware and software processes interact. With such standards, two or more programs can interoperate effectively.

Standards raise three security issues. One is the standard itself. For instance, the TCP standard discussed later in this chapter is difficult to attack because an attacker cannot send a false message unless he or she can guess the sequence number of the next message. This normally is very difficult to do. However, if the attacker sends an RST (reset) message, which terminates a connection, this protection is greatly reduced. In fact, it is fairly easy to send RST messages that close legitimate open connections.

A second issue is security built into the standard. Most standards were created without security, and security was added only in later versions, sometimes in an awkward way. For instance, IP, which is the main protocol for delivering packets over the Internet, originally had no security. The IP security (IPsec, pronounced eye-pea-sek) standards were created to address this weakness, but IPsec is burdensome and not widely used.

Another security weakness of early versions of IP, including the widely used IPv4, is the limitation on address space due to the 32-bit address field in the IPv4 packet (yielding an address space of about 4 × 10^9); as this edition of this Handbook goes to press, IPv4 address exhaustion is being addressed by the migration to IPv6, with its 128-bit addresses (an address space of about 3 × 10^38).

A further issue is the security of the implementation of standards in vendor products. Most attacks that aim at standards weaknesses attack vendor products that have security vulnerabilities unrelated to the protocols they implement.

5.4 STANDARDS. Networks and network security depend on standards. Standards have permitted global interconnectivity, unlike the early years of networking when proprietary products dominated the world of computing and interconnection was difficult or impossible.


EXHIBIT 5.8 Three Standards Core Layers

Super Layer | Description
Application | Communication between application programs on different hosts attached to different networks on a network.
Internetworking | Transmission of packets across a routed internet. Packets contain application-layer messages.
Single network | Transmission of packets across a single-switched network.

5.4.1 Core Layers. Standards are complex, and when people deal with complex problems, they usually break these problems into smaller parts and have different specialists work on the different parts. Exhibit 5.8 shows that standards are divided into three core layers that collectively have the functionality needed to allow an application program on one network in an internet to interoperate with another program on another computer on another network.

At the application core layer, the two applications must be able to interact effectively. For instance, in World Wide Web access, the two application programs are the browser on the client PC and the Web server program on the Web server. The standard for Web interactions is the Hypertext Transfer Protocol (HTTP). Both the browser and the Web server applications have to send messages that comply with the HTTP standard.

The middle layer is the internet core layer. Standards at this layer govern how packets are delivered across a routed internet. One of the main standards at the internet core layer is the Internet Protocol (IP). We will see other internetworking standards later.

The lowest core layer is the single-network core layer. Standards at this layer govern the transmission of packets across the switches and transmission lines in a single-switched network (a LAN or WAN).

5.4.2 Layered Standards Architectures. Standards are created by standards agencies. These standards agencies first create detailed layering plans for creating standards. These specific layering plans are called layered standards architectures. Afterward, standards agencies create standards in the individual layers. Exhibit 5.9 shows two popular layered standards architectures and relates these standards architectures to the three core layers we saw earlier.

EXHIBIT 5.9 Layered Standards Architectures

Super Layer | TCP/IP | OSI | Hybrid TCP/IP-OSI
Application | Application | Application, Presentation, Session | Application
Internet | Transport, Internet | Transport, Network | Transport, Internet
Network | Subnet access | Data link, Physical | Data link, Physical

The Internet Engineering Task Force (IETF) is the standards agency for the Internet. Its standards architecture is called TCP/IP—a name taken from two of its most important standards, TCP and IP. Exhibit 5.9 shows that TCP/IP has four layers. The bottom layer, the subnet access layer, corresponds to the single-network core layer. The top layer, in turn, is the application layer, which corresponds to the application core layer. The two middle layers—the internet and transport layers—correspond to the internet core layer. TCP/IP focuses primarily on internetworking. Dividing this core layer into two TCP/IP layers permits greater division of labor in standards development.

The other standards architecture shown in the figure is OSI, which is rarely spelled out by its full name, the Reference Model of Open Systems Interconnection. OSI is governed by two standards agencies. One is ISO, the International Organization for Standardization. The other is ITU-T, the International Telecommunications Union–Telecommunications Standards Sector. (The official names and the official acronyms do not match because they originated in different languages.)

Exhibit 5.9 shows that OSI divides the three core layers into a total of seven layers. OSI single networks use standards at two layers—the physical and data link layers. OSI’s market dominance is so strong at the physical and data link layers that the IETF rarely develops standards at these layers. The subnet access indication in the TCP/IP framework basically means “Use OSI standards here.”

Neither of these two standards architectures dominates. What nearly all firms use today is the hybrid TCP/IP–OSI standards architecture, which Exhibit 5.9 illustrates. This hybrid architecture uses OSI standards at the physical and data link layer and TCP/IP standards at the internet and transport layer. Corporations also use standards from some other standards architectures at the internet and transport layers, but TCP/IP standards dominate.

At the application core layer, the situation is complex. Both OSI and TCP/IP standards are used, often in combination. In fact, OSI standards often reference TCP/IP standards and vice versa. Although OSI and TCP/IP are often viewed as rivals, this is not the case at all. Several other standards agencies also create application layer standards, complicating the picture even further.

5.4.3 Single-Network Standards. As just noted, OSI standards dominate in the two single-network layers—the physical and data link layers. Exhibit 5.10 shows how the physical and data link layers are related.

EXHIBIT 5.10 Physical and Data Link Layers (figure: Host A, Switch X1, Switch X2 and Router R1 form the single data link A–R1 over three physical links, A–X1, X1–X2 and X2–R1; a server host, a mobile client station, and Switches X3 and X4 also appear on the network)

5.4.3.1 Data Link Layer. The path that a frame takes through a single network is called the frame’s data link. In Exhibit 5.10, the data link runs between Host A and Router R1. This data link passes through Switch X1 and Switch X2.

The source computer sends the frame to the first switch, which forwards the frame to the next switch along the data link, which forwards the frame further. The last switch along the data link passes the frame to the destination computer (or router, if the packet in the frame is destined for a computer on another network).
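As an added example (not code from the Handbook), the encapsulation of Exhibit 5.6 and Section 5.4.3.1 in Python: an Ethernet II frame is built around a packet, and a router strips the arriving frame and builds a fresh one for the next network while the packet inside passes through unchanged. The MAC addresses and the packet bytes are constructed for the example, the function names are this example's own, and the frame check sequence is omitted because the network adapter normally computes and strips it.

```python
"""Ethernet II framing around an unchanged packet, as in Exhibit 5.6.
Added example, not the Handbook's code; addresses and packet are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
MIN_PAYLOAD = 46   # Ethernet pads short payloads so a frame is at least 64 octets with FCS


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw octets."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address needs six octets")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(dst_mac: str, src_mac: str, ethertype: int, packet: bytes) -> bytes:
    """Wrap a packet in a 14-octet Ethernet II header: destination MAC, source MAC,
    EtherType (0x0800 says an IPv4 packet follows). Short payloads are zero-padded."""
    payload = packet + b"\x00" * max(0, MIN_PAYLOAD - len(packet))
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its header fields and the packet it carries."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": bytes_to_mac(frame[:6]), "src": bytes_to_mac(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}


def router_reframe(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """What a router does at the data link layer: discard the arriving frame's
    header and build a new frame for the next network. The packet inside is
    handed over untouched (the router's own TTL and checksum work on the packet
    belongs to the internet layer and is a separate step)."""
    fields = parse_frame(frame)
    return build_frame(next_hop_mac, router_mac, fields["ethertype"], fields["payload"])


if __name__ == "__main__":
    PACKET = bytes(range(60))                       # constructed stand-in for an IP packet
    frame_x = build_frame("00:11:22:33:44:01", "00:11:22:33:44:aa", ETHERTYPE_IPV4, PACKET)
    frame_y = router_reframe(frame_x, "00:11:22:33:44:02", "00:11:22:33:44:bb")
    print(parse_frame(frame_y)["src"], parse_frame(frame_y)["payload"] == PACKET)
```

Because every router rewrites the frame, a frame's source MAC address identifies only the device on the local network that last sent it, never the originating host; only the packet's IP header carries end-to-end addresses, which is why the filtering discussed later in this chapter keys on IP addresses rather than frame addresses.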

5.4.3.2 Physical Layer. Physical-layer standards govern the physical connections between consecutive devices along a data link. In Exhibit 5.10, these physical links are A–X1, X1–X2, and X2–R1. Earlier, we saw one popular transmission medium, unshielded twisted pair wire in Cat5 cables. UTP dominates in links between computers and workgroup switches (see Exhibit 5.3). UTP signals typically involve voltage changes. For instance, a high voltage may indicate a 1, while a low voltage may indicate a 0. (Actual voltage patterns usually are much more complex.)

For longer distances and very high speeds, another popular transmission medium is optical fiber, which sends light signals through thin glass tubes. Optical fiber signals actually are very simple. In a clock cycle, the light is turned on for a 1 or off for a 0.

UTP cords act like radio antennas when they carry signals. Some of the signal always radiates out, allowing people to intercept transmission signals by placing devices near (but not touching) the cord. Intercepting and interpreting electromagnetic emissions from computing devices is called van Eck phreaking (also famously codenamed “TEMPEST” by the NSA) after the Dutch scientist Wim van Eck published a paper in 1985 demonstrating how to monitor and reconstitute leaked signals from cathode-ray terminals (CRTs). In contrast, optical fiber requires physically tapping into the fiber cords. Physical wiretapping can also be done with UTP, but there are often far easier methods to intercept or steal traffic rather than trying to physically tap the wires.

Wireless transmission uses radio waves. This permits mobile devices to be served in ways never before possible. Wireless transmission is used for both LAN and WAN transmission.

Radio signals spread widely, even when dish antennas are used. Consequently, it is very easy for eavesdroppers to listen in on radio transmissions and do other mischief. Radio signals must be strongly encrypted, and the parties must be strongly authenticated to prevent impostors from sending radio transmission.

Radio signaling is very complex. Most radio signaling uses spread spectrum transmission, in which the information is sent over a wide range of frequencies. Spread spectrum transmission is used to improve propagation reliability. Radio transmission has many propagation problems, such as interference from other sources. Many propagation problems occur only at certain frequencies. By spreading the signal across a wide spectrum of frequencies and doing so redundantly, the signal will still be intelligible even if there are strong problems at some frequencies.

Prabakar Prabakaran summarized the benefits of spread-spectrum communications as follows:

Spread-spectrum systems provide some clear advantages to designers … [H]ere are nine benefits that designers can expect when using a spread-spectrum-based wireless system.

1. Reduced crosstalk interference: In spread-spectrum systems, crosstalk interference is greatly attenuated due to the processing gain of the spread spectrum system as described earlier …

2. Better voice quality/data integrity and less static noise …

3. Lowered susceptibility to multipath fading …

4. Inherent security: In a spread spectrum system, a PN [pseudo-random number] sequence is used to either modulate the signal in the time domain (direct sequence systems) or select the carrier frequency (frequency hopping systems). Due to the pseudo-random nature of the PN sequence, the signal in the air has been “randomized.” Only the receiver having the exact same pseudo-random sequence and synchronous timing can de-spread and retrieve the original signal. Consequently, a spread spectrum system provides signal security that is not available to conventional analog wireless systems.

5. Co-existence: A spread spectrum system is less susceptible to interference than other non-spread spectrum systems. In addition, with the proper designing of pseudo-random sequences, multiple spread spectrum systems can co-exist without creating severe interference to other systems. This further increases the system capacity for spread spectrum systems or devices.

6. Longer operating distances …

7. Hard to detect: Spread-spectrum signals are much wider than conventional narrowband transmission (of the order of 20 to 254 times the bandwidth of narrowband transmissions). Since the communication band is spread, it can be transmitted at a low power without being detrimentally [affected] by background noise …

8. Hard to intercept or demodulate: The very foundation of the spreading technique is the code used to spread the signal …

9. Harder to jam: The most important feature of spread spectrum is its ability to reject interference … .[1]

The military uses frequency-hopping spread-spectrum (FHSS) transmission for security. Military spread-spectrum transmission works in such a way that makes intercepting transmissions very difficult. Civilian spread-spectrum transmission, in contrast, is designed to make connecting simple and therefore offers relatively little security.

Switches spend almost all of their time forwarding frames. However, switches spend some of their time exchanging supervisory information packets with one another to keep the network running efficiently. For example, in Ethernet (IEEE 802.3), which dominates LAN standards, if there are loops among the switches, the network will malfunction. If a switch detects a loop, it sends supervisory packets to other switches. The switches in the network then communicate until they determine the most appropriate path and disable other ports to prevent the internal looping. This process is governed by the Spanning Tree Protocol (STP, part of IEEE 802.1) or the newer Rapid Spanning Tree Protocol (RSTP, defined in IEEE 802.1w and now part of IEEE 802.1D-2004).

Attackers can create denial-of-service (DoS) attacks on the switches in a network by impersonating a switch and sending a flood of false messages to the network’s real switches indicating the presence of a loop. The switches may spend so much of their time reorganizing the network that they will be unable to serve legitimate traffic. Attackers also can abuse several other supervisory protocols to make switches unavailable for processing normal packets. The 802.1AE standard is designed to limit switch-to-switch communication to authenticated switches.

5.4.4 Internetworking Standards. As noted earlier, the IETF divided the internetworking core layer into two layers—the internet and transport layers. Exhibit 5.11 shows how the two layers are related.

The internet layer forwards packets, hop by hop, among routers until the packet reaches the destination host. The main standard at the internet layer is the Internet Protocol (IP).


EXHIBIT 5.11 Internet- and Transport-Layer Standards (figure: a Client PC, Router 1, Router 2, Router 3, and a Server. Transport layer: TCP is reliable, UDP is unreliable; implemented on the two hosts. Internet layer: usually IP, which is unreliable; implemented on each host and router)

The designers of TCP/IP realized that they could not predict what services the single networks connecting routers would provide. IP was made a simple best-effort protocol, in order to assume minimal functionality in the single networks along the way. There are no guarantees that packets will arrive at all or, if they do arrive, that they will arrive in order.

To make up for the limitations of IP, a transport layer was added. The main standard designed for this layer, the Transmission Control Protocol (TCP), was created as a high-capability protocol that would fix any errors made along the way, ensure that packets arrived in order, slow transmission when the network became overloaded, and do several other things. For applications that did not need this level of reliability, a simpler standard was created, the User Datagram Protocol (UDP).

5.5 INTERNET PROTOCOL (IP). The Internet Protocol (IP) does two main things. First, it governs how packets are organized. Second, it determines how routers along the way move packets to the destination host. (Analogously, data-link-layer standards govern how frames containing packets are organized and how switches along the way move the frame across a single-switched network.)

5.5.1 IP Version 4 Packet. The main version of the Internet Protocol is Version 4 (IPv4). (There were no Versions 0, 1, 2, or 3.) This version has been in use since its definition in 1981 and will continue to be used for many years to come, although IPv6 is intended to supersede it. Exhibit 5.12 shows the IPv4 packet’s organization.

A packet is a long stream of 1s and 0s. The IP header normally is shown on several rows, with 32 bits on each row. The first row has bits 0 through 31; the next row shows bits 32 through 63 and so on.

The header is divided into smaller units called fields. Fields are defined by their bit position in the packet. For example, the first four bits comprise the version number field. These are bits 0 through 3. In IPv4, this field holds 0100, which is 4 in binary. The header length field comprises the next four bits (bits 3 through 7).

5.5.1.1 First Row. As just noted, the first field (bits 0 through 3) is the version number field. In IPv4, the value is 0100 (4). In the newer version of the Internet Protocol, IP Version 6 (IPv6), the value is 0110.

The next field is the header length field. This gives the length of the headers in 32-bit units. As Exhibit 5.12 shows, a header without options has five 32-bit lines, so this field will have the value 0101 (5 in binary).


EXHIBIT 5.12 Internet Protocol (IP) Packet (header shown as 32-bit rows, bit 0 to bit 31)

Row 1: Version (4 bits; value is 4, 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits; length in octets)
Row 2: Identification (16 bits; unique value in each original IP packet) | Flags (3 bits) | Fragment Offset (13 bits; octets from start of original IP fragment’s data field)
Row 3: Time to Live (8 bits) | Protocol (8 bits; 1 = ICMP, 6 = TCP, 17 = UDP) | Header Checksum (16 bits)
Row 4: Source IP Address (32 bits)
Row 5: Destination IP Address (32 bits)
Options (if any) | Padding
Data Field

The use of options is uncommon in practice. In fact, options tend to indicate attacks. Therefore, a value larger than 5 in the header length field indicates that the packet header has options and is therefore suspicious.

The 1-octet dif-serv (differential services) field was created to allow different services (priority, etc.) to be given to this packet. However, this field typically is not used.

The total length field gives the length of the entire IP packet in octets (bytes). Given the 16-bit length of this field, the maximum number of octets in the IP packet is 65,536 (2^16). Most IP packets, however, are far smaller. The length of the data field is this total length minus the length of the header in octets.

5.5.1.2 Second Row. If an IP packet is too long for a single network along the way, the router sending the packet into that network will fragment the packet, dividing its contents into a number of smaller packets. For assembly on the destination host, all fragment packets are given the same identification field value as in the original packet. The data octets in the original packets are numbered, and the number of the first data octet in the packet is given a fragment offset value (13 bits long). There are three flag fields (1-bit fields). One of these, more fragments, is set to 1 in all but the last packet, in which it is made 0. The information in these three fields allows the destination host to place the packets in order and know when there are no more packets to arrive.

IP fragmentation by routers is usually rare, and attackers can use fragmentation to hide attack information. Even if the first fragment packet is dropped by the firewall, other packets that do not have the signature information in the first header can get through. Therefore, IP fragmentation is suspicious.

5.5.1.3 Third Row. The third line begins with an ominous-sounding time to live (TTL) field, which has a value between 0 and 255. The sending host sets the initial value (64 or 128 in most operating systems). Each router along the way decreases the value by 1. If a router decreases the value to 0, it discards the packet. This process was created to prevent misaddressed packets from circulating endlessly around the Internet.

To identify hosts, attackers will use the Internet Control Message Protocol (ICMP) to ping many IP addresses (as discussed in Section 5.8.1). A reply tells the attacker that a host exists with that IP address. In addition, by guessing the initial TTL value and looking at the TTL value in the arriving packet, the attacker can guess how many router hops separate the attacker’s host from the victim host. Sending many pings to different IP addresses can help the attacker map the routers in the target network. Often, administrators will turn off ICMP traffic outside of the internal networks in order to prevent anyone who isn’t an authorized user from mapping active internal hosts.

The data field of the IP packet may contain a TCP message segment, a UDP datagram message, or something else, such as the ICMP messages we will discuss in Section 5.8.1. A value of 1 in the protocol field indicates that the data field is an ICMP message. In turn, 6 indicates a TCP segment, and 17 indicates that the data field contains a UDP header.

The header checksum field contains a value placed there by the sender. This number is determined by a calculation based on the values of other fields. The receiving internet process redoes the calculation. If the two numbers are different, then there must have been an error along the way. If so, the router or destination host receiving the packet will simply discard the packet. There is no retransmission, so IP is not inherently reliable; however, one of the functions of TCP is to monitor the sequence numbers and initiate retransmission of missing packets. See Section 5.6.2.

5.5.1.4 Source and Destination IP Address. When you send a letter, the envelope has an address and a return address. The analogous addresses in IP headers are the source and destination IP addresses. Note that IP addresses are 32 bits long. For human reading, these 32 bits are divided into four 8-bit segments, and each segment’s bits are converted into a decimal number between 0 and 255. The four segment numbers are then separated by dots. An example is 128.171.17.13. Note that this dotted decimal notation is a memory and writing crutch for inferior biological entities (people). Computers and routers work with 32-bit IP addresses directly.

Many forms of firewall filtering are based on IP addresses. In addition, many attackers spoof their packet’s source IP address (i.e., replace the real IP address with a false IP address).
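The following is an added example, not the Handbook's own code, that works through Sections 5.5.1.1 to 5.5.1.4 in Python on a constructed packet: it decodes the header rows of Exhibit 5.12, verifies the header checksum the way a receiving internet process does, performs the router's TTL decrement and discard, flags the two conditions the text calls suspicious (options present, fragmentation), renders addresses in dotted decimal, and makes the hop-count inference from an arriving TTL that Section 5.5.1.3 describes, which is also the arithmetic a defender uses to judge whether a packet's TTL is plausible for the network its source address claims. One detail beyond the exhibit's label: the 13-bit fragment offset field counts 8-octet units, so the code multiplies it by 8 to report octets. The helper names (`ip_checksum`, `parse_ipv4`, `estimate_hops`, `router_forward`, `build_ipv4`) are this example's own.

```python
"""IPv4 header decoding, checksum verification and router forwarding
(Sections 5.5.1.1 to 5.5.1.4). Added example, not the Handbook's code;
every packet used here is constructed."""
import struct
import ipaddress
from typing import Optional

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # protocol field values, Exhibit 5.12


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented.
    Over a header whose checksum field is zero this gives the value to insert;
    over a header carrying a correct checksum it gives 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header fields and flag what the chapter calls suspicious:
    options present (header length field > 5) and fragmentation."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _diffserv, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("version field is %d, not 4" % version)
    header_len = ihl * 4                    # the field counts 32-bit rows
    if ihl < 5 or len(packet) < header_len or total_len < header_len:
        raise ValueError("inconsistent length fields")
    flags = flags_frag >> 13
    frag_offset = (flags_frag & 0x1FFF) * 8  # 13-bit field is in 8-octet units
    more_fragments = bool(flags & 0x1)
    return {
        "header_len": header_len,
        "has_options": ihl > 5,
        "total_len": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": more_fragments,
        "fragment_offset": frag_offset,
        "is_fragment": more_fragments or frag_offset > 0,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)),   # dotted decimal, for people
        "dst": str(ipaddress.IPv4Address(dst)),
        "data": packet[header_len:total_len],
    }


def estimate_hops(arriving_ttl: int) -> int:
    """Hop distance inferred from an arriving TTL by assuming the nearest common
    initial value (64, 128 or 255), as Section 5.5.1.3 describes."""
    for initial in (64, 128, 255):
        if arriving_ttl <= initial:
            return initial - arriving_ttl
    raise ValueError("TTL must be 0..255")


def router_forward(packet: bytes) -> Optional[bytes]:
    """A router's internet-layer work: discard on checksum failure, decrement TTL,
    discard if it reaches 0, else refresh the checksum (a header field changed)."""
    fields = parse_ipv4(packet)
    if not fields["checksum_ok"]:
        return None
    new_ttl = fields["ttl"] - 1
    if new_ttl <= 0:
        return None                         # discarded; IP never retransmits
    hl = fields["header_len"]
    header = bytearray(packet[:hl])
    header[8] = new_ttl
    header[10:12] = b"\x00\x00"             # zero the field before recomputing
    struct.pack_into("!H", header, 10, ip_checksum(bytes(header)))
    return bytes(header) + packet[hl:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
               ident: int = 0x1234, flags: int = 0, frag_offset: int = 0) -> bytes:
    """Construct an option-free (header length 5) packet with a valid checksum;
    frag_offset is in octets and must be a multiple of 8."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
        (flags << 13) | (frag_offset // 8), ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", header, 10, ip_checksum(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    pkt = build_ipv4("128.171.17.13", "10.0.0.1", 17, b"hello")   # constructed sample
    print(parse_ipv4(pkt))
    print(parse_ipv4(router_forward(pkt))["ttl"])                   # 63
```

Corrupting any header byte makes `checksum_ok` false and the router drops the packet without any retransmission, which is the "not inherently reliable" behaviour the text describes; the retransmission itself is TCP's job (Section 5.6.2). A packet with `has_options` or `is_fragment` set is exactly what a filter should scrutinize under the rules of thumb in Sections 5.5.1.1 and 5.5.1.2.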

5.5.2 IP Version 6. Although IP Version 4 is widely used, its 32-bit IP address size causes problems: It can address only 4,294,967,296 (~10^9) devices. This relatively small size limits the number of possible IP addresses. In addition, when IP addresses were distributed, most addresses were assigned to the United States because the Internet was invented there. In fact, some U.S. universities received more IP addresses than China.

To address the limitations of the 32-bit IP address size, a new version of the Internet Protocol was created. This is IP Version 6 (IPv6). (A Version 5 was defined, but it was never used.) Exhibit 5.13 shows the IPv6 packet organization.

One obvious change is that the IP addresses are much larger—128 bits. Each IP address, then, requires four 32-bit lines to write and is equivalent to ~10^38. This will provide IP addresses to allow almost every device to be a host on the Internet—including toasters and coffeepots. To give us a sense of the scale of this enormous number, it is enough to address every single molecule of water in a cube over 2 km on a side. Another popular description of the difference in size of the IPv4 and IPv6 address space is that if the address space of IPv4 were represented as a square roughly 4 cm on a side, the equivalent area for IPv6 address space would cover the solar system out to Pluto’s orbit.

EXHIBIT 5.13 IP Version 6 Packet (header shown as 32-bit rows, bit 0 to bit 31)

Row 1: Version (4 bits; value is 6, 0110) | Diff-Serv (8 bits; can be used for priority, etc.) | Flow Label (20 bits; marks a packet as part of a specific flow of packets; can be used instead of the destination IP address in routing)
Row 2: Payload Length (16 bits) | Next Header (8 bits; name of next header) | Hop Limit (8 bits)
Rows 3–6: Source IP Address (128 bits)
Rows 7–10: Destination IP Address (128 bits)
Next Header or Payload (Data Field)

The version number field is 4 bits long, and its value is 6 (0110). There also is a dif-serv field and a flow label field that is 20 bits long. These fields allow the packet to be assigned to a category of packets with similar needs. All packets in this category would be assigned the same flow label and would be treated the same way by routers. However, this capability is not widely used.

There is a hop limit field that serves the same function as the time to live (TTL) field in IPv4. The payload length, in turn, gives the length of the data field in octets.

A major innovation in IPv6 is the next header field. There can be multiple headers following the first header shown in Exhibit 5.13. For instance, IPsec security is implemented with a security header. Although options are unusual in IPv4, IPv6 uses additional headers extensively. The next header field tells what the next header is. Each additional header has a next header field that identifies the next header or says that there is no next header.
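To make the next-header chain concrete, here is an added example (not the Handbook's own code) that decodes the fixed header of Exhibit 5.13 and then walks the chain of extension headers until it reaches the transport protocol. The packet bytes, the 2001:db8 documentation addresses and the limit of eight extension headers are constructed for the example; the next-header numbers are the IANA protocol numbers. A firewall or intrusion detection system has to perform this walk before it can even find the TCP or UDP ports, so the length and count checks are the point: an extension header whose length runs past the payload, or an endless chain of headers, must be rejected rather than parsed.

```python
import struct

# Next-header (protocol) numbers from the IANA registry that this example refers to.
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, AH, NO_NEXT_HEADER, DEST_OPTIONS = 0, 6, 17, 43, 44, 51, 59, 60

# Extension headers with the generic layout: next header (1 octet), then
# header extension length (1 octet, in 8-octet units, not counting the first 8 octets).
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTIONS}


def parse_ipv6_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-octet fixed header shown in Exhibit 5.13."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet: version {version}")
    return {
        "version": version,
        "diff_serv": (first_word >> 20) & 0xFF,   # the 8-bit traffic class
        "flow_label": first_word & 0xFFFFF,       # 20 bits
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
    }


def walk_header_chain(pkt: bytes, max_headers: int = 8) -> list:
    """Follow the next-header chain after the fixed header.

    Returns [(header_number, offset), ...] ending with the upper-layer header
    (TCP, UDP, ...) or No Next Header. max_headers is an example limit.
    """
    hdr = parse_ipv6_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds the captured packet")
    chain, nxt, off = [], hdr["next_header"], 40
    for _ in range(max_headers):
        chain.append((nxt, off))
        if nxt in GENERIC_EXT:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nxt, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nxt == FRAGMENT:            # fragment header is a fixed 8 octets
            if off + 8 > end:
                raise ValueError("truncated fragment header")
            nxt = pkt[off]
            off += 8
        elif nxt == AH:                  # AH length is in 4-octet units minus 2 (RFC 4302)
            if off + 2 > end:
                raise ValueError("truncated AH header")
            nxt, ah_len = pkt[off], pkt[off + 1]
            off += (ah_len + 2) * 4
        else:
            return chain                 # upper-layer protocol or No Next Header (59)
        if off > end:
            raise ValueError("extension header runs past the payload length")
    raise ValueError(f"more than {max_headers} extension headers")


def header_chain_ok(pkt: bytes) -> bool:
    """True if the chain reaches an upper-layer header without a length or count violation."""
    try:
        walk_header_chain(pkt)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed sample: fixed header, one 8-octet Destination Options header, then a 20-octet TCP stub."""
    dest_opts = bytes([TCP, 0]) + bytes(6)   # next header = TCP, hdr ext len = 0, six Pad1 options
    tcp_stub = bytes(20)
    payload = dest_opts + tcp_stub
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    first_word = (6 << 28) | (0 << 20) | 0x12345            # version 6, diff-serv 0, flow label 0x12345
    return struct.pack("!IHBB", first_word, len(payload), DEST_OPTIONS, 64) + src + dst + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_ipv6_fixed_header(pkt))
    print(walk_header_chain(pkt))
```

Running the block prints the decoded fixed header and the chain `[(60, 40), (6, 48)]`: a Destination Options header at octet 40 followed by TCP at octet 48. Overwriting the extension length octet so that the header claims to extend past the payload makes `header_chain_ok` return False, which is the case a filter must handle without crashing.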

5.5.3 IPsec. IP, which was created in the early 1980s, initially had no security at all. Finally, in the 1990s, the Internet Engineering Task Force developed a general way to secure IP transmission. This was IP security, which normally is just called IPsec. IPsec functions by protecting a packet or most of a packet and sending the protected packet inside another packet. IPsec is a general security solution because everything within the data field of the protected packet is securely encrypted, including the transport and application layer information. This includes the transport message and the application message contained in the transport message. Originally developed for IPv6, it was extended to IPv4 as well, becoming a completely general solution. See Chapter 32 in this Handbook for further discussion of IPsec.


EXHIBIT 5.14 Transmission Control Protocol (TCP) Segment (fields, Bit 0 to Bit 31 per row): Source Port Number (16 bits); Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgement Number (32 bits); Header Length (4 bits); Reserved (6 bits); Flag Fields (6 bits); Window (16 bits); TCP Checksum (16 bits); Urgent Pointer (16 bits); Options (if any); Padding; Data Field. Flag fields are 1-bit fields. They include SYN, ACK, FIN, RST, PSH, and URG.

5.6 TRANSMISSION CONTROL PROTOCOL (TCP). As noted earlier, the Transmission Control Protocol (TCP) is one of the two possible TCP/IP protocols at the transport layer. Exhibit 5.14 shows the TCP message, which is called a TCP segment.

5.6.1 Connection-Oriented and Reliable Protocol. Protocols are either connectionless or connection-oriented.

• Connection-oriented protocols are like telephone conversations. When you call someone, there is at least tacit agreement at the beginning of the conversation that you are able to speak. Explicit indicators such as “Hold, please.” and “Can I call you back?” indicate an unwillingness to proceed at the moment. Also, there is at least tacit agreement that you are done talking at the end of the conversation; simply hanging up is considered rude. “Bye” or “Talk to you later” are examples of termination signals.

• Connectionless protocols, in turn, are like email. When you send a message, there is no prior agreement, and after the message is sent, there is no built-in provision for a reply (unless you are one of those people who asks to be notified when the receiver reads the message).

Exhibit 5.15 shows a sample TCP connection. Three messages are sent to open a connection. The originator sends a TCP SYN segment to indicate that it wishes to open a TCP session. The other transport process sends back a TCP SYN/ACK segment that acknowledges the connection opening message and indicates that it is willing to open the connection. The originator then sends an ACK segment to indicate reception of the SYN/ACK segment.


EXHIBIT 5.15 Messages in a TCP Session (between the Client PC transport process and the Webserver transport process)

Open (3):
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)

Carry HTTP Req & Resp (4):
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)

Carry HTTP Req & Resp (4):
8. Data = HTTP Request (Error)
9. Data = HTTP Request (No ACK so Retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)

Close (4):
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)

Note: An ACK may be combined with the next message if the next message is sent quickly enough.

Attackers can use TCP connection openings to execute denial-of-service attacks that make a server unable to respond to legitimate traffic. The attacker sends a SYN segment to open a connection to the victim server. The victim server responds with a SYN/ACK message. The victim server also sets aside resources for the connection. The attacker never responds with an ACK, so this is called a half-open SYN attack. If the attacker floods a server host with SYN segments, the victim server will reserve so many resources that it will be overloaded and unable to serve legitimate connection opening attempts. The server may even crash. See Chapter 18 for discussion of denial-of-service attacks.

Ending a conversation, in contrast, normally takes four messages. One side sends a FIN segment, which the other party acknowledges. Then the other party sends a FIN segment, which the other side acknowledges. After the first side sends the original FIN segment, it will not send any new information, but it will send acknowledgments for segments sent by the other party.
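The three-message opening, the half-open condition, and the four-message close can all be followed from nothing more than the flags on observed segments. The following is an added example (not from the Handbook) that keeps a per-connection state machine over a constructed list of segments and then counts, per server, the connections that were answered with a SYN/ACK but never completed: the half-open backlog that a SYN flood inflates. The addresses, timings, the 3-second timeout and the threshold of 50 are all example choices. On the host itself, SYN cookies (RFC 4987) are the usual protection, because they avoid reserving resources until the final ACK arrives; the tracker below is the monitoring-side view a network defender would take.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT, CLOSED = (
    "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "FIN_WAIT", "CLOSED")


@dataclass
class Seg:
    """One observed TCP segment, in the style of a flow-log record: time, endpoints, set of flags."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: set


class ConnTracker:
    """Tracks each connection, keyed by the client-side 4-tuple, through the handshake and the close."""

    def __init__(self):
        self.state = {}       # (client, cport, server, sport) -> state
        self.opened_at = {}   # same key -> time of the first SYN

    def observe(self, s: Seg) -> None:
        fwd = (s.src, s.sport, s.dst, s.dport)   # key if s.src is the client
        rev = (s.dst, s.dport, s.src, s.sport)   # key if s.src is the server
        if "RST" in s.flags:                     # reset ends the conversation abruptly, no ACK
            for k in (fwd, rev):
                if k in self.state:
                    self.state[k] = CLOSED
        elif "SYN" in s.flags and "ACK" not in s.flags:   # message 1: SYN
            self.state[fwd] = SYN_SENT
            self.opened_at[fwd] = s.t
        elif "SYN" in s.flags:                   # message 2: SYN/ACK from the server
            if self.state.get(rev) == SYN_SENT:
                self.state[rev] = SYN_RECEIVED
        elif "FIN" in s.flags:                   # close: first FIN, later the other side's FIN
            k = fwd if fwd in self.state else rev
            if self.state.get(k) == ESTABLISHED:
                self.state[k] = FIN_WAIT
            elif self.state.get(k) == FIN_WAIT:
                self.state[k] = CLOSED
        elif "ACK" in s.flags:                   # message 3: the client's ACK completes the opening
            if self.state.get(fwd) == SYN_RECEIVED:
                self.state[fwd] = ESTABLISHED

    def half_open(self, now: float, timeout: float = 3.0) -> dict:
        """Per server, connections answered with SYN/ACK but not completed within timeout seconds."""
        counts = defaultdict(int)
        for k, st in self.state.items():
            if st == SYN_RECEIVED and now - self.opened_at[k] > timeout:
                counts[(k[2], k[3])] += 1
        return dict(counts)


def syn_flood_suspects(tracker: ConnTracker, now: float, threshold: int = 50, timeout: float = 3.0) -> dict:
    """Servers whose half-open backlog is at or above threshold (threshold and timeout are example values)."""
    return {srv: n for srv, n in tracker.half_open(now, timeout).items() if n >= threshold}


def build_sample_traffic() -> list:
    """Constructed traffic: one complete session in the shape of Exhibit 5.15, then 60 SYNs never completed."""
    server = ("10.0.0.5", 80)
    c = ("192.0.2.10", 40001)
    segs = [
        Seg(0.0, *c, *server, {"SYN"}),            # 1. SYN (Open)
        Seg(0.1, *server, *c, {"SYN", "ACK"}),     # 2. SYN, ACK
        Seg(0.2, *c, *server, {"ACK"}),            # 3. ACK
        Seg(0.3, *c, *server, {"PSH", "ACK"}),     # 4. Data = HTTP Request
        Seg(0.4, *server, *c, {"PSH", "ACK"}),     # 6. Data = HTTP Response, ACK of 4 combined
        Seg(0.5, *c, *server, {"FIN", "ACK"}),     # first FIN (Close)
        Seg(0.6, *server, *c, {"ACK"}),            # acknowledgment of the FIN
        Seg(0.7, *server, *c, {"FIN", "ACK"}),     # the other side's FIN
        Seg(0.8, *c, *server, {"ACK"}),            # final acknowledgment
    ]
    for i in range(60):                            # half-open SYNs from 60 different sources
        src = (f"203.0.113.{i + 1}", 50000 + i)
        segs.append(Seg(1.0 + i * 0.01, *src, *server, {"SYN"}))
        segs.append(Seg(1.0 + i * 0.01 + 0.001, *server, *src, {"SYN", "ACK"}))
    return segs


if __name__ == "__main__":
    tracker = ConnTracker()
    for seg in build_sample_traffic():
        tracker.observe(seg)
    print(syn_flood_suspects(tracker, now=10.0))
```

The legitimate session ends in `CLOSED` after its four closing messages, while the 60 unanswered SYN/ACKs show up as `{("10.0.0.5", 80): 60}` once the timeout has elapsed. A production tracker would age out old entries and key on the full 4-tuple the way this one does, so that a flood from many spoofed sources is still counted against the one server it targets.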


There is another way to end a session or even to reject opening one. At any point, either party can send a RST (reset) message. An RST message ends the conversation abruptly. There is not even an acknowledgment. It is like hanging up in a telephone conversation.

Attackers often preface an attack by attempting to identify the IP addresses of running hosts—much like thieves casing a neighborhood. One way to do this is to send TCP SYN segments to hosts. If hosts reject the SYN segment, they often send back an RST message. As noted earlier, TCP segments are carried in the data fields of IP packets. The source IP address in the packet delivering the TCP RST segment will be that of the internal host. Whenever the attacker receives an RST segment, this verifies the existence of a working host at that packet’s IP address. Firewalls often stop RST segments from leaving a site to prevent them from reaching the attacker.

5.6.2 Reliability. In addition to being connectionless or connection-oriented, protocols are either reliable or unreliable. An unreliable protocol does not detect and correct errors. Some unreliable protocols do not even check for errors. Others check for errors but simply discard a message if they find that it contains an error.

TCP is a reliable protocol. It actually corrects errors. The TCP checksum field is calculated using values from other fields. The sender places the result of its calculation in the checksum field. The receiver redoes the calculation and compares it with the transmitted value. If the receiving transport layer process finds that a message is correct (the values are the same), it sends an acknowledgment message. However, if the receiver detects an error in the TCP segment it receives (the values are different), it discards the segment and does nothing else.

How does a receiver know that there is an error in the message? The sender computes a value based on the other bits in the TCP segment (not just the header). The receiver redoes the calculation. If the two values match, the receiver sends an acknowledgment. If they do not match, the receiver merely drops the segment and does not send an acknowledgment.

If the segment arrives correctly, the original sender receives an acknowledgment. However, if the segment never arrives or is discarded because of damage, no reply is sent. If the original sender does not receive an acknowledgment in a specified period of time, it will resend the original segment. It will even use the original sequence number.
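The calculation the preceding paragraphs describe, as an added example (not the Handbook's code). The TCP checksum is a 16-bit one's-complement sum over the TCP header, the data, and an IPv4 pseudo-header made of the source and destination IP addresses, the protocol number 6 and the TCP length; the sender stores the complement of that sum, so the receiver's sum over everything including the checksum field comes out to 0xFFFF when nothing was damaged. Including the pseudo-header is why a segment delivered to the wrong host also fails the check. The addresses and the segment are constructed for the example.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry; an odd trailing octet is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source address, destination address, zero octet, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: complement of the sum over pseudo-header + segment, checksum field (octets 16-17) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)


def receiver_accepts(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: sum pseudo-header + segment as received, checksum field included.
    An undamaged segment sums to 0xFFFF. True means acknowledge; False means discard and send nothing."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_sample_segment(src_ip: bytes, dst_ip: bytes, payload: bytes = b"GET / HTTP/1.1\r\n\r\n") -> bytes:
    """Constructed segment: ports 40001 -> 80, seq 1000, ack 2000, 20-octet header (data offset 5),
    PSH and ACK set (0x18), window 65535, urgent pointer 0, checksum filled in by tcp_checksum."""
    hdr = struct.pack("!HHIIBBHHH", 40001, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def corrupt(segment: bytes, index: int) -> bytes:
    """Flip one bit at the given octet, standing in for a transmission error."""
    b = bytearray(segment)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([10, 0, 0, 5])   # documentation / private addresses
    seg = build_sample_segment(src, dst)
    print("intact segment accepted:", receiver_accepts(src, dst, seg))
    print("damaged segment accepted:", receiver_accepts(src, dst, corrupt(seg, 30)))
```

Running the block shows the intact segment accepted and the damaged one rejected. Note what the receiver does with a rejection: nothing. No negative acknowledgment is sent; the sender's retransmission timer, not a reply, is what recovers the segment.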

5.6.3 Flag Fields. Flag field is a general name for a 1-bit field that is logical (true or false). To say that a flag field is set means that its value is 1. To say that a flag field is not set means that its value is 0.

The TCP header contains a number of flag fields. One of these is SYN. To request a connection opening, the sender sets the SYN bit. The other sends a SYN/ACK segment, in which both the SYN and ACK bits are set. Other commonly used flags are FIN, RST, URG, and PSH.

The URG flag indicates the presence of urgent data that should be handled before earlier data octets. The urgent pointer field indicates the location of the urgent data.

If an application message is large, TCP will divide the application message into multiple TCP segments and send the segments individually. To help the receiving TCP process, the sending transport process may set the PSH (push) bit in the application message’s last segment. This tells the receiving transport process to push the data up to the application program immediately without buffering and delays.


5.6.4 Octets and Sequence Number. The sequence number field value allows the receiver to put arriving TCP segments in order even if the packets carrying them arrive out of order (including when a segment is retransmitted). Sequence numbers are also used in acknowledgments, albeit indirectly. In TCP transmission, every octet that is sent, from the very first, is counted. This octet counting is used to select each segment’s sequence number.

• For the first segment, a random initial sequence number (ISN) is placed in the sequence number field.

• If the segment contains data, the number of the first octet contained in the data field is used as the segment’s sequence number.

• For a purely supervisory message that carries no data, such as an ACK, SYN, SYN/ACK, FIN, or RST segment, the sequence number is increased by 1 over the previous message.

One dangerous attack is TCP session hijacking, in which an attacker takes over the role of one side. This allows the hijacker to read messages and send false messages to the other side. To accomplish session hijacking, the attacker must be able to predict sequence numbers because if a segment arrives with an inappropriate sequence number, the receiver will reject it. TCP session hijacking is likely to be successful only if the initial sequence number is predictable. Few operating systems today pick initial sequence numbers in a predictable way, but predictable sequence numbers were common in earlier operating systems, some of which are still in use.

5.6.5 Acknowledgment Numbers. When a receiver sends an acknowledgment, it sets the ACK bit. It also puts a value in the acknowledgment number field to indicate which segment is being acknowledged. This process is needed because the sender sends many segments and because acknowledgments may be delayed.

You might think that the acknowledgment number would be the sequence number of the segment being acknowledged. Instead, it is the number of the last octet in the data field plus 1. In other words, the acknowledgment number gives the octet number of the first octet in the next segment to be sent. This seems a bit odd, but it makes certain calculations easier for the receiver.

5.6.6 Window Field. Flow control limits the rate at which a side sends TCP segments. The TCP window field allows one to limit how many more octets the other side may send before getting another acknowledgment. The process is somewhat complex and has no known security implications at the time of this writing (June 2013). In acknowledgments, the ACK bit is set, and both the acknowledgment and window size fields are filled in.

5.6.7 Options. Like the IPv4 header, the TCP header can have options. However, while IP options are rare and cause for suspicion, TCP uses options extensively. One common option, often sent with the initial SYN or SYN/ACK segment, is the maximum segment size (MSS) option. This gives the other side a limit on the maximum size of TCP segment data fields (not on segment sizes as a whole). The presence of TCP options, then, is not suspicious by itself.
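Sections 5.6.3 through 5.6.7 each describe one region of the header in Exhibit 5.14; the following added example (not the Handbook's code) pulls them together in a parser that extracts the flag bits, the sequence and acknowledgment numbers, the window, and the options area, including the MSS option sent on a SYN. It also computes the acknowledgment number the receiver will return, which is the octet after the last one consumed; SYN and FIN each occupy one sequence number, which is the mechanism behind the "increased by 1" rule for supervisory segments. The SYN and data segments are constructed, with the checksum left at zero because this block does not verify it.

```python
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def parse_options(raw: bytes) -> dict:
    """Decode the options area: kind 0 ends the list, kind 1 is a one-octet NOP,
    every other option is kind, length (which counts itself), value."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind without a length octet")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option length runs past the header")
        value = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", value)[0]
        else:
            opts[f"kind_{kind}"] = value
        i += length
    return opts


def parse_tcp_segment(seg: bytes) -> dict:
    """Split a segment into the fields of Exhibit 5.14; the checksum is reported, not verified."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flag_byte, window, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hdr_len = (off_res >> 4) * 4                    # header length is counted in 32-bit words
    if hdr_len < 20 or hdr_len > len(seg):
        raise ValueError("header length field is inconsistent with the segment")
    flags = {name for name, bit in FLAG_BITS.items() if flag_byte & bit}
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": parse_options(seg[20:hdr_len]), "data": seg[hdr_len:],
    }


def well_formed(seg: bytes) -> bool:
    """True if the header length and option lengths are self-consistent."""
    try:
        parse_tcp_segment(seg)
        return True
    except ValueError:
        return False


def next_expected_seq(parsed: dict) -> int:
    """Acknowledgment number the receiver will return: the octet after the last one consumed.
    SYN and FIN each take one sequence number, so a pure SYN, SYN/ACK or FIN advances it by 1."""
    consumed = len(parsed["data"]) + ("SYN" in parsed["flags"]) + ("FIN" in parsed["flags"])
    return (parsed["seq"] + consumed) & 0xFFFFFFFF


def build_sample_syn(isn: int = 0x1A2B3C4D, mss: int = 1460) -> bytes:
    """Constructed SYN, ports 40001 -> 80, with an MSS option, two NOPs and end-of-list padding
    (28-octet header, so data offset 7). Checksum left at 0 because it is not verified here."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_EOL, 0])
    hdr = struct.pack("!HHIIBBHHH", 40001, 80, isn, 0, 7 << 4, FLAG_BITS["SYN"], 65535, 0, 0)
    return hdr + opts


def build_sample_data_segment(seq: int = 1000, ack: int = 0x1A2B3C4E, data: bytes = b"hello") -> bytes:
    """Constructed PSH/ACK data segment from the server side with no options (20-octet header)."""
    hdr = struct.pack("!HHIIBBHHH", 80, 40001, seq, ack, 5 << 4,
                      FLAG_BITS["PSH"] | FLAG_BITS["ACK"], 65535, 0, 0)
    return hdr + data


if __name__ == "__main__":
    syn = parse_tcp_segment(build_sample_syn())
    print(syn["flags"], syn["options"], hex(next_expected_seq(syn)))
    d = parse_tcp_segment(build_sample_data_segment())
    print(d["flags"], len(d["data"]), next_expected_seq(d))
```

For the SYN the parser reports `{'SYN'}`, `{'mss': 1460}` and an expected acknowledgment of the ISN plus one; for the five-octet data segment the expected acknowledgment is 1005. The header-length and option-length checks matter for the same reason as the IPv6 extension-header checks earlier in the chapter: a parser that trusts those fields can be walked off the end of the buffer by a malformed segment.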


EXHIBIT 5.16 Multitasking Server Host and Port Numbers: one multitasking server runs an SMTP application on Port 25, an FTP application on Ports 20 and 21, and an HTTP application on Port 80.

5.6.8 Port Numbers. We have now looked at most fields in the TCP header. The first two fields warrant special mention.

5.6.8.1 Port Numbers on Servers. Port number fields mean different things for clients and servers. For a server, it represents a specific application running on that server, as Exhibit 5.16 shows. Servers are multitasking computers, which means that they can run multiple applications at the same time. Each application is specified by a different port number.

For instance, on a server, a Web server application program may run on TCP Port 80. Incoming TCP segments that have 80 as their destination port number are passed to the Web server application. Actually, TCP Port 80 is the well-known port for Web server programs, meaning that it is the usual port number for the application. Although Web servers can be given other TCP port numbers, this makes it impossible for users to establish connections unless they know or can guess the nonstandard TCP port number.

The TCP port range from 0 to 1023 is reserved for the well-known port numbers of major applications, such as HTTP and email. For instance, Simple Mail Transfer Protocol (SMTP) mail server programs usually are run on TCP Port 25, while File Transfer Protocol (FTP) requires two well-known port numbers—TCP Port 21 for supervisory control and TCP Port 20 for the actual transfer of files.

5.6.8.2 Port Numbers on Clients. Client hosts use TCP port numbers differently. Whenever a client connects to an application program on a server, it generates a random ephemeral port number that it uses only for that connection. On Windows machines, the ephemeral TCP port numbers range from 1024 to 4999.

The Microsoft port number range for ephemeral port numbers may differ from the official IETF range, with values of 5000–65534. The use of nonstandard ephemeral port numbers by Windows and some other operating systems causes problems for firewall filtering.

5.6.8.3 Sockets. Exhibit 5.17 shows that the goal of internetworking is to deliver application messages from one application on one machine to another application on another machine. On each machine, there is a TCP port number that specifies the application (or connection) and an IP address to specify a computer. A socket is a combination of an IP address and a TCP port number. It is written as the IP address, a colon, and the TCP port number. A typical socket, then, would be something like 128.171.17.13:80.

EXHIBIT 5.17 Sockets: Client 60.171.18.22; SMTP Server 123.30.17.120, Port 25; Webserver 1.33.17.13, Port 80. Segment from the client to the SMTP server: From 60.171.18.22:4400, To 123.30.17.120:25. Segment from the client to the Webserver: From 60.171.18.22:2707, To 1.33.17.13:80. Segment from the Webserver back to the client: From 1.33.17.13:80, To 60.171.18.22:2707.

Attackers often do socket spoofing—both IP address spoofing and port spoofing. For instance, in TCP session hijacking, if the attacker wishes to take over the identity of a client, it must know both the client’s IP address and ephemeral port number. Of course, these fields are transmitted in the clear (without encryption) in TCP, so an attacker with a sniffer that captures and reads traffic flowing between the client and server can easily obtain this information.

5.6.9 TCP Security. Like IP, TCP was created without security. However, although IPsec has made IP secure, the IETF has not created a comparable way to secure TCP. One reason for this is IPsec’s ability to secure all transport layer traffic transparently, without modification to transport layer protocols. The IETF has made IPsec the centerpiece of its security protections and a single method to handle upper-layer security. Communicating partners that want TCP security should implement IPsec.

However, few TCP sessions are protected by IPsec. Consequently, some pairs of users employ an option in TCP, which adds an electronic signature to each TCP session. This signature proves the identity of the sender. This option, described in RFC 2385, requires the two parties to share a secret value. This option is awkward because it provides no way to share keys automatically, and it does not provide encryption or other protections. The option is used primarily in the Border Gateway Protocol (BGP). BGP is used to exchange routing information between administrative systems—say a corporate system and an internet service provider. BGP always uses one-to-one connections, the communicating parties usually know each other quite well, and the two parties have long-term relationships, which makes key exchange less burdensome and risky. Outside of BGP, however, the RFC 2385 electronic signature option does not appear to be used significantly. Even in BGP, it is widely seen as very weak security.

5.7 USER DATAGRAM PROTOCOL. As noted earlier, TCP is a protocol that makes up for the limitations of IP. TCP adds error correction, the sequencing of IP packets, flow control, and other functionality that we have not discussed.


EXHIBIT 5.18 User Datagram Protocol (UDP) (fields, Bit 0 to Bit 31 per row): Source Port Number (16 bits); Destination Port Number (16 bits); UDP Length (16 bits); UDP Checksum (16 bits); Data Field.

Not all applications need the reliable service offered by TCP. For instance, in voice over IP (VOIP), there is no time to wait for the retransmission of lost or damaged packets carrying voice. In turn, the Simple Network Management Protocol (SNMP), which is used for network management communications, sends so many messages back and forth that the added traffic of connection-opening packets, acknowledgments, and other TCP supervisory segments could overload the network. Consequently, voice over IP, SNMP, and many other applications do not use TCP at the transport layer.

Instead, they use the User Datagram Protocol (UDP). This protocol is connectionless and unreliable. Each UDP message (called a UDP datagram) is sent on its own. There are no openings, closings, or acknowledgments.

As a consequence of the simplicity of UDP’s operation, the UDP datagram’s organization is also very simple, as Exhibit 5.18 illustrates. There are no sequence numbers, acknowledgment numbers, flag fields, or most of the other fields found in TCP.

There are source and destination port numbers, a UDP header length to allow variable-length UDP datagrams, and a UDP checksum. If the receiver detects an error using the checksum, it simply discards the message. There is no retransmission.

The fact that both TCP and UDP use port numbers means that whenever you refer to port numbers for well-known applications, you also need to refer to whether the port numbers are TCP or UDP port numbers. This is why the well-known port number for Web servers is TCP port 80.

TCP’s sequence numbers make TCP session hijacking very difficult. The receiver will discard messages with the wrong sequence numbers even if the source and destination sockets are correct. UDP lacks this protection, making UDP a somewhat more dangerous protocol than TCP.

Like TCP, UDP has no inherent security. Companies that wish to secure their UDP communication must use IPsec.

5.8 TCP/IP SUPERVISORY STANDARDS. So far, we have looked at standards that deliver a stream of packets across an internet and that perhaps check for errors and provide other assurances. However, the TCP/IP architecture also includes a number of supervisory protocols that keep the Internet functioning.

5.8.1 Internet Control Message Protocol (ICMP). The first supervisory protocol on the Internet was the Internet Control Message Protocol (ICMP). As Exhibit 5.19 shows, ICMP messages are delivered in the data fields of IP packets.

EXHIBIT 5.19 Internet Control Message Protocol (ICMP): an ICMP message (for example, an Echo Request (Ping), an Echo Reply, or a Host Unreachable error message sent by a router) follows the IP header, in the data field of an IP packet.

The best-known pair of ICMP message types is the ICMP echo message and the echo reply message. Suppose that a host sends an ICMP echo message to an IP address. If a host is active at that address, it may send back an ICMP echo reply message. This process is often called pinging because the most popular program for sending ICMP echo messages is called Ping. The echo message is a very important tool for network management. If the network manager suspects a problem, he or she will ping a wide range of host addresses to see which of them are reachable. The pattern of responses can reveal where problems exist within a network.

Attackers also love to ping a wide range of host IP addresses. This can give them a list of hosts that are reachable for attacks. Another popular network management and attack tool is traceroute (or tracert on Windows PCs). Traceroute is similar to ping, but traceroute also lists the routers that lie between the sending host and the host that is the target of the traceroute command. This allows an attacker to map the network. Border firewalls often drop echo reply messages leaving the firm to the outside.

Many ICMP messages are error messages. For instance, if a router cannot deliver the packet, it may send back an ICMP error message to the source host. This error message will provide as much information as possible about the type of error that occurred.

If an attacker cannot ping destination hosts because a firewall stops them, attackers often send IP packets that are malformed and so will be rejected. The ICMP error message is delivered in an IP packet, and the source IP address in this packet will reveal the IP address of the sending router. By analyzing error messages, the attacker can learn how routers are organized in a network. This information can be very useful to attackers.
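The two defensive measures this section mentions, a border firewall that stops echo replies and ICMP error messages from leaving the site and a network manager's ability to spot a scan of a wide range of addresses, can both be written down precisely. The following is an added example (not the Handbook's code): an egress rule for ICMP leaving the site, and a detector that flags any source sending echo requests to many distinct destinations within a short window. The internal prefix 10., the documentation-range outside addresses, the 60-second window and the 20-target threshold are example choices, and the log lines are constructed. One caveat a practitioner would want is built in: Destination Unreachable with code 4 (fragmentation needed) is let out, because dropping it silently breaks path MTU discovery.

```python
from collections import defaultdict

# ICMP type numbers used below. Time Exceeded is what traceroute relies on.
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4                   # code 4 of Destination Unreachable: fragmentation needed
INTERNAL_PREFIX = "10."           # constructed: this site's internal address range


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def egress_allows(icmp_type: int, code: int, src: str, dst: str) -> bool:
    """Border-firewall rule for ICMP leaving the site: internal hosts may ping outward, but echo
    replies and the error messages that reveal router addresses are dropped. The one exception is
    Destination Unreachable / fragmentation needed, which path MTU discovery depends on.
    Traffic that is not outbound is outside this rule and passes it unchanged."""
    if not (is_internal(src) and not is_internal(dst)):
        return True
    if icmp_type == ECHO_REQUEST:
        return True
    return icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED


def detect_ping_sweeps(records, window: float = 60.0, min_targets: int = 20) -> dict:
    """records: iterable of (time, src, dst, icmp_type, code). Flags each source that sends echo
    requests to at least min_targets distinct destinations within any window of `window` seconds
    and reports the largest such count. Both parameters are example choices."""
    per_src = defaultdict(list)
    for t, src, dst, typ, _code in records:
        if typ == ECHO_REQUEST:
            per_src[src].append((t, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                suspects[src] = max(suspects.get(src, 0), len(distinct))
    return suspects


def build_sample_records() -> list:
    """Constructed ICMP log entries (time, src, dst, type, code): a network manager at 10.0.0.2 pings
    five hosts and gets replies; an outside host pings 40 internal addresses in 20 seconds; another
    outside host pings three. Outside addresses come from the documentation range 198.51.100.0/24."""
    recs = []
    for i in range(5):
        recs.append((100.0 + i, "10.0.0.2", f"10.0.1.{i + 1}", ECHO_REQUEST, 0))
        recs.append((100.2 + i, f"10.0.1.{i + 1}", "10.0.0.2", ECHO_REPLY, 0))
    for i in range(40):
        recs.append((200.0 + i * 0.5, "198.51.100.7", f"10.0.1.{i + 1}", ECHO_REQUEST, 0))
    for i in range(3):
        recs.append((300.0 + i, "198.51.100.8", f"10.0.2.{i + 1}", ECHO_REQUEST, 0))
    return recs


if __name__ == "__main__":
    print(detect_ping_sweeps(build_sample_records()))
    print(egress_allows(ECHO_REPLY, 0, "10.0.1.5", "198.51.100.7"))
```

Only `198.51.100.7` is reported, with 40 targets; the manager's five pings stay below the threshold, and an authorized scanner would normally be allow-listed rather than tuned around. The egress rule returns False for the echo reply and for a router's Time Exceeded or Host Unreachable message heading out of the site, which is exactly the information the section says an attacker reads to map the network.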

5.8.2 Domain Name System (DNS). To send a packet to another host, a source host must place the destination host’s IP address in the destination address field of the packets. Often, however, the user merely types the host name of the destination host, for instance, cnn.com.

Unfortunately, host names are only nicknames. If the user types a host name, the computer must learn the corresponding IP address. As Exhibit 5.20 shows, the host wishing to send a packet to a target host sends a Domain Name System (DNS) request message to the DNS server. This message contains the host name of the target host. The DNS response message sends back the target host’s IP address. To give an analogy, if you know someone’s name, you must look up their telephone number in a telephone directory if you want to call them. In DNS, the human name corresponds to the host name, the telephone number corresponds to the IP address, and the DNS server corresponds to the telephone directory.

EXHIBIT 5.20 Domain Name System (DNS) Server. 1. Client wishes to send packets to Voyager.cba.hawaii.edu. 2. DNS Request Message: “The host name is Voyager.cba.hawaii.edu”. 3. DNS host does table lookup (the DNS table maps host names to IP addresses; its entry for Voyager.cba.hawaii.edu is 128.171.17.13). 4. DNS Response Message: “The IP address is 128.171.17.13”. 5. Packets to 128.171.17.13 (Host Voyager.cba.hawaii.edu).

DNS is critical to the Internet’s operation. Unfortunately, DNS is vulnerable to several attacks. For example, in DNS cache poisoning, an attacker replaces the IP address of a host name with another IP address. After cache poisoning, a legitimate user who contacts a DNS server to look up the host name will be given the false IP address, sending the user to the attacker’s chosen site. Denial-of-service attacks are also too easy to accomplish. RFC 3833 lists a number of DNS security issues.²

Several attempts to strengthen DNS security have been developed, under the general banner of Domain Name System Security Extensions (DNSSEC), especially RFC 2535.³ However, both the original DNSSEC specifications and the newer DNSSEC bis specifications (RFCs 4033–4035)⁴ have proven to be insufficient. Developing a security standard that is sufficiently backwardly compatible for Internet-scale implementation has proven to be extremely difficult.

If the DNS server does not know the host name, it contacts another DNS server. The DNS system contains many DNS servers organized in a hierarchy. At the top of the hierarchy are 13 DNS root servers. Below these are DNS servers for top-level domains, such as .com, .edu, .ie, .uk, .nl, and .ca. Each top-level domain has two or more top-level DNS servers for their domain. Second-level domain names are given to organizations (e.g., Hawaii.edu and Microsoft.com). Organizations are required to maintain DNS servers for computers within their domain.

If attackers could bring down the 13 root servers, they could paralyze the Internet. Widespread paralysis would not occur immediately, but in a few days, the Internet would begin experiencing serious outages.
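Cache poisoning succeeds when a resolver accepts a response it should not have, so the checks a resolver applies before caching anything are the practical defense short of DNSSEC. The following added example (not the Handbook's code) models those checks: a response is accepted only if its transaction ID and destination port match an outstanding query, it comes from the server that was asked, and its question section echoes the query; and even then, only records inside the answering server's bailiwick (the zone it is authoritative for, tracked alongside the query as an assumption of this model) are kept, so a reply about one domain cannot plant an address for another. Randomizing both the 16-bit transaction ID and the source port is what makes a blind forgery expensive to guess. Names use the reserved .example domain and addresses the documentation ranges; the scenario is constructed.

```python
import random
from dataclasses import dataclass


@dataclass
class Query:
    """An outstanding query: what the resolver asked, whom it asked, and the values it chose at random."""
    name: str
    qtype: str
    txid: int
    src_port: int
    server: str    # IP address the query was sent to
    zone: str      # zone that server is authoritative for (its bailiwick); assumed known to the resolver


@dataclass
class Response:
    """A response as received: transaction ID, sender, the port it arrived on, question and records."""
    txid: int
    from_ip: str
    to_port: int
    question: tuple          # (name, qtype)
    records: list            # [(name, rtype, value), ...] from the answer, authority and additional sections


def new_query(name: str, qtype: str, server: str, zone: str, rng=random.SystemRandom()) -> Query:
    """Pick a random 16-bit transaction ID and a random ephemeral source port; a forgery must guess both."""
    return Query(name, qtype, rng.randrange(0, 1 << 16), rng.randrange(1024, 1 << 16), server, zone)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies under it (case-insensitive, trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(pending: dict, resp: Response) -> dict:
    """Decide what a resolver may cache from resp. pending maps (txid, src_port) -> Query.

    Returns {"accepted": [...], "rejected": [...], "reason": str or None}. A response that does
    not match an outstanding query is dropped whole; a matching response contributes only the
    records within the answering server's bailiwick."""
    q = pending.get((resp.txid, resp.to_port))
    if q is None:
        return {"accepted": [], "rejected": list(resp.records), "reason": "no outstanding query with this txid/port"}
    if resp.from_ip != q.server:
        return {"accepted": [], "rejected": list(resp.records), "reason": "response from an unexpected server"}
    if tuple(resp.question) != (q.name, q.qtype):
        return {"accepted": [], "rejected": list(resp.records), "reason": "question section does not echo the query"}
    accepted = [r for r in resp.records if in_bailiwick(r[0], q.zone)]
    rejected = [r for r in resp.records if not in_bailiwick(r[0], q.zone)]
    return {"accepted": accepted, "rejected": rejected, "reason": None}


def run_sample() -> tuple:
    """Constructed scenario: a query to the server for attacker.example whose reply also carries
    records for the unrelated bank.example, plus a forged reply with the wrong transaction ID."""
    q = Query("www.attacker.example", "A", txid=0x1F2E, src_port=33333,
              server="192.0.2.53", zone="attacker.example")
    pending = {(q.txid, q.src_port): q}
    reply = Response(txid=0x1F2E, from_ip="192.0.2.53", to_port=33333,
                     question=("www.attacker.example", "A"),
                     records=[("www.attacker.example", "A", "203.0.113.9"),
                              ("bank.example", "NS", "ns.attacker.example"),     # outside the bailiwick
                              ("www.bank.example", "A", "203.0.113.9")])        # outside the bailiwick
    forged = Response(txid=0x0001, from_ip="192.0.2.53", to_port=33333,
                      question=("www.attacker.example", "A"),
                      records=[("www.attacker.example", "A", "203.0.113.9")])
    return validate_response(pending, reply), validate_response(pending, forged)


if __name__ == "__main__":
    genuine, bogus = run_sample()
    print("accepted:", genuine["accepted"], "rejected:", len(genuine["rejected"]))
    print("forged reply:", bogus["reason"])
```

The genuine reply yields one accepted record and two rejected ones; the forged reply is dropped whole because no outstanding query carries its transaction ID. The bailiwick rule is the part that specifically defeats the poisoning described above: the server for attacker.example is simply never believed about bank.example, whatever it puts in its response.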

5.8.3 Dynamic Host Configuration Protocol (DHCP). Server hosts are given static (permanent) IP addresses. Client PCs, however, are given dynamic (temporary) IP addresses whenever they use the Internet. The Dynamic Host Configuration Protocol (DHCP) standard that we saw earlier in the chapter makes this possible. A DHCP server has a database of available IP addresses. When a client requests an IP address, the DHCP server picks one from the database and sends it to the client. The next time the client uses the Internet, the DHCP server may give it a different IP address.


The fact that clients may receive different IP addresses each time they get on the Internet causes problems for peer-to-peer (P2P) applications. A presence server or some other mechanism must be used to find the other party’s IP address. A lack of accepted standards for presence (including presence security) is a serious issue now that P2P applications are widespread. In fact, most security considerations in P2P presence servers have been used in P2P piracy applications, with an eye toward avoiding discovery by legitimate authorities.

5.8.4 Dynamic Routing Protocols. How do routers on the Internet learn what to do with packets addressed to various IP addresses? They frequently talk to one another, exchanging information about the organization of the Internet. These exchanges must occur frequently because the structure of the Internet changes frequently as routers are added or dropped. Protocols for exchanging organization information are called dynamic routing protocols. There are many dynamic routing protocols, including the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), the Border Gateway Protocol (BGP), and Cisco Systems’ proprietary Enhanced Interior Gateway Routing Protocol (EIGRP). Each is used under different circumstances. These protocols have widely different security features, and different versions of each protocol have different levels of functionality.

An attacker who can impersonate a router can send false dynamic routing protocol messages to other routers. These false messages could cause the routers to fail to deliver their packets. The attacker could even cause packets to pass through the attacker’s computer (called a man-in-the-middle attack or MIMA) in order to read their contents.

The protocols just listed have widely different security features, and different versions of each protocol have different levels of security functionality.

5.8.5 Simple Network Management Protocol (SNMP). Networks often have many elements—routers, switches, and host computers. Managing dozens, hundreds, or thousands of devices can be nearly impossible. To make management easier, the IETF developed the Simple Network Management Protocol (SNMP). As Exhibit 5.21 shows, the manager program can send SNMP messages to managed devices to determine their conditions. The manager program can even send configuration messages that can change the ways in which remote devices operate. This allows the manager to fix many problems remotely.

EXHIBIT 5.21 Simple Network Management Protocol (SNMP): Network Management Software (Manager) exchanges SNMP messages with the Network Management Agent (Agent) on a Managed Device. The manager sends commands (Get, Set, etc.) and the agent returns a response; the agent can also send a trap. The agent’s data is held in its Management Information Base (MIB).


Many firms disable remote configuration because of the damage that attackers could do with it. They could simply turn off all ports on switches and routers, or they could do more subtle damage.

5.9 APPLICATION STANDARDS. Most applications have their own application-layer standards. In fact, given the large number of applications in the world, there are literally hundreds of application-layer standards.

As corporations get better at defending against attacks at lower layers, attackers have begun to focus their attention on application vulnerabilities. If an attacker can take over an application running with high privileges, he or she obtains these privileges. Many applications run at the highest privileges, and attackers that compromise them own the box.

5.9.1 HTTP and HTML. Many applications have two types of standards. The transport standard transfers application-layer messages between applications on different machines; for the World Wide Web, this is the Hypertext Transfer Protocol (HTTP). The other is a standard for document structure. The main document-structure standard for the WWW is the Hypertext Markup Language (HTML).

Netscape, which created the first widely used browser, also created a security standard to protect HTTP communication. This was Secure Sockets Layer (SSL). Later, the Internet Engineering Task Force took over SSL and changed the name of the standard to Transport Layer Security (TLS).

5.9.2 E-Mail. Popular transfer standards for email are the Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and Internet Message Access Protocol (IMAP) for downloading email to a client from a mailbox on a server. Popular document-body standards include RFC 2822 (for all-text messages), HTML, and Multipurpose Internet Mail Extensions (MIME). S/MIME (Secure MIME) adds public-key encryption (see Chapter 7) to MIME and is defined in RFCs 2634, 3850, and 3851.

An obvious security issue in email is content filtering. Viruses, spam, phishing messages, and other undesirable content should be filtered out before they reach users and can do damage. (For more information on spam and other low-technology attacks, see Chapter 20 in this Handbook; for malware and spam countermeasures see Chapters 26, 27, 31, and 41.)

Another security issue in email is securing messages flowing from the sending client to the sender’s mail server, to the receiver’s mail server, and to the receiving client. Fortunately, there are security standards for part or all of the message flows, including SSL/TLS and S/MIME among others. Unfortunately, the IETF has been unable to agree on a security standard.

When Web mail, which uses HTTP and HTML for email communication, is used, then SSL/TLS can work between the sender and the sender’s mail server and between the receiver’s mail server and the receiver. Transmission between the email servers is another issue. Of course, senders can send encrypted message bodies directly to receivers. However, this prevents filtering at firewalls. Users should be particularly careful about using Web mail via wireless connections. (See Chapters 32 and 33.)

5.9.3 Telnet, FTP, and SSH. The two earliest applications on the Internet were the File Transfer Protocol (FTP) and Telnet. FTP provides bulk file transfers between hosts. Telnet allows a user to launch a command shell (user interface) on another computer. Neither of these standards has any security. Of particular concern is that both send passwords in the clear (without encryption) during login. The newer Secure SHell (SSH) standard can be used in place of both FTP and Telnet while providing high security by encrypting all transferred traffic between the hosts.
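The practical consequence for a defender is that cleartext logins are visible to any monitoring point on the path, which is exactly what makes them easy to inventory and migrate to SSH. The following added example (not code from the Handbook) walks a constructed reassembly of FTP and Telnet control-channel lines and reports each login whose credentials crossed the wire unencrypted; the password value itself is deliberately never copied into the finding. The session identifiers, port numbers, and lines are all constructed for the example.

```python
"""Flag cleartext logins on FTP and Telnet control channels so those sessions can
be moved to SSH/SFTP. Added example, not code from the Handbook. The input is a
constructed reassembly of control-channel lines, not captured traffic."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: (session id, direction, TCP destination port, line text).
# ">" is client-to-server, "<" is server-to-client.
SAMPLE_LINES: List[Tuple[str, str, int, str]] = [
    ("s1", ">", 21, "USER alice"),
    ("s1", ">", 21, "PASS hunter2"),
    ("s1", "<", 21, "230 Login successful."),
    ("s2", "<", 23, "login: "),
    ("s2", ">", 23, "bob"),
    ("s2", "<", 23, "Password: "),
    ("s3", ">", 22, "SSH-2.0-OpenSSH_9.6"),   # encrypted from the banner onward
]


@dataclass(frozen=True)
class Finding:
    session: str
    protocol: str
    username: Optional[str]
    detail: str


def find_cleartext_logins(lines) -> List[Finding]:
    """Report every login whose credentials cross the wire unencrypted.

    FTP (port 21): a PASS command means the password itself was sent in the
    clear; only the preceding USER name is kept, never the PASS argument.
    Telnet (port 23): the whole session is cleartext, so the server's
    password prompt is enough to flag it, paired with the name typed at login.
    """
    findings: List[Finding] = []
    ftp_user: Dict[str, str] = {}
    telnet_user: Dict[str, str] = {}
    telnet_wait: Dict[str, bool] = {}   # session is between "login:" and the reply
    for session, direction, port, text in lines:
        if port == 21 and direction == ">":
            if m := re.match(r"USER\s+(\S+)", text, re.I):
                ftp_user[session] = m.group(1)
            elif re.match(r"PASS\s+\S", text, re.I):
                findings.append(Finding(session, "ftp", ftp_user.get(session),
                                        "password sent in the clear (value redacted)"))
        elif port == 23:
            if direction == "<" and re.match(r"login:", text, re.I):
                telnet_wait[session] = True
            elif direction == ">" and telnet_wait.pop(session, False):
                telnet_user[session] = text.strip()
            elif direction == "<" and re.match(r"password:", text, re.I):
                findings.append(Finding(session, "telnet", telnet_user.get(session),
                                        "password prompt over Telnet; reply is unencrypted"))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_LINES):
        print(finding)
```

The redaction is the point of the design: a detection that stores the observed password would turn the monitoring system into the very exposure it is meant to remove.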

5.9.4 Other Application Standards. There are many other applications and therefore application standards. These include Voice over IP (VoIP; see Chapter 34 in this Handbook), peer-to-peer applications (P2P; see Chapter 35), and service-oriented architecture (SOA) and Web service applications (see Chapters 21, 30, and 31), among many others. Most applications have serious security issues. Application security has become perhaps the most complex aspect of network security (see Chapters 38, 39, and 40).

5.10 CONCLUDING REMARKS. It is impossible to understand information security without a strong knowledge of networking. This chapter is designed to give you a working overview of networking. It is likely to be sufficient if you run into basic networking questions while reading other chapters in this Handbook. However, to work in security, you will need a much stronger knowledge of networking. The books and other resources cited in Section 5.11 are a good start in that direction.

5.11 FURTHER READING

Comer, D. E. Internetworking with TCP/IP Vol. 1: Principles, Protocols, and Architecture, 6th ed. Addison-Wesley, 2013.
Ferrero, A. The Eternal Ethernet, 2nd ed. Boston: Addison-Wesley, 1999.
FitzGerald, J. Business Data Communications and Networking, 11th ed. Wiley, 2011.
Freedman, A. Computer Desktop Encyclopedia. Point Pleasant, PA: Computer Language Company, 2013. Available online from www.computerlanguage.com
Gibson, D. Microsoft Windows Networking Essentials. Sybex, 2011.
Hallberg, B. Networking, A Beginner’s Guide, 5th ed. McGraw-Hill Osborne Media, 2009.
Hummel, S. L. Network Design Fundamentals. CreateSpace Independent Publishing Platform, 2013.
Kurose, J. F., and K. W. Ross. Computer Networking: A Top-Down Approach, 6th ed. Pearson, 2012.
Panko, R. R. Business Data Networks and Telecommunications, 8th ed. Prentice-Hall, 2010.
Panko, R. R. Corporate Computer and Network Security, 2nd ed. Prentice-Hall, 2009.
Panko, R. R., and J. Panko. Business Data Networks and Security, 9th ed. Prentice-Hall, 2012.
Palmer, M. Hands-On Networking Fundamentals, 2nd ed. Cengage Learning, 2012.
Roberts, R. M. Networking Fundamentals, 2nd ed. Goodheart-Willcox, 2011.
Spurgeon, C. Ethernet: The Definitive Guide. O’Reilly Media, 2000.
Stevens, W. R. TCP/IP Illustrated, Volume 1: The Protocols, 2nd ed. Addison-Wesley Professional, 2011.



CHAPTER 6

LOCAL AREA NETWORK TOPOLOGIES, PROTOCOLS, AND DESIGN

Gary C. Kessler

6.1 OVERVIEW 6·2
6.1.1 LAN Characteristics 6·2
6.1.2 LAN Components 6·2
6.1.3 LAN Technology Parameters 6·3
6.1.4 Summary 6·3
6.2 LAN TOPOLOGY 6·3
6.2.1 Network Control 6·4
6.2.2 Star Topology 6·4
6.2.3 Ring Topology 6·4
6.2.4 Bus Topology 6·6
6.2.5 Physical versus Logical Topology 6·6
6.3 MEDIA 6·8
6.3.1 Coaxial Cable 6·8
6.3.2 Twisted Pair 6·9
6.3.3 Optical Fiber 6·10
6.3.4 Wireless Media 6·11
6.3.5 Summary 6·13
6.4 MEDIA ACCESS CONTROL 6·13
6.4.1 Contention 6·13
6.4.2 Distributed Polling 6·14
6.5 LAN PROTOCOLS AND STANDARDS 6·15
6.5.1 OSI Model versus LAN Model Architectures 6·15
6.5.2 IEEE 802 Standards 6·17
6.5.3 IEEE 802.3 CSMA/CD Standard 6·19
6.5.4 Ethernet II 6·21
6.5.5 IEEE 802.5 Token-Ring Standard 6·22
6.5.6 IEEE 802.2 LLC Standard 6·23
6.5.7 Summary 6·24
6.6 INTERCONNECTION DEVICES 6·24
6.6.1 Hubs 6·25
6.6.2 Switches 6·25
6.6.3 Bridges 6·25
6.6.4 Routers 6·26
6.6.5 Summary 6·27
6.7 NETWORK OPERATING SYSTEMS 6·27
6.8 SUMMARY 6·28
6.9 FURTHER READING 6·30
6.10 NOTES 6·30

This chapter provides a broad overview of local area network (LAN) concepts, basic terms, standards, and technologies. These topics are important to give the information security professional a better understanding of the terms that might be used to describe a particular network implementation and its products. The chapter also is written with an eye to what information security professionals need to know; for a more complete overview of the topic, the reader is referred to general LAN texts, such as those listed in Section 6.10.

6.1 OVERVIEW. There are a number of ways to describe a LAN, and each will provide a glimpse as to implementation and product differences as well as points of security exposures. This section introduces various terms and perspectives as a basis for the discussion in the following sections.1

6.1.1 LAN Characteristics. One way of describing LANs is to describe the characteristics that distinguish a local network from other types of networks. The most common characteristics are:

• Small geographic scope (the two most distant stations may be up to 5 kilometers [km] or so apart)

• Fast speed (data rates well in excess of 1 million [mega] bits per second [Mbps] and up to 1 billion [giga] bits per second [Gbps])

• Special media (common use of coaxial cable and optical fiber, as well as twisted pair)

• Private ownership

This type of network, then, has a very different look and feel than the Internet or some other public or private wide-area networks (WANs). More people have access to the LAN infrastructure than to the infrastructure of just about any WAN. LAN users can easily “spy” on each other by sniffing packets, something that is generally very difficult on the Internet. A single user can bring the LAN to a standstill.

The corporate LAN is generally the users’ primary access to the Internet. The users on the LAN are behind the corporate firewall and router; some studies suggest that they are responsible for 80 percent of security incidents.

Other LANs include hotel networks, which are often used by criminals as handy sources of confidential information available on unprotected systems temporarily hooked up to these Internet-access services.

Often the success of these attacks is due to users’ lack of education and awareness, such as choosing poor passwords, not maintaining up-to-date virus signature files, or computers attached to the LAN without firewalls. Sometimes the attacks are more sophisticated, such as using a packet sniffer to learn another user’s password or taking steps to degrade network performance.

6.1.2 LAN Components. In general, there are four basic components required to build a LAN, providing their own vulnerabilities and exposures from a security perspective:

1. Computers. These are the basic devices that are connected on the network. Read “computer” very broadly; the term can include personal computers (PCs), minicomputers, mainframes, file servers, printers, plotters, mobile devices (e.g., smartphones and tablets), communications servers, and network interconnection devices. It can also include protocol analyzers.

2. Media. These are the physical means by which the computers are interconnected. LAN media include unshielded twisted pair (UTP), coaxial cable (coax), optical fiber, and wireless (radio) devices. The wireless media have connection points throughout an area where devices can attach to the network, and every place is a potential connection point in a wireless environment.

3. Network interface card (NIC). This is the physical attachment from the computer to the LAN medium. Older NICs are internal cards; the only item that is actually seen is the physical attachment to the LAN, often an RJ-45 jack. An increasing number of adapters use the universal serial bus (USB) slots on modern computers. Although NICs range widely in price depending on their capabilities, intended use, and vendor, an internal 1 Gbps Ethernet NIC for a desktop personal computer (PC) could be purchased for less than $7, a USB Ethernet adapter for about $14, and a wireless USB adapter for less than $13 at the time of writing in January 2013.

4. Software. The three components above provide physical connectivity. Software—often called a network operating system (NOS)—is necessary for the devices to actually take advantage of the resource sharing that the LAN can provide. The NOS can support many types of services such as file sharing, print sharing, client/server operation, communications services, and more.

While the LAN needs to be examined in a holistic fashion, each of these components at each attached node also may require examination.

6.1.3 LAN Technology Parameters. One final way of discussing the specific operation of the LAN is to describe the technology:

• Physical topology. The physical layout of the medium.

• Logical topology. The logical relationship of the LAN nodes to each other.

• Media Access Control (MAC) Standard. The specification describing the rules that each node follows to determine when it is its turn to transmit on the medium.

• Use of the Logical Link Control (LLC) protocol. Defines the frame format employed above the MAC layer, and additional services.

• Use of higher-layer protocols. Defines the node-to-node communicating protocols and additional higher-layer applications.

6.1.4 Summary. It does not matter how a LAN is classified or described. It is essential, however, that the LAN be understood from a variety of perspectives to be able to apply a network-security examination.

6.2 LAN TOPOLOGY. WANs typically use some sort of switched technology, such as traditional circuit switching, packet switching (e.g., X.25), or fast packet switching (e.g., frame relay or asynchronous transfer mode [ATM]). Indeed, point-to-point lines typically connect the network switches so that there is a single data transmission on the line at one time.

Historically, LANs have been broadcast networks, meaning that every LAN station hears every transmission on the medium. LAN topologies, then, have to support the broadcast nature of the network and provide full connectivity between all stations.

The topology of a network is used to describe two issues. The physical topology describes how the LAN stations are physically connected so that they can communicate with each other. The logical topology describes how the broadcast nature of the LAN is actually effected, and, therefore, how stations participate in the process of obtaining permission to transmit on the medium. There are three common topologies found in LANs: star, ring, and bus.

6.2.1 Network Control. Since LANs are broadcast networks, it is imperative that only a single node be allowed to transmit at any one time. All LANs use a distributed access-control scheme, meaning that all nodes follow the same rules to access the network medium and no one LAN node controls the other nodes’ access. In this way, LAN nodes can come online and offline without bringing the network down.

This description is not meant to suggest that there are no critical elements in a LAN. Indeed, if a central hub, switch, or transmitter fails, the LAN will crash. Distributed control does suggest, however, that all nodes (user stations) follow the same access rules, and failure of a single node will not bring the LAN down. The access-control scheme is defined by the MAC protocol.

6.2.2 Star Topology. In a star topology (see Exhibit 6.1), all devices on the LAN are interconnected through some central device. Since LANs use distributed access-control schemes, all communication is from one node to another, and the central device merely provides a pathway between pairs of devices.

Physical star topologies have a tremendous advantage over other topologies in that they greatly ease network administration, maintenance, reconfiguration, and error recovery. Disadvantages include the single point of failure.

EXHIBIT 6.1 Star Topology

6.2.3 Ring Topology. In a ring topology, the nodes are connected by a set of point-to-point links that are organized in a circle (see Exhibit 6.2). Stations connect to the medium using active taps that are actually bit repeaters; a bit is read from the input line, held for a single bit time, then transmitted out to the output line.

EXHIBIT 6.2 Ring Topology

A station transmits a message on the network by sending out a bit stream on its outgoing link; thus, rings are unidirectional in nature. Since all of the other stations see the bits one at a time, the intended receiver has no prior warning about an incoming message. For this reason, the transmitter is responsible for removing the message from the ring when the bits come back around. The MAC scheme ensures that multiple stations do not transmit at the same time.

In addition, a ring is a serial broadcast network. Because a station sends a message one bit at a time, every other station will see the message as it passes through but each will be receiving a different part of the message at any point in time.

Rings are a common physical LAN topology. However, unlike stars, they have multiple points of failure: if one link or one active tap fails, the integrity of the ring is destroyed. If the probability of failure of a single element is p and there are n elements, then the probability of failure P{F} of the LAN is

$P\{F\} = 1 - (1 - p)^n$

As the number of elements rises, the probability of network failure rises exponentially. This problem is of such a critical nature that nearly all ring products use a star-wiring scheme or have some sort of redundancy built in for just this eventuality.
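As an added worked derivation (not part of the original chapter), the formula follows from assuming that the $n$ elements fail independently, each with probability $p$. The ring works only if every link and every active tap works, so

$$
P\{\text{LAN works}\} = \prod_{i=1}^{n} (1 - p) = (1 - p)^n,
\qquad
P\{F\} = 1 - (1 - p)^n .
$$

The survival term $(1-p)^n$ decays exponentially in $n$, which is the sense in which $P\{F\}$ climbs toward 1; for small $np$ the binomial expansion gives $(1-p)^n \approx 1 - np$, so $P\{F\} \approx np$ before saturation sets in. With $p = 0.01$, a 10-element ring has $P\{F\} = 1 - 0.99^{10} \approx 0.096$, while a 100-element ring has $P\{F\} = 1 - 0.99^{100} \approx 0.634$: ten times as many elements makes an outage more than six times as likely, which is why the star-wiring and redundancy measures mentioned above are standard.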


EXHIBIT 6.3 Bus Topology

6.2.4 Bus Topology. In a bus topology (see Exhibit 6.3), all devices are connected to a single electrically continuous medium; for this reason, this topology is also called a common cable or shared medium network. Nodes attach to the medium using a passive tap, one that monitors the bit flow without altering it. This is similar to the operation of a voltmeter; it measures the voltage on a power line without changing the available voltage.

Bus networks are analogous to the way appliances are connected to an alternating current (AC) power line. All of the devices draw power from the same source, even if they are on different physical segments of the power distribution network within the building. In addition, the operation of the devices is independent of each other; if the coffeepot breaks, the toaster will still work.

A bus is a simultaneous broadcast network, meaning that all stations receive a transmitted message at essentially the same time (ignoring propagation delay through the medium). Most home and business LANs employ a baseband bus where direct current (DC) signals are applied directly to the bus by the transmitter without any modification. In addition, transmissions on a baseband bus are broadcast bidirectionally and cannot be altered by the receivers. Bus LAN technologies are employed on cable television systems. For example, they employ a broadband bus where the signals are modulated (i.e., frequency shifted) to certain frequencies for transmission in one direction or another.

Buses are the oldest LAN topology and are generally limited in the type of medium that they can use. They do not usually suffer from single-point-of-failure problems.

6.2.5 Physical versus Logical Topology. A distinction was made above between the physical and logical topology of a LAN. Physical topology describes how the stations are physically positioned and attached to each other whereas the logical topology describes how the signals propagate and the logical operation of the network.

In all of today’s commonly used LANs, the logical topology differs from the physical topology. The most common LAN configuration today is a star-wired bus (see Exhibit 6.4). This type of network has a star topology where all stations are physically attached with point-to-point links to a central device. This central device contains a bus that interconnects all of the I/O ports in such a way that when one station transmits a message, all stations will receive it. Since this acts exactly like a simultaneous broadcast, or bus, network, we categorize this configuration as a physical star, logical bus.

Another common configuration is a star-wired ring (see Exhibit 6.5). In this configuration, the bits will travel in logical order from station A to B, C, A, and so forth, which matches the serial broadcast operation of a ring. We call this a physical star, logical ring.

EXHIBIT 6.4 Star-Wired Bus (stations attached to a central hub)

EXHIBIT 6.5 Star-Wired Ring (stations A, B, and C attached to a central hub)

EXHIBIT 6.6 Bus-Wired Ring (Stations A, B, C, and D share one bus; each station’s predecessor and successor in the logical ring are shown as A (D,C), B (C,D), C (A,B), D (B,A).)

Although uncommon today, another hybrid technology is the bus-wired ring (see Exhibit 6.6). In this configuration, nodes are passively attached to a single cable, forming a physical bus. Each station maintains a table specifying the address of predecessor and successor stations, thus forming a logical ring.
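Because the logical ring exists only in the stations’ tables, a single wrong or stale entry is enough to break it, with no physical symptom to point at. The following added example (not code from the Handbook) encodes the predecessor/successor table drawn in Exhibit 6.6 and checks it the way a monitoring station could: every successor must name the station as its predecessor, and following successor pointers must visit every station exactly once before returning to the start. The table values are taken from the exhibit; the broken and split tables in the usage are constructed for the example.

```python
"""Validate the predecessor/successor tables that form a bus-wired logical ring.
Added example, not code from the Handbook; the reference table is the one drawn
in Exhibit 6.6 (station -> (predecessor, successor))."""

from typing import Dict, List, Tuple

# Constructed from Exhibit 6.6: A (D,C), B (C,D), C (A,B), D (B,A).
EXHIBIT_6_6: Dict[str, Tuple[str, str]] = {
    "A": ("D", "C"), "B": ("C", "D"), "C": ("A", "B"), "D": ("B", "A"),
}


def ring_order(table: Dict[str, Tuple[str, str]], start: str) -> List[str]:
    """Follow successor pointers from start until the ring closes or breaks."""
    order, node = [start], table[start][1]
    while node != start:
        if node in order or node not in table:
            break   # pointer loops without closing, or names an unknown station
        order.append(node)
        node = table[node][1]
    return order


def check_ring(table: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the inconsistencies found; an empty list means a well-formed ring."""
    problems: List[str] = []
    for station, (pred, succ) in table.items():
        if succ not in table:
            problems.append(f"{station}: successor {succ} not on the bus")
        elif table[succ][0] != station:
            problems.append(f"{station}->{succ}: {succ} names {table[succ][0]} as predecessor")
        if pred not in table:
            problems.append(f"{station}: predecessor {pred} not on the bus")
    if not problems:
        # Pairwise agreement is not enough: two disjoint sub-rings would pass it.
        order = ring_order(table, next(iter(table)))
        if len(order) != len(table) or table[order[-1]][1] != order[0]:
            problems.append("successor chain does not visit every station exactly once")
    return problems


if __name__ == "__main__":
    print("order:", ring_order(EXHIBIT_6_6, "A"))          # A, C, B, D
    print("exhibit 6.6:", check_ring(EXHIBIT_6_6) or "ok")
    # Station C removed from the bus while A and B still point at it.
    print("C lost:", check_ring({k: v for k, v in EXHIBIT_6_6.items() if k != "C"}))
```

The second check matters because a ring that has silently split into two smaller rings still satisfies every pairwise predecessor/successor test, yet half the stations can no longer reach the other half.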

6.3 MEDIA. The next paragraphs discuss the three primary types of LAN media currently in use. Due to their relatively high speed, small geographic size, and protected environments, a number of media types can be employed with LANs.

6.3.1 Coaxial Cable. Coaxial cable (coax) is the original LAN medium. It gets its name from the physical composition of the cable itself (see Exhibit 6.7). At the center of the cable is a conductor, usually made of copper, which is surrounded by an insulator that, in turn, is surrounded by another conductor that acts as an electrical shield. Since the shield completely surrounds the central conductor and the two have a common axis, the shield prevents external electrical noise from affecting signals on the conductor and prevents signals on the conductor from generating noise that affects other cables.

EXHIBIT 6.7 Coaxial Cable (layers, from the outside in: outer insulation, outer conductor, inner insulation, center conductor)

EXHIBIT 6.8 Unshielded Twisted Pair

Coaxial cables vary in size from 1/4–1 inch (6.35–25.4 mm), depending on the thickness of the conductor, shield, and insulation. Applications for coax range from cable television to LANs. Speeds in excess of several hundred Mbps at distances of several hundred to several thousand meters can be achieved. Coaxial cable also has a high immunity from electromagnetic and radio frequency interference. However, it is easy to tap.

Coaxial cable is only seen in physical bus LANs such as Ethernet. The original Ethernet specification, in fact, called for a thin coaxial cable; a later version that employed thin (CATV) coax was dubbed CheaperNet. Coax is not typically found in star or ring networks.

Coaxial cable is easy to wiretap.2

6.3.2 Twisted Pair. The medium enjoying the largest popularity for LAN applications today is twisted pair. Twisted pair cable consists of two insulated copper conductors that are twisted around each other (see Exhibit 6.8). This is typically 22- to 26-gauge (i.e., 0.025"/0.644 mm to 0.016"/0.405 mm) wire, the same as is used for telephone wiring. Twisting the conductors around each other minimizes the effect of external electrical radiation on the signal carried on the wire; if external voltage is applied to one wire of the pair, it will be applied equally to the other wire. The twisting, then, effectively eliminates the effect of the external noise. As the number of twists per inch increases, the noise reduction characteristics improve; unfortunately, so does the overall amount of cable and the cost. Most twisted pair for telephony applications has 10 to 15 twists per foot.

The type of twisted pair cable shown in Exhibit 6.8 is called unshielded twisted pair (UTP) because the wire pair itself is not shielded. The data-carrying capacity of UTP is generally indicated by its category:

Level 1 (sometimes called Category 1, or Cat 1) cable is older 0.4 MHz cable used for some telephone and modem applications, but is generally unsuited for data applications.

Level 2 (sometimes called Category 2, or Cat 2) cable is 4 MHz cable used for legacy data terminal systems, such as IBM 3270 BISYNC.

Category 3 (Cat 3) cable has a maximum bandwidth of 16 MHz and is rated for 10 Mbps over a wire segment of 100 m (although speeds of 100 Mbps can often be achieved). Cat 3 cable is rated up to 16 Mbps and is primarily used today for telephones.

Category 4 (Cat 4) cable, with a maximum bandwidth of 20 MHz, was used for IBM’s 16 Mbps Token Ring networks. It is not commonly seen today.


Category 5 (Cat 5) cable has a maximum bandwidth of 100 MHz and is rated for voice or data at speeds up to 100 Mbps over a wire segment of 100 meters. Cat 5e is rated for full-duplex and 1 gigabit (Gbps) Ethernet. These are the most common LAN cables in use today.

Category 6 (Cat 6) cable is rated to 250 MHz over a wire segment between 15 and 100 meters in length. Cat 6 is intended for use for very-high-speed broadband applications at data rates up to 10 Gbps. Cat 6a cable is a variant of Cat 6, rated to 500 MHz and 10 Gbps.

Category 7 (Cat 7) cable is rated up to 600 MHz and uses four pair. Each pair of wires in the cable sheath, and the sheath itself, are shielded to prevent electromagnetic interference at data rates up to 10 Gbps. Cat 7a is rated up to 1,000 MHz and 10 Gbps data rates.

UTP is commonly found in physical star-wired bus and ring LANs; it is never used in a physical bus and rarely in a physical ring. As with coaxial cable, it is easy to wiretap. In addition, many LANs using UTP also make connections through patch panels, which are frequently unprotected because the technicians installing the connections are unaware of the security issues of providing centralized access to dozens or hundreds of connections.

Another twisted pair variant is shielded twisted pair (STP), where each cable pair is surrounded by a metallic shield that provides the same function as the outer conductor in coaxial cable. STP was only used in the IBM Token Ring, a star-wired ring.

6.3.3 Optical Fiber. Optical fiber is a thin flexible medium that acts as a waveguide for signals in the 10^14- to 10^15-Hz range, which includes the visible light spectrum and part of the infrared spectrum. Optical fiber is a great medium for digital communications; it is essentially immune to any type of radio or magnetic interference and very difficult (using highly specialized equipment) to tap surreptitiously. Theoretically able to achieve data rates on the order of trillions of bits per second, optical fiber has been shown to reach data rates of 100 Gbps over a 4,350-mile (7,000-km) fiber; the practical limit is usually due to the electronics performing optical-electrical conversion.

In WAN applications, this speed limit is exceeded in one of two ways.

1. An optical switch can terminate optical fiber without any electrical-optical conversion.

2. Dense wave division multiplexing (DWDM) allows 100 or more 10 Gbps bit streams to be carried on a single-fiber strand simultaneously.

These technologies may well eventually find their way to the LAN.

The electronics are a critical part of any optical fiber system. The incoming electrical signal to be transmitted on the fiber is converted to an optical signal by the transmitter. Common optical sources are a light-emitting diode (LED) or injection laser diode (ILD). LEDs are less expensive than ILDs but are limited to lower speeds. The optical signal is received by a device called a photodiode, which essentially counts photons and converts the count to an electrical signal. Common photodiodes include the positive-intrinsic-negative (PIN) photodiode and avalanche photodiode (APD). The PIN is less expensive than the APD but is limited to lower speeds.

The physical and transmission characteristics of optical fiber are shown in Exhibit 6.9. At the center of an optical fiber cable is the core, a thin, flexible medium capable of carrying a light signal. The core is typically between 2 and 125 micrometers (μm), or microns, in diameter and may be made from a variety of glass or plastic compounds. Surrounding the core is a layer called the cladding. The optical characteristics of the cladding are always different from the core’s characteristics so that light signals traveling through the core at an angle will reflect back and stay in the core. The cladding may vary in thickness from a few to several hundred microns. The outermost layer is the jacket. Composed of plastic or rubber, the jacket’s function is to provide the cable with physical protection from moisture, handling, and other environmental factors.

EXHIBIT 6.9 Optical Fiber Cable (core and cladding of single-mode and graded-index multimode fiber)

Two types of optical fiber cable are used for voice and data communications, differ- entiated by their transmission characteristics (see Exhibit 6.9). Multimode fiber (MMF) has a core diameter between 50 and 125 μm. Because this diameter is relatively large, light rays at different angles will be traveling through the core. This phenomenon, known as modal dispersion, has the effect of limiting the bit rate and/or distance of the cable. MMF cable is generally limited to a maximum cable length of 2 km. Single-mode fiber (SMF) eliminates the multiple path problem of MMF by using a thin core with a diameter of 2 to 8 μm. This thin-core cable results in a single propagation path so that very high bandwidths over large distances (up to 10 km) can be achieved.

SMF is the most expensive type of fiber and is usually used for long-haul data and telecommunications networks. MMF is commonly used on LANs; it is less expensive but can still handle the required data rates and distances.

Optical cable is far harder to wiretap than copper (a tap requires physical access to the strand and introduces an optical loss that a monitored link can detect), but it is easy to cut. Such cables should be protected by shielded conduits, not placed in accessible locations such as next to a baseboard on the floor of a public corridor—in a hospital!

6.3.4 Wireless Media. Wireless LANs use radio signals to interconnect LAN nodes. Wireless LANs are increasingly common in environments where:

• It is difficult to install new wiring (e.g., in a building with asbestos in the walls).
• There are mobile users (e.g., in a hospital or car rental agency).
• Right-of-ways for wiring are hard to obtain (e.g., campus environments that span roadways).
• A temporary network is necessary (e.g., at a conference or meeting).
• Residential areas have no other networking facilities.
• Conference centers, hotels, and colleges and universities need wide and easy network access.

Wireless LANs generally employ infrared, spread spectrum, or microwave communications technology.

Infrared (IR) is used for a variety of communications, monitoring, and control applications. It is also used for such non-LAN applications as home entertainment remote control, building security intrusion and motion detectors, medical diagnostic equipment, and missile guidance systems. For wireless LANs, the most common IR communications band uses signals with a wavelength in the range 800 to 1,000 nanometers (nm, or 10^−9 m). Diffused IR operates at data rates of 1 to 4 Mbps at distances up to 200 feet, and can be used for stationary or mobile LAN nodes. Directed beam IR, which requires line of sight, operates at data rates from 1 to 10 Mbps at distances up to 80 feet. IR systems are limited to a single room because the signals cannot pass through walls.

Spread spectrum is a wireless communications technology in the region of 2.4 or 5 gigahertz (GHz, or billions of cycles per second), where the actual frequency of the transmitted signal is deliberately varied during transmission. Originally, the frequency shifting was for security purposes, to prevent monitoring of the communications channels. In LAN products, however, the spreading sequences are fixed by the standard and known to every compliant receiver, so spread spectrum by itself provides no confidentiality. Two types of spread spectrum technology are used in LANs:

1. In frequency hopping spread spectrum (FHSS),3 the transmitter sends the signal over a set of radio frequencies, hopping from frequency to frequency at split-second intervals in what appears to be a random sequence. The sequence is not random, however, and the receiver changes frequencies in synchronization with the transmitter. FHSS can support data rates from 1 to 3 Mbps up to a distance of 330 feet (100 m).

2. In direct sequence spread spectrum (DSSS), each bit in the original data stream is represented by multiple bits in the transmitted signal, spreading the signal across a wide frequency range. One result of DSSS is that the system can achieve a greater bandwidth than the original signal. DSSS can support data rates in excess of 20 Mbps up to a distance of 1,000 feet (300 m).

Another modulation scheme used in wireless LANs is orthogonal frequency-division multiplexing (OFDM). OFDM is a variant of frequency division multiplexing and uses a forward error-correction scheme and orthogonal subcarriers in order to minimize frequency crosstalk and bit errors.

Wireless access points can be purchased for less than $100, making this an attractive alternative to even UTP-based LANs in many scenarios.

Microwave LANs use frequencies in the regions of 1, 5, and 19 GHz. With electromagnetic energy at frequencies above 1 GHz, data rates up to 20 Mbps can be maintained over distances up to 130 feet. One major disadvantage of microwave is that Federal Communications Commission (FCC) licensing is required for many of these frequencies.


6.3.5 Summary. In the early 1980s, coaxial cable was the most commonly used LAN medium. Twisted pair, used for telephony applications, was not used in LANs be- cause high speeds could not be achieved. Optical fiber technology was still in its infancy and was very expensive. All of this changed by the early 1990s, when the electronics to drive twisted pair had dramatically improved, and optical fiber technology had greatly matured. It is rare to see coaxial cable used in a LAN today; instead, UTP (less costly than coax) or optical fiber (higher speeds than coax) are more often employed. Wireless LANs are a viable alternative to wire-based networks, yet more difficult to secure.4

However, growth in wireless network access to the Internet outstripped fixed broadband subscriptions by the late 2000s; in 2011, rates of growth for wireless subscriptions were 200 to 300 percent of the rates of growth for fixed subscriptions.5

6.4 MEDIA ACCESS CONTROL. As mentioned, LANs are broadcast networks connecting peer devices, all having equal access to the medium. These characteristics place two requirements on the protocol that controls access to the network:

1. There can be only one station transmitting at any given time since multiple transmitters would result in garbled messages.

2. All stations must follow the same rules for accessing the network since there is no master station.

The schemes controlling access to the network medium are called media access control (MAC) protocols. Although many different LAN MAC schemes have been introduced in working products, the most common ones are essentially variants of two approaches: contention and distributed polling. These schemes will be discussed below, along with reference to appropriate Institute of Electrical and Electronics Engineers (IEEE) LAN standards.

6.4.1 Contention. A contention network can be compared to a group of people sitting around a conference table without a chairperson. When someone wants to speak, it is necessary first to determine whether anyone else is already speaking; if someone else is speaking, no one else can begin until that person has stopped. When a person detects silence at the table, he or she starts to talk. If two people start to talk at the same time, a collision has occurred and must be resolved. In the human analogy, collisions are resolved in one of two ways: Either both speakers stop and defer to each other (“polite backoff”) or both continue speaking louder and louder until one gives up (a “rudeness algorithm”).

The contention scheme used in LANs is similar to the polite backoff situation, and is called carrier sense multiple access with collision detection (CSMA/CD). CSMA/CD is one of the oldest LAN MAC schemes in use today, used originally in Ethernet and becoming the basis of the IEEE 802.3 standard (to be described). Although there have been other contention schemes used on LANs, CSMA/CD is the one that has survived and thrived in the marketplace.

CSMA/CD works on logical bus networks. When a station is ready to transmit, it first listens to the network medium (“carrier sense”). If the station detects a transmission on the line, it will continue to monitor the channel until it is idle. Once silence is detected, the station with a message to send will start to transmit. Stations continue to monitor the channel during transmission so that if a collision is detected, all transmitters stop transmitting.


CSMA/CD networks employ a backoff scheme so that the first collision does not bring the network down. Without a backoff scheme, all transmitters would detect a collision and stop transmitting; after again hearing silence on the line, however, all stations would once again start transmitting and would again collide with each other. The backoff scheme causes stations to make a random decision whether to transmit or not after silence is detected on the channel after a collision has occurred.

CSMA/CD uses a backoff scheme called truncated binary exponential backoff . Although this name is a mouthful, it actually describes the process very precisely. When a station is ready to transmit and detects silence on the line, it will attempt to send a message with a probability of 1 (i.e., 100 percent likelihood that it will transmit); this probability is called the persistency of the MAC scheme.6 If a collision occurs, the station will stop transmitting and again wait for silence on the line. When silence is again detected, the station will transmit with a probability of 1∕2 (i.e., there is a 50 percent chance that it will transmit and a 50 percent chance that it will not). If two stations were involved in the collision and they both back off to a 1∕2-persistent condition, then there is a 50 percent chance that one will transmit and one will defer at the next transmission opportunity, a 25 percent chance that both will defer at the next opportunity, and a 25 percent chance that both will collide again.

If a station collides again, its persistency is again cut in half, now to 1∕4. All sta- tions involved in the collision(s) drop their persistency and each station independently determines whether it will transmit at the next occurrence of silence or not.

As long as collisions occur, the persistency is continually cut in half until the station either successfully transmits or has made 16 unsuccessful attempts to transmit the message. After 16 failed attempts, the station gives up.7 The “truncated” in the name refers to a cap on this halving: in IEEE 802.3 the backoff is expressed as a random wait of k slot times, with k drawn uniformly from 0 to 2^n − 1 after the nth collision, and n stops growing at 10, so the delay range never exceeds 1,023 slot times. After the station successfully transmits or has made 16 unsuccessful attempts, its persistency returns to 1 and the operation continues as before.

Wireless LANs also use a form of contention, but it is generally not CSMA/CD because collision detection is not practical in a wireless environment. Instead, the sta- tions still employ CSMA—they listen for an idle channel—but they do not necessarily transmit when the channel is idle. Instead, they wait to see if the channel remains idle for some period of time in an attempt to stave off a collision. This is a form of CSMA with collision avoidance (CSMA/CA).

6.4.2 Distributed Polling. Imagine that the same group of people is sitting around the same conference table, still without a chairperson. One person at the table has a microphone and can say anything to anyone in the room. Everyone in the room, of course, will hear the message. The rule here is that the only person who is allowed to speak is the one with the microphone; furthermore, the person will hold on to the microphone only while he or she has something to say and can hold on to it only for some maximum amount of time. When the first person is done talking or the time limit is reached, the microphone is passed to the next person at the table. Person 2 can now speak or immediately pass the microphone on to person 3. Eventually, the first person at the table will get the microphone back and get another opportunity to talk.

The scheme just described is implemented in LANs with a scheme called token passing. This is the basis for the IBM Token Ring and represents the second most commonly used LAN MAC algorithm. Token passing, in one variant or another, is the basis for the IEEE 802.4 and 802.5 standards, as well as for the Fiber Distributed Data Interface (FDDI).

Token passing requires a logical ring topology. When a station has data to send to another station, it must wait to receive a bit pattern representing the token. Tokens are sent in such a way that only one station will see it at any given time; in this way, if a station sees the token, it has temporary, exclusive ownership of the network.

If a station receives the token and has no data to send, it passes the token on. If it does have data to send, it generates a frame containing the data. After sending the frame, the station will generate and send another token.

A token ring network is a logical ring implemented on a physical topology that supports a serial broadcast operation (i.e., a star or a ring). Each station receives transmissions one bit at a time and regenerates the bits for the next station. A station transmitting a frame will send the bits on its output link and receive them back on its input link. The transmitter, then, is responsible for removing its message from the network. When finished transmitting, the station transfers control to another station by sending the bits comprising a token on its output link. The next station on the ring that wants to transmit and sees the token can then send its data frame. Token rings (standardized in 802.5 and FDDI) are the most common implementation of token passing.

A token bus network (as specified in 802.4) is conceptually similar to the token ring, except that it is implemented using a simultaneous broadcast topology (i.e., a bus). In this physical topology, all stations hear all transmissions. A station that wants to send data to another will address a frame to the intended receiver on the network, as in a CSMA/CD bus. When done transmitting, the station will address a token to the next station logically in the ring; while all stations will hear the token transmission, only the one station to which it is addressed will pick it up. After receiving a token, a station may or may not transmit data, but it is, in any case, responsible for passing the token to the next station in the logical ring. Eventually, the token will return to the first station.

6.5 LAN PROTOCOLS AND STANDARDS. The Open Systems Interconnec- tion (OSI) Reference Model continues to be the standard framework with which to describe data communications architectures, including those for LANs. The basic LAN protocol architecture maps easily to the OSI model, as discussed in this section.

6.5.1 OSI Model versus LAN Model Architectures. Although the LAN protocol architecture can be related to the OSI model, there is not a perfect one-to-one mapping of the protocol layers (see Exhibit 6.10). The OSI Physical Layer is analogous to a LAN Physical Layer (PHY). Both specify such things as:

• Electrical characteristics of the interface
• Mechanical characteristics of the connector and medium
• Interface circuits and their functions
• Properties of the medium
• Signaling speed
• Signaling method

Most LAN physical layer specifications actually comprise two sublayers. The lower sublayer describes physical layer aspects that are specific to a given medium; the higher sublayer describes those aspects that are media-independent.

EXHIBIT 6.10 IEEE versus LAN Protocol Models
  OSI Model                                                IEEE LAN Protocol Model
  Application, Presentation, Session, Transport, Network   802.1 – Higher Level Interface (HILI); 802.10 – Standard for Interoperable LAN Security (SILS)
  Data Link                                                802.2 – Logical Link Control (LLC); Media Access Control (MAC): 802.3, .4, .5, .6, .9, .11, .12, .15, .16
  Physical                                                 Physical Layer (PHY): 802.3, .4, .5, .6, .9, .11, .12, .15, .16

The OSI Data Link Layer, responsible for error-free communication between any two communicating devices, is represented by two sublayers in a LAN. The lower sublayer is the MAC, which deals with issues of how the station should access the network medium. The MAC is responsible for error detection over the PHY and specifies such things as:

• Framing
• Addressing
• Bit-error detection
• Control and maintenance of the MAC protocol
• Rules governing medium access

The upper sublayer is called the Logical Link Control (LLC). The LLC protocol is responsible for maintaining a logical connection between two communicating LAN stations. The LLC specifies such rules as:

• Frame sequencing
• Error control
• Establishment and termination of a logical connection
• Addressing of higher layer services

Recalling that the main functions of the network layer are routing and congestion control, there are two reasons that no LAN protocol layer acts strictly like the OSI Network Layer:

1. There is no need for a routing algorithm in a broadcast network because all stations receive all transmissions; the address of the intended receiver is included in the transmission itself.

2. Congestion control is also not an issue in a broadcast network; a broadcast network must be limited to a single transmitter at a time, and this is accomplished by the MAC layer.

There are no standards for LANs corresponding to the upper four layers of the OSI model. Even in the less organized 1980s, end-to-end protocols as such were not required in a LAN environment because the end-to-end communication was limited to nodes on the LAN, and for that the MAC guaranteed error-free communication.


Only when LAN interconnection, via WAN and LAN access to the Internet, gained popularity did other end-to-end protocols become necessary. IP (and other network layer protocols) grew in demand as well. Those protocols are associated with the communications software as part of a network operating system (NOS), and these will be discussed later.

6.5.2 IEEE 802 Standards. Although they are not directly related to security, it is useful to be familiar with the standards describing LANs, the most common of which are the IEEE 802 standards. The IEEE Computer Society formed the Project 802 Committee in February 1980 to create standards for LANs as part of its more general work on standards for microprocessors; no other organization was making any similar standardization efforts. Originally, there was to be a single LAN standard, operating at a speed between 1 and 20 Mbps. The standard was divided into three parts: PHY, MAC, and a high-level interface (HILI) to allow other protocol suites to have a common protocol boundary with the LAN. The original MAC was based on the Ethernet standard, but other MAC schemes were quickly added and, over the years, the 802 committee has addressed many LAN schemes. They all have in common an interface to a single LLC protocol that provides a common interface between the HILI and any MAC.

A description of the Project 802 working groups (WG) and their status as of October 2012 follows.8

802.1—High-Layer LAN Protocols Working Group. Provides the framework for higher-layer issues, including protocol architecture, security, end-to-end proto- cols, bridging, internetworking, network management, and performance mea- surement.

802.2—Logical Link Control Working Group. Provides a consistent interface between any LAN MAC and higher-layer protocols. Depending on the options employed, the LLC can provide error detection and correction, sequential delivery, and multiprotocol encapsulation. The 802.2 standard is described in more detail in Section 6.5.6. This WG has been disbanded.9

802.3—Ethernet Working Group. Defines the MAC and PHY specifications for a CSMA/CD bus network. This specification is discussed in more detail in Section 6.5.3. (The 802.3 CSMA/CD standard is based on Ethernet, described in Section 6.5.4.)

802.4—Token Bus Working Group. Defines the MAC and PHY specifications for a token-passing bus based on work originally done at General Motors as part of the Manufacturing Automation Protocol (MAP). Well suited for factory floors and assembly lines, MAP never achieved widespread use. This WG has been disbanded.

802.5—Token Ring Working Group. Defines the MAC and PHY specifications for a token-passing ring. Although this WG is currently disbanded, the speci- fication is discussed in more detail in Section 6.5.5 for historical purposes.

802.6—Metropolitan Area Network (MAN) Working Group. Defines the MAC and PHY specifications for a MAN. In particular, the 802.6 standard defines a MAC and PHY called Distributed Queue Dual Bus (DQDB), which was one of the MACs employed with the Switched Multimegabit Data Service (SMDS) and Connectionless Broadband Data Service (CBDS). Introduced in the early 1990s, neither service remains in use today. This WG has been disbanded.


802.7—Broadband Technology Advisory Group (BBTAG). Advises other 802 subcommittees about changes in broadband technology and their effect on the 802 standards. This WG has been disbanded.

802.8—Fiber Optics Technology Advisory Group (FOTAG). Advises other 802 subcommittees about changes in optical fiber technology and their effect on the 802 standards. This WG has been disbanded.

802.9—Integrated Services LAN (ISLAN) Working Group. Defines the MAC and PHY specifications for integrated voice/data terminal access to integrated services networks, including ISLANs and MANs, and Integrated Services Digital Networks (ISDN). The only practical implementation was deployed in IsoEthernet products, described in the IEEE 802.9a standard. This WG has been disbanded.

802.10—Security Working Group. Defines procedures for providing security mechanisms on interconnected LANs, including cryptography and certificates. This WG has been disbanded.

802.11—Wireless LAN (WLAN) Working Group. Defines MAC and PHY specifications for “through the air” media. The original 802.11 standard defined operation at 1 or 2 Mbps using the 2.4-GHz range and DSSS or FHSS spread spectrum technology; nominal maximum distances were 330 feet (100 m). The most common variants today are:

• 802.11b—Data rates up to 11 Mbps at a nominal maximum distance up to 460 feet (140 m) on a frequency of 2.4 GHz using DSSS.
• 802.11g—Data rates up to 54 Mbps at a nominal maximum distance up to 460 feet (140 m) on a frequency of 2.4 GHz using DSSS or OFDM.
• 802.11n—Data rates up to 150 Mbps at a nominal maximum distance up to 820 feet (250 m) on a frequency of 2.4 or 5 GHz using OFDM.

Future 802.11 standards are expected that will provide data rates up to 866.7 Mbps on a frequency of 5 GHz using OFDM.

802.12—Demand Priority Working Group. Describes one of the MAC and PHY specifications originally proposed for 100 Mbps LAN speeds and dubbed 100BASE-VG/AnyLAN. Largely unused, and the WG has been disbanded.

802.13. (This number was never assigned to a WG because it was felt that the 13 would hamper products in the marketplace.)

802.14—Cable Modem Working Group. Originally intended to describe LANs for cable TV systems. This WG has been disbanded.

802.15—Wireless Personal Area Network (WPAN) Working Group. Defines a MAC and PHY for a short distance wireless network between portable and mobile devices such as PCs, personal digital assistants (PDAs), cell phones, pagers, and other communications equipment.

802.16—Broadband Wireless Access (BBWA) Working Group. Defines the MAC and PHY for high-speed wireless network access over relatively short distances. BBWA standards address the “first-mile/last-mile” connection in wireless metropolitan area networks, extending the reach of residential broad- band services such as cable modem or digital subscriber line (DSL).

802.17—Resilient Packet Ring (RPR) Working Group. Defines standards to support the development and deployment of RPR local, metropolitan, and wide area networks for resilient and efficient transfer of data packets at rates scalable to many gigabits per second. This WG is currently in hibernation.10

802.18—Radio Regulatory Technical Advisory Group (RR-TAG). On behalf of other 802 WGs using radio-based communication, this TAG monitors, and actively participates in, ongoing national and international radio regulatory activities.

802.19—Wireless Coexistence Working Group. Develops and maintains policies defining the responsibilities of 802 standards developers to address issues of coexistence with existing standards and other standards under development.

802.20—Mobile Broadband Wireless Access (MBWA) Working Group. Defines the specification for a packet-based wireless interface that is optimized for IP- based services. The goal is to enable worldwide deployment of affordable, ubiquitous, always on, and interoperable multivendor mobile broadband wire- less access networks that meet the needs of business and residential end user markets. This WG is currently in hibernation.

802.21—Media Independent Handover Services Working Group. Developing standards to enable handover and interoperability between heterogeneous net- work types including both 802 and non-802 networks.

802.22—Wireless Regional Area Networks (WRAN) Working Group. Devel- oping a standard for a radio-based PHY, MAC, and air interface for use by license-exempt devices on a noninterfering basis in the spectrum allocated to broadcast television.

802.23—Emergency Services Working Group. This working group was created to define an IEEE 802 framework for LANs that would comply with applicable civil authority requirements for communications systems. This working group has been disbanded.

802.24—Smart Grid Technology Advisory Group. This TAG was created to pro- vide liaison between the 802 committee and the smart grid industry and reg- ulatory bodies, and to provide coordination and collaboration amongst 802 working groups related to smart grids.

6.5.3 IEEE 802.3 CSMA/CD Standard. The original IEEE 802.3 standard, first published in 1985, describes the PHY and MAC for a CSMA/CD bus network operating over thick coaxial cable. Today, an 802.3 network implementation can employ any of a number of media types, including UTP and optical fiber. Without question, star-wired UTP implementations are the most popular.

The 802.3 committee anticipated the different media types that might be used, and they developed a nomenclature to identify the actual physical implementation, using the format:

[speed (Mbps)][signaling type][segment length (m) or media type]

The original 802.3 specification, for example, operated at 10 Mbps, used baseband (digital) signaling and limited a single coaxial cable segment to a length of 500 m (1,640 feet); the cable was designated 10BASE5. In fact, the largest distance between two 802.3 stations could be 2.8 km (9,200 feet), so repeaters might be used to inter- connect several 500-m coaxial cable segments.

EXHIBIT 6.11 IEEE 802.3 Frame Format (802.3 MAC header; number of bytes per field: Destination Address 6, Source Address 6, Length 2, Information 38–1492, CRC 4)

A less expensive version, called CheaperNet, was later introduced that operated over thin coaxial cable segments limited to 185 m (610 feet); this PHY is denoted 10BASE2.

In the mid-1980s, AT&T introduced a product called StarLAN, which operated at 1 Mbps over UTP. Although this product has long been relegated to obscurity, it was the first to break the 1-Mbps barrier on UTP. Subsequent versions of 802.3 that employ UTP all use a star topology where each network node connects directly back to a central hub. The first 10-Mbps version of 802.3 was denoted 10BASE-T, the T indicating use of the UTP medium (which structured wiring standards say is limited to a distance of 100 m, or 330 feet). The 10-Mbps optical fiber version of 802.3 is 10BASE-F. Today, of course, 100-Mbps and 1-Gbps versions (i.e., 100BASE-T and 1000BASE-T) are available. Full-duplex Ethernet takes advantage of the point-to-point links in a star configuration and effectively doubles the line speed by allowing both stations to transmit at the same time.

Exhibit 6.11 shows the format of an IEEE 802.3 MAC frame, primarily for reference purposes. The fields and their functions are:

� Preamble. Used for clock synchronization; employs 7 repetitions of the 8-bit pattern 10101010. (8 binary bits = 1 byte = 1 octet)

� Start frame delimiter (SFD). The bit pattern 10101011 denotes the actual be- ginning of the frame. 1 octet.

� Destination address (DA). 48-bit MAC address of the station that should receive this frame. An all-1s address in 48 binary bits (ff-ff-ff-ff-ff-ff in hexadecimal) is the broadcast address, indicating that all stations should receive this message.

• Source address (SA). 48-bit MAC address of the station sending this frame.

• Length. Number of octets in the LLC data field, a value between 0 and 1500. 2 octets.

� LLC Data. Data from LLC (and higher layers). This field contains a 3-octet LLC Header, 5-octet 802.2 Subnetwork Access Protocol (SNAP) header, and 38 to 1492 octets of higher layer data.

� PAD. Additional octets to ensure that the frame is at least 64 octets in length; this minimum is required by CSMA/CD networks as part of the collision detection mechanism.

� Frame check sequence (FCS). Remainder from CRC-32 calculation used for bit error detection. 4 octets.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

LAN PROTOCOLS AND STANDARDS 6 · 21

EXHIBIT 6.12 Ethernet II Frame Format (number of bytes: header = Destination Address 6, Source Address 6, Type 2; Data 46–1500; CRC 4)

6.5.4 Ethernet II. The IEEE’s CSMA/CD standard is based on the Ethernet specification developed at Xerox’s Palo Alto Research Center (PARC) in the mid-1970s. When Xerox first decided to market Ethernet, there was no OSI model or any LAN standards or products. Given that environment, Xerox sought industry support for this new specification. The Ethernet specification has been jointly distributed (and marketed) by Digital Equipment Corporation (DEC, now Compaq), Intel, and Xerox (hence sometimes known as DIX Ethernet). While the 802.3 standard is based on Ethernet II, the two are not exactly the same.

Exhibit 6.12 shows the format of an Ethernet MAC frame, primarily for purposes of comparison to the IEEE frame. The fields and their functions are:

• Preamble. Used for clock synchronization; employs the bit pattern 10101010 … 10101011. 8 octets.

• Destination address (DA). 48-bit MAC address of the station that should receive this frame. An all-1s address (ff-ff-ff-ff-ff-ff) is the broadcast address, indicating that all stations should receive this message.

• Source address (SA). 48-bit MAC address of the station sending this frame.

• Protocol identifier (PID). Indicator of the protocol information transported in the Information field. Sample values include 2048 and 2054 to indicate the Internet Protocol (IP) and Address Resolution Protocol (ARP), respectively. 2 octets.

• Information. Protocol data unit from the protocol identified in the PID field. 46 to 1,500 octets. (It is the responsibility of the higher layer to ensure that there are at least 46 octets of data in the frame.)

• Frame check sequence (FCS). Remainder from CRC-32 calculation used for bit error detection. 4 octets.

The point in comparing the frame formats of Ethernet and 802.3 is primarily historical, because today’s implementations are 802.3 and not Ethernet. That said, it is interesting to note that the two specifications are, in fact, different. It is a minor thing, perhaps, and it was a common misnomer in the industry to refer to “IEEE 802.3 Ethernet” (even the IEEE 802.3 committee is now known as the Ethernet Working Group), but it was an important difference to both a network administrator and a security professional.

In particular, in years past, if one LAN device only understood Ethernet encapsulation, it would not be able to communicate successfully with another LAN device that only understood IEEE 802.3 encapsulation. Both devices, however, can share the same medium backbone because the electronics are the same. A NetWare server running the Internetwork Packet Exchange (IPX) network layer protocol over IEEE 802.3 frames, for example, could easily share the network with a UNIX host running IP over Ethernet, but the NetWare server retained some immunity from attack by an IP host because the two networks could not cross-communicate.

EXHIBIT 6.13 IEEE 802.5 Token and Frame Formats. Token: SD, AC, ED (1 byte each). 802.5 MAC frame: SD 1, AC 1, FC 1, DA 6, SA 6, RIF 0–18, Information (length bounded by the maximum frame size, 8232 bytes assumed), FCS 4, ED 1, FS 1 bytes.

6.5.5 IEEE 802.5 Token-Ring Standard. The IEEE 802.5 token-ring standard was based on the IBM product of the same name. Both the standard and the product date back to about 1985. It is described here for historical purposes.

The token ring has a logical ring topology, although it was built as a physical star. Designed to operate with STP or UTP cable, most implementations operated at speeds of 16 Mbps or higher. The 802.5 MAC was essentially the same as the token passing scheme described in Section 6.4.2. The fields of the MAC frame (see Exhibit 6.13) are:

• Start delimiter (SD). Marks the actual beginning of the transmission. Bit pattern JK0JK000, where J and K represent special symbols on the line (note 11). 1 octet.

• Access control (AC). Indicates whether this transmission is a token (i.e., no data) or a frame (i.e., contains data). This field also contains information about the priority of this transmission. 1 octet.

• Frame control (FC). Indicates if this frame carries LLC (and higher-layer) data or MAC management information; if it is MAC-specific information, this field also indicates the MAC frame type. 1 octet.

• Destination address (DA). 48-bit MAC address of the station to which this frame is intended.

• Source address (SA). 48-bit MAC address of the station sending this frame.

• Routing information field (RIF). An optional field, used only in multiple-ring networks utilizing source routing and in which the intended receiver is on a different ring than the transmitter. In source routing, the transmitter can specify the intended path of this frame, designating up to eight intermediate networks (note 12). 0 to 18 octets.

• Information (INFO). Contains an LLC frame or MAC management information. No maximum length is specified by the standard, but the length of this field will be limited by the time required to transmit the entire frame, controlled by the token holding time parameter.

• Frame check sequence (FCS). Remainder from a CRC-32 calculation to detect bit errors in the frame. 4 octets.

• End delimiter (ED). Marks the end of the transmission, with the bit pattern JK1JK1IE, where J and K are as described in the SD field. The I-bit indicates whether this frame is the last frame of a multiple-frame sequence and the E-bit indicates whether a bit error was detected by the receiver (E); these bits are cleared by the original sender when the frame returns to that station. 1 octet.

• Frame status (FS). The bit pattern AC00AC00; these bits indicate whether the frame’s destination address was recognized by any station on the network (A) and whether this frame was successfully copied by the intended receiver (C). 1 octet.

As shown, a token comprises just three octets, the SD, AC, and ED fields. A station sends a frame whenever there is user data or MAC information to send. The station must wait until it receives a token before it can generate a frame.

The transmitting station is responsible for generating a new token after it transmits a single frame. Recall that the transmitted bits come back to the sender, and it is this station that removes the bits from the network. According to the original standard, the transmitter will send a token after sending all of the bits of the frame and must wait until it has seen at least the returning SA field to verify that it is, in fact, removing its own frame from the network. Optionally, early token release allows the transmitter to generate a new token immediately after finishing sending the bits from its frame, even if the SA field has not yet returned. This latter option was developed to improve performance in very large token ring environments, such as the American National Standards Institute (ANSI) FDDI standard.

Today, 802.5 token rings are primarily limited to IBM environments, and there is a lot to be found there. FDDI is more commonly found in multibuilding campus environments, used as a backbone to interconnect Ethernet/802.3 networks. FDDI is being phased out; the last FDDI product vendor dropped out of the marketplace in 1999.

6.5.6 IEEE 802.2 LLC Standard. The IEEE 802.2 LLC protocol was intended to provide a common interface between 802 LAN MACs and higher-layer applications. With the LLC, the underlying MAC scheme is transparent to the application just as the application is transparent to the MAC.

The LLC was designed to support any number of services, the most common being an unacknowledged connectionless service (primarily used in contention networks) and an acknowledged connection-oriented service (primarily used in token ring environments).

The LLC is loosely based on the Higher-layer Data Link Control (HDLC) bit-oriented protocol in both operation and frame format (see Exhibit 6.14). The LLC frame appears in the Information field of a MAC frame. The first two fields of the LLC header are the Destination Service Access Point (DSAP) and the Source Service Access Point (SSAP) fields, originally intended to identify the higher-layer services at the source and destination node. This is similar in concept to ports in the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) but was never well implemented, and the DSAP and SSAP values are typically the same. The third field is the Control field, identifying the type of frame.

EXHIBIT 6.14 IEEE 802.2 LLC Frame Transporting SNAP Header (802.2 LLC header: DSAP 0xAA, SSAP 0xAA, Control 0x03; 802 SNAP header: OUI 0x00-00-00, Type; the SNAP header in turn indicates IEEE organization and EtherType protocol identifiers)

The Subnetwork Access Protocol (SNAP) is an IEEE 802 protocol that can be used to identify any protocol created by any agency, and is commonly used above the LLC layer. In this case, the SNAP header immediately follows the LLC header. Use of SNAP is indicated by the LLC fields when both DSAP and SSAP fields are set to a value of 170 (0xAA) and the Control field is set to a value of 3 (octal 03) to indicate that it is an Unnumbered Information frame.

The SNAP header has two fields. The 3-byte Organizationally Unique Identifier (OUI) field refers to the organization that developed either the higher-layer protocol or a way to refer to the protocol. The 2-byte Type field identifies the protocol using the Organization-defined number.

The Internet Protocol (IP) and Address Resolution Protocol (ARP) provide example uses of SNAP. The common format of a SNAP header encapsulating these protocols would be to set the OUI value to 0 (0x00-00-00) to identify IEEE/ISO as the organization. The Type field would then use the EtherType values of 2048 (0x08-00) and 2054 (0x08-06) to indicate use of IP and ARP, respectively.
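The Length-versus-Type distinction between the IEEE 802.3 and Ethernet II frame formats, and the LLC/SNAP encapsulation just described, as an added example that is not from the handbook: a small Python dissector that verifies the FCS, classifies a frame as Ethernet II or IEEE 802.3, and recovers the EtherType from a SNAP header. The sample frames are constructed inline with placeholder payloads and the station MACs of Exhibit 6.15; the 1536 (0x0600) threshold is the one IEEE 802.3 defines for telling a Type value from a Length value, and SAP 0xE0 is the one NetWare used for IPX without SNAP.

```python
import struct
import zlib

# EtherType values named on the page (2048 = IP, 2054 = ARP)
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
MAX_8023_LENGTH = 1500   # largest legal 802.3 Length value
MIN_ETHERTYPE = 0x0600   # 1536: IEEE 802.3 treats values >= 1536 as a Type (Ethernet II)
BROADCAST = b"\xff" * 6
# Station MACs taken from Exhibit 6.15 (sample values, not real hosts)
STATION_A = bytes.fromhex("00500429e701")
STATION_B = bytes.fromhex("ab37165a6810")


def mac_str(raw):
    """Render six octets in the hh-hh-hh-hh-hh-hh style the page uses."""
    return "-".join(f"{b:02x}" for b in raw)


def fcs_for(body):
    """FCS = CRC-32 over DA..PAD (same polynomial as zlib), sent least-significant octet first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame):
    """True when the trailing four octets match the CRC-32 of the rest of the frame."""
    return len(frame) >= 4 and fcs_for(frame[:-4]) == frame[-4:]


def build_frame(da, sa, type_or_length, payload):
    """Constructed-frame helper: DA, SA, Length/Type, payload, PAD to 60 octets, then FCS."""
    body = da + sa + struct.pack("!H", type_or_length) + payload
    body += b"\x00" * max(0, 60 - len(body))   # PAD: 64-octet minimum including FCS
    return body + fcs_for(body)


def dissect(frame):
    """Classify a MAC frame (preamble/SFD already removed by the PHY) and return its fields."""
    if len(frame) < 64:
        raise ValueError("runt frame: shorter than the 64-octet minimum")
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: bit errors or a truncated frame")
    body = frame[:-4]
    da, sa = body[:6], body[6:12]
    type_len = struct.unpack("!H", body[12:14])[0]
    info = {"da": mac_str(da), "sa": mac_str(sa), "broadcast": da == BROADCAST}
    if type_len >= MIN_ETHERTYPE:               # Ethernet II: the field is a Protocol identifier
        info.update(encapsulation="Ethernet II", ethertype=type_len, payload=body[14:])
        return info
    if type_len > MAX_8023_LENGTH:              # 1501..1535 is neither a Length nor a Type
        raise ValueError(f"Length/Type value {type_len} is invalid")
    if 14 + type_len > len(body):
        raise ValueError("802.3 Length field exceeds the octets actually received")
    llc = body[14:14 + type_len]               # octets beyond the Length are PAD
    if len(llc) < 3:
        raise ValueError("802.3 frame too short for a 3-octet LLC header")
    info.update(encapsulation="IEEE 802.3", length=type_len,
                llc={"dsap": llc[0], "ssap": llc[1], "control": llc[2]})
    # SNAP is signalled by DSAP = SSAP = 0xAA and Control = 0x03 (Unnumbered Information)
    if llc[0] == 0xAA and llc[1] == 0xAA and llc[2] == 0x03 and len(llc) >= 8:
        info["snap"] = {"oui": llc[3:6].hex(), "ethertype": struct.unpack("!H", llc[6:8])[0]}
        info["payload"] = llc[8:]
    else:
        info["payload"] = llc[3:]
    return info


# Constructed sample frames (payload contents are zero placeholders, not real packets)
ETHERNET_II_ARP = build_frame(BROADCAST, STATION_A, ETHERTYPE_ARP, bytes(28))
SNAP_IP = build_frame(STATION_B, STATION_A, 8 + 40,
                      b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", ETHERTYPE_IP) + bytes(40))
# NetWare "802.2" framing used SAP 0xE0 without SNAP, so no EtherType is present
IPX_8022 = build_frame(STATION_B, STATION_A, 3 + 30, b"\xe0\xe0\x03" + bytes(30))


if __name__ == "__main__":
    for name, frame in [("Ethernet II ARP", ETHERNET_II_ARP),
                        ("802.3/SNAP IP", SNAP_IP), ("802.2 IPX", IPX_8022)]:
        print(name, dissect(frame))
```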

6.5.7 Summary. This section has covered the important LAN standards governing what is most likely to be seen in the industry today. Table 6.1 summarizes some of the discussion about the most common LAN topologies, media, MAC schemes, and standards.

TABLE 6.1 LAN Characteristics

Physical Topology | Logical Topology | Media      | MAC           | Speed (Mbps) | Standard
Bus               | Bus              | Coax       | CSMA/CD       | 10           | 802.3, Ethernet
Star              | Bus              | UTP, Fiber | CSMA/CD       | 1–1000       | 802.3
Star              | Bus              | Wireless   | CSMA/CA       | 1–150        | 802.11
Star              | Ring             | UTP        | Token passing | 16           | 802.5
Ring              | Ring             | Fiber      | Token passing | 100          | FDDI

6.6 INTERCONNECTION DEVICES. LAN interconnection devices are used to attach individual LANs to each other in order to build a large enterprise network. They can also interconnect LAN components across a WAN and provide LAN access to the Internet. Several types of such devices are used for LAN interconnections, including hubs, switches, bridges, and routers. The major distinction between these devices is the OSI layer at which they operate, and all are discussed in the next sections.

6.6.1 Hubs. Hubs are used to build physically star-wired LANs, using media that are basically point-to-point in nature (such as UTP and optical fiber). Note that it is the internal wiring of the hub that determines its logical nature, so that a logical bus or ring LAN can be physically star-wired.

So-called Ethernet hubs support 10, 100, and/or 1,000 Mbps Ethernet or 802.3 networks. Different hubs will have a different number of ports, generally ranging from 4 to 32. Hubs provide physical connectivity only; when a frame arrives on one port, the hub will broadcast the frame back out to all other ports, which simulates the broadcast bus environment. Multiple hubs can be interconnected to form reasonably large networks.

Token-ring hubs, generally called multistation access units (MAUs), look similar to Ethernet hubs but have different internal wiring. When an MAU receives a transmission on one port, it merely forwards that transmission, a bit at a time, to the next port sequentially on the MAU. In this way, it simulates the ring environment.

6.6.2 Switches. Switches are generally employed in the CSMA/CD environment and extend the capabilities of a hub. A switch operates at a combination of PHY and MAC layers. In addition to providing physical connectivity like a hub, a switch learns the MAC address of all stations attached to it. When a frame arrives on a switch port, the switch looks at the destination MAC address and places the frame on the port associated with that address (which might be the port leading to another switch).

Switches are used primarily to improve performance. Given the scenario described earlier, multiple stations can transmit simultaneously without collision. Furthermore, switches can operate in full-duplex mode, meaning that a single station can both transmit and receive at the same time. A 10 Mbps switched Ethernet LAN, for example, can achieve performance similar to that of a 100-Mbps hubbed Ethernet LAN. (This was a real boon in those environments where it was not viable to upgrade 10-Mbps NICs and wiring.)

There is a subtle security ramification to the use of switches versus hubs. In particular, if a user places a packet sniffer on a hubbed LAN, the sniffer will see every frame because the hub simulates the broadcast environment. A packet sniffer on a switched network will not be as effective; it will only pick up those frames that are specifically addressed to the LAN broadcast address. That said, many switches come with an administrative port that can be set to monitor all ports for troubleshooting purposes.

6.6.3 Bridges. A bridge provides a point-to-point link between two LANs, usually those employing similar MAC schemes. Bridges operate at the MAC layer, and their operation is controlled by the MAC address.

Ethernet environments commonly employ learning bridges. In a very simple case, consider a bridge interconnecting two LANs, #1 and #2 (see Exhibit 6.15). When any LAN station sends a frame, both destination and source MAC addresses are included in the transmission. As frames appear on the networks, the bridge sees all of the source addresses and builds a table associating the MAC addresses with one LAN or the other, eventually learning the location of all of the network’s stations. This process is sometimes called backward learning because the bridge learns the location of stations that transmit.

EXHIBIT 6.15 Two LANs Interconnected via a Bridge (LAN #1 and LAN #2 joined by a bridge; four stations with MAC addresses 00-50-04-29-e7-01, ab-37-16-5a-68-10, ab-37-16-14-c8-32, and 11-34-f2-b8-89-73)

A bridge is a simple frame store-and-forward device. Like all stations on the LAN, a bridge examines the destination address of any transmitted frames. If a transmission on LAN #1 contains a destination address of a station on LAN #2, the bridge will forward the frame. If a transmission contains an unknown destination address, the bridge will also forward the frame.

Although a bridge bases its decisions on the MAC address, it is not an intelligent device; that is, it knows that a station with a particular MAC address is in one direction or another, but it does not know precisely where that station is. Because bridges have to build tables containing all of the stations’ addresses that they learn, bridges do not scale particularly well to large networks. Bridges also extend the broadcast domain (i.e., if a frame transmitted on LAN #1 is sent to the broadcast address, it will be forwarded to LAN #2).
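The backward-learning and flooding behaviour described in this section, and the hub-versus-switch exposure noted under Switches, as an added example that is not from the handbook: a Python simulation of a hub and a learning bridge (a switch forwards the same way) replaying a constructed traffic sample. Port numbers, the traffic sequence, and the passive monitoring station on port 4 are assumptions; the MAC addresses are those of Exhibit 6.15. The point for a defender is visible in the counts: a station on a switch port sees only broadcast and unknown-destination floods, unless the switch’s administrative monitor port is pointed at it, which is why that port deserves the same access control as the switch’s management interface.

```python
BROADCAST = "ff-ff-ff-ff-ff-ff"

# Station MACs from Exhibit 6.15; the port assignments are constructed for this example
STATION_A = "00-50-04-29-e7-01"   # port 1
STATION_B = "ab-37-16-5a-68-10"   # port 2
STATION_C = "ab-37-16-14-c8-32"   # port 3
UNKNOWN = "11-34-f2-b8-89-73"     # never transmits, so the bridge never learns its port
PORTS = [1, 2, 3, 4]              # port 4 holds a passive monitoring station that never transmits


class Hub:
    """Physical-layer repeater: a frame arriving on one port is copied to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, sa, da):
        return {p for p in self.ports if p != in_port}


class LearningBridge:
    """MAC-layer store-and-forward device using backward learning."""

    def __init__(self, ports, monitor_port=None):
        self.ports = list(ports)
        self.table = {}                    # MAC address -> port it was last seen on
        self.monitor_port = monitor_port   # administrative port mirroring all traffic, if set

    def forward(self, in_port, sa, da):
        self.table[sa] = in_port           # backward learning: the sender lives behind in_port
        if da == BROADCAST or da not in self.table:
            out = {p for p in self.ports if p != in_port}   # flood: broadcast or unknown destination
        else:
            out = {self.table[da]} - {in_port}              # forward to the learned port, or filter
        if self.monitor_port is not None and self.monitor_port != in_port:
            out.add(self.monitor_port)                      # mirror for troubleshooting
        return out


def replay(device, traffic):
    """Feed (in_port, sa, da) triples through a device; return frames delivered per port."""
    delivered = {p: 0 for p in device.ports}
    for in_port, sa, da in traffic:
        for p in device.forward(in_port, sa, da):
            delivered[p] += 1
    return delivered


# Constructed traffic sample: one broadcast, four unicast exchanges, one unknown destination
TRAFFIC = [
    (1, STATION_A, BROADCAST),
    (2, STATION_B, STATION_A),
    (1, STATION_A, STATION_B),
    (3, STATION_C, STATION_B),
    (1, STATION_A, STATION_C),
    (2, STATION_B, UNKNOWN),
]


def learned_table():
    """The MAC-to-port table a bridge builds purely from observed source addresses."""
    bridge = LearningBridge(PORTS)
    replay(bridge, TRAFFIC)
    return dict(bridge.table)


def frames_visible_on_port(port):
    """How many of the TRAFFIC frames a station on `port` receives through each device type."""
    return {
        "hub": replay(Hub(PORTS), TRAFFIC)[port],
        "switch": replay(LearningBridge(PORTS), TRAFFIC)[port],
        "switch_with_monitor_port": replay(LearningBridge(PORTS, monitor_port=port), TRAFFIC)[port],
    }


if __name__ == "__main__":
    print("learned:", learned_table())
    print("port 4 sees:", frames_visible_on_port(4))
```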

6.6.4 Routers. A router is conceptually similar to a bridge in that it is also a store-and-forward device. A router, however, works at the Network Layer and is therefore a much more powerful device than a bridge. As Exhibit 6.16 shows, every LAN device has both a MAC (hardware) and Network Layer (software) address (in this case, IP is the sample Network Layer address). Because Network Layer addresses are hierarchical, the networks themselves have a network identifier number (the NET ID in Exhibit 6.16). Network Layer addresses are well suited to environments where intermediate devices have to find a best route between networks.

Like a bridge, a router is considered to be just another station on a LAN to which it is attached. If the router sees a transmission on LAN #1 (with a NET ID of 192.168.16.0) containing a destination address of a station on another network, it will route the packet to the correct destination network, even if that means going through another router to get there.

This example also demonstrates another major difference between bridges and routers. In a bridged environment, a station on LAN #1 sends a frame to some MAC address and has no knowledge of whether the intended destination is on the same LAN or not; the bridge will forward the frame if necessary, but this is all transparent to sender and receiver. In a routed environment, however, the sender can tell if the receiver is on the same or different network merely by examining the destination network address. In fact, the router only gets involved if the packet has to leave the local network; that is why in an IP environment, for example, an address of a default gateway (router) has to be provided.

EXHIBIT 6.16 Two LANs Interconnected via a Router. LAN #1 (NET_ID=192.168.16.0): MAC 00-50-04-29-e7-01 / IP 192.168.16.5 and MAC ab-37-16-5a-68-10 / IP 192.168.16.12; router interface IP 192.168.16.1. LAN #2 (NET_ID=172.28.0.0): MAC ab-37-16-14-c8-32 / IP 172.28.99.132 and MAC 11-34-f2-b8-89-73 / IP 172.28.15.4; router interface IP 172.28.0.1.

Routers also limit the broadcast domain. If a station on LAN #1 transmits a frame using the broadcast MAC address, the frame goes no further than the router.

Routers build their routing tables very differently than bridges. Whereas bridges learn the relative location of a station by observing a frame’s source address, routers learn Network Layer addresses by the use of routing protocols that allow groups of routers to exchange routing information (note 13).
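The two decisions described above for Exhibit 6.16, as an added example that is not from the handbook: the sending host compares the destination against its own NET ID to choose between direct delivery and the default gateway, and the router then does a longest-prefix lookup in its table. The addresses are those of Exhibit 6.16; the prefix lengths (/24 and /16) and the “upstream” default route are assumptions, and 203.0.113.7 is a documentation-range address used only as a sample off-network destination.

```python
import ipaddress

# NET IDs from Exhibit 6.16; the prefix lengths are assumed (the exhibit gives only the network numbers)
LAN1 = ipaddress.ip_network("192.168.16.0/24")
LAN2 = ipaddress.ip_network("172.28.0.0/16")
LAN1_GATEWAY = "192.168.16.1"   # the router's LAN #1 interface, i.e. the hosts' default gateway

# Router's table: directly connected networks plus an assumed default route to another router
ROUTES = [
    (LAN1, "LAN#1"),
    (LAN2, "LAN#2"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def host_next_hop(host_ip, prefix_len, dst_ip, default_gateway):
    """Sender's decision: same NET ID -> deliver on the LAN; otherwise hand to the default gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return ("direct", dst_ip)
    return ("default-gateway", default_gateway)


def router_lookup(dst_ip, routes=ROUTES):
    """Router's decision: longest-prefix match over its table; None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net, via) for net, via in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]   # most specific route wins


def trace(src_ip, dst_ip):
    """Path of a packet from a LAN #1 host: local delivery never involves the router."""
    hop, via = host_next_hop(src_ip, LAN1.prefixlen, dst_ip, LAN1_GATEWAY)
    if hop == "direct":
        return ["LAN#1"]
    return ["LAN#1", f"router {via}", router_lookup(dst_ip)]


if __name__ == "__main__":
    print(trace("192.168.16.5", "192.168.16.12"))   # same network
    print(trace("192.168.16.5", "172.28.99.132"))   # routed to LAN #2
    print(trace("192.168.16.5", "203.0.113.7"))     # routed upstream
```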

6.6.5 Summary. Hubs, switches, bridges, and routers are all commonly employed LAN interconnection devices. These are tools in the kit of everyone who works with LANs, as the building blocks of everything from small and intermediate-size local networks to large enterprise networks and the global Internet.

6.7 NETWORK OPERATING SYSTEMS. Just as an operating system manages computer resources, a network operating system (NOS) provides the software that controls the resources of a LAN. NOSs generally comprise software that provides at least these functions:

• Hardware drivers are the software that allows the NOS to communicate with the NIC.

• Communications software allows applications running on different LAN nodes to communicate.

• Services are the functional aspects of the NOS and the reason that people use a LAN in the first place. Sample services include file services (file sharing), print services (commonly shared printers), message services (email), communication services (LAN access to the Internet), and fax services (commonly shared facsimile).

NOSs are typically classified as being peer to peer or client/server. A peer-to-peer LAN allows any LAN node to communicate with any other LAN node, and any LAN node can provide services to other nodes. In a client/server (or server-based) environment, every node is either a client or a server. In this scenario, servers are special nodes that offer services to other servers or to clients, while clients are the ordinary end-user workstations. Clients can only communicate with a server.

When evaluating or investigating the security of a LAN, the software is the most common point of exposure, vulnerability, and exploitation, particularly for remote attacks.

Some sample NOSs that have had historical significance include:

AppleTalk. Apple Macs have come with integrated LAN capabilities since their inception in 1985. Originally using a scheme called LocalTalk, AppleTalk was a peer-to-peer network running over a 10-Mbps CSMA/CD LAN. The Network Layer protocol historically associated with AppleTalk was called the Datagram Delivery Protocol (DDP). Apple dropped support for AppleTalk in 2009 and supports TCP/IP-based networking.

Microsoft Networking. Microsoft operating systems have come with LAN capabilities since Windows for Workgroups (WfW or Windows 3.11). Employing a nonroutable protocol called the Network Basic Input/Output System (NetBIOS) Extended User Interface (NetBEUI), Windows client systems (Windows 3.11 and later) can be easily used to build an inexpensive, simple peer-to-peer LAN for file and print sharing. NetBEUI is nonroutable because it does not provide an addressing mechanism to allow interconnected yet distinct NetBEUI subnetworks; if two NetBEUI networks are attached in any way, they will appear to be one large network. (This is why the hard drive of improperly configured Windows systems can be viewed from across the Internet.) Microsoft defined NetBIOS over TCP/IP (NBT) in the 1980s to support encapsulation of NetBIOS messages in TCP and UDP messages. Most Microsoft networking today relies more on TCP/IP than NetBEUI.

Microsoft Windows Server (including Windows NT Server, Windows Server 2003, Windows Server 2008, and Windows Server 2012). The NOS of choice for Windows network environments, Windows Server is Microsoft’s client/server operating system. Client systems can run nearly any Windows operating system, from Windows XP or NT Workstation to Windows VISTA, Windows 7, or Windows 8. Clients on a Windows Server network themselves can form a peer-to-peer network. Microsoft networking is reliant on Active Directory and TCP/IP.

Novell NetWare. Novell offered one of the first PC-class networks in the early 1980s using a proprietary star-based LAN. By the 1990s, NetWare was the best-known client/server NOS and accounted for more than 70 percent of the NOS market. The Network Layer protocol associated with classical NetWare is the Internetwork Packet Exchange (IPX) protocol. By the turn of the century, Microsoft was eating dramatically into NetWare’s popularity and TCP/IP was dominating as the protocol-of-choice. At around this time, Novell embraced Linux and TCP/IP, and NetWare has been replaced with the Open Enterprise Server.

UNIX and Linux. TCP/IP has been the network communications protocol for UNIX systems since 1984, allowing UNIX-based hosts to build client/server (and, ultimately, peer-to-peer) networks. TCP/IP has also been integral to Linux since its inception in 1991. With TCP/IP, any system can run server (daemon) software to provide services to other systems, so that any system can act as a client or server, depending on application.

6.8 SUMMARY. Exhibit 6.17 shows a possible network design that includes many of the elements that have been described in this chapter (and a few that have not). This network’s router provides the interface to the Internet and is attached via some sort of dedicated connection, such as a point-to-point 56 Kbps or T1 (1.544 Mbps) leased line, frame relay, or digital subscriber line.

In this scenario, the router is physically located at the main site. From a security perspective, the organization may segment its network into an external and internal side, the internal being protected by a firewall (note 14). The external network includes the router, public Web server, and firewall. Those three systems are interconnected through a hub to which they each attach via a Cat 5 UTP cable. In this scenario, the hub could actually implement 10BASE-T or 100BASE-T Ethernet, or even a token ring.

EXHIBIT 6.17 LAN Scenario. Customer Premises (Main Site): Router with a dedicated connection to the Internet via DDS (56 kbps), T1, frame relay, DSL, etc.; “External” hub connecting the Router, Public Web-server, and Firewall; “Internal” switches connecting the E-mail Server, Print/File Server, Internal Web Server, and User Workstations; a Bridge with a privately owned fiber link between the two local sites to a Bridge and Hub at Customer Premises (Building #2).

The external and internal networks are connected through the firewall, which, in this case, will have two NICs. The two networks are separate and distinct; the firewall does not extend the broadcast domain of either network, and, in fact, these two networks would have different IP network identifiers.

The internal network at the main site is a collection of servers and user workstations that are interconnected via a set of switches. In this example, these are 8-port 100-Mbps Ethernet switches. Since there are more than 8 devices, the switches themselves need to be interconnected. There are several options for that:

• Stackable switches physically attach to each other, extending the switch’s backplane to create a larger switch (in this case, a 16-port switch).

• An optical fiber link can be used to interconnect the switch, usually at backplane speeds in the 1+-Gbps range.

• A UTP link might be used to interconnect the switches via two of the 100-Mbps ports.

To connect the LAN in Building #2 with the LAN at the main site, a point-to-point connection between a pair of bridges would suffice. In this case, the buildings are several kilometers apart, necessitating use of optical fiber.

In Building #2, there is another hub-based LAN, with a laptop using wireless technology, communicating with an access node that is also attached to the hub.

This chapter has only skimmed the surface of LAN concepts, standards, and technologies. Their study is important to the security professional, however, because LANs are the basis of all networking. As a network of networks, the Internet comprises millions of local networks. This chapter indicates many of the points of potential vulnerability or compromise in a system.

6.9 FURTHER READING

Cisco Systems. Internetworking Technology Handbook. Cisco DocWiki Website. June 20, 2012. http://docwiki.cisco.com/wiki/Internetworking Technology Handbook

Gast, M. “Wireless LAN Security: A Short History.” O’Reilly | Wireless Devcenter Website. April 19, 2002. www.oreillynet.com/pub/a/wireless/2002/04/19/security.html

Mikalsen, A., and P. Borgesen. Local Area Network Management, Design and Security: A Practical Approach. Hoboken, NJ: John Wiley & Sons, 2002.

Riley, S., and R. A. Breyer. Switched, Fast, and Gigabit Ethernet, 3rd ed. Indianapolis, IN: New Riders Publishing, 1998.

Stallings, W., and T. Case. Business Data Communications: Infrastructure, Networking and Security, 7th ed. Upper Saddle River, NJ: Prentice-Hall, 2012.

6.10 NOTES 1. See Chapter 5 in this Handbook for additional background information on LANs

and WANs. 2. See Sections 22.4.5 and 23.9.1 in this Handbook for further discussion of wiretaps. 3. It is an interesting point of trivia to note that the original frequency-hopping spread

spectrum technique was coinvented by Hollywood star Hedy Lamarr in 1940 and given, free of charge, to the U.S. Navy.

4. See Chapter 33 in this Handbook for more details of wireless LAN security. 5. M. Kende, “Internet Global Growth: Lessons for the Future,” Analysys Mason

Knowledge Centre (Website), 2012, www.analysysmason.com/internet-global- growth-lessons-for-the-future (p. 14).

6. Since CSMA/CD transmits with a probability of 1, it is sometimes referred to as being 1-persistent.

7. As an aside, although the station can experience 16 collisions, the probability of transmission will never fall below 1/1024, or 2-10, since Ethernet and IEEE 802.3 do not allow more than 1,024 devices on the network. This is the source of the word “truncated” in the name of the scheme.

8. Up-to-date status information about the 802 committee can be found at the LAN/MAN Standards Committee Web site at http://grouper.ieee.org/groups/802/.

9. A WG is disbanded when it is considered that there is no more work for the IEEE to undertake in this topic area.

10. A WG will go into hibernation when there are no new projects to undertake. This status indicates a WG that has reached status quo.

11. The term “special symbol” requires explanation. The signaling scheme used in the token ring PHY standard is called Differential Manchester. In this signaling scheme, the signal is at a positive voltage for half of the bit time and at a negative voltage for the other half of the bit time, meaning that each bit has a sum total of 0 volts (resulting in what is sometimes called DC balancing). The J and K symbols are Differential Manchester code violations, where one symbol is at negative voltage for an entire bit time and the other at positive voltage for an entire bit time. These code violations have the benefit of being able to indicate special events and can be used for synchronization. J and K symbols are always used in pairs to maintain DC balancing.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

12. Source routing is a rarely used option in IP and is, in fact, a security problem: it lets the sender dictate the path a packet takes, which can be used to steer traffic around filtering devices or to get replies to a spoofed source address delivered to the attacker. Firewall administrators therefore routinely set up filters to block IP packets carrying source-routing options. Source routing in an 802.5 network, however, is a normal feature and is not considered a security threat, because that information has no impact on the WAN.

13. In the IP environment, common routing protocols include the Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).

14. This is a very simplistic firewall design with an internal and an external network. The focus of this diagram is on the LAN components, however, rather than on the specific security architecture.


CHAPTER 7

ENCRYPTION

Stephen Cobb and Corinne LeFrançois

7.1 INTRODUCTION TO CRYPTOGRAPHY
    7.1.1 Terminology
    7.1.2 Role of Cryptography
    7.1.3 Limitations

7.2 BASIC CRYPTOGRAPHY
    7.2.1 Early Ciphers
    7.2.2 More Cryptic Terminology
    7.2.3 Basic Cryptanalysis
    7.2.4 Brute Force Cryptanalysis
    7.2.5 Monoalphabetical Substitution Ciphers
    7.2.6 Polyalphabetical Substitution Ciphers
    7.2.7 The Vigenère Cipher
    7.2.8 Early-Twentieth-Century Cryptanalysis
    7.2.9 Adding up XOR

7.3 DES AND MODERN ENCRYPTION
    7.3.1 Real Constraints
    7.3.2 One-Time Pad
    7.3.3 Transposition, Rotors, Products, and Blocks
    7.3.4 Data Encryption Standard
    7.3.5 DES Strength
    7.3.6 DES Weakness

7.4 PUBLIC KEY ENCRYPTION
    7.4.1 Key-Exchange Problem
    7.4.2 Public Key Systems
    7.4.3 Authenticity and Trust
    7.4.4 Limitations and Combinations

7.5 PRACTICAL ENCRYPTION
    7.5.1 Communications and Storage
    7.5.2 Securing the Transport Layer
    7.5.3 X.509v3 Certificate Format

7.6 BEYOND RSA AND DES
    7.6.1 Elliptic Curve Cryptography
    7.6.2 RSA Patent Expires
    7.6.3 DES Superseded
    7.6.4 Quantum Cryptography
    7.6.5 Snake Oil Factor

7.7 STEGANOGRAPHY

7.8 FURTHER READING

7.9 NOTES

7.1 INTRODUCTION TO CRYPTOGRAPHY. The ability to transform data so that they are accessible only to authorized persons is just one of the many valuable services performed by the technology commonly referred to as encryption. This technology has appeared in other chapters, but some readers may not be familiar with its principles and origins. The purpose of this chapter is to explain encryption technology in basic terms and to describe its application in areas such as file encryption, message scrambling, authentication, and secure Internet transactions. This is not a theoretical or scientific treatise on encryption, but a practical guide for those who need to employ encryption in a computer security context.

Organizations around the world increasingly rely on cryptography to communicate securely and to store information safely. Typically, the algorithms used by Department of Defense (DoD) organizations are employed and maintained for many years. For example, the Data Encryption Standard (DES) has been used in some form for over 20 years.1

This chapter is a brief overview of cryptography and its practical applications to the needs of normal business users, as distinct from the needs of high-security government agencies. A thorough examination of the mathematics that are the foundation of these topics is beyond the scope of this chapter, but we provide suggested readings for further study.

7.1.1 Terminology. This list of basic terms will be helpful for readers as they continue through this chapter:

Algorithm—a finite list of well-defined instructions for accomplishing some task that, given an initial state, will terminate in a defined end state.

Cipher—the core algorithm used to encrypt data. A cipher transforms plaintext into ciphertext that is not reversible without a key.

Ciphertext—text in encrypted form, as opposed to the plaintext. We show ciphertext in UPPERCASE throughout this chapter.

Codes—a list of equivalences (a codebook) that allows the substitution of meaningful text for words, phrases, or sentences in an innocuous message; for example, “I will buy flowers for Mama tomorrow for her party at 7 pm” might be decoded to mean “Launch the attack on the mother ship next week on Sunday.”

Decrypt/Decipher—the process of retrieving the plaintext from the ciphertext.

Encrypt/Encipher—to alter plaintext using a cipher and a secret key so that it is unintelligible to unauthorized parties.

Key—the secret value (a word, a number, or a string of bits) that selects which particular transformation a cipher applies. The same algorithm used with a different key yields different ciphertext; the algorithm may be public, but the key must be kept secret.

Plaintext—the original message to be encoded or enciphered. We show plaintext in lowercase throughout this chapter.

The science of cryptology (sometimes abbreviated as crypto) is the study of secure communications, formed from the Greek words κρυπτός (kryptos), meaning “hidden,” and λόγος (logos), “word.” More specifically, it is the study of two distinct, yet highly intertwined, fields: cryptography and cryptanalysis. Cryptography is “the science of coding and decoding messages so as to keep these messages secure.”2

Cryptanalysis is the art and science of “cracking codes, decoding secrets, violating authentication schemes, and in general, breaking cryptographic protocols,”3 all without knowing the secret key. Systems for encrypting information are referred to as cryptosystems.

Systems for encrypting information may also be referred to as ciphersystems, from cipher, meaning “zero” or “empty” (a word rooted in the Arabic sifr). Terms using cipher and crypto are interchangeable, with some authors preferring cipher to avoid the religious and cultural connotations of crypt, a word with the same root as “encryption.” Thus, encryption may be referred to as encipherment, decryption as decipherment, and so on.

EXHIBIT 7.1 Diagram of Cryptographic Terms. The unscrambled original message, file, or document (plaintext, shown as rosebud) passes through the scrambling or encoding process (encryption) under the key to encrypt, producing the scrambled, encoded message (ciphertext, shown as DTRYUPI); the unscrambling or decoding process (decryption) under the key to decrypt returns the unscrambled, decoded message (plaintext, rosebud again).

The most obvious use of encryption is to scramble the contents of a file or message, using some form of shared secret as a key. Without the key, the scrambled data remain hidden and cannot be unscrambled or decrypted. The total number of possible keys for an encryption algorithm is called the keyspace. The keyspace is a function of the length of the key and the number of possible values in each position of the key. For a key length of n positions, with each position having v possible values, the keyspace for that key is v^n. For example, with three positions and two values per position (e.g., 0 or 1), the possible keys would be 000, 001, 010, 011, 100, 101, 110, and 111, for a total keyspace of 2^3 = 8.

In cryptographic terms, the contents of a file before encryption are plaintext, while the scrambled or encoded file is known as ciphertext (see Exhibit 7.1). As a field of intellectual activity, cryptology goes back many millennia. Used in ancient Egypt, China, and India, it was discussed by the Greeks and regularly employed by the Romans. The first European treatise on the subject appeared in the fourteenth century. The subject assumed immense historic importance during both world wars. The British success in breaking codes that the Germans used to protect military communications in World War II was a major factor in both the outcome of the war and in the development of the first electronic computer systems.

Since then, cryptography and computer science have developed hand in hand. In 1956, the United States National Security Agency (NSA), the U.S. Government department in charge of monitoring the worldwide flow of information, began funding improvements in computer hardware, pumping some $25 million into Project Lightning. This five-year development effort, intended to produce a thousand-fold increase in computing power, resulted in over 150 technical articles. It also gave rise to more than 300 patent applications and succeeded in advancing the frontiers of hardware design. The NSA, based in Fort Meade, Maryland, was also involved in the creation of DES as the commercial encryption standard for much of the last 20 years. Today, the NSA is widely believed to have the world’s largest collection of supercomputers and the largest staff of cryptanalysts.

7.1.2 Role of Cryptography. The central role of cryptography in computer security is ensuring the confidentiality of data. But cryptography can support other pillars of computer security, such as integrity and authenticity. This section looks at the different roles of cryptography.


7.1.2.1 Confidentiality. The role of encryption in protecting confidentiality can be seen in a classic definition of encryption: “Encryption is a special computation that operates on messages, converting them into a representation that is meaningless for all parties other than the intended receiver.”4

Much of the literature on cryptography discusses the technology in terms of ensuring the confidentiality of messages, but this is functionally equivalent to protecting the confidentiality of data. The use of the term “message” reflects the traditional use to which cryptography has been put, both before and after the advent of computers. For example, Julius Caesar encrypted messages to Cicero 2,000 years ago, while today messages between a Web browser and a Web server are encrypted when performing a “secure” transaction.

When applying cryptography to computer security, it is sometimes appropriate to substitute the term “files” for “messages.” For example, hard drive encryption programs protect data files stored on a hard drive. However, data files take the form of messages when they are transferred from one computer to another, across a network, the Internet, or via phone lines. Practically speaking, data being transferred in this manner are exposed to a different set of dangers from those that threaten data residing on a computer in an office. Thus, the use of encryption to render files useless to anyone other than an authorized user is relevant both to files in transit and to those that reside on a server or a stand-alone computer, particularly when the latter is a laptop, notebook, or PDA.

7.1.2.2 Integrity. In the second half of the last century, following the advent of programmable computer systems, the ability of cryptography to transform data was applied in many new and interesting ways. As will be seen in a moment, many cryptographic techniques use a lot of mathematical calculation. The ability of computers to perform many calculations in a short period of time greatly expanded the usefulness of cryptography, and also inspired the development of ever-stronger ciphersystems.

Maintaining the integrity of data is often as important as keeping them confidential. When writing checks, people take pains to thwart alteration of the payee or the amount. In some cases, integrity is more important than confidentiality. Changing the contents of a company press release as it passes from the company to the press could have serious consequences. It is not only human actions that threaten data integrity; mechanical failures and logical errors can also change data. It is vital that such changes be detected, as was discussed in Chapter 4 of this Handbook, where it was observed that “[a]ll data movements and translations increase the likelihood of internal error, and for this reason parity checks and validity tests have become indispensable.”

That chapter covered the role of parity bits for error detection, the function of redundancy checks, and the use of checksums to provide a modification-detection capability. Parity and plain checksums catch accidents only: anyone who can alter the data can also recompute the check value. A Message Authentication Code (MAC), a keyed cryptographic hash or checksum, protects against intentional but unauthorized modification as well as against accidental modification. A MAC is calculated by applying a cryptographic algorithm and a secret value, called the key, to the data. The data are later verified by applying the same algorithm and the same secret key to the data to produce another MAC, which is then compared to the MAC that accompanied the data. If the two MACs are equal, the data are considered authentic; otherwise, an unauthorized modification is assumed, because a party who does not know the key cannot calculate the MAC that corresponds to the altered data. Note that a MAC requires sender and receiver to share the same secret key. Exhibit 7.2 shows the analogous construction using a public key cryptosystem (discussed later), in which the tag is computed with the originator’s private key and checked with the matching public key; that variant is a digital signature, and it allows anyone holding the public key, not only a holder of a shared secret, to verify the data.
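A worked example of the MAC check described above, added here and not part of the original chapter: it uses HMAC-SHA256 from Python's standard library over a constructed shared key and a constructed payment message, verifies the tag, and shows that a one-digit change to the amount is detected and that a party who does not hold the key cannot produce a tag the receiver accepts. The key and message values, and the use of a constant-time comparison, are this example's choices rather than the chapter's.

```python
import hashlib
import hmac
import secrets

# Constructed sample values. The shared key would normally be generated once
# (for example with secrets.token_bytes(32)) and delivered to both parties out
# of band; it is never sent alongside the message it protects.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)   # 32 bytes
MESSAGE = b"PAY TO: ACME Corp  AMOUNT: 1000.00  REF: 20140317-001"


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Tag = HMAC-SHA256(key, data): same key and same data give the same tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag for the received data and compare it to the received tag.

    hmac.compare_digest runs in time independent of where the first mismatch
    is; a plain '==' on bytes stops at the first differing byte, which lets an
    attacker learn a valid tag one byte at a time by timing the responses.
    """
    return hmac.compare_digest(compute_mac(key, data), tag)


def demo() -> dict:
    tag = compute_mac(SHARED_KEY, MESSAGE)

    # 1. The untampered message, checked with the shared key, verifies.
    ok = verify_mac(SHARED_KEY, MESSAGE, tag)

    # 2. An attacker changes one digit of the amount but cannot fix the tag.
    tampered = MESSAGE.replace(b"1000.00", b"9000.00")
    tampered_ok = verify_mac(SHARED_KEY, tampered, tag)

    # 3. An attacker who computes a fresh tag with a key of their own (they do
    #    not have SHARED_KEY) is rejected by the receiver.
    forged_tag = compute_mac(secrets.token_bytes(32), tampered)
    forged_ok = verify_mac(SHARED_KEY, tampered, forged_tag)

    return {"tag_hex": tag.hex(), "ok": ok,
            "tampered_ok": tampered_ok, "forged_ok": forged_ok}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiver must know nothing about the message in advance: it recomputes the tag from whatever arrived and compares. That is also why a MAC alone gives no nonrepudiation; both parties hold the key, so either could have produced the tag.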


EXHIBIT 7.2 Message Authentication Code Using Public Key Cryptosystem Source: Copyright © 2008 M. E. Kabay. Used with permission.

7.1.2.3 Authentication. In the context of computer security, authentication is the ability to confirm the identity of users. For example, many computers now ask users to log on before they can access data. By requesting a user name and password, systems attempt to assure themselves that only authentic users can gain access. How- ever, this form of authentication is limited—it merely assures that the person logging on is someone who knows a valid user name and password pair. Cryptography plays a very important role in efforts to ensure stronger authentication, from encrypting the password data to the creation and verification of electronic identifiers such as digital signatures. These will be described in more detail later in this chapter, along with the differences between public key and private key cryptography, both of which may be used in these schemes.

Using a public key system, documents in a computer system can be electronically signed by applying the originator’s private key to the document. The resulting digital signature and document then can be stored or transmitted. The signature can be verified using the public key of the originator. If the signature verifies properly, the receiver has confidence that the document was signed using the private key of the originator and that the message had not been altered after it was signed. Because private keys are known only to their owner, it is also possible to verify the originator of the information to a third party.

7.1.2.4 Nonrepudiation. An aspect of computer security that has increased greatly in significance, due to the growth in internetwork transactions, is nonrepudiation. For example, if someone places an electronic order to sell stocks that later increase in value, it is important to prove that the order definitely originated with the individual who placed it. Made possible by public key cryptography, nonrepudiation helps ensure that the parties to a communication cannot deny having participated in all or part of the communication.
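A worked example of the signing and verification described under Authentication and Nonrepudiation above, added here and not taken from the chapter: textbook RSA, where the signature is H(document)^d mod n and verification checks that signature^e mod n equals H(document). It shows that only the holder of the private key can produce a signature the public key accepts, that any change to the document after signing breaks verification, and that a third party holding only the public key can check it, which is the basis of nonrepudiation. The small fixed primes, the reduction of the hash modulo n and the absence of a padding scheme are assumptions made for illustration only; real systems use randomly generated primes giving a modulus of at least 2048 bits with a padding scheme such as RSASSA-PSS, or a curve signature such as Ed25519, through a vetted library.

```python
import hashlib
from math import gcd

# Toy RSA parameters: small fixed primes chosen for illustration only (an
# assumption of this example, not a usable key).
P, Q = 1299709, 15485863        # the 100,000th and the 1,000,000th primes
E = 65537                       # the conventional public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Return (public, private) = ((n, e), (n, d)), with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (n, e), (n, pow(e, -1, phi))      # modular inverse (Python 3.8+)


def digest(document: bytes, n: int) -> int:
    """SHA-256 of the document, reduced into Z_n. Signing a hash rather than the
    document keeps the signature a fixed size while binding every byte of it."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(private_key, document: bytes) -> int:
    """Signature = H(document)^d mod n: only the holder of d can compute this."""
    n, d = private_key
    return pow(digest(document, n), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Anyone holding (n, e) checks that signature^e mod n == H(document)."""
    n, e = public_key
    return pow(signature, e, n) == digest(document, n)


def demo() -> dict:
    public, private = make_keypair(P, Q)
    # Constructed sample document: the electronic sell order from the text.
    order = b"SELL 500 shares of ACME at market; account 12345"
    sig = sign(private, order)

    # A third party (broker, auditor) holding only the public key verifies it.
    genuine = verify(public, order, sig)
    # Any change made after signing breaks verification.
    altered = verify(public, order.replace(b"500", b"5000"), sig)
    # An impostor with a key pair of their own (different toy primes, the
    # 10,000th and 2,000,000th) cannot produce a signature that the originator's
    # public key accepts, so the originator cannot credibly deny a valid one.
    _, impostor_private = make_keypair(104729, 32452843)
    impostor = verify(public, order, sign(impostor_private, order))
    return {"genuine": genuine, "altered": altered, "impostor": impostor}


if __name__ == "__main__":
    print(demo())
```

Compare this with the MAC: verification here needs no secret at all, which is what lets an uninvolved third party settle a dispute about who signed.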

7.1.3 Limitations. One role that cryptography cannot fill is defense against data destruction. Although encryption does not assure availability, it does represent a very valuable extra line of defense for computer information when added to physical se- curity, system access controls, and secure channels of communication. Indeed, when computers are mobile, or data are being communicated over insecure channels, encryp- tion may be the main line of defense. However, even though applied cryptography can provide computer users with levels of security that cannot be overcome without spe- cialized knowledge and powerful computers, encryption of data should not be thought of as an alternative to, or substitute for, system access control. According to Seberry and Pieprzyk5, the role of cryptography is to protect “information to which illegal access is possible and where other protective measures are inefficient.”

Encryption-based file access controls should be a third barrier after site and system access controls, if for no other reason than that encryption systems alone do little to prevent people deleting files.

7.2 BASIC CRYPTOGRAPHY. The aim of cryptography is to develop systems that can encrypt plaintext into ciphertext that is indistinguishable from a purely random collection of data. This implies that all of the possible decrypted versions of the data except one will be hopelessly ambiguous, with none more likely to be correct than any of the others. One of the simplest ways to create ciphertext is to represent each character or word in the plaintext by a different character or word in the ciphertext, such that there is no immediately apparent relationship between the two versions of the same text.

7.2.1 Early Ciphers. It is believed that the earliest text to exhibit the baseline attribute of cryptography, having a slight modification of the text, occurred in Egypt nearly 4,000 years ago. A scribe used a number of unusual symbols to confuse or obscure the meaning of the hieroglyphic inscriptions on the tomb of a nobleman named Khnumhotep II.6

It is also believed that the first effective military use of cryptography was a simple transposition cipher (see Section 7.3.3) by the Spartans, who “as early as 400 BCE employed a cipher device called the scytale for secret communication between military commanders.”7 The scytale was a cylindrical or tapered stick with a thin strip of leather or parchment wrapped around it spirally.8 The message to be hidden was written lengthwise with no blank spaces. When unraveled, the parchment appeared to hold nothing but random letters. To read the parchment, the recipient had to have a stick with exactly the same dimensions as the sender. The distribution of appropriate decoding scytales took place before the military commanders departed for the field.9

For example, a particular combination of stick and strip could allow the cleartext (shown in lowercase):

atheniantroopswithinonedaysmarchofromebereadynow


EXHIBIT 7.3 Scytale in Use Source: Copyright © 2008 M. E. Kabay. Used with permission.

to be broken into six rows of eight letters, written across the rolled-up strip in this way:

athenian

troopswi

thinoned

aysmarch

ofromebe

readynow

The message might appear on the scytale as shown schematically in Exhibit 7.3. Reading the unwrapped strip without the stick, that is, reading the six rows column by column, would produce this ciphertext (shown in uppercase):

ATTAORTRHYFEHOISRAEONMODNPOAMYISNRENAWECBONIDHEW
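The scytale as a program, added here as an example that is not part of the chapter: the rod's circumference in letters (six in the text) is the key, encryption writes the message in rows of that many and reads the columns, and decryption rewraps the strip. It reproduces the six-row ciphertext above, recovers the plaintext, and shows that a rod of the wrong size yields garbage. Padding a short final row with the letter x is this example's assumption.

```python
# Scytale (a columnar transposition): the number of rows is the shared key.
ROWS = 6                       # assumption: the rod holds six letters around

def scytale_encrypt(plaintext: str, rows: int) -> str:
    """Write the letters row by row around the rod, then read them off column
    by column (what the unwrapped strip shows). Keeps letters only; a final
    partial row is padded with 'x' so that every column is full."""
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    while len(text) % rows:
        text += "x"
    width = len(text) // rows                  # letters per row
    grid = [text[r * width:(r + 1) * width] for r in range(rows)]
    return "".join(grid[r][c] for c in range(width) for r in range(rows)).upper()

def scytale_decrypt(ciphertext: str, rows: int) -> str:
    """Rewrap the strip: consecutive runs of `rows` letters are the columns, and
    the plaintext is read along the rows."""
    text = ciphertext.lower()
    width = len(text) // rows
    columns = [text[c * rows:(c + 1) * rows] for c in range(width)]
    return "".join(columns[c][r] for r in range(rows) for c in range(width))

def demo() -> dict:
    plaintext = "atheniantroopswithinonedaysmarchofromebereadynow"
    ct = scytale_encrypt(plaintext, ROWS)
    return {
        "ciphertext": ct,
        "right_rod": scytale_decrypt(ct, ROWS),     # the commander's own stick
        "wrong_rod": scytale_decrypt(ct, ROWS - 1), # an interceptor's guess
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyspace here is tiny (only as many rods as there are plausible circumferences), which is why transposition is combined with substitution in later systems (Section 7.3.3).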

“The first attested use of [a substitution cipher] in military affairs comes from the Romans.”10 During that time, Julius Caesar encoded all his messages by simply replacing every letter with the letter three positions away. For example, the letter a would become the letter d, the letter b would become the letter e, and so on. Now called the Caesar cipher, this scheme is the best known of all the monoalphabetic algorithms (see Section 7.2.5).11 Consider the Caesar cipher illustrated in the next comparison using the modern English alphabet, with the letters of the alphabet simply shifted three places.

Plaintext:  abcdefghijklmnopqrstuvwxyz
Ciphertext: DEFGHIJKLMNOPQRSTUVWXYZABC

To encrypt a message, the sender finds each letter of the message in the plaintext alphabet and uses the letter below it in the ciphertext alphabet. Thus, the clear message:

Plaintext: beware the ides of march

is transformed into the encrypted message:

Ciphertext: EHZDUH WKH LGHV RI PDUFK


EXHIBIT 7.4 Code Wheels and the NSA Seal

This type of cipher is known as a substitution cipher. Although the Caesar cipher is relatively simple, substitution ciphers can be very powerful. Most examples of the Caesar cipher shift the alphabet three places, as shown, so that the ciphertext line begins with d, but some authors suggest Caesar might have used other numbers, so the term “Caesar cipher” is used for all ciphers that conform to this algorithm (an algorithm being a formula or recipe for solving a problem).

This level of encryption might seem rudimentary, but it is an important starting point for much that follows. For example, one way to visualize the Caesar cipher is as a pair of rings, one inside the other, as shown in Exhibit 7.4. Both circles contain the letters of the alphabet. If one is rotated relative to the other, the result is a cipher wheel, something well suited to automation. Eventually this happened, at first mechanically, then electrically, and today digitally. Automation facilitates repetition, and messages encrypted with a substitution cipher can be more difficult to decipher if multiple different substitutions are used. Thus, the code wheel earned a place in the seal of the NSA, the U.S. government agency most influential in the development of encryption.

7.2.2 More Cryptic Terminology. The key or password for the Caesar cipher presented in the last section is the number of places the alphabet has been shifted, in this case three. Because this key must be kept private in order for the message to remain protected, it must be delivered to the recipient for the message to be decoded, or decrypted, back to plaintext. That is why the Caesar cipher is described as a private key algorithm and also a symmetrical encryption algorithm, the same private key being used to encrypt and decrypt the message. Algorithms of this type can be defeated by someone who has the key, an encrypted message, and knowledge of the algorithm used. This might sound like a statement of the obvious; however, as will be seen later in this chapter, there are encryption algorithms that use keys that can be openly exchanged without rendering the encrypted data accessible. Knowledge of the algorithm used can often be derived, or reverse-engineered, by analysis of its output.

Another seemingly obvious fact is that when a private key cipher is used in an effort to achieve confidentiality, one problem is swapped for another. The problem of exchanging messages while keeping the contents from unintended recipients is replaced by the problem of exchanging keys between sender and receiver without disclosing the keys. This new problem is known as the key-exchange problem. The key-exchange problem will be examined in more detail later.

7.2.3 Basic Cryptanalysis. “The first people to understand clearly the principles of cryptography and to elucidate the beginnings of cryptanalysis were the Arabs.”12 By the fifteenth century, they had discovered the technique of letter frequency distribution analysis and had successfully decrypted a Greek message on its way to the Byzantine Emperor.13 In 1412, a man known as al-Kalka-shandi described this technique in an encyclopedia. He also described several cryptographic techniques, including substitution and transposition ciphers.14

Returning to the Caesar cipher, consider how this code could be broken using the science of cryptanalysis. When examined for a length of time, this particular code is fairly transparent. As soon as several letters are identified correctly, the rest fall into place. For example, because “the” is the most common three-letter word in the English language, testing “WKH” against “the” reveals that each letter of plaintext has a fixed relationship to the ciphertext: a shift of three to the right.

If that difference is applied to the rest of the message, the result is a piece of plaintext that is intelligible and thus assumed to be the correct solution to the problem. However, even in this simple example several sophisticated processes and assumptions are at work; they deserve closer attention before looking at more complex codes. First, the test of “the” against “WKH” assumes that the plaintext is English and that the attacker has some detailed knowledge of that language, such as the frequency of certain words. Second, it is assumed that the ciphertext follows the plaintext in terms of word breaks. Typically, this is not the case. Ciphertext usually is written in blocks of letters of equal length to further disguise it, as in:

Ciphertext: EHZDU HWKHL GHVRI PDUFK

When the recipient of the message decrypts it, the result, while not exactly easy reading, is nevertheless entirely intelligible:

Plaintext: bewar ethei desof march

Also note the convention of ignoring the case of individual letters and placing all plaintext in lowercase while all ciphertext is in capitals.

7.2.4 Brute Force Cryptanalysis. The next thing to note about the Caesar cipher is that, using the English alphabet, there are only 26 possible keys (25 if the identity shift is excluded). This means that someone intercepting the encrypted message could mount a standard form of attack known as brute force cryptanalysis. This method runs possible keys through the decryption algorithm until a solution is discovered. On average, the correct key is reached after testing about half of all possible keys. In Exhibit 7.5, a spreadsheet table details a brute force attack on the Caesar ciphertext. In the example, the plaintext appears in line 6, Key #3.

Note that three items of information are required for this attack, and all three of them are relevant to encryption on personal computers:

1. A knowledge of the encryption algorithm used
2. The number of possible keys
3. The language of the plaintext

EXHIBIT 7.5 Brute Force Attack on the Caesar Cipher

Using a computer in an office is somewhat different from sending messages on the field of battle (at least on a good day). Unlike an enemy spy, someone who is attempting to gain unauthorized access to data already has a fairly good idea of which algorithm is being used. (There are relatively few in use, and they often are directly associated with particular applications.) This takes care of the first item. The primary obstacle to a brute force attack is the second item, the number of keys. In the case of the Caesar cipher, the number of possible keys is relatively small, so the work involved in carrying out the attack can be completed very quickly, which is highly significant. Time is often the most important factor in practical cryptanalysis. Being able to decrypt messages within 24 hours is of little use if the information pertains to events that are measured in minutes, such as orders to buy and sell stock, or to launch air raids. If the cipher consisted entirely of random letter substitutions, like this:

Plaintext:  abcdefghijklmnopqrstuvwxyz
Ciphertext: UTWFRAQOYSEDCKJVBXGZIPHLNM

The number of possible keys (the keyspace) is now 26!, or about 4.03 × 10^26, which looks even more daunting when written out:

403,291,461,126,605,635,584,000,000

Imagine a brute force attack using a computer that can perform 1 million decryptions per microsecond, that is, 10^12 per second (considerably more number crunching than the average personal computer can perform). Using a single processor, it would take over 10 million years to exhaust this keyspace: 4.03 × 10^26 divided by 10^12 is about 4 × 10^14 seconds, or roughly 1.3 × 10^7 years. Fortunately for the code breaker, there are other ways of cracking substitution ciphers, as discussed in a moment. The point is that, while brute force attacks are possible, they are not always practical.

It is true that the expected number of trials needed to hit on the correct key is about one-half the total keyspace: the key is equally likely to be any one of the N candidates, so on average it turns up after (N + 1)/2 tries. But a reduction by a factor of 2 is negligible in the face of computational periods measured in years, and in the face of the difficulty of identifying cleartext in the morass of incorrect decryptions.


Functionally, brute force attacks depend on knowing which encryption algorithm is behind the ciphertext. Practically, they depend on the feasibility of successes within an appropriate time frame. They also depend on the third item of information in the list above: knowledge of the language of the plaintext. The solution to the Caesar cipher in Exhibit 7.5 tends to jump out because it is closer to plain English than any of the other solutions. However, without knowing what constitutes plaintext, a brute force attack will, at best, be inefficient, and, at worst, unsuccessful. This part of cryptanalysis, recognizing a positive result, is less amenable to automation than any other. The difficulty is compounded by encryption of purely numerical results where the correct cleartext can be impossible to determine without extensive additional knowledge.
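An added example, not from the chapter, that turns the three items on the list above into a program: a Caesar shift, a brute-force search of its 26-key keyspace, and an automated "is this English?" scorer so that the third item, knowledge of the plaintext language, is applied by the code rather than by eye. The scorer ranks each candidate by the log-likelihood of its letters under an approximate English letter-frequency table (the percentages are assumed values typical of published tables; exact figures vary by corpus). The same letter counting is the first step of the frequency analysis against a monoalphabetic substitution described in the next section, and the keyspace arithmetic reproduces the 26! estimate above. All inputs are the chapter's own sample texts.

```python
import math
import string
from collections import Counter

# Approximate relative frequencies (%) of letters in English prose.
# Assumption: values typical of published tables; any such table will do.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}

def caesar(text: str, key: int) -> str:
    """Shift every letter `key` places (encrypt with +key, decrypt with -key).
    Case is preserved and anything that is not a letter passes through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def english_score(text: str) -> float:
    """Log-likelihood of the text under a unigram model of English; higher is
    more English-like. This automates 'recognizing a positive result'."""
    return sum(math.log(ENGLISH_FREQ[ch]) for ch in text.lower()
               if ch in ENGLISH_FREQ)

def brute_force_caesar(ciphertext: str):
    """Try every key in the keyspace and rank the candidates by english_score.
    Returns (best_key, best_plaintext, candidates sorted best first)."""
    candidates = []
    for key in range(26):
        candidate = caesar(ciphertext, -key).lower()
        candidates.append((english_score(candidate), key, candidate))
    candidates.sort(reverse=True)
    _, key, plaintext = candidates[0]
    return key, plaintext, candidates

def letter_counts(ciphertext: str) -> list:
    """Ciphertext letters with their counts, most frequent first: the first
    step of frequency analysis against a monoalphabetic substitution."""
    counts = Counter(ch for ch in ciphertext.upper() if ch.isalpha())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def brute_force_years(keyspace: int, decryptions_per_second: float) -> float:
    """Wall-clock years needed to exhaust a keyspace at the given rate; the
    expected cost is about half this, since the key is found midway on average."""
    return keyspace / decryptions_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    key, pt, ranked = brute_force_caesar("EHZDU HWKHL GHVRI PDUFK")
    print(f"best key {key}: {pt}")
    for score, k, cand in ranked[:3]:
        print(f"  key {k:2d}  score {score:6.2f}  {cand}")
    print(letter_counts("YZYGJ KZORZ OYXZR RKZRK XUXRJ XRZXU YK"))
    years = brute_force_years(math.factorial(26), 1e12)
    print(f"26! keys at 1e12 decryptions/s: {years:.2e} years")
```

With 20 letters of ciphertext the true shift wins by a wide margin; on very short messages, or on text that is not prose (numbers, identifiers), the scorer can be fooled, which is the practical form of the difficulty the paragraph above describes.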

7.2.5 Monoalphabetical Substitution Ciphers. Both the Caesar cipher and the random substitution cipher shown are examples of monoalphabetic ciphers: a single cipher alphabet is used throughout, so each plaintext letter is always replaced by the same ciphertext letter, and each ciphertext letter stands for exactly one plaintext letter. This renders such ciphers susceptible to an attack quite different from brute force. Suppose a customs officer attempts to discover when and how an illegal weapons shipment will be entering the country. The following message is intercepted:

YZYGJ KZORZ OYXZR RKZRK XUXRJ XRZXU YKQQQ

The person who encoded this text clearly substituted new letters for the original letters of the message. To the experienced code breaker or cryptanalyst, the task of deciphering this message is quite a simple one. First count how many times each letter occurs in the text. This produces a list like this:

Ciphertext: R Z X Y K J U O G
Frequency:  6 6 5 4 4 2 2 2 1

Note that the last three letters are discounted as they are merely filling out the five-letter grouping. Next refer to a table of frequencies, which shows the relative frequency with which the letters of the alphabet occur in a specific language or dialect of that language. One such list is shown in Exhibit 7.6. This list was created for this example and proposes that the most commonly used letters in English in descending order of frequency are e, t, r, and so on. The actual order is more likely to be e, t, a, i, o, n, s, h, r, d, l, u, the order of keys on the English Linotype machine from the nineteenth century, although the precise order of frequencies can vary according to the region of origin or subject matter of the text.

Assuming that the original message is in English, a list that matches code letters to plaintext letters is easily derived.

Ciphertext: R Z X Y K J U O G
Frequency:  6 6 5 4 4 2 2 2 1
Plaintext:  e t r i n o a h s

The result is:

Ciphertext: YZYGJ KZORZ OYXZR RKZRK XUXRJ XRZXU YKQQQ
Plaintext:  itiso nthet hirte enten rareo retra inqqq

This is readable as “it is on the thirteen ten rare ore train.” Although this example obviously was contrived to make a point, it clearly illustrates an important cryptographic tool that can quickly decipher something that at first seems to be very forbidding.

EXHIBIT 7.6 Frequency Lists for English

English by Letter                English by Frequency
A  7.25    N  7.75               E 12.75    U  3.00
B  1.25    O  7.50               T  9.25    M  2.75
C  3.50    P  2.75               R  8.50    P  2.75
D  4.25    Q  0.50               I  7.75    Y  2.25
E 12.75    R  8.50               N  7.75    G  2.00
F  3.00    S  6.00               O  7.50    V  1.50
G  2.00    T  9.25               A  7.25    W  1.50
H  3.50    U  3.00               S  6.00    B  1.25
I  7.75    V  1.50               D  4.25    K  0.50
J  0.25    W  1.50               L  3.75    Q  0.50
K  0.50    X  0.50               C  3.50    X  0.50
L  3.75    Y  2.25               H  3.50    J  0.25
M  2.75    Z  0.25               F  3.00    Z  0.25

The encryption in the previous example could have been based on a simple keyed substitution. For example, write the password “TRICK” followed by the remaining letters of the regular alphabet as the plaintext alphabet, and the alphabet written backward as the ciphertext alphabet. (This particular key encrypts i as X and r as Y, the reverse of the solution above, so it illustrates the construction rather than reproducing the intercepted message exactly.)

Plaintext:  TRICKABDEFGHJLMNOPQSUVWXYZ
Ciphertext: ZYXWVUTSRQPONMLKJIHGFEDCBA

Frequency analysis also works if the substitution is entirely random, as in the earlier example, because the attack depends only on the one-to-one letter mapping, not on how the key was chosen. The specialized tools, such as frequency tables, that are required to break codes point out a basic trade-off: If a basic level of protection is needed, it is easy to get but also easy to break, at least for an expert. The qualification “for an expert” is important because users of encryption need to keep its role in perspective. The salient questions are: Who can gain from decrypting the data, and what means do they have at their disposal? There is no point investing in powerful encryption hardware or software if those likely to attempt to read your files are not particularly sophisticated, dedicated, or well equipped. For example, a person who mails a postcard knows it can be read by anyone who sees it. Envelopes can be used to prevent this, hardly the ultimate in confidentiality, but widely used and relatively successful nonetheless.
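The frequency attack walked through above, together with the keyed-alphabet construction from the TRICK example, as an added Python example (not code from the handbook). The ciphertext and the Exhibit 7.6 frequency order are the chapter's; the tie-breaking rule in initial_key and the hand "guesses" in the refine step are this example's own, and mirror what an analyst does when the count alone cannot separate letters of equal frequency.

```python
from collections import Counter
from string import ascii_uppercase

# Intercepted message from the chapter; the trailing QQQ only pads the last group.
CIPHERTEXT = "YZYGJ KZORZ OYXZR RKZRK XUXRJ XRZXU YKQQQ"

# English letters, most common first, taken from Exhibit 7.6.
ENGLISH_BY_FREQUENCY = "ETRINOASDLCHFUMPYGVWBKQXJZ"


def strip_padding(ciphertext, pad="Q"):
    """Drop the group spacing and the padding letters that fill out the last group."""
    return ciphertext.replace(" ", "").rstrip(pad)


def letter_counts(ciphertext):
    """Step 1 of the attack: count how often each ciphertext letter occurs."""
    return Counter(strip_padding(ciphertext))


def initial_key(ciphertext, order=ENGLISH_BY_FREQUENCY):
    """Step 2: map ciphertext letters to plaintext purely by frequency rank.

    Ties (R/Z, Y/K and J/O/U in the chapter's message) are broken alphabetically,
    which is arbitrary: the count alone only supplies a starting point.
    """
    counts = letter_counts(ciphertext)
    ranked = sorted(counts, key=lambda c: (-counts[c], c))
    return dict(zip(ranked, order.lower()))


def refine(key, guesses):
    """Step 3: overwrite rank-based guesses with ones suggested by readable fragments."""
    new = dict(key)
    new.update(guesses)
    return new


def decrypt(ciphertext, key):
    """Apply a cipher->plain letter map to the unpadded text."""
    return "".join(key[c] for c in strip_padding(ciphertext))


def keyed_alphabet(keyword):
    """Keyword followed by the unused letters, as in the TRICK example."""
    seen = []
    for ch in keyword.upper() + ascii_uppercase:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)


def keyed_substitution(plaintext, keyword):
    """Encrypt by pairing the keyed alphabet with the alphabet written backward."""
    table = dict(zip(keyed_alphabet(keyword), reversed(ascii_uppercase)))
    return "".join(table[c] for c in plaintext.upper() if c in table)


if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common())
    key = initial_key(CIPHERTEXT)
    print(decrypt(CIPHERTEXT, key))   # rank alone gets e, t and r right, little else
    key = refine(key, {"Y": "i", "K": "n", "U": "a", "O": "h", "G": "s"})
    print(decrypt(CIPHERTEXT, key))   # itisonthethirteentenrareoretrain
    print(keyed_alphabet("TRICK"), keyed_substitution("trick", "TRICK"))
```

The first decryption attempt is deliberately left in: on a 32-letter sample the ranked counts fix only the three most frequent letters, and the rest of the key comes from reading partial plaintext and guessing, which is exactly the part of cryptanalysis the chapter calls least amenable to automation.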

7.2.6 Polyalphabetical Substitution Ciphers. Even when the plaintext uses a wider range of letters than the contrived example, substitution ciphers can be cracked by frequency analysis. A powerful technique is to concentrate on the frequency of two-letter combinations, which are known as digraphs, the most common of which in English is “TH.” One way to counter frequency analysis is to use multiple substitutes for the more frequent letters. This cannot be done with a straightforward alphabetic coding. However, if using numbers for letters, it is possible to assign multiple numbers to some letters, such as 13 17 19 23 for E, which would help dilute the natural frequency of this letter. It would appear that supplying multiple substitutions, known as homophones, in proportion to the frequency of each letter would effectively counter frequency analysis. However, some of the underlying structure of the plaintext still survives, notably digraphs, which the cryptanalyst can use to crack the code.

In Europe during the Middle Ages, advances in cryptography were being made by the Papal States and Italian city-states to protect diplomatic messages. Then, in 1379, an Italian man named Gabriele de Lavinde created the first European manual on cryptography. “This manual, now in the Vatican archives, contains a set of keys for 24 correspondents and embraces symbols for letters, nulls, and several two-character code equivalents for words and names.”15 The nomenclature described by Lavinde’s manual “was to hold sway over all Europe and America for the next 450 years.”16

Several other notable advances emerged in Europe during the period of Lavinde’s manual. First, in 1470, Leon Battista Alberti published the first description of a cipher disk.17 Next, in 1563, Giambattista della Porta provided the first example of a digraphic cipher in which two letters are represented by one symbol.18

One method of decreasing the extent to which the structure of the plaintext is reflected in the ciphertext is to encrypt multiple letters of the plaintext at once. For example, “AR” might be encrypted as “CM.” This is the theory behind what is known as the Playfair cipher, which was invented in 1854 by a British scientist, Sir Charles Wheatstone, but was named after his friend Baron Playfair, who fought for its adoption by the British Foreign Office.19 Although the Playfair cipher remained in use through both world wars, it does not do enough to disguise the plaintext and cannot withstand a concerted frequency analysis of digraphs.

7.2.7 The Vigenère Cipher. A particularly important technique in the evolution of polyalphabetic ciphers has its roots in the sixteenth century. In 1586, Blaise de Vigenère published a square encryption/decryption table, named after him as the Vigenère Square, and descriptions of the first plaintext and ciphertext autokey systems.20

The Vigenère cipher involves a table of letters, like the one shown in Exhibit 7.7, that are used with a key to provide different monoalphabetic substitutions as the encryption proceeds through the plaintext. Thus, each letter of the ciphertext has a different relationship with the plaintext, like this:

Key:        doomsdaydoomsdaydoomsdaydoomsday
plaintext:  sellentireportfolionowandbuygold
ciphertext: VSZXWQTGUSDAJWFMOWCZGZALGPIKYRLB

The message is enciphered by looking at the row in the table that begins with the first letter of the key. Then go along that row until the column headed by the first letter of the plaintext. The ciphertext substitution is the letter at that intersection in the table. Thus, row d, column s, yields V. Then proceed to the second letter, and so on. Note that the first time the letter e is encrypted the cipher is S, but the second time it is W. The two ls in sell are encoded as Z and X, respectively, and so on.

Does this cipher completely obscure the structure of the plaintext? Stallings notes: “If two identical sequences of plaintext letters occur at a distance that is an integer multiple of the keyword length, they will generate identical ciphertext sequences.”21

EXHIBIT 7.7 Vigenère Table

This means that the cryptanalyst can determine the length of the keyword. Once this is done, the cipher can be treated as a number of monoalphabetic substitutions, that number being equal to the key length. Frequency tables are again brought into play, and the code can be cracked. The cryptographer’s response to this weakness is to use a longer key so that it repeats less often. In fact, one technique, autokey, invented by Vigenère, is to form the key from the plaintext itself, together with one code word, like this:

Key:        doomsdaysellentireportfolionowan
plaintext:  sellentireportfolionowandbuygold
ciphertext: VSZXWQTGJIAZVGYWCMDBFPFBOJILUKLQ

This system is very powerful, but it still can be attacked by statistical analysis based on frequencies, because the letters of the plaintext and key share roughly the same frequency distribution. The next level of defense is to use a keyword that is as long as the plaintext but bears no statistical relationship to it. This approach, which is of great cryptographic significance, was not hit upon until the twentieth century arrived, bringing with it binary code and global warfare.
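The repeating-key and autokey variants above, plus the key-length test that Stallings's observation implies (the Kasiski examination: distances between repeated ciphertext runs are multiples of the key length), as an added Python example; this is not code from the handbook. The 45-letter KASISKI_SAMPLE is constructed for this example because the chapter's own 32-letter message is too short to contain a repeated trigram.

```python
from functools import reduce
from math import gcd

A = ord("a")


def _shift(p, k, sign):
    """Shift letter p by key letter k: +1 encrypts (the table lookup), -1 decrypts."""
    return chr((ord(p) - A + sign * (ord(k) - A)) % 26 + A)


def vigenere_encrypt(plaintext, key):
    """Repeating key: ciphertext[i] = plaintext[i] + key[i mod len(key)]."""
    p, k = plaintext.lower(), key.lower()
    return "".join(_shift(c, k[i % len(k)], +1) for i, c in enumerate(p)).upper()


def vigenere_decrypt(ciphertext, key):
    c, k = ciphertext.lower(), key.lower()
    return "".join(_shift(x, k[i % len(k)], -1) for i, x in enumerate(c))


def autokey_encrypt(plaintext, primer):
    """Vigenere's autokey: the key is the code word followed by the plaintext itself."""
    p = plaintext.lower()
    k = primer.lower() + p
    return "".join(_shift(c, k[i], +1) for i, c in enumerate(p)).upper()


def autokey_decrypt(ciphertext, primer):
    """Each recovered plaintext letter extends the key for the letters after it."""
    k, out = list(primer.lower()), []
    for i, x in enumerate(ciphertext.lower()):
        out.append(_shift(x, k[i], -1))
        k.append(out[-1])
    return "".join(out)


def kasiski_distances(ciphertext, n=3):
    """Distances between repeated n-grams. With a repeating key, identical plaintext
    runs that lie a multiple of the key length apart give identical ciphertext."""
    seen = {}
    for i in range(len(ciphertext) - n + 1):
        seen.setdefault(ciphertext[i:i + n], []).append(i)
    return [b - a for pos in seen.values() for a, b in zip(pos, pos[1:])]


def key_length_candidates(ciphertext, n=3):
    """Divisors (>= 2) of the gcd of the repeat distances. The true key length is
    among them unless an accidental repeat drags the gcd down."""
    d = kasiski_distances(ciphertext, n)
    if not d:
        return []          # too little ciphertext to say anything
    g = reduce(gcd, d)
    return [k for k in range(2, g + 1) if g % k == 0]


# Constructed for this example: "the" recurs 16 letters apart, twice the key length.
KASISKI_SAMPLE = "attackthefortatdawnandthenattackthetownatdusk"

if __name__ == "__main__":
    print(vigenere_encrypt("sellentireportfolionowandbuygold", "doomsday"))
    print(autokey_encrypt("sellentireportfolionowandbuygold", "doomsday"))
    ct = vigenere_encrypt(KASISKI_SAMPLE, "doomsday")
    print(ct, kasiski_distances(ct), key_length_candidates(ct))
```

With the sample, "the" at positions 6 and 22 is enciphered both times under key letters a-y-d and comes out as TFH twice, 16 apart; the candidate lengths are therefore the divisors of 16, and the true length 8 is among them. On real traffic one collects many such distances and takes their gcd, which is why the attack needs volume.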

7.2.8 Early-Twentieth-Century Cryptanalysis. The advent of modern cryptography began with the invention and development of the electromagnetic telegraph system and the introduction of the Morse code. Samuel Morse brought a system of dots and dashes that allowed near real-time long-distance communication. He envisioned this system as a means of secure communications. It would be up to others to devise systems to encrypt telegraphic communications. Anson Stager, the supervisor of the U.S. Military Telegraph during the Civil War, devised 10 ciphers for the Union Army that were never broken by the Confederacy.22

The use of telegraphic ciphers and codes continued into the two world wars. In fact, one of the most famous early successes of cryptanalysis prompted the entrance of the United States into World War I. When the war first started, the German transatlantic telegraph cable had been cut by the British, forcing all of Germany’s international communications to route through the United Kingdom before being sent on to the Swedish or American transatlantic lines.23 In 1917, “British cryptographers deciphered a telegram from German Foreign Minister Arthur Zimmermann to the German Minister to Mexico, von Eckhardt.”24 It promised Mexico ownership over territory that belonged to the United States (e.g., California), if Mexico joined the German cause and attacked the United States. The British informed President Wilson of their discovery, giving him a complete copy of the telegram, thus resulting in the United States declaring war on Germany.25 That telegram has become famous in the history of cryptanalysis as the Zimmermann Telegram.

World War II saw several Allied victories over the Axis powers by use of advanced cryptographic systems. Few of these victories are more widely known and celebrated than the cracking of the German Enigma cipher machine, described next:

Following the decryption of the Zimmermann Telegram during World War I and the effects that weak ciphers had on that war’s outcome, Germany was looking for an unbreakable cipher and was interested in leveraging automation and the use of machinery to replace traditional paper and pencil techniques. The Enigma machine consisted of a basic keyboard, a display that would reveal the cipher text letter, and a scrambling mechanism such that each plain text letter entered as input via the keyboard was transcribed to its corresponding cipher text letter. The machine was modular in design and multiple scrambling disks were employed to thwart attempts at frequency analysis.26

Polish cryptanalysts, led by Marian Rejewski, first broke Enigma in the early 1930s and passed their methods and machine designs to the British and French in 1939; the British group at Bletchley Park then built on that work throughout World War II. The electromechanical bombes used against Enigma, and the Colossus machines built against the German Lorenz teleprinter cipher, were among the precursors of the modern computer. Breaking Enigma was a major victory for the Allies, and in order to keep exploiting it, they kept the fact that they had cracked it a secret.26

Thus far, the encryption schemes or devices described have encrypted messages consisting of words and nothing more. However, the emergence of the computer, even in its initial rudimentary form, revolutionized cryptology “to an extent even greater than the telegraph or radio.”27 Most cryptologic advances since World War II have involved, or made use of, computers. In the last few decades, cryptographic algorithms have advanced to the point where computing them by hand would be unfeasible, and only computers can do the required mathematics.28 Relying on computers has broadened the kind of information that can benefit from encryption. Computers use a unique language that transforms all information stored into bits, each a 1 or a 0.29 “This, in effect, means that plaintext is binary in form, and can therefore be anything; a picture, a voice, an email or even a video—it makes no difference, a string of binary bits can represent any of these.”30

7.2.9 Adding up XOR. In 1917, an engineer at AT&T, Gilbert Vernam, was working on a project to protect telegraph transmissions from the enemy. At that time, teletypewriters were used, based on the five-unit Baudot code, named after its French inventor, Émile Baudot (a separate telegraph code, not a version of Morse). In Baudot code, each character of the alphabet is allotted five units, each of which is either an electrical current or absence of current, known as a mark or a space. For example, the letter a is represented by mark, mark, space, space, space. In binary terms, each unit constitutes a bit that is either 0 or 1 (the five-bit code for a would be 11000). This system of pulses allowed teletype machines to convert text to and from telegraph signals using a keyboard and punched paper tape for input (a hole represents a mark because it allows the reading device to make electrical contact and create a pulse, whereas a space is represented by leaving the paper intact). Anyone with a suitable machine could intercept and read the transmission.

The 32 possible combinations (2^5) in this code were assigned to the 26 letters plus six “shunts” that did various things like shift to capitals or go down to the next line. Vernam’s brilliant idea was to use a tape of random characters in Baudot code as a key that could be electromechanically added to the plaintext. Kahn describes the method of addition like this:

If the key and plaintext pulses are both marks or both spaces, the ciphertext pulse will be a space. If the key pulse is a space and the plaintext pulse is a mark, or vice-versa (in other words, if the two are different), the ciphertext will be a mark.31

Today, this is known as Exclusive-Or, sometimes referred to as bit-wise XOR or just XOR for short (see Exhibit 7.8). XOR is widely used in computerized encryption schemes. Consider what happens when encoding the letter a using B as the key:

Plaintext:  1 1 0 0 0 (=a)
Key:        1 0 0 1 1 (=B)
Ciphertext: 0 1 0 1 1

In the first column, 1 XOR 1 = 0, as indicated in Exhibit 7.8. To decipher the encrypted character, simply perform the same operation again, XORing the ciphertext with the key (XOR is its own inverse, because any value XORed with itself is 0):

Ciphertext: 0 1 0 1 1
Key:        1 0 0 1 1 (=B)
Plaintext:  1 1 0 0 0 (=a)

At the time of its discovery, the significance of this method lay in its capacity for automation. The operator could feed the plaintext and key tapes into the teletype machine, and it would transmit an encrypted message with no further human input. No offline preparation was required. Furthermore, as long as the receiver had the key tape, the teletype at the receiving end automatically printed out plaintext. This made Vernam’s system the first to integrate encryption into the communication process, an essential feature of encryption systems for today’s computer-based communications.

EXHIBIT 7.8 Diagram of XOR

Exclusive OR truth table:

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Exclusive OR is symmetrical: applying the same key a second time restores the plaintext.

Encrypt:
Plaintext:  1 1 0 0 0
Key:        1 0 0 1 1
Ciphertext: 0 1 0 1 1

Decrypt:
Ciphertext: 0 1 0 1 1
Key:        1 0 0 1 1
Plaintext:  1 1 0 0 0


7.3 DES AND MODERN ENCRYPTION. Although the use of XOR predated computers, the fact that it worked so well with binary code ensured that it would become an essential item in the modern cryptographer’s toolkit. And so the focus of this chapter turns to modern cryptography and two of the most widely used cryptosystems today. The first is Data Encryption Standard (DES) and the second is Rivest, Shamir, Adleman (RSA).

7.3.1 Real Constraints. As the preceding overview of the evolution of encryption suggests, major advances, which are few and far between, often are linked with the individuals who made them, such as Vigenère, Playfair, and Vernam, none of whom had the benefit of computers. Today’s computerized encryption schemes typically employ a number of classic techniques that, when combined, eliminate or minimize the shortcomings of any single method. Several techniques will be discussed here, including transposition and rotors, that point the way to the most widely used encryption scheme to date: DES. First, however, consider the practical problems encountered by Vernam’s otherwise brilliant scheme.

Vernam proposed a key that was a long series of random characters. This was coded on a loop of paper tape that eventually repeated (the tape held about 125 characters per foot). The length of the key made cryptanalysis of intercepted messages extremely difficult, but not impossible, because eventually the key repeated. With sufficient volume of ciphertext, the code would yield to frequency analysis. (Bear in mind that during time of war, or even military exercises, hundreds of thousands of words may be encrypted per day, providing a solid basis for cryptanalysis.)

7.3.2 One-Time Pad. Several improvements then were suggested to avoid the impracticality of simply creating longer and longer key tapes. Another AT&T engineer, Lyman Morehouse, suggested using two key tapes of about eight feet in length, containing some 1,000 characters, to generate over 999,000 combinations of characters that could be fed into the encryption process as the key. This was an improvement in terms of practicality and security, but, as Major Joseph Mauborgne of the U.S. Army Signal Corps pointed out, heavy message traffic encrypted in this way still could be decoded. It was Mauborgne who realized that the only unbreakable cipher would use keys that are, as Kahn puts it “endless and senseless.”32 Thus he came up with what we know as the one-time system, the one unbreakable encryption scheme.

The one-time system sometimes is referred to as a one-time pad,33 because this is the way it has been deployed by intelligence agents in the field. The agent is issued a pad that aligns columns and rows of entirely random characters, as shown in Exhibit 7.9. The first letter of the plaintext is encrypted using the appropriate ciphertext from row 1, the second letter is encrypted from row 2, and so on. The result is ciphertext that contains no statistical relationship to the plaintext. When the message is encrypted the pad is destroyed. The recipient, who has a copy of the pad, uses it to reverse the process and decrypt the message.

The one-time pad essentially is a polyalphabetic substitution cipher, but with the same number of alphabets as there are characters in the message, thus defeating any kind of frequency analysis. A brute force attack is defeated by the fact that every possible result is as statistically significant as every other. As Kahn points out, a four-letter group of ciphertext could just as easily yield kiss, fast, slow, or any other possible four-letter combination.
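Vernam's XOR addition (Section 7.2.9) and the consequence of key material being reused (the repeating key tape of Section 7.3.1, which the one-time system of 7.3.2 exists to avoid), in one added Python example; this is not code from the handbook. DEMO_KEY and the two messages are constructed for the example so that it is reproducible; the crib-based recovery assumes the attacker knows or can guess a fragment of one of the two messages, which is the normal situation with stereotyped traffic.

```python
import os

# The chapter's Baudot example: a = 11000, B = 10011, as five-bit integers.
BAUDOT_A = 0b11000
BAUDOT_B = 0b10011


def xor_bits(x, y):
    """Bit-wise XOR of two small integers: Vernam's mark/space addition."""
    return x ^ y


def bits5(x):
    """Render a five-unit code the way the chapter prints it, e.g. '01011'."""
    return format(x, "05b")


def xor_bytes(a, b):
    """XOR two equal-length byte strings; this single operation is the Vernam cipher."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def one_time_key(n):
    """Fresh random key material: a real one-time pad uses this once and destroys it."""
    return os.urandom(n)


def encrypt(plaintext, key):
    """Encrypt (or, because XOR is its own inverse, decrypt) with a key prefix."""
    return xor_bytes(plaintext, key[:len(plaintext)])


def recover_with_crib(c1, c2, crib, offset=0):
    """Two-time pad: if one key encrypted both messages, c1 XOR c2 = p1 XOR p2
    (the key cancels), so a known fragment of p1 at `offset` exposes the same
    span of p2. This is why Vernam's repeating tape, and Morehouse's two-tape
    scheme, still yielded to analysis given enough traffic."""
    end = offset + len(crib)
    diff = xor_bytes(c1[offset:end], c2[offset:end])
    return xor_bytes(diff, crib)


# Constructed demo data (fixed so the example is reproducible).
DEMO_KEY = bytes.fromhex(
    "5a1c9e03f7b84d2261ae7c0d35f9e8b1470c2d6e8f1a3b5c7d9e0f1a2b3c4d5e")
MESSAGE_1 = b"sell entire portfolio now"
MESSAGE_2 = b"and buy gold at thirteen ten"

if __name__ == "__main__":
    print(bits5(xor_bits(BAUDOT_A, BAUDOT_B)))          # 01011, as in the chapter
    c1 = encrypt(MESSAGE_1, DEMO_KEY)
    c2 = encrypt(MESSAGE_2, DEMO_KEY)                   # same key twice: the mistake
    print(encrypt(c1, DEMO_KEY))                        # round trip
    print(recover_with_crib(c1, c2, b"sell entire"))    # b'and buy gol'
    print(len(one_time_key(len(MESSAGE_1))))            # what a real pad would use
```

The point a practitioner should take from the last two calls is that the strength of the scheme lives entirely in the key being random, as long as the message, and used once; XOR itself hides nothing if any of those three conditions fails.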


EXHIBIT 7.9 One-Time Pad

So why is the unbreakable one-time system not in universal use? Well, it remains a favorite of intelligence agents in the field who have an occasional need to send short messages. However, for large-scale commercial or military encryption, it fails to solve the key size problem that Vernam’s system brought to light. The key has to be as large as the total volume of encrypted information, and there is a constant demand for new keys. Furthermore, both sender and receiver have to hold and defend identical copies of this enormous key.

7.3.3 Transposition, Rotors, Products, and Blocks. A completely different technique from substitution is transposition. Instead of substituting ciphertext characters for plaintext, the transposition cipher rearranges the plaintext characters. The simplest example is referred to as rail fence. For example, to encrypt “sell entire portfolio now and buy gold” each character is written on alternate lines, like this:

sletrprflooadugl
elnieotoinwnbyod

which results in this ciphertext:

SLETRPRFLOOADUGLELNIEOTOINWNBYOD

So far, this does not present a serious challenge. More challenging is the next transposition into rows and columns that are numbered by a key (in this case, 37581426) so that the first set of ciphertext characters are under 1, the second under 2, and so on:

Key:        3 7 5 8 1 4 2 6
Plaintext:  s e l l e n t i
            r e p o r t f o
            l i o n o w a n
            d b u y g o l d

Ciphertext: EROGTFALSRLDNTWOLPOUIONDEEIBLONY

Although more complex, this transposition will still yield to cryptanalysis because it retains the letter frequency characteristics of the plaintext. The analyst also would look for digraphs and trigraphs while playing around with columns and rows of different length. (Kahn describes French code breakers during World War I literally cutting text into strips and sliding them up and down against each other to break German transposition ciphers.)

What makes transposition difficult to decipher is additional stages of encryption. For example, if the previous ciphertext is run through the system again, using the same key, all semblance of pattern seems to disappear.

Key:        3 7 5 8 1 4 2 6
Plaintext:  e r o g t f a l
            s r l d n t w o
            l p o u i o n d
            e e i b l o n y

Ciphertext: TNILAWNNESLEFTOOOLOILODYRRPEGDUB
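The rail fence, the keyed columnar transposition and the second pass through the same key, as an added Python example (not code from the handbook). The plaintext and key are the chapter's; the decryption routines, and the handling of a message whose length is not a multiple of the key length, go beyond what the text shows and are this example's own.

```python
from collections import Counter
from math import ceil

PLAINTEXT = "sellentireportfolionowandbuygold"
KEY = "37581426"   # the digit over column j says when that column is read out


def rail_fence_encrypt(text):
    """Two-rail fence: letters at even positions, then letters at odd positions."""
    return (text[0::2] + text[1::2]).upper()


def rail_fence_decrypt(ciphertext):
    ct = ciphertext.lower()
    half = (len(ct) + 1) // 2           # the top rail gets the extra letter if odd
    top, bottom = ct[:half], ct[half:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2]
                   for i in range(len(ct)))


def _read_order(key):
    """Column indices sorted by their key digit: for 37581426 -> [4,6,0,5,2,7,1,3]."""
    return sorted(range(len(key)), key=lambda j: key[j])


def columnar_encrypt(text, key):
    """Write the text in rows of len(key) letters, then read the columns in key order."""
    k = len(key)
    columns = [text[j::k] for j in range(k)]
    return "".join(columns[j] for j in _read_order(key)).upper()


def columnar_decrypt(ciphertext, key):
    """Reverse the process: work out each column's length (the last row may be
    short), carve the ciphertext back into columns, then read row by row."""
    k, n = len(key), len(ciphertext)
    full, extra = divmod(n, k)          # the first `extra` columns are one longer
    columns, pos = {}, 0
    for j in _read_order(key):
        length = full + (1 if j < extra else 0)
        columns[j] = ciphertext[pos:pos + length].lower()
        pos += length
    rows = ceil(n / k)
    return "".join(columns[j][r] for r in range(rows) for j in range(k)
                   if r < len(columns[j]))


def double_transposition(text, key):
    """The chapter's second pass: run the ciphertext through the same key again."""
    return columnar_encrypt(columnar_encrypt(text, key), key)


def same_letter_profile(plaintext, ciphertext):
    """Transposition rearranges but never substitutes, so the letter counts that
    frequency analysis keys on survive intact; this is the weakness the text notes."""
    return Counter(plaintext.lower()) == Counter(ciphertext.lower())


if __name__ == "__main__":
    print(rail_fence_encrypt(PLAINTEXT))
    print(columnar_encrypt(PLAINTEXT, KEY))
    print(double_transposition(PLAINTEXT, KEY))
    print(same_letter_profile(PLAINTEXT, double_transposition(PLAINTEXT, KEY)))
    print(columnar_decrypt(columnar_decrypt(double_transposition(PLAINTEXT, KEY), KEY), KEY))
```

same_letter_profile returning True after two passes is the practical caveat: however scrambled the output looks, an analyst counting letters sees exactly the English profile of the plaintext, which tells them immediately that they are facing a transposition rather than a substitution.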

The development of increasingly complex multiple-transposition ciphers pointed out the positive effects of multiple stages of encryption, which also apply to substitution ciphers. The prime examples of this are the rotor machines used by the Germans and Japanese in World War II. Some of the insights gained during the attack on German codes, such as Alan Turing’s 1940 work on the application of information statistics to cryptanalysis, were considered so important that they remained classified for more than 50 years.

Although they eventually were defeated by Allied cryptanalysts, electromechanical systems such as Enigma were not only the most sophisticated precomputer encryption systems, but the effort to crack them was also a major catalyst in the development of computer systems themselves. When people started applying computer systems to code making rather than code breaking, they quickly hit on the idea of chopping plaintext into pieces, or blocks, for easier handling. The term “block cipher” is used to describe ciphers that encrypt one block (e.g., 8 bytes of data) at a time, one block after another. Another result of computerizing the encryption process is a class of ciphers known as product ciphers. A product cipher has been defined as “a block cipher that iterates several weak operations such as substitution, transposition, modular addition/multiplication [such as XOR], and linear transformation.”34

The mathematics of product ciphers are beyond the scope of this chapter, but it is useful to note that “[n]obody knows how to prove mathematically that a product cipher is completely secure . . . [A] product cipher should act as a ‘mixing’ function which combines the plaintext, key, and ciphertext in a complex nonlinear fashion.”35

The parts of the product cipher that perform the rounds of substitution are referred to as S-boxes. The product cipher called Lucifer has two of these S-boxes, while DES encryption has eight S-boxes. The ability of a product cipher to produce truly random, nonlinear ciphertext depends on careful design of these S-boxes.

Examples of modern product ciphers include Lucifer (developed by IBM), DES (developed by IBM/NSA), LOKI (Brown, Pieprzyk, and Seberry), and FEAL (Shimizu and Miyaguchi). A class of product ciphers called Feistel ciphers operates on half of the ciphertext at each round, then swaps the ciphertext halves after each round. Examples of Feistel ciphers include Lucifer and DES, both of which are commercial systems, the subject of the next section of this chapter.

7.3.4 Data Encryption Standard. Traditionally, the primary markets for code makers and computer makers have been the same: governments and banks. After World War II, computers were developed for both military and commercial purposes. By the mid-1960s, the leading computer maker was IBM, which could see that the growing role of electronic communications in commerce would create a huge market for reliable encryption methods. Over a period of years, mathematicians and computer scientists, including Horst Feistel at the IBM research lab in Yorktown Heights, New York, developed a cipher called Lucifer that was sold to Lloyds of London in 1971 for use in a cash-dispensing system.36

The U.S. National Security Agency (NSA) was in close touch with the Lucifer project, making regular visits to the lab (the constant flow of personnel between the NSA, IBM, and the mathematics departments of the major American universities tended to ensure that all new developments in the field were closely monitored). At roughly the same time, the National Bureau of Standards (NBS) was developing standard security specifications for computers used by the federal government. In 1973, the NBS invited companies to submit candidates for an encryption algorithm to be adopted by the government for the storage and transmission of unclassified information. (The government handles a lot of information that is sensitive but not sufficiently relevant to national security to warrant classification.)

IBM submitted a variation of its Lucifer cipher to the NBS, and after extensive testing by the NSA, this cipher was adopted as the nation’s Data Encryption Standard (DES). The acronym actually refers to a document published as Federal Information Processing Standards Publication 46, or FIPS PUB 46 for short. This was published on January 15, 1977, and DES became mandatory for all “federal departments and agencies, for any . . . nonnational-security data.”37 The federal mandate also stated that commercial and private organizations were to be encouraged to use DES.38 As a result, DES became widely used, especially in the banking industry.39 The heart of DES is the Data Encryption Algorithm (DEA), which is described in a publication of the American National Standards Institute, titled American National Standard for In- formation Systems—Data Encryption Algorithm—Modes of Operation, 1983, referred to as ANSI X3.106-1983.

7.3.5 DES Strength. DES became, and remained, the de facto standard for commercial encryption until the late 1990s, when doubts about its strength relative to the rapid advances in computer hardware and software led to a quest for an eventual replacement. However, DES is still widely deployed (NIST formally withdrew the single-DES standard, FIPS 46-3, in 2005, but legacy implementations persist), so more detailed discussion of its use is needed before discussing its replacement. The first thing to note is that the only practical method of deciphering data encrypted with DES without knowledge of the key is brute force; differential and linear cryptanalysis of DES have been published, but they require quantities of chosen or known plaintext that no realistic attacker obtains. A brute force attack involves the computerized comparison of plaintext data with encrypted versions of the same data, using every possible key until both versions of the data match. With DES, the number of possible keys is about 70 quadrillion. That is a very big number, and trying all those combinations within anything less than years requires relatively expensive hardware (or the carefully orchestrated application of large amounts of cheap hardware).

Technically speaking, the DEA is a combined substitution/transposition cipher, a product cipher that operates on blocks of data 64 bits, or 8 bytes, in length. Using 56 bits for the key produces a keyspace of 2^56, or 72,057,594,037,927,936, a number in the region of 70 quadrillion. A diagram of DES is shown in Exhibit 7.10.

The difficulty of attacking DES can be increased by triple encryption (double encryption gains little, because a meet-in-the-middle attack trades memory for time and reduces the work to roughly twice a single-key search), but despite this, there has always been something of a cloud over DES. At the time the DEA was approved, two Stanford University professors who are preeminent in twentieth-century cryptography, Whitfield Diffie and Martin Hellman, pointed out that the algorithm, as approved by the NBS, would be increasingly vulnerable to attack as computer equipment increased in power and came down in cost.

7.3.6 DES Weakness. As the author George Sassoon writes, “Although both the U.S. Department of Commerce and IBM deny it vigorously, everyone in the know insists that the NSA enforced a halving of the DES key length to ensure that they themselves could break the ciphers even if nobody else could.” Although the NBS dismissed such criticisms, and the NSA flatly denied that they were behind any attempts to weaken the cipher, this opinion received some support from the NSA in 1986 when the agency announced it would no longer certify the DEA for nonclassified use, less than 10 years after the DES was approved. This move was prompted by the rapid development of parallel computers, which achieve amazing processing capabilities by using hundreds or even thousands of multiple processors, working in parallel. These machines offer enormous power at considerably less cost than traditional supercomputers. Perhaps the NSA could see the inevitability of something like the EFF DES Cracker, which was built in 1998 for less than $250,000 and broke a DES-encrypted message in fewer than three days.

The original Lucifer cipher used data blocks of 128 bits and a key of 112 bits. If this had been adhered to in the DEA, the difference in the number of possible key combinations would have been staggering. Although 2^56, the current keyspace, is a number greater than 7 with 16 zeroes behind it, 2^112 is greater than 5 with 33 zeroes behind it. The practical consequence of this weakness in the DEA meant that the demand for stronger algorithms remained, and promising new ones emerged, such as Bruce Schneier’s Blowfish.

There are still some positive aspects to DES that make it viable for some commercial uses. As was mentioned earlier, DES can easily be strengthened by double encryption, which doubles the difficulty of decryption, taking the task well into the realm of supercomputers and purpose-built, massively parallel machines. The fact that DES has been a standard for so long means that DES now is available in many forms, such as single-chip implementations that can be inserted into ROM sockets and integrated into all manner of hardware, such as expansion cards, PCMCIA cards, and smart cards.

EXHIBIT 7.10 Diagram of DES

7.4 PUBLIC KEY ENCRYPTION. Even with a longer key, the DEA still would have a major weakness, one that it shares with all of the other private key encryption systems mentioned so far. That weakness is the need to keep the key secret. In this section we examine this problem, and the “public key” solutions that are now available.

7.4.1 Key-Exchange Problem. When password-protected data are sent from one place to another, either electronically or by hand, the need to transmit the password to the recipient presents serious obstacles. In cryptography, these are known collectively as the key-exchange problem. This is the way it is described by the Crypt Cabal40:

If you want your friends to be able to send secret messages to you, you have to make sure nobody other than them sees the key. . . . [This is] one of the most vexing problems of all prior cryptography: the necessity of establishing a secure channel for the exchange of the key. To establish a secure channel, one uses cryptography, but private-key cryptography requires a secure channel!

So, even when using very powerful private key systems, such as DES, password or key distribution is a major problem. After all, the reason for encrypting valuable information in the first place is because it is assumed someone is trying to steal it or tamper with it. This implies a motivated and skilled adversary. Such an adversary is likely to use every opportunity to discover the password that will unlock the information. The password is perhaps most at risk from such an adversary when it is passed from one person to another. Although it sounds like the stuff of Bond movies, it actually is a very real and practical problem that had to be faced in many areas of legitimate organized activity, from businesses to public institutions, even when a powerful DEA-based computerized encryption system became available.

Suppose an encrypted file of sensitive accounting data needs to get to the head office. How does the recipient know the password needed to access the file? The sender could make a phone call. But will it be overheard? How is the identity of the person at the other end to be verified? A courier could be dispatched with a sealed envelope. The password could be encrypted. But all of these channels present problems. How to guarantee that the courier is honest or that the envelope will arrive intact? And if the password is encrypted, it will need a password itself, which will have to be transmitted. The recipient of the file can be provided with the password before the message is encrypted, but this is no guarantee that the password will not be intercepted. There are ways of making matters more difficult for the attacker, but the ideal solution would be to use a key that was useless to the attacker. This possibility is diagrammed in Exhibit 7.11.

7.4.2 Public Key Systems. A public key encryption system offers encryption that does not depend on the decryption key remaining a secret. It also allows the receiver of keys and messages to verify the source. The first published description of a public key cryptosystem appeared in 1976, authored by Stanford University professor Martin Hellman and researcher Whitfield Diffie. Ralph Merkle independently arrived at a similar system.

Ralph Merkle first proposed the idea of public key cryptography in 1974, and Martin Hellman and Whitfield Diffie brought the same idea to the public forum in 1976.41

EXHIBIT 7.11 Comparison of Private and Public Key Encryption. Private key encryption: Alice and Bob exchange ciphertext over the unsafe channel, but the private key requires a separate, safe channel between Bob and Alice. Public key encryption: Bob and Alice both have a pair of linked keys (1 public, 1 private) and can share their public keys over the unsafe channel, no safe channel required.

The idea was considered a seminal breakthrough, “for it had not occurred to anyone else in the long history of cryptology that the deciphering key could be anything other than the inverse of the enciphering key.”42 The Diffie-Hellman system employs a form of mathematics known as modular arithmetic. “Modular arithmetic is a way of restricting the outcome of basic mathematical operations to a set of integers with an upper bound.”43 An excellent example of this mathematical principle is found by examining a military clock:

Consider a clock on military time, by which hours are measured only in the range from zero to 23, with zero corresponding to midnight and 23 to 11 o’clock at night. In this system, an advance of 25 hours on 3 o’clock brings us not to 28 o’clock, but full circle to 4 o’clock (because 25 + 3 = 28 and 28 – 24 = 4). In this case, the number 24, an upper bound on operations involving the measurement of hours, is referred to as a modulus. When a calculation involving hours on a clock yields a large number, we subtract the number 24 until we obtain an integer between 0 and 23, a process known as modular reduction. This idea can be extended to moduli of different sizes.44

The Diffie-Hellman protocol allows two users to exchange a symmetric key over an unsecure medium without having any prior shared secrets. The protocol has two publicly known and widely distributed system parameters: p, a large prime integer that is 1,024 bits in length,45 and g, an integer less than p. The two users wishing to communicate are referred to as Alice and Bob for simplicity’s sake. They proceed in this way.

First, Alice generates a random private value a, and Bob generates a random private value b. Both a and b are [less than p]. Then they derive their public values using parameters p and g and their private values. Alice’s public value is g^a mod p and Bob’s public value is g^b mod p. They then exchange their public values. Finally, Alice computes g^(ab) = (g^b)^a mod p, and Bob computes g^(ba) = (g^a)^b mod p. Since g^(ab) = g^(ba) = k, Alice and Bob now have a shared secret key k.46

This protocol introduced a concept to cryptography known as the discrete log problem. “The discrete log problem is stated as follows: given g, p, and g^x mod p, what is x?”47 It is generally accepted throughout the mathematical and cryptologic communities that the discrete log problem is difficult to solve, difficult enough for algorithms to rely on it for security.48
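The exchange just described, run end to end with toy parameters, as an added example rather than code from the handbook. p = 23 and g = 5 are constructed stand-ins for the 1,024-bit prime the chapter calls for, and the brute-force discrete_log function is added only to show what an eavesdropper who saw the public values would have to solve.

```python
import secrets

# Constructed toy parameters: the chapter's protocol uses a 1,024-bit prime p.
# With p this small the discrete log problem below is solvable by hand.
P = 23
G = 5


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p (Alice's g^a mod p, Bob's g^b mod p)."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared key k: Alice computes (g^b)^a mod p, Bob computes (g^a)^b mod p."""
    return pow(peer_public, private, p)


def random_private(p: int = P) -> int:
    """Random private value in [2, p - 2]. The chapter only requires 'less than p',
    but 0, 1 and p - 1 give public values (1, g, 1) that reveal the private value."""
    return 2 + secrets.randbelow(p - 3)


def dh_exchange(a: int, b: int, p: int = P, g: int = G) -> dict:
    """Run the protocol for private values a (Alice) and b (Bob) and return
    what crossed the unsafe channel together with the key each side derived."""
    alice_public = dh_public(a, p, g)   # sent Alice -> Bob
    bob_public = dh_public(b, p, g)     # sent Bob -> Alice
    return {
        "alice_public": alice_public,
        "bob_public": bob_public,
        "alice_key": dh_shared(bob_public, a, p),
        "bob_key": dh_shared(alice_public, b, p),
    }


def discrete_log(h: int, p: int = P, g: int = G) -> int:
    """Brute-force answer to 'given g, p and g^x mod p, what is x?'.
    An eavesdropper holding only the public values needs this to recover a or b.
    It takes at most p - 1 steps here and is infeasible for a 1,024-bit p."""
    for x in range(1, p):
        if pow(g, x, p) == h:
            return x
    raise ValueError("h is not a power of g modulo p")


if __name__ == "__main__":
    # Fixed private values keep the run reproducible; each party would really
    # draw its value with random_private().
    run = dh_exchange(6, 15)
    print(run)                                  # both sides derive k = 2
    print(discrete_log(run["alice_public"]))    # recovers a = 6 from g^a mod p
```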

An algorithm to perform public key encryption was published in 1977 by Ronald Rivest of MIT, Adi Shamir of the Weizmann Institute in Israel, and Leonard Adleman of the University of Southern California. These three men formed the RSA Data Security Company, which was granted an exclusive license to the patent that MIT obtained on their algorithm. A large number of companies licensed software based on this algorithm, from AT&T to IBM and Microsoft. The RSA algorithm is currently at work in everything from online shopping to cell phones. Because it resolved the secret key dilemma, public key cryptography was hailed by many as a revolutionary technology, “representing a breakthrough that makes routine communication encryption practical and potentially ubiquitous,” according to the Sci.Crypt FAQ, which states:

In a public-key cryptosystem, E_K can be easily computed from some public key X, which in turn is computed from K. X is published, so that anyone can encrypt messages. If decryption D_K cannot be easily computed from public key X without knowledge of private key K, but readily with knowledge of K, then only the person who generated K can decrypt messages.49

The mathematical principles that make this possible are beyond the scope of this chapter. Somewhat more detail can be found in the RSA Laboratories’ “Frequently Asked Questions About Today’s Cryptography,” which is distributed by RSA Data Security, the company that markets products based on the RSA algorithm. In brief, public key encryption is possible because some calculations are difficult to reverse, something pointed out by Diffie and Hellman, who first published the idea of public key encryption. Here is how RSA describes the calculations that make it possible (with minor clarification from the author):

Suppose Alice wants to send a private message, m, to Bob. Alice creates the ciphertext c by exponentiating:

c = m^e mod n

where e and n are Bob’s public key. To decrypt, Bob also exponentiates:

m = c^d mod n

where d is Bob’s private key. Bob recovers the original message, m; the relationship between e and d ensures that Bob correctly recovers m. Because only Bob knows d, only Bob can decrypt.

This is diagrammed in Exhibit 7.12, which follows the scenario described. The lower part of the diagram uses numbers taken from an example given by Stallings. These numbers are much smaller than the actual numbers used by RSA. The point is that, given the ciphertext (c) and the public key (e,n) and knowledge of the algorithm, it is still impractical to decipher the message (m). This is because n is created by multiplying two prime numbers (normally represented as p and q) and e is derived from n combined with the secret key, d. To break the cipher, you need to factor a large number into a pair of prime numbers. How large? More than 150 digits in length (that is digits, not bits).

EXHIBIT 7.12 Public Key Diagram

1. Private key, chosen: select two prime numbers, p and q. p = 7 and q = 17.
2. Public key, calculated: calculate n = pq. 7 × 17 = 119.
3. Public key, chosen: calculate ø(n) = (p – 1)(q – 1) = 96; select e, such that e is relatively prime to ø(n) and < ø(n). e = 5.
4. Private key, calculated: determine d, such that de = 1 mod 96 and d < 96. Because 77 × 5 = 385 = 4 × 96 + 1, d = 77.

Result: public key, KU = 5,119; private key, KR = 77,119.
Encryption (public key KU = 5,119): plaintext 19; 19^5 = 2476099 = 20807 × 119, remainder 66; ciphertext 66.
Decryption (private key KR = 77,119): 66^77 = 1.27...×10^140 = 1.06...×10^138 × 119, remainder 19; plaintext 19.

This cryptanalysis is very hard to do in a meaningful period of time, even with a very powerful computer. Large networks of computers have successfully factored a 100-digit number into two primes, but the RSA algorithm can use numbers even bigger if computer power and factoring algorithms start to catch up to the current implementations.

7.4.3 Authenticity and Trust. The point of the public key cryptosystems is to provide a means of encrypting information that is not compromised by the distribution of passwords, but public key encryption does not solve all problems associated with key exchange. Because the keys are considered public knowledge, some means “must be developed to testify to authenticity, because possession of keys alone (sufficient to encrypt intelligible messages) is no evidence of a particular unique identity of the sender,” according to Sci.Crypt FAQ.50

This has led to key-distribution mechanisms that assure listed keys are actually those of the given entities. Such mechanisms rely on a trusted authority, which may not actually generate keys but does employ some mechanism which guarantees that “the lists of keys and associated identities kept and advertised for reference by senders and receivers are ‘correct.’ ”51 Another approach has been popularized by the program called Pretty Good Privacy, or PGP. This is the “Web of trust” approach that relies on users to distribute and track each other’s keys and trust in an informal, distributed fashion.

Here is how RSA can be used to send evidence of the sender’s identity in addition to an encrypted message. First, some information is encrypted with the sender’s private key. This is called the signature and is included in the message sent under the public key encryption to the receiver. The receiver can “use the RSA algorithm in reverse to verify that the information decrypts sensibly, such that only the given entity could have encrypted the plaintext by use of the secret key.”52

EXHIBIT 7.13 Authentication with RSA. Alice (private key = d, n; public key = e, n) sends Bob the signed document m together with the digital signature s = m^d mod n. Bob checks that m = s^e mod n: a message authenticated by the public key could only be from the holder of the private key.

What does “decrypts sensibly” mean? The answer involves something called a message digest, which is “a unique mathematical ‘summary’ of the secret message.”53

In theory, only the sender of the message could generate his or her valid signature for that message, thereby authenticating it for the receiver. Here is how RSA describes authentication, as diagrammed in Exhibit 7.13.

Suppose Alice wants to send a signed document m to Bob. Alice creates a digital signature s by exponentiating: s = m^d mod n, where d and n belong to Alice’s key pair. She sends s and m to Bob. To verify the signature, Bob exponentiates and checks that the message m is recovered: m = s^e mod n, where e and n belong to Alice’s public key.
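The RSA key generation, encryption and decryption of Section 7.4.2 and the signing and verification just described, worked with the Exhibit 7.12 numbers (p = 7, q = 17, e = 5, message 19), as an added example that is not the handbook's own code. The SHA-256 message digest helper and the recover_private_key function (the factoring step the text says an attacker needs) are this example's own additions, workable only because the toy modulus is three digits long.

```python
from math import gcd
import hashlib


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Build a key pair from primes p, q and public exponent e.
    Returns ((e, n), (d, n)): the chapter's public key and private key."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # ø(n) in Exhibit 7.12
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to ø(n) and < ø(n)")
    d = pow(e, -1, phi)                      # d such that de = 1 mod ø(n)
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key: tuple) -> int:
    """c = m^e mod n, computed with the recipient's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key: tuple) -> int:
    """m = c^d mod n, computed with the recipient's private key."""
    d, n = private_key
    return pow(c, d, n)


def rsa_sign(m: int, private_key: tuple) -> int:
    """s = m^d mod n, computed with the signer's private key."""
    d, n = private_key
    return pow(m, d, n)


def rsa_verify(m: int, s: int, public_key: tuple) -> bool:
    """Check that s^e mod n recovers m, using the signer's public key."""
    e, n = public_key
    return pow(s, e, n) == m


def message_digest(text: bytes, n: int) -> int:
    """Reduce a SHA-256 digest into [0, n) so the digest, not the whole
    document, is what gets signed. The reduction is only needed for a toy n;
    with real key sizes the padded digest already lies below n."""
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % n


def factor_toy_modulus(n: int) -> tuple:
    """Trial division: instant for n = 119, hopeless for the 150-digit moduli
    the chapter describes."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime")


def recover_private_key(public_key: tuple) -> tuple:
    """What 'breaking the cipher' means in the text: factor n, then recompute d
    from (e, n) alone."""
    e, n = public_key
    p, q = factor_toy_modulus(n)
    return rsa_keygen(p, q, e)[1]


if __name__ == "__main__":
    public, private = rsa_keygen(7, 17, 5)          # KU = (5, 119), KR = (77, 119)
    c = rsa_encrypt(19, public)                      # 66, as in Exhibit 7.12
    print(public, private, c, rsa_decrypt(c, private))
    s = rsa_sign(19, private)
    print(s, rsa_verify(19, s, public), rsa_verify(20, s, public))
    print(recover_private_key(public))               # (77, 119): toy n offers no security
```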

7.4.4 Limitations and Combinations. As mentioned earlier, many products use RSA today, including Microsoft Windows, Lotus Notes, Adobe Acrobat, Netscape Navigator, Internet Explorer, and many more. In most of these examples, RSA is used for its authentication capabilities rather than for large-scale data encryption. That is because public key systems have one very noticeable downside: They are slow. This is balanced by the fact that they are harder to break. According to RSA, DES generally is at least 100 times as fast as RSA when implemented in software. In hardware, DES is between 1,000 and 10,000 times as fast, depending on the implementations. RSA may narrow the gap in coming years as more specialized chips are developed. However, public key algorithms are unlikely to ever match the performance of private key ciphers such as DES. Fortunately, there is a simple solution: Use a fast private key algorithm for the data encryption, but use a public key system to handle the key exchange and authentication, as diagrammed in Exhibit 7.14.

The private key encryption system might be DES or a system such as RC2 and RC4, both of which are available from RSA Data Security, or Schneier’s Blowfish, which is freely available. Just as there are other private key systems besides DES, there are other public systems besides RSA. One method, called SEEK, is patented, trademarked, and marketed by Cylink of Sunnyvale, California. This method uses an alternative algorithm for public key distribution. Cylink manufactures a range of DES encryptors that use SEEK for key distribution.

EXHIBIT 7.14 Combining Public and Private Key Encryption. Bob and Alice both have a pair of linked keys (1 public, 1 private) and can share their public keys, no safe channel required. Bob encrypts a secret key using Alice’s public key and his private key and sends it to her over the unsafe channel. Alice decrypts the secret key using her private key and Bob’s public key. Using the secret key that he sent to Alice, Bob encrypts a message with a block cipher and sends the ciphertext to Alice. Alice decrypts the ciphertext using the block cipher and the secret key that Bob sent her, recovering the plaintext.

7.5 PRACTICAL ENCRYPTION. The primary market for encryption systems and devices is communications. However, the development of Internet commerce has resulted in a number of new and interesting crypto components that have considerable value for computer security.

7.5.1 Communications and Storage. If you look at the commercial products on the National Institute of Standards and Technology (NIST)’s list of approved DES implementations, most are designed to protect information when it is being communicated, not when it is sitting on a machine for local use. This is understandable when you look at the development of computing, which has spread outward from “fortress mainframe.” Centralized data storage facilities lend themselves to physical access control. Encrypting data that stays behind walls and locked doors may be overkill in that scenario, particularly when there is a performance penalty involved.

Encryption was reserved for data in transit, between computers, across wires. This philosophy was extended to file servers on networks. File encryption on the server was not considered a priority as people assumed the server would be protected. Data encryption on stand-alone machines and removable media is a relatively recent development, particularly as more and more confidential data are packed into physically smaller and smaller devices. There are now many products with which to implement file encryption.

7.5.2 Securing the Transport Layer. One of the most visible examples of encryption at work in computer security today is the security icon people see in their Web browser; see Exhibit 7.15 for examples of Netscape Navigator and Microsoft Internet Explorer. This is an example of something called transport layer security, which uses protocols that go by the name of SSL and TLS.

EXHIBIT 7.15 SSL 3.0 in Action: encrypted session icons in Web browsers (Netscape Navigator, Microsoft Internet Explorer).

7.5.2.1 Popular Protocols. SSL stands for Secure Sockets Layer, the software encryption protocol developed by Netscape and originally implemented in Netscape Secure Server and the Netscape Navigator browser. SSL is also supported by Microsoft Internet Explorer and a number of other products. TLS stands for Transport Layer Security, the name given to an Internet standard based on SSL, by the IETF (as in Internet Engineering Task Force, RFC 2246). There are minor differences between SSLv3.0 and TLSv1.0 but no significant differences as far as security strength is concerned, and both protocols interoperate with each other.

TLS is a protocol, a standardized procedure for regulating data transmission between computers. It is actually composed of two layers of protocol. At the lowest level is the TLS Record Protocol, which is layered on top of some reliable transport protocol, typically TCP from TCP/IP, the set of protocols that run the Internet. The TLS Record Protocol provides connection security that is both private (using symmetric cryptography for data encryption) and reliable (using a message integrity check). Above the TLS Record Protocol, encapsulated by it, is the TLS Handshake Protocol. This allows the server and client to authenticate each other, a major role for TLS in various forms of e-commerce, such as Internet banking. The TLS Handshake Protocol can also negotiate an encryption algorithm and cryptographic keys before any application protocol sitting on top of it, such as HTTP, transmits or receives its first byte of data (see Exhibit 7.16).

EXHIBIT 7.16 Creating a TLS Session between TLS-enabled Web client and server. Client Hello: encryption suites, random challenge string. Server Hello: server certificate, encryption suite (key exchange algorithms, private key encryption algorithm, hashing algorithm); confirmation, random connection ID. Client Response (server authentication, session keys): client certificate, encrypted master key; client finish, signed connection ID. Server Response (client authentication, session keys): server verify, signed challenge string; server finish, signed session ID. Session: application data.

7.5.2.2 Properties of TLS. In providing connection security, the TLS Handshake Protocol delivers three basic properties. The identity of the parties can be authenticated using public key cryptography (such as RSA). This authentication can be made optional, but typically it is required for at least one of the parties (e.g., the Yahoo! Travel server authenticates itself to the user’s browser client, but the user’s client does not authenticate itself to the Yahoo! Travel server, a distinction discussed in a moment).

The second and third basic properties of the TLS Handshake Protocol are that a shared secret can be securely negotiated, unavailable to eavesdroppers, even by an attacker who can place itself in the middle of the connection; and the protocol’s negotiation is reliable. In the words of RFC 2246: “no attacker can modify the negotiation communication without being detected by the parties to the communication.”

TLS can use a variety of encryption algorithms. For the symmetric encryption that is part of the Record protocol, DES or RC4 can be used. The keys for this symmetric encryption are generated uniquely for each connection and are based on a secret negotiated by another protocol (such as the TLS Handshake Protocol). The record protocol includes a message integrity check using a keyed MAC, with secure hash functions such as SHA and MD5, used for MAC computations. The encryption suite to be used for a specific connection is specified during the initial exchange between client and server, as shown in Exhibit 7.16.
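A parser for the ClientHello that opens the handshake described above, as an added example and not code from the handbook or the RFC: it builds a TLS 1.0 ClientHello from constructed values, unwraps the record layer and then the handshake layer in the order the text lays them out, and reports which offered cipher suites rely on the DES, RC4 or MD5 primitives named in this section. The cipher-suite identifiers come from RFC 2246 (and RFC 3268 for the AES suite); the record and ClientHello layouts follow RFC 2246.

```python
import struct

# Cipher suite identifiers from RFC 2246 Appendix A.5 (AES suite from RFC 3268).
CIPHER_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
CONTENT_HANDSHAKE = 0x16   # Record Protocol content type carrying handshake messages
CLIENT_HELLO = 0x01        # Handshake Protocol message type
TLS_1_0 = 0x0301


def build_client_hello(suites, client_random: bytes, session_id: bytes = b"") -> bytes:
    """Wrap a ClientHello (handshake layer) inside one TLS record (record layer)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = struct.pack("!H", TLS_1_0) + client_random          # version + random challenge
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))                  # offered encryption suites
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", TLS_1_0, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Peel the record header, then the handshake header, then the ClientHello
    fields, checking every declared length against the bytes actually present."""
    if len(record) < 5:
        raise ValueError("short record header")
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    if len(record) != 5 + rec_len:
        raise ValueError("record length does not match data")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length does not match data")
    if len(body) < 35:                                          # version + random + sid length
        raise ValueError("ClientHello too short")
    version = struct.unpack("!H", body[:2])[0]
    client_random = body[2:34]
    sid_len, pos = body[34], 35
    if len(body) < pos + sid_len + 2:
        raise ValueError("truncated session id")
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or len(body) < pos + suites_len + 1:
        raise ValueError("truncated cipher suite list")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    pos += 1
    if len(body) < pos + comp_len:
        raise ValueError("truncated compression list")
    return {
        "record_version": rec_version,
        "version": version,
        "random": client_random,
        "session_id": session_id,
        "suites": [CIPHER_SUITES.get(s, "unknown_0x%04x" % s) for s in suites],
        "compression": list(body[pos:pos + comp_len]),
    }


def is_well_formed(record: bytes) -> bool:
    """True when the record parses with every length consistent."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def weak_suites(offered):
    """Offered suites built on primitives this section lists as selectable that
    are now broken or deprecated: NULL (no encryption), single DES, RC4, MD5."""
    markers = ("NULL", "_DES_", "RC4", "MD5")
    return [name for name in offered if any(m in name for m in markers)]
```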

7.5.2.3 Tested in the Real World. TLS/SSL has been widely used and extensively tested in the real world, and thoroughly probed by real cryptographers. Some of the caveats and limitations noted by these and other experts follow. The first is that neither a good standard nor a good design can guarantee a good implementation. For example, if TLS is implemented with a weak random number seed, or a random number generator that is not sufficiently random, the theoretical strength of the design will do nothing to protect the data that are thus exposed to potential compromise. (Although beyond the scope of this chapter, Pseudo-Random Number Generators, or PRNGs, play a vital part in many cryptographic operations, and they are surprisingly difficult to create; unless they closely simulate true randomness, an attacker will be able to predict the numbers they generate, thus defeating any scheme that relies on their “random” quality.)

The second major caveat is that, if clients do not have digital certificates, the client side of the TLS session is not authenticated. This presents numerous problems. Most of today’s “secure” Web transactions, from airline tickets booked at Yahoo Travel to shares traded at most online brokerages, represent a calculated risk on the part of the vendor. Although the client doing the buying is assured, by means of the merchant certificate, that the merchant at www.amazon.com really is Amazon, the merchant has no digital assurance that the client computer belongs to, or is being operated by, the person making the purchase. Of course, there are other assurances, such as the match between the credit card that the purchaser supplies and the other personal details that go along with it, such as billing address. But the merchant is still risking a charge-back and possibly other penalties for a fraudulent transaction.

In the case of larger and more sensitive financial transactions, the need to be assured of the client’s identity is greater. A digital certificate is a step in the right direction, but it is a step many merchants have not yet taken, for several reasons. The first is the cost of issuing certificates to customers, and the second is the difficulty of getting those certificates onto their systems. Some merchants have decided that the cost and effort are worth it. For example, the Royal Bank of Scotland took this approach with its online banking system back in 1998.

EXHIBIT 7.17 Using a Hardware Token for Digital Signatures: storing the certificate on a hardware token enables location transparency and better protection.

There are other issues. The user needs to protect the certificate, even from such threats as hardware failure (user reformats the drive, loses the certificate) or unauthorized use (a family member uses the computer and thus has access to the certificate). Furthermore, the user needs to be able to move the certificate, for example, onto a laptop computer so that the bank account can be accessed while traveling. The obvious answer is to place the certificate on a robust removable medium (see Exhibit 7.17). Such media are generically referred to as hardware tokens. A standard for tokens has not yet emerged. Smart cards are an obvious choice, but card readers need to be deployed. There are alternatives, such as putting the certificate on a floppy disk or on a small key fob that plugs into a USB port.

7.5.2.4 Cost of Secured Transactions. For companies looking to perform highly secure transactions today, using SSL without client-side authentication is proving acceptable in the short term, at least for some categories of transaction. Even then it can be costly, in terms of either dollars or processing power. Although TLS is an open standard, and Netscape has provided crucial parts of the technology royalty free, there is still the question of which algorithms to use. Some algorithms are more expensive than others, and not always in obvious ways. For example, you have to license RC4, whereas DES is free, but RC4 is optimized for a 32-bit processor and DES is not.

Furthermore, research shows that the amount of “hits” that a Web server can handle drops dramatically when those hits require TLS (and it drops a whole lot more when processing client authentication as well as server authentication). The answer here may be specialized hardware. Several companies, such as IBM and Rainbow Technologies, make crypto-coprocessor cards that relieve the server’s CPU of the specialized math processing involved in crypto. They are cheaper than adding another server to keep up with the very demanding task of providing secure Web transactions.

7.5.3 X.509v3 Certificate Format. Another example of encryption widely used in computer security today is X.509. This is not a rocket ship but a standard for digital certificates, described earlier in this chapter. The International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T)’s X.509 standards document states: “Virtually all security services are dependent upon the identities of the communicating parties being reliably known, i.e. authentication.” Consider how this affects Web transactions. The preceding section described how SSL can encrypt Web pages sent from Web server to Web client, and vice versa, but it cannot assure the identity of the parties involved. The X.509 standard helps to address this problem, which negatively impacts the profitability of Web-based businesses.

EXHIBIT 7.18 Digital Certificate

When a Web user asks for assurance that the bn.com Web site is actually Barnes & Noble, it can be provided by way of a digital certificate (see Exhibit 7.18). This means that an entity, known as a certificate authority (CA), has taken considerable pains to reliably identify, and consequently certify, the merchant as the rightful owner of an encryption key. This key is the public half of a uniquely and mathematically related public/private key pair, such that a message encrypted with the public key can only be decrypted with the corresponding private key.

Individuals, as well as merchants, can have a public/private key pair. A bank might then access that public key, and use it, plus the bank’s private key, to encrypt the account details it sends to customers over the Web. Only the customer with the right private key can decrypt this information, using the bank’s public key. At the same time, customers know the statement information can only have come from the bank (otherwise the bank’s public key would not work to decrypt it). Customers also know, thanks to an encrypted message digest (a digital fingerprint of the message contents), that the data they get from the bank has not been altered. Thus, it is very difficult for either party to claim that it never took place. In this way, digital certificates can enhance confidentiality, integrity, and nonrepudiation.

EXHIBIT 7.19 X.509 Certificate Format

Version: Identifies the certificate format
Certificate Serial Number: Number that is unique within the issuing CA
Signature Algorithm Identifier: Identifies the algorithm used to sign the certificate, together with any necessary parameters
Issuer: X.500 name of the issuing CA
Validity Period: Pair of dates between which the certificate is valid
Subject: X.500 name of the holder of the private key corresponding to the public key certified by the certificate
Subject Public Key Information: Public key for the subject, plus an identifier for the algorithm with which this public key is to be used

7.5.3.1 ISO/IEC/ITU 9594-8 a.k.a. X.509. The management of public keys is the task of Public Key Infrastructure (PKI), of which the X.509 standard is an important part. For example, an organization’s employees can perform secure business communications over the Internet, such as contract negotiation, using PKI. To engage in a secure transaction with someone, it is necessary to find and access the other person’s public key, and vice versa. The answer is to publish public keys in the form of a digital certificate, then use some form of directory to locate them. In order for different systems to interoperate, standards for directories have been developed, notably X.500. This standard applies such elements of directory standardization as a hierarchical naming convention:

Country, Organization, Common Name. So Fred Jones of Megabank might have the X.500 name: [Country = US, Organization = Megabank, Inc., Common Name = Fred Jones]

A means of locating digital certificates to verify identities was a logical extension of the standard, thus X.509 was developed, officially known as ITU-T X.509 (formerly CCITT X.509) and also ISO/IEC/ITU 9594-8. In X.509 there is a definition of a basic certificate format, which consists of seven fields shown in Exhibit 7.19.

The certificate format has evolved considerably since 1988. The original format is now referred to as X.509v1. When X.500 itself was revised in 1993, two more fields were added to support directory access control, resulting in the X.509v2 format.54

X.509v2 added unique identifiers for the issuer and the subject, optional bit strings used to make the issuer and subject names unambiguous in the event that the same name is later reassigned to different entities. Suppose that Fred Jones, whose assigned X.500 name was given earlier, is an executive vice president of Megabank, but is then hired away by a competitor. Megabank deassigns his name, but if a different Fred Jones, a programmer, then comes to work for Megabank, he is effectively reassigned the same X.500 name:

[Country = US, Organization = Megabank, Inc., Common Name = Fred Jones]


This poses authorization problems for any access control lists attached to X.500 data objects, due to the difficulty of identifying all of the access control lists that grant privileges to a particular user’s name. The unique identifier field added in X.509v2 provides somewhere to put a new value whenever a name is reused. In fact, a better solution is to use a better distinguisher in the X.500 name, such as:

[Common Name = Fred Jones, Employee Number = 1000002]

In 1993, when the Internet Privacy Enhanced Mail (PEM) RFCs were published, they included specifications for a public key infrastructure based on X.509v1 certificates. Attempts to deploy PEM, however, revealed deficiencies in the Version 1 and 2 certificate formats. Consequently, ISO/IEC/ITU and ANSI X9 developed the X.509v3 format, which greatly extends the capabilities of the format by providing extension fields and broader naming options in X.509v3.

7.5.3.2 Extending the Standard. Extensions were added in Version 3 to address problems discovered while implementing Version 1 and 2 certificates. These can be seen in the diagram in Exhibit 7.20. Particular extension field types may now be specified in standards or defined and registered by any organization or community. Each extension field is assigned a type by means of an object identifier, registered in the same way that an algorithm is registered. Although theoretically anyone can define an extension type, to achieve practical interoperability, common extension types need to be understood by different implementations. Thus, the most important extension types are standardized. But when X.509v3 is used within a closed group—for example, a group of business partners—it is possible to define unique extension types to satisfy specific needs.

EXHIBIT 7.20 X.509v3 Certificate (diagram). Fields, top to bottom: Version (of certificate format); Certificate Serial Number; Signature Algorithm Identifier (Certificate Issuer’s Signature); Issuer (Certification Authority) X.500 Name; Validity Period (Start and Expiry Dates/Times); Subject X.500 Name; Subject Public Key Information (Algorithm Identifier, Public Key Value); Issuer Unique Identifier; Subject Unique Identifier; Extensions (optional: any number of additional fields, each with an Extension Type, a Crit./Non-Crit. flag, and an Extension Field Value); Certification Authority’s Digital Signature, generated over the certificate with the Certification Authority’s Private Key.

7.5.3.3 X.509 Sources, Issues, and CAs. Someone managing an e-commerce project does not necessarily need to know X.509 in detail but should at least read the Arsenault and Turner document (see Section 7.8, “Further Reading,” at the end of the chapter); it clearly describes not only X.509 but the role it plays in PKI (which they define as “the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute, and revoke certificates based on public-key cryptography”55). Also very helpful are the presentations by VeriSign’s Warwick Ford, which NIST has online at its Web site. For the e-commerce developer who wants more detail, the next step is Ford’s book, coauthored with fellow VeriSign executive Michael Baum, Secure Electronic Commerce.56 This documents other important aspects of X.509, such as the Certificate Revocation List, used to revoke certificates before they expire (e.g., if the private key has been compromised). A copy of the standard, available online, at the International Telecommunication Union (ITU) Web site (www.itu.int), is also valuable.

The extensions and improvements in the X.509v3 certificate format greatly increase its usefulness, but providing a uniform method of going beyond the standard does raise the specter of a lack of standardization. This is something that the IETF’s PKIX working group is addressing. And there are other issues to consider when evaluating X.509 as a security technology, many of which are raised by Ed Gerck of the Meta-Certificate Group. Articles at the group’s Web site point out that X.509 does not address “the level of effort which is needed to validate the information in a certificate.”57 In other words, some security issues are beyond the scope of X.509, but they do need to be considered when deploying systems that rely on these certificates. For example, it does not make sense to rely on a digital certificate if the measures taken to assure the identity of the owner and user of the certificate are not commensurate with the risk involved in relying on the certificate. Furthermore, transactions that do not use certificates on both sides will remain inherently problematic.

These issues point to the importance of the role played by the CA. As mentioned earlier, CAs are the entities that issue and sign certificates. Each has a public key that is listed in the certificate. The CA is responsible for scheduling an expiration date and for revoking certificates when necessary. The CA maintains and publishes a Certificate Revocation List (CRL).

In other words, ensuring the validity of certificates entails a lot of maintenance. The CRL, for example, is crucial if certificates are compromised or found to be issued fraudulently. This happened in 2001 when a number of VeriSign certificates were found to be issued in error to someone posing as Microsoft. Because some computer users now rely on certificates to guarantee the authenticity of software upgrades and components, failure to check the revocation list before downloading certified code could result in malicious code attacks.

Problems with certificates have the potential for widespread impact because the authority in certificates is hierarchical, as shown in Exhibit 7.21. When a CA issues a certificate, it signs it with its own key. Anyone relying on certificates issued by that CA needs to know by what authority the CA is issuing that certificate. To simplify, there are two possible answers. The CA is self-certifying, that is, providing its own “root” key, or it is relying on another CA for the root key. Clearly, any compromise of the root key undermines all certificates that gain their authority from it.

See Chapter 37 of this Handbook for a more extensive discussion of PKI and CAs.
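The following is an added example, not code from the Handbook, written in Go against the standard library’s crypto/x509 package. It builds the hierarchy of Exhibit 7.21 (a self-certified root and one subordinate CA), has the subordinate CA issue certificates and a CRL, and shows the relying party’s side of Sections 7.5.3.2 and 7.5.3.3: walk the chain to the root, refuse a certificate carrying a critical extension the verifier does not understand, and consult the CRL before trusting a certificate whose private key was compromised. The names Megabank and Fred Jones follow the chapter’s X.500 example; the extension OID 1.3.6.1.4.1.99999.1 is a made-up placeholder, not a registered extension type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// must: key generation and signing failures are fatal here; only Validate returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the Exhibit 7.19 fields; the keyUsage and basicConstraints
// extensions (Section 7.5.3.2) say whether the key may sign certificates and CRLs.
func template(serial int64, cn string, now time.Time, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Megabank, Inc."}, CommonName: cn},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:     ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
}

// issue generates a P-256 key pair for tpl's subject and has signer certify it; a nil
// signer means the subject signs its own certificate, i.e. a self-certified root.
func issue(tpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		parent, signer = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key // re-parsed so every check uses the encoded fields
}

// Validate is the relying party's check. Verify walks the chain to the trusted root
// (signatures, validity periods, basicConstraints) and rejects any critical extension it
// does not understand; the serial is then looked up in a CRL signed by the issuing CA.
func Validate(leaf, root, sub *x509.Certificate, crlDER []byte, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(sub); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("crl: stale since %v, fetch a fresh one", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %v at %v", rc.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

// Scenario builds the Exhibit 7.21 hierarchy (self-certified root, one subordinate CA),
// issues three end-entity certificates, revokes one, and returns Validate's verdicts.
func Scenario(now time.Time) (good, revoked, unknownCritical error) {
	ca := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(template(1, "Megabank Root CA", now, ca), nil, nil)
	sub, subKey := issue(template(2, "Megabank Issuing CA", now, ca), root, rootKey)
	leaf := func(serial int64, extra ...pkix.Extension) *x509.Certificate {
		tpl := template(serial, "Fred Jones", now, x509.KeyUsageDigitalSignature)
		tpl.ExtraExtensions = extra // encoded as given, critical flag included
		c, _ := issue(tpl, sub, subKey)
		return c
	}
	ok, stolen := leaf(100), leaf(101) // stolen's private key is later compromised
	// A made-up private-arc OID (placeholder, not a registered extension type), flagged critical.
	odd := leaf(102, pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, Critical: true, Value: []byte{5, 0}})
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: stolen.SerialNumber, RevocationTime: now}}}
	crl := must(x509.CreateRevocationList(rand.Reader, crlTpl, sub, subKey)) // the CA publishes the CRL
	return Validate(ok, root, sub, crl, now), Validate(stolen, root, sub, crl, now), Validate(odd, root, sub, crl, now)
}

func main() {
	good, revoked, odd := Scenario(time.Now())
	fmt.Println("good:", good, "\nrevoked:", revoked, "\nunknown critical extension:", odd)
}
```

Only the first certificate passes: the second is rejected by the CRL lookup and the third by the chain check, before any revocation data is consulted.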

EXHIBIT 7.21 Certificate Authorities and the Root Key (diagram: a self-certified Root CA at the top; subordinate CAs beneath it in one or more levels; and the certificates (Cert) issued by each CA at the leaves)

7.6 BEYOND RSA AND DES. Cryptography research and development did not stop with the development of the RSA algorithms. Events in the last two decades of the twentieth century and the first decade of the twenty-first, and their implications, are discussed in this final section of the chapter, which concludes with some warnings on implementing encryption.

7.6.1 Elliptic Curve Cryptography. In 1985, Neal Koblitz from the University of Washington and Victor Miller of IBM independently discovered the application of elliptic curve systems to cryptography. When applied to public key cryptography, elliptic curve arithmetic has been found to offer certain advantages over first-generation public key techniques such as Diffie-Hellman and RSA.

The security of elliptic curve algorithms is based on the same principle as the Diffie-Hellman algorithm, the discrete log problem, as described in Section 7.4.2. The advantages to elliptic curve algorithms lie in the key size needed to achieve certain levels of security. As one scales security upward over time to meet the evolving threat posed by eavesdroppers and hackers with access to greater computing resources, elliptic curves begin to offer dramatic savings over the old, first-generation techniques.58

Until 2010, public key systems used 1,024 bits or 2,048 bits for creating keys. NIST recommended that after 2010, these systems be upgraded to a system that can provide adequate security. One way of doing this would be to increase the key size that is used. However, systems that are in place today become increasingly cumbersome the larger the key size. The NSA is endorsing elliptic curve cryptography, stating on its Web site that it has implemented elliptic curve public key cryptography systems to protect both classified and unclassified information.59 Elliptic curve systems offer a way to increase key size moderately when more security is required. Exhibit 7.22 shows the NIST recommended key size that RSA or Diffie-Hellman should use to protect the transportation of symmetric keys of various sizes as well as the corresponding elliptic curve key size.

EXHIBIT 7.22 NIST Recommended Key Sizes

Symmetric Key Size (bits)   RSA and Diffie-Hellman Key Size (bits)   Elliptic Curve Key Size (bits)
80                          1024                                     160
112                         2048                                     224
128                         3072                                     256
192                         8192                                     384
256                         15360                                    521

Source: National Security Agency, “The Case for Elliptic Curve Cryptography,” www.nsa.gov/business/programs/elliptic curve.shtml.

Thus, in order to use RSA to protect a 256-bit AES key, one should use a key of 15,360 bits, which is an order of magnitude larger than the key sizes currently in use throughout the Internet. However, an elliptic curve key would need to be only 521 bits. Elliptic curve algorithms can use smaller keys, because the math involved makes the inverse, or decryption, operations harder as the key length increases.60

Another feature that makes elliptic curves appealing is the fact that they are more efficient than the current implementations of public key cryptography, which tend to be relatively slow, causing them to be used more as key distribution methods than data encryption methods. Exhibit 7.23 shows the ratio of Diffie-Hellman computations versus elliptic curve computations for each of the key sizes listed in Exhibit 7.22.61

7.6.2 RSA Patent Expires. On September 6, 2000, RSA Security released the RSA public key encryption algorithm into the public domain. This means that anyone can now create products that incorporate this algorithm (provided it is their own implementation and not one licensed from RSA). In effect, RSA Security waived its rights to enforce the patent for any development activities that include the RSA algorithm occurring after September 6, 2000. The U.S. patent for the RSA algorithm actually expired on September 20, 2000. The result has been an even broader use of public key encryption, at lower cost.

The RSA patent was always somewhat controversial, because it applied to a piece of mathematics, which is not what most people think of when they think of an invention. The owners of the patent were never able to expand protection beyond the United States. As a result, versions of public key encryption based on alternatives to the RSA algorithm were developed and marketed outside the country, by companies like Ireland’s Baltimore Technologies, Finland’s F-Secure, and Israel’s Algorithmic Research. Now encryption companies can dispense with the costly maintenance of multiple versions of their public key products (U.S. and non-U.S.). In addition, U.S. companies can develop and market RSA-based products. Large companies actually can “roll their own” public key encryption schemes for internal use, based on a proven, royalty-free algorithm.

EXHIBIT 7.23 Relative Computation Costs of Diffie-Hellman and Elliptic Curves

Security Level (bits)   Ratio of DH Cost : EC Cost
80                      3:1
112                     6:1
128                     10:1
192                     32:1
256                     64:1

Source: National Security Agency, “The Case for Elliptic Curve Cryptography,” www.nsa.gov/business/programs/elliptic curve.shtml.

7.6.3 DES Superseded. RSA Security, the company that tried to make the RSA algorithm synonymous with public key encryption, played a leading role in the other watershed crypto event of 2000, the naming of a successor to DES, the Data Encryption Standard. As noted earlier, projects like the EFF DES Cracker showed that a computer built for less than $250,000 could decipher a DES-encrypted message in fewer than three days. In fact, this was part of the “DES Challenges” sponsored by RSA Security. DES Challenge I was won by Rocke Verser of Loveland, Colorado, who led a group of Internet users in a distributed brute force attack. The project, code-named DESCHALL, began on March 13, 1997, and was successfully completed some 90 days later. DES Challenge II consisted of two contests posted on January 13 and July 13, 1998. The first contest was cracked by a distributed computing effort coordinated by distributed.net, which met the challenge in 39 days. The second contest was the one solved by EFF’s purpose-built DES Cracker.

The effect of these projects was to focus attention on the need for stronger encryption. Companies and government agencies wanting to archive sensitive data need it to remain secure for decades, not days. However, as predicted in the 1970s, advances in computer power rendered “obsolete” the DEA, the widely used private key algorithm that forms the basis of the DES. Of course, the term “obsolete” is relative in this context. DES is not obsolete when applications need to encrypt bulk data to keep it confidential for a limited period of time, and a lot of data falls into this category. As Exhibit 7.24 shows, there is a direct relationship among time, technology, and the degree of protection that any ciphersystem provides.

In 1997, the U.S. Government began the process of establishing a more powerful standard than DES, known as Advanced Encryption Standard (AES). This is a Federal Information Processing Standard (FIPS) Publication, FIPS 197, specifying “a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information.” The government anticipated correctly that AES would be “widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government—and outside of the United States—in some cases.”

EXHIBIT 7.24 Relationship among Time, Technology, and Protection (diagram). Over time, the relative cost of computing power declines, reducing the protection afforded by a given encryption scheme. The diagram’s levels run from “very powerful and expensive system required” (can be used for top-secret data), through “mid-level computer systems required” (suitable for sensitive but not top secret) and “requires only cheap, widely-available system” (for unclassified material only), down to “only for light encryption” and “no encryption.”

In essence, a competition was held to find the best possible algorithm for the job, and the winner, chosen in October 2000, was Rijndael (pronounced “Rhine Doll”). This algorithm was developed specifically for the AES by two cryptographers from Belgium, Dr. Joan Daemen and Dr. Vincent Rijmen. Rijndael is a block cipher with a variable block length and key length. So far, keys with a length of 128, 192, or 256 bits have been specified to encrypt blocks with a length of 128, 192, or 256 bits. (All nine combinations of key length and block length are possible.) However, both block length and key length can be extended very easily in multiples of 32 bits. Rijndael can be implemented very efficiently in hardware, even on smart cards.

7.6.4 Quantum Cryptography. A new basis for computation will profoundly affect cryptographic strength in the coming decades. This section provides a brief and nontechnical summary of the science of quantum computation and quantum cryptography.

7.6.4.1 Historical Perspective. The entirety of this chapter has focused on the status of cryptography as it currently exists. The classic computer has been sufficient to perform the computations and processes required of AES, RSA, and all of the cryptographic systems and algorithms that have been explored since the advent of cryptography. Although modern computers are fundamentally the same as they were in the 1950s, the machines we use today are significantly faster.62 Even though the speed has increased, the primary task of computers has remained the same: “to manipulate and interpret an encoding of binary bits into a useful computational result.”63 To push the bounds of computer performance ever forward, computer scientists’ goal has “been the reduction of size in the transistors used in modern processors.”64

Early computers were constructed of gates and storage “bits” made of many thousands of molecules. The components of today’s processors are moving in the direction of a few hundred molecules. The computing industry has always known that miniaturization would reach a barrier below which circuits could not be built, because their fundamental physical behavior would change.65

The components of modern computers are reaching this barrier; should transistors become much smaller, they will “eventually reach a point where individual elements would be no larger than a few atoms.”66 Computer scientists are concerned about this continual shrinking, because at the atomic level, the laws of quantum mechanics will govern the properties and behavior of circuits, not the laws of classical mechanics.67

The science of quantum mechanics is not fully understood by scientists; it was initially thought to be a major limitation to the evolution of computer technology.68

It was not until 1982 that the scientific community saw any benefit from the unusual effects associated with quantum mechanics. That year, Richard Feynman theorized about a new type of computer that would harness the effects of quantum mechanics and use these effects to its advantage.69 In 1985, David Deutsch of the University of Oxford published a “ground breaking theoretical paper describing how any physical process could be modeled perfectly (in theory) using a quantum computing system.”70

He further argued that a quantum system would be able to execute tasks that no modern computer could perform, such as true random number generation.71 “After Deutsch published this paper, the search began to find interesting applications for such a machine.”72

7.6.4.2 Fundamentals. A “quantum” is “the smallest amount of a physical quantity that can exist independently, especially a discrete quantity of electromagnetic radiation.”73 Quantum mechanics explains the physics and behaviors of particles, atoms, and energy.74 The idea of a quantum computer is based on the phenomena that occur at the atomic and subatomic level, which are explained by quantum mechanics and defy all classical laws of physics.75 These phenomena will be covered in more detail shortly; it is necessary at this point, however, to explain several fundamental differences between classical modern computers and the idea of a quantum computer.

Classical computers store and process information in units called bits, represented as a zero (0) or a one (1) in a computer’s transistors. Bits are then organized into bytes, a series of eight bits. Thus, the information stored on a computer is stored as individual bits grouped into bytes. Therefore, a document “comprised of n-characters stored on the hard drive of a typical computer is accordingly described by a string of 8n zeros and ones.”76 It is important to emphasize that bits “can only exist in one of two distinct states, a ‘0’ or a ‘1’.”77 This leads to the first difference between classical computers and quantum computers.

Quantum computers store and process information in units called quantum bits, referred to as “qubits.” “Qubits represent atoms, ions, photons or electrons and their respective control devices that are working together to act as computer memory and a processor.”78 Similar to a classic bit, a qubit is represented as a 0 or a 1. Unlike a classic bit, a qubit can also exist in a superposition of both a 0 and a 1. In other words, it is possible for a single qubit to exist as a 0, a 1, or simultaneously as both a 0 and a 1. A qubit that is in two positions at once is said to be in its coherent state.79 This can be explained more coherently with an example:

If a coin is flipped in a darkened room, the result of the coin being flipped is mathematically just as likely to be heads or tails. While the light is off, the coin is in a superposition—whereby it is both heads and tails at once, because an [observer] cannot see which it is. If [the observer] turns on the light, [he or she] “collapses” the superposition, and forces the coin to be either heads or tails by measuring it. Measuring something destroys the superposition, forcing it into being in just one classical state.80

This coherent state leads to the phenomenon that would make a quantum computer exponentially more powerful than any computer to date; this is the phenomenon called “quantum parallelism.”81 Essentially, because a qubit in a coherent state holds two values at once, a single operation done on such a qubit would act on both values at the same time.82 “Likewise, a two-qubit system would perform the operation on four values and a three-qubit system on eight [values].”83 To summarize, an operation done on a system of n qubits would act on 2^n values simultaneously.84 Exhibit 7.25 shows this concept using a system containing three qubits, which represent eight states simultaneously.

“The very property that makes quantum computing so powerful also makes it very fragile and hard to control.”85 In order to harness the power of quantum parallelism, scientists need to be able to read and measure the output from the operations performed on groups of qubits. Herein lies the problem of decoherence. When a qubit in the coherent state measurably interacts with the environment, it will immediately decohere and resume one of the two classical states, either a 0 or a 1, and it will no longer exhibit its dual-state ability. In other words, simply looking at a qubit can cause it to decohere, and this makes measuring qubits directly impossible.86

EXHIBIT 7.25 Three-Qubit System (diagram: a single qubit Q holding 0 and 1 at once, and a three-qubit register Q Q Q holding all eight states 000, 001, 010, 011, 100, 101, 110, and 111 simultaneously). Source: Simon Bone and Matias Castro, “A Brief History of Quantum Computing,” Imperial College, London, www.doc.ic.ac.uk/∼nd/surprise 97/journal/vol4/spb3/.

If scientists are unable to measure something directly, then they must find a way to measure indirectly, or a practical quantum computer will never be made. One possible answer lies in another property of quantum mechanics called entanglement. Entanglement is an obscure attribute that involves two or more atoms or particles. When certain conditions are met or certain forces are applied to two or more particles, then they can become entangled, whereby the particles exhibit opposite properties. The entangled particles will remain entangled, no matter the physical distance between them, and one entangled particle will always be able to communicate with its partner. Particles spin either up or down, and this spin is how scientists measure information about the particles. The property of coherence tells us that a particle will spin both up and down simultaneously until a scientist looks at it and measures it. “The spin state of the particle being measured is . . . communicated to the correlated particle, which simultaneously assumes the opposite spin direction to that of the measured particle.”87

Thus, entanglement could allow scientists to know the value of a qubit without actually looking at one. Scientists admit that entanglement is a difficult notion; they are still exploring the concept.88 They also acknowledge that it could be years before a workable solution to the problem of measuring information in a quantum system is discovered.89

7.6.4.3 Impacts. Although quantum computers, in theory, can perform any task that a classical computer can, this does not necessarily mean that a quantum computer will always outperform a classical computer. Multiplication is an often-cited example of something that would be done just as quickly on a classical computer as on a quantum computer.90 From the early stages of quantum computing, scientists knew that to demonstrate the superior computing power, new algorithms would have to be designed to exploit the phenomenon of quantum parallelism. Such algorithms are complex and difficult to devise, but two are driving the development of this highly theorized field: Shor’s algorithm and Grover’s algorithm.91

Peter Shor of Bell Labs designed the first quantum algorithm in 1994. Shor’s algorithm allows for rapid factoring of very large numbers into their prime factors. For example, scientific estimates state that it would take a modern computer 10^24 years to factor a 1,000-digit number; it would take a quantum computer about 20 minutes.92

The implications of this quantum algorithm for classic algorithms that depend on the difficulty of factoring for their security, such as the widely used RSA algorithm, are immense. “The ability to break the RSA coding system will render almost all current channels of communications unsecure.”93 The same algorithm also solves the discrete-logarithm problem, so Diffie-Hellman key exchange and elliptic curve cryptography are exposed in exactly the same way; a sufficiently large quantum computer would break all of today’s widely deployed public key systems, not only RSA.

Lov Grover, also of Bell Labs, published the second of these algorithms in 1996. Grover’s algorithm allows a quantum computer to search unstructured collections of data much more quickly than any capability existing today; Grover notes that the greatest benefit is gained when his algorithm is used on an unsorted database.94 On average, a classical computer needs n/2 lookups to find a specific entry among n unsorted entries. Grover’s algorithm finds the entry in on the order of the square root of n steps. For example, in a database of 1 million entries, a computer today would need on average 500,000 lookups to find the right answer; a quantum computer using Grover’s algorithm would need roughly 1,000. This has implications for symmetric key algorithms such as DES, because the algorithm would allow an exhaustive search of all possible keys to proceed much faster.95 The speedup is only quadratic, however: brute-forcing a 128-bit key drops from about 2^128 trials to about 2^64, so doubling the key length (for example, using 256-bit rather than 128-bit AES keys) restores the original security margin. Shor’s algorithm, by contrast, offers an exponential advantage over the best known classical factoring methods, which is why it, and not Grover’s algorithm, is the existential threat to RSA.
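The square-root claim above can be checked without a quantum computer by simulating the algorithm’s amplitudes classically. The following Python is an added example written for this section (it is not code from the Handbook or from Grover’s paper); it assumes a single marked item in a search space of N = 2^n entries, and the marked index 717 used below is an arbitrary choice. The first function stores every amplitude, which is only feasible for small N; the second exploits the fact that all unmarked amplitudes stay equal, so it can run the 2^20 case that corresponds to the million-entry database in the text.

```python
"""Classical simulation of Grover's search (added example, not Handbook code).
After about (pi/4)*sqrt(N) oracle calls the marked item is measured with
probability near 1, versus the N/2 lookups expected from a classical scan."""
import math


def grover_iterations(N):
    """Optimal number of Grover iterations for one marked item among N."""
    return int(math.pi / 4 * math.sqrt(N))


def grover_state_vector(n_qubits, marked):
    """Simulate Grover's algorithm on all 2**n_qubits amplitudes.

    Returns (most_likely_index, probability_of_marked, oracle_calls).
    Stores the whole state, so only practical for small n_qubits."""
    N = 1 << n_qubits
    amp = [1.0 / math.sqrt(N)] * N            # Hadamard on every qubit: uniform superposition
    iterations = grover_iterations(N)
    for _ in range(iterations):
        amp[marked] = -amp[marked]            # oracle: phase-flip the marked basis state
        mean = sum(amp) / N
        amp = [2.0 * mean - a for a in amp]   # diffusion: reflect each amplitude about the mean
    probs = [a * a for a in amp]
    best = max(range(N), key=probs.__getitem__)
    return best, probs[marked], iterations


def grover_two_amplitude(N):
    """Exact simulation for one marked item using the symmetry that the N-1
    unmarked amplitudes always stay equal. Runs in O(sqrt(N)) time, so N = 2**20
    (the 'million-entry database') is cheap. Returns (probability, oracle_calls)."""
    a = b = 1.0 / math.sqrt(N)                # a: marked amplitude, b: each unmarked amplitude
    iterations = grover_iterations(N)
    for _ in range(iterations):
        a = -a                                # oracle
        mean = (a + (N - 1) * b) / N
        a, b = 2.0 * mean - a, 2.0 * mean - b # diffusion
    return a * a, iterations


def classical_expected_queries(N):
    """Expected number of entries a classical scan examines before hitting the target."""
    return N / 2


if __name__ == "__main__":
    best, p, k = grover_state_vector(10, marked=717)   # 717 is an arbitrary target index
    print(f"N=1024: index {best}, probability {p:.4f}, {k} oracle calls "
          f"(classical expectation {classical_expected_queries(1024):.0f})")
    p, k = grover_two_amplitude(1 << 20)
    print(f"N=2^20: probability {p:.6f}, {k} oracle calls "
          f"(classical expectation {classical_expected_queries(1 << 20):.0f})")
```

For N = 2^20 the simulation needs 804 oracle calls, in line with the “roughly 1,000” figure in the text, against an expected 524,288 classical lookups. Applied to a key search, the same arithmetic says a k-bit key costs about 2^(k/2) Grover iterations, which is the reason for the doubled key lengths recommended above.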

7.6.4.4 Current Status. Prompted by the potential impact of quantum computing and the related algorithms on the security of information and cryptography, governments around the world are funding efforts to build a practical quantum computing system. The United States has many initiatives ongoing. In 2001, the Defense Advanced Research Projects Agency (DARPA) of the Department of Defense launched a $100 million effort that would last five years. In addition, the National Science Foundation has $8 million in grant money for researching quantum capabilities. DARPA’s Quantum Information Science and Technology initiative will now exist indefinitely; it became a fully funded and permanent program in 2006.96 A number of other governments, primarily within Europe and Asia, are involved in quantum computation research and development. In 2000, the European Commission launched a comprehensive research effort with $20 million budgeted over three years. In Japan, the Ministry of Post and Telecommunications began an initiative in 2001 that will last 10 years with a total requested budget of $400 million. Several commercial enterprises are also involved in quantum projects, including IBM, Bell Labs, and the Japanese firms Fujitsu, Ltd., NEC Corporation, and Nippon Telegraph and Telephone Corporation.97

This list is by no means exhaustive, as there are universities and other organizations throughout the world with research efforts in full swing.

Because of the worldwide effort to understand quantum computing more thoroughly, several key advancements have been made. In 1998, researchers at Los Alamos National Laboratory and MIT were able to spread a qubit over three nuclear spins of certain types of molecules. According to the experiments, spreading the information (qubit) out made it more difficult to corrupt, or decohere. The researchers were able to accomplish this using a technique called nuclear magnetic resonance (NMR), which allows the manipulation and control of a nucleus’s spin. This technique allowed the researchers to use the property of entanglement to analyze indirectly the quantum information.98

In 2000, researchers at IBM developed a five-qubit computer, also using the nuclei of a liquid. The nuclei were programmed by radio-frequency pulses and then read out by NMR techniques. Using this technique, the team was able to find the period of a particular function, that is, the length of the shortest interval over which it repeats its values. A classical computer would need several repeated evaluations of the function to establish its period; the IBM team did it in one step. Period finding is the heart of Shor’s algorithm: the factors of a number N fall out of the period of the function a^x mod N. In 2001, a combined group of scientists from IBM and Stanford University demonstrated Shor’s algorithm and were able to find the prime factors of 15. The seven-qubit computer correctly deduced that the prime factors were 3 and 5.99
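The link between the period-finding experiment and the factoring of 15 is easiest to see in code. The following Python is an added example (not the Handbook’s or IBM’s code) of the classical skeleton of Shor’s algorithm: everything except the period (order) search is ordinary number theory, and here a brute-force loop stands in for the quantum step, so this demonstrates the reduction rather than any speed-up. The base 7 used in the demonstration is an arbitrary choice, and the bases are tried in a fixed order for reproducibility where Shor’s algorithm would pick them at random.

```python
"""Classical skeleton of Shor's algorithm (added example, not Handbook code).
Factor N from the order r of a modulo N: if r is even and a**(r/2) is not
congruent to -1, then gcd(a**(r/2) +/- 1, N) yields a nontrivial factor."""
import math


def find_order(a, N):
    """Smallest r > 0 with a**r % N == 1 (requires gcd(a, N) == 1).
    This is the step a quantum computer performs with Shor's period finding;
    the brute-force loop here is exponential in the size of N."""
    if math.gcd(a, N) != 1:
        raise ValueError("a must be coprime to N")
    r, x = 1, a % N
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def factors_from_order(a, r, N):
    """Turn an order r into a sorted factor pair, or None in the cases where
    Shor must retry with a new base: r odd, or a**(r/2) congruent to -1 mod N."""
    if r % 2:
        return None
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None
    for f in (math.gcd(y - 1, N), math.gcd(y + 1, N)):
        if 1 < f < N:
            return tuple(sorted((f, N // f)))
    return None


def shor_factor(N, bases=None):
    """Factor a composite N. Tries bases in order (deterministic here; Shor
    chooses them at random) and returns (a, r, (p, q)) for the first that works.
    A base sharing a factor with N is a lucky guess and needs no order at all."""
    for a in (bases or range(2, N)):
        g = math.gcd(a, N)
        if g != 1:
            return a, None, tuple(sorted((g, N // g)))
        r = find_order(a, N)
        pq = factors_from_order(a, r, N)
        if pq:
            return a, r, pq
    raise ValueError(f"no usable base found for {N}")


if __name__ == "__main__":
    a, r, (p, q) = shor_factor(15, bases=[7])
    print(f"base {a}: order {r}, so 15 = {p} * {q}")
    # Base 14 has order 2 but 14 == -1 mod 15, the failure case that forces a retry.
    print("base 14 usable:", factors_from_order(14, 2, 15) is not None)
```

With base 7 the order is 4 (7, 4, 13, 1 modulo 15), 7^2 mod 15 = 4, and gcd(3, 15) and gcd(5, 15) give the factors 3 and 5 that the seven-qubit machine reported. Base 14 shows why the algorithm is probabilistic: its order is even, but 14^1 is congruent to -1, so the gcd step only returns the trivial factors and a new base must be tried.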

In February 2007, a Canadian company called D-Wave claimed to demonstrate the first commercial quantum computer. It is a “supercooled, superconducted niobium chip housing an array of 16 qubits.”100 D-Wave chose not to focus on cryptographic efforts when building the Orion, as the computer is called. Instead, Orion is aimed at pattern-matching problems and at problems in the complexity class NP, including NP-complete problems. NP-complete problems are decision problems for which no efficient classical algorithm is known; many search and optimization problems can be recast in this form, and the answer tells whether a solution satisfying given constraints exists. Examples of such problems include database searches, pattern matching, identifying diseases from symptoms, and finding matches for genetic material.101 The company’s demonstrations were done via a television feed from a remote location, due to the sensitive nature of the machine and the difficulty of transporting equipment that is cooled to just above absolute zero. Despite the demonstrations and the claims of D-Wave, scientists are skeptical that Orion is actually performing quantum computations. Even the chief executive of D-Wave said that, although all evidence indicates that Orion is performing quantum computations, there is some uncertainty. Nevertheless, D-Wave announced plans to boost the Orion to 1,000 qubits by 2008.102

In July 2007, scientists from NIST (United States) and the Rutherford Appleton Laboratory (United Kingdom) teamed up to explore magnetic quantum effects. This team reports having chained together “100 atoms of yttrium barium nickel oxide into a quantum spin-chain that, in effect, turn[ed] the 30-nanometer long magnetic molecule into a single element.”103 This discovery is an important step toward putting qubits onto solid-state circuits. Thirty nanometers is well beyond the atomic length scale, and it is unusual to see quantum coherence beyond the atomic level. However, the team did report stable coherent states at this size, which is within reach of the lithographic techniques used to fabricate the integrated circuits of classical computers.104

In April 2013, researchers “successfully transmitted a secure quantum code through the atmosphere from an aircraft to a ground station.” Note that this experiment concerns quantum key distribution, which uses the quantum properties of single photons to distribute keys and to reveal eavesdropping; it is a different technology from quantum computation and does not itself threaten classical ciphers. The author of the report continues,

“This demonstrates that quantum cryptography can be implemented as an extension to existing systems,” says LMU’s Sebastian Nauerth. In the experiment, single photons were sent from the aircraft to the receiver on the ground. The challenge was to ensure that the photons could be precisely directed at the telescope on the ground in spite of the impact of mechanical vibrations and air turbulence. “With the aid of rapidly movable mirrors, a targeting precision of less than 3 m over a distance of 20 km was achieved,” reports Florian Moll, project leader at the DLR’s Institute for Communication and Navigation. With this level of accuracy, William Tell could have hit the apple on his son’s head even from a distance of 500 m.

With respect to the rate of signal loss and the effects of air turbulence, the conditions encountered during the experiment were comparable to those expected for transmission via satellite. The same holds for the angular velocity of the aircraft. The success of the experiment therefore represents an important step towards secure satellite-based global communication.105

Even with the advances just mentioned, skeptics believe that practical quantum computers that outperform classical computers are still years, or even decades, away. After conducting many hours of research on the topic of quantum computing, this author’s opinion is that it is not a matter of if quantum computing will become a reality but a matter of when. That scientists have been able to demonstrate a few theoretical quantum computations on systems consisting of only a few qubits is highly promising. Yet scientists need to overcome many obstacles. Systems containing hundreds or thousands of qubits will be needed to perform useful computations. In addition, precise controls will be required to accomplish operations while avoiding decoherence; in fact, decoherence is perhaps the biggest obstacle to the creation of a quantum system. Until scientists can reliably measure information produced by qubits at work, it is unlikely that a practical quantum system will be built in the near future.106

7.6.5 Snake Oil Factor. As encryption vendors and cryptographers come to grips with the implementation and extended testing of new algorithms, it is important to note these words from the AES competition requirements:

A complete written specification of the algorithm shall be included, consisting of all necessary mathematical equations, tables, diagrams, and parameters that are needed to implement the algorithm.

In other words, there is no secret about how the AES makes things secret, just as there is no secret about how DES works. This often strikes the crypto-novice as illogical: why not keep the algorithm secret, since surely that would make messages encrypted with it that much harder to decrypt? Not really. Any reliance on the secrecy of the algorithm inserts a weak link into the chain of security. An algorithm shipped in every copy of a product cannot stay secret for long, and once it leaks, every user is exposed at once, whereas a compromised key affects only the messages protected by that key and can simply be replaced. Encrypting data does not by itself guarantee that it will remain confidential. The keys must be kept secret, the identity of persons requesting authorized access must be verified, and so on. This is true of public key encryption as well as private key encryption.

This principle is known as Kerckhoffs’ Principle, based on an 1883 publication by military cryptographer Auguste Kerckhoffs:

1. The system must be practically, if not mathematically, indecipherable;

2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;

3. Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents;

4. It must be applicable to telegraphic correspondence;

5. It must be portable, and its usage and function must not require the concourse of several people;

6. Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.107

Note that the second principle does not demand that the algorithm be published, only that its secrecy must not be load-bearing; in modern practice, open publication and years of public review are the only way to gain confidence that it is not. There is no benefit to be gained by relying on an algorithm that has not been subject to open review, particularly when strong, reviewed algorithms exist. Beware of encryption vendors, or producers of any security products, that claim strength based on secret algorithms. Such claims are often a case of snake oil. (For more on bogus claims for crypto products, see Curtin’s “Snake Oil FAQ,” included in Section 7.8, “Further Reading,” at the end of this chapter.)

7.7 STEGANOGRAPHY. Instead of scrambling data through cryptography, one can also insert data covertly into other data streams. Steganography (literally “covered writing” in Greek) generally uses the low-order bits of a data stream, typically an image, to carry the hidden message. In today’s high-resolution representations of color images, modifying the least significant bits of a pixel makes a negligible change in color, at least to the human eye. The steganographic software makes the changes on the sender’s side and extracts the hidden bits from the modified image on the receiver’s side.108 Steganography hides the existence of a message but does not by itself protect its content; the hidden payload should still be encrypted, since anyone who discovers the embedding scheme can read an unencrypted payload as easily as the intended recipient.

Such modified images are difficult to identify, but steganography detection tools, which rely on detecting abnormal patterns in the pixels of a carrier image, do exist.109

For example, StegoHuntTM and StegoAnalyst software from Wetstone Technologies can identify and analyze steganographically modified data; StegoBreak can extract the cleartext from the carrier file.110
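To make the embedding and the detection concrete, the following Python is an added example written for this section; it is not code from the Handbook or from any of the Wetstone products named above. It treats a constructed byte string as the sample values of an 8-bit image, hides a message in the least significant bits with a length prefix, recovers it, and then applies the pairs-of-values chi-square test (Westfeld and Pfitzmann’s statistic) that detection tools use to flag LSB replacement: overwriting the LSB plane with random payload bits drives the counts of each value pair (2k, 2k+1) toward equality, so the statistic collapses relative to the untouched carrier. The carrier and the payload are both constructed here; the smooth all-even gradient is a stand-in for an image region whose LSB plane has never been touched.

```python
"""LSB steganography and a pairs-of-values detector (added example, not Handbook code)."""
import random


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, payload):
    """Replace the LSB of successive cover samples with the bits of a 4-byte
    big-endian length prefix followed by the payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} framed bytes, need {len(framed)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego):
    """Inverse of embed_lsb: read the length prefix, then that many payload bytes."""
    def read_bytes(count, bit_offset):
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + 8 * b + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def pov_chi_square(samples):
    """Pairs-of-values statistic: sum over k of (n[2k] - e)^2 / e with
    e = (n[2k] + n[2k+1]) / 2. A value far below that of comparable untouched
    data indicates that the LSB plane has been overwritten with random-looking bits."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


# Constructed carrier: a smooth 4096-sample gradient whose samples are all even,
# standing in for an image region with an untouched LSB plane.
COVER = bytes((2 * (x // 16)) & 0xFF for x in range(4096))


def demo():
    """Embed a constructed 400-byte random payload and return the chi-square
    statistic (before, after). The round trip is checked on the way."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(400))
    stego = embed_lsb(COVER, payload)
    if extract_lsb(stego) != payload:
        raise AssertionError("round trip failed")
    return pov_chi_square(COVER), pov_chi_square(stego)


if __name__ == "__main__":
    before, after = demo()
    print(f"chi-square before embedding: {before:.1f}, after: {after:.1f}")
```

On the constructed carrier the statistic is exactly 2048 before embedding (every even value is present, no odd value is) and drops by an order of magnitude after the payload overwrites most of the LSB plane. Real detectors refine this by running the test over sliding windows so that a payload shorter than the image still stands out, and by comparing against the statistics of the untouched remainder of the same image, which is why sophisticated tools embed in a spread-out, pseudo-random order rather than sequentially.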

7.8 FURTHER READING. As stated at the outset, this chapter was not designed to be an extensive treatise on cryptography or a complete guide to the implementation of encryption technology. There are many resources available to help readers deepen their understanding of this fundamental area of information security.

Books and Articles

Bishop, M. Computer Security: Art and Science. Upper Saddle River, NJ: Addison-Wesley/Pearson Education, 2003.

Hinsley, F. H., and A. Stripp, eds. Codebreakers: The Inside Story of Bletchley Park. Oxford, UK: Oxford University Press, 2001.

Cobb, C. Cryptography for Dummies. Hoboken, NJ: John Wiley & Sons, 2003.

Gilbert, G., Y. S. Weinstein, and M. Hamrick. Quantum Cryptography. World Scientific Publications, 2013.

Goldreich, O. Foundations of Cryptography: Volume I, Basic Tools. New York, NY: Cambridge University Press, 2007.

Juels, A. “Encryption Basics.” In H. Bidgoli, ed., Handbook of Information Security, Vol. 2. Hoboken, NJ: John Wiley & Sons, 2006.

Kahn, D. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, Revised Edition. New York: Scribner, 1996.

Katz, J., and Y. Lindell. Introduction to Modern Cryptography, 2nd ed. London: Chapman & Hall/CRC, 2014.

Mao, W. Modern Cryptography: Theory and Practice. Upper Saddle River, NJ: Prentice-Hall, 2003.

Mel, H. X., and D. Baker. Cryptography Decrypted. Upper Saddle River, NJ: Addison-Wesley, 2000.

Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. New York, NY: John Wiley & Sons, 1996.

Seberry, J., and J. Pieprzyk. Cryptography: An Introduction to Computer Security. Englewood Cliffs, NJ: Prentice-Hall, 1989.

Spillman, R. J. Classical and Contemporary Cryptology. Upper Saddle River, NJ: Prentice-Hall, 2004.

van Tilborg, H. C. A., and S. Jajodia, eds. Encyclopedia of Cryptography and Security, 2nd ed. Springer, 2013.

Yan, S. Y. Quantum Attacks on Public-Key Cryptosystems. Springer, 2013.

Web Resources

Arsenault, A., and S. Turner. “Internet X.509 Public Key Infrastructure: PKIX Roadmap,” 2000; www.ietf.org/proceedings/00jul/I-D/pkix-roadmap-05.txt


Bacard, A. “Non-Technical PGP (Pretty Good Privacy) FAQ,” 2002; www.andrebacard.com/pgp.html

Beezer, R. “Cryptography Independent Study,” 2002; http://buzzard.ups.edu/courses/2002spring/iscryptos2002.html

Cate, V. Vince Cate’s Cryptorebel/Cypherpunk Page; www.offshore.com.ai/security/

Cryptography Research Inc. Research Links; www.cryptography.com/resources/researchlinks.html (URL inactive)

Curtin, M. “Snake-Oil FAQ/Snake Oil Warning Signs: Encryption Software to Avoid,” 1998; www.interhack.net/people/cmcurtin/snake-oil-faq.html

Electronic Frontier Foundation. “Frequently Asked Questions (FAQ) About the Electronic Frontier Foundation’s ‘DES Cracker’ Machine,” 1999; http://w2.eff.org/Privacy/Crypto/Crypto misc/DESCracker/HTML/19980716 eff des faq.html

Electronic Frontier Foundation. “RSA Code-Breaking Contest Again Won by Distributed.Net and Electronic Frontier Foundation (EFF): DES Challenge III Broken in Record 22 Hours,” 1999; http://w2.eff.org/Privacy/Crypto/Crypto misc/DESCracker/HTML/19990119 deschallenge3.html

Gerck, E. “Why Is Certification Harder than It Looks?” 1999; http://mcwg.org/mcg-mirror/whycert.htm

ICSA Labs’ Cryptography Community; www.icsalabs.com/icsa/main.php?pid=vjgj7567 (URL inactive)

International PGP Home Page, 2002; www.pgpi.org

Kessler, G. “An Overview of Cryptography,” 2004; www.garykessler.net/library/crypto.html

PGP Home; www.pgp.com/index.php (URL inactive)

RSA Security Content Library; www.rsasecurity.com/doc library/index.asp

Schneier, B. Crypto-Gram newsletter archive, 1998–2008; www.schneier.com/crypto-gram-back.html

7.9 NOTES

1. David Kahn, The Codebreakers: The Story of Secret Writing (New York: Scribner, 1996), pp. 980–984.
2. The American Heritage® New Dictionary of Cultural Literacy, 3rd ed., s.v. “cryptography,” http://dictionary.reference.com/browse/cryptography
3. RSA Laboratories, “What Is Cryptanalysis?” www.rsa.com/rsalabs/node.asp?id=2200 (URL inactive)
4. J. Seberry and J. Pieprzyk, Cryptography: An Introduction to Computer Security (Englewood Cliffs, NJ: Prentice-Hall, 1989).
5. Seberry and Pieprzyk, Cryptography.
6. Kahn, Codebreakers, pp. 71–72.
7. Encyclopaedia Britannica Online Academic Edition, s.v. “cryptology,” http://search.eb.com.library.norwich.edu/eb/article-25638. This article is only available within the Norwich University system, or with a paid subscription to the Encyclopaedia.
8. Brigitte Collard, “La cryptographie dans l’Antiquité gréco-romaine. III. Le chiffrement par transposition,” Folia Electronica Classica (Louvain-la-Neuve) 7 (January–June 2004): section II(2), “Définition de la scytale”; http://bcs.fltr.ucl.ac.be/FE/07/CRYPT/Crypto44-63.html#42047


9. Brad Stark, “A Closer Look at Cryptography,” Bucknell University, www.facstaff.bucknell.edu/udaepp/090/w3/brads.htm (URL inactive)
10. Kahn, Codebreakers, pp. 83–84.
11. “Time Table/Time-Travel through Cryptography and Cryptanalysis,” www.cryptool.com/menu zeittafel.en.html
12. Oliver Pell, “Cryptology,” www.ridex.co.uk/cryptology/# Toc439908853
13. “Time Table/Time-Travel.”
14. Encyclopaedia Britannica Online Academic Edition, s.v. “cryptology.”
15. Encyclopaedia Britannica Online Academic Edition, s.v. “cryptology.”
16. Kahn, Codebreakers, p. 107.
17. Encyclopaedia Britannica Online Academic Edition, s.v. “cryptology.”
18. National Security Agency, “The Rare Books Collection: Giovanni Battista Porta,” www.nsa.gov/about/cryptologic heritage/center crypt history/publications/rare books.shtml#giovanni
19. D. Salomon, Coding for Data and Computer Communications (New York: Springer, 2005), p. 218; http://tinyurl.com/2dsmc8
20. Encyclopaedia Britannica Online Academic Edition, s.v. “cryptology.”
21. W. Stallings, Network and Internetwork Security: Principles and Practice (Prentice-Hall, January 1995).
22. Kevin Romano, “The Stager Ciphers and the US Military’s First Cryptographic System,” www.gordon.army.mil/AC/Wntr02/stager.htm
23. Cypher Research Laboratories, “A Brief History of Cryptography,” www.cypher.com.au/crypto history.htm
24. National Archives, “Teaching with Documents: The Zimmermann Telegram,” www.archives.gov/education/lessons/zimmermann
25. National Archives, “Teaching with Documents.”
26. Jacob Mathai, “History of Cryptography and Secrecy Systems,” Fordham University, www.dsm.fordham.edu/~mathai/crypto.html#ENIGMA
27. Judson Knight, “Cryptology, History,” www.espionageinfo.com/Cou-De/Cryptology-History.html
28. Knight, “Cryptology, History.”
29. Oli Cooper, “Cryptography,” University of Bristol, www.cs.bris.ac.uk/cooper/Cryptography/crypto.html
30. Cooper, “Cryptography.”
31. Kahn, Codebreakers.
32. Kahn, Codebreakers.
33. Jacob Mathai, “History of Cryptography and Secrecy Systems,” Fordham University, www.dsm.fordham.edu/~mathai/crypto.html#OneTimePad
34. Stallings, Network and Internetwork Security.
35. SCI.CRYPT FAQ §5.2, www.faqs.org/faqs/cryptography-faq/part5
36. Kahn, Codebreakers, p. 979.
37. Ari Juels, “Encryption Basics,” in Handbook of Information Security, Vol. 2, ed. H. Bidgoli (Hoboken, NJ: John Wiley & Sons, 2006), p. 980.
38. Juels, “Encryption Basics,” p. 981.
39. Juels, “Encryption Basics,” p. 471.


40. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
41. Bruce Schneier, Applied Cryptography, 2nd ed. (New York: John Wiley & Sons, 1996), p. 461.
42. Kahn, Codebreakers, p. 982.
43. Juels, “Encryption Basics,” p. 474.
44. Juels, “Encryption Basics,” p. 474.
45. Juels, “Encryption Basics,” p. 474.
46. RSA Laboratories, “What Is Diffie-Hellman?” www.rsa.com/rsalabs/node.asp?id=2248
47. Charlie Kaufman, “IPsec: IKE (Internet Key Exchange),” in Handbook of Information Security, Vol. 1 (Hoboken, NJ: John Wiley & Sons, 2006), p. 974.
48. Juels, “Encryption Basics,” pp. 474–475.
49. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
50. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
51. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
52. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
53. SCI.CRYPT FAQ, www.faqs.org/faqs/cryptography-faq/part6/
54. For more on this evolution, see the excellent IETF document “Internet X.509 Public Key Infrastructure: PKIX Roadmap,” by A. Arsenault and S. Turner, www.ietf.org/proceedings/00jul/I-D/pkix-roadmap-05.txt
55. A. Arsenault and S. Turner, “Internet X.509 Public Key Infrastructure: PKIX Roadmap.”
56. Michael Baum, Secure Electronic Commerce (Prentice-Hall, 1997).
57. E. Gerck, “Why Is Certification Harder than It Looks?” 1999, http://mcwg.org/mcg-mirror/whycert.htm
58. National Security Agency, “The Case for Elliptic Curve Cryptography,” www.nsa.gov/business/programs/elliptic curve.shtml
59. National Security Agency, “The Case for Elliptic Curve Cryptography.”
60. Certicom, “An Elliptic Curve Cryptography (ECC) Primer,” www.certicom.com/pdfs/WP-ECCprimer login.pdf
61. National Security Agency, “The Case for Elliptic Curve Cryptography.”
62. Jacob West, “The Quantum Computer,” www.cs.rice.edu/~taha/teaching/05F/210/news/2005 09 16.htm
63. West, “Quantum Computer.”
64. Simon Bone and Matias Castro, “A Brief History of Quantum Computing,” Imperial College, London, www.doc.ic.ac.uk/~nd/surprise 97/journal/vol4/spb3
65. Quantum Information Partners LLP, “Short History of Quantum Information Processing,” www.qipartners.com/publications/Short History of QC.pdf (URL inactive)
66. West, “Quantum Computer.”
67. West, “Quantum Computer.”
68. Bone and Castro, “Brief History.”
69. Bone and Castro, “Brief History.”
70. Simon Bone, “The Hitchhiker’s Guide to Quantum Computing,” www.doc.ic.ac.uk/~nd/surprise 97/journal/vol1/spb3/


71. Bone, “Hitchhiker’s Guide.”
72. West, “Quantum Computer.”
73. American Heritage® Dictionary of the English Language, 4th ed., s.v. “quanta,” http://dictionary.reference.com/browse/quantum
74. Genomics and Proteomics, “Glossary: Quantum Mechanics,” www.genpromag.com/Glossary.aspx?LETTER=Q (URL inactive)
75. Stephen Jenkins, “Some Basic Ideas About Quantum Mechanics,” University of Exeter, newton.ex.ac.uk/research/qsystems/people/jenkins/mbody/mbody2.html
76. West, “Quantum Computer.”
77. Bone and Castro, “Brief History.”
78. Bonsor and Strickland, “How Quantum Computers Work,” computer.howstuffworks.com/quantum-computer3.htm
79. Bone and Castro, “Brief History.”
80. Duncan McKimm, “Quantum Entanglement,” www.abc.net.au/science/features/quantum
81. West, “Quantum Computer.”
82. Bone and Castro, “Brief History.”
83. Bone and Castro, “Brief History.”
84. Bone and Castro, “Brief History.”
85. Bone and Castro, “Brief History.”
86. Bonsor and Strickland, “How Quantum Computers Work.”
87. SearchSMB.com, “Entanglement,” http://searchcio-midmarket.techtarget.com/definition/entanglement
88. McKimm, “Quantum Entanglement.”
89. SearchSMB.com, “Entanglement.”
90. Bone and Castro, “Brief History.”
91. Bone and Castro, “Brief History.”
92. Bone and Castro, “Brief History.”
93. Bone, “Hitchhiker’s Guide.”
94. Lov Grover, “What’s a Quantum Phone Book?” www.bell-labs.com/user/feature/archives/lkgrover
95. Bone and Castro, “Brief History.”
96. Confidential Source #3, “Quantum Computing,” internal research branch Website, August 10, 2007.
97. Confidential Source #3, “Quantum Computing.”
98. West, “Quantum Computer.”
99. Bonsor and Strickland, “How Quantum Computers Work.”
100. R. Colin Johnson, “Quantum Computer ‘Orion’ Debuts,” EETimes, www.eetimes.com/electronics-news/4069654/Quantum-computer-Orion-debuts
101. Johnson, “Quantum Computer ‘Orion’ Debuts.”
102. Jordon Robertson, “Scientists Dubious of Quantum Computer Claims,” abcnews.go.com/Technology/wireStory?id=2875656
103. R. Colin Johnson, “Circuit-Sized Quantum Effect Observed,” EETimes, www.eetimes.com/electronics-news/4073585/Circuit-sized-quantum-effect-observed


104. Johnson, “Circuit-Sized Quantum Effect Observed.”
105. ScienceDaily, “Quantum Cryptography: On Wings of Light,” ScienceDaily Science News, April 13, 2013, www.sciencedaily.com/releases/2013/04/130403071950.htm (accessed May 16, 2013).
106. Johnson, “Circuit-Sized Quantum Effect Observed.”
107. Fabien Petitcolas, “La cryptographie militaire,” 2012, www.petitcolas.net/fabien/kerckhoffs/#english (accessed May 21, 2013).
108. Gary C. Kessler, “Steganography: Hiding Data Within Data,” 2002, www.garykessler.net/library/steganography.html (accessed May 21, 2013).
109. National Institute of Justice, “Digital Evidence Analysis: Steganography Detection,” November 5, 2010, www.nij.gov/topics/forensics/evidence/digital/analysis/steganography.htm (accessed May 21, 2013).
110. Wetstone Technologies, “StegoHunt,” 2013, www.wetstonetech.com/product/stegohunt/ (accessed May 21, 2013).


CHAPTER 8

USING A COMMON LANGUAGE FOR COMPUTER SECURITY INCIDENT INFORMATION

John D. Howard

8.1 INTRODUCTION 8 · 1

8.2 WHY A COMMON LANGUAGE IS NEEDED 8 · 2

8.3 DEVELOPMENT OF THE COMMON LANGUAGE 8 · 3

8.4 COMPUTER SECURITY INCIDENT INFORMATION TAXONOMY 8 · 4
8.4.1 Events 8 · 4
8.4.2 Attacks 8 · 11
8.4.3 Full Incident Information Taxonomy 8 · 15

8.5 ADDITIONAL INCIDENT INFORMATION TERMS 8 · 16
8.5.1 Success and Failure 8 · 17
8.5.2 Site and Site Name 8 · 17
8.5.3 Other Incident Terms 8 · 17

8.6 HOW TO USE THE COMMON LANGUAGE 8 · 18

8.7 NOTES 8 · 20

8.1 INTRODUCTION. A computer security incident is some set of events that involves an attack or series of attacks at one or more sites. (See Section 8.4.3 for a more formal definition of the term “incident.”) Dealing with these incidents is inevitable for individuals and organizations at all levels of computer security. A major part of dealing with these incidents is recording and receiving incident information, which almost always is in the form of relatively unstructured text files. Over time, these files can end up containing a large quantity of very valuable information. Unfortunately, the unstructured form of the information often makes incident information difficult to manage and use.

This chapter presents the results of several efforts over the last few years to develop and propose a method to handle these unstructured computer security incident records. Specifically, this chapter presents a tool designed to help individuals and organizations record, understand, and share computer security incident information. We call the tool the common language for computer security incident information. This common language contains two parts:

1. A set of “high-level” incident-related terms

2. A method of classifying incident information (a taxonomy)


The two parts of the common language, the terms and the taxonomy, are closely related. The taxonomy provides a structure that shows how most common-language terms are related. The common language is intended to help investigators improve their ability to:

• Talk more understandably with others about incidents
• Gather, organize, and record incident information
• Extract data from incident information
• Summarize, share, and compare incident information
• Use incident information to evaluate and decide on proper courses of action
• Use incident information to determine effects of actions over time

This chapter begins with a brief overview of why a common language is needed, followed by a summary of how the incident common language was developed. We then present the common language in two parts: (1) incident terms and taxonomy and (2) additional incident information terms. The final section contains information about some practical ways to use the common language.

8.2 WHY A COMMON LANGUAGE IS NEEDED. When the first edition of this Handbook was published more than 30 years ago, computer security was a small, obscure, academic specialty. Because there were only a few people working in the field, the handling of computer security information could largely take place in an ad hoc way. In this environment, individuals and groups developed their own terms to describe computer security information. They also developed, gathered, organized, evaluated, and exchanged their computer security information in largely unique and unstructured ways. This lack of generalization has meant that computer security information has typically not been easy to compare or combine, or sometimes even to talk about in an understandable way.

Progress over the years in agreeing on a relatively standard set of terms for computer security (a common language) has had mixed results. One problem is that many terms are not yet in widespread use. Another problem is that the terms that are in widespread use often do not have standard meanings. An example of the latter is the term “computer virus.” We hear the term frequently, not only in academic forums but also in the news media and popular publications. It turns out, however, that even in academic publications, “computer virus” has no accepted definition.1 Many authors define a computer virus to be “a code fragment that copies itself into a larger program.”2

They use the term “worm” to describe an independent program that performs a similar invasive function (e.g., the Internet Worm in 1988). But other authors use the term “computer virus” to describe both invasive code fragments and independent programs.

Progress in developing methods to gather, organize, evaluate, and exchange computer security information also has had limited success. For example, the original records (1988–1992) of the Computer Emergency Response Team (now the CERT Coordination Center or CERT/CC) are simply a file of email and other files sent to the CERT/CC. These messages and files were archived together in chronological order, without any other organization. After 1992, the CERT/CC and other organizations developed methods to organize and disseminate their information, but the information remains difficult to combine or compare because most of it remains almost completely textual information that is uniquely structured for the CERT/CC.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

DEVELOPMENT OF THE COMMON LANGUAGE 8 · 3

Such ad hoc terms and ad hoc ways to gather, organize, evaluate, and exchange computer security information are no longer adequate. Far too many people and organizations are involved, and there is far too much information to understand and share. Today computer security is an increasingly important, relevant, and sophisticated field of study. Numerous individuals and organizations now regularly gather and disseminate computer security information. Such information ranges all the way from the security characteristics and vulnerabilities of computers and networks, to the behavior of people and systems during security incidents—far too much information for each individual and organization to have its own unique language.

One of the key elements to making systematic progress in any field of inquiry is the development of a consistent set of terms and taxonomies (principles of classification) that are used in that field.3 This is a necessary and natural process that leads to a growing common language, which enables gathering, exchanging, and comparing information. In other words, the more a field of inquiry such as computer security grows, the more a common language is needed to understand and communicate with one another.

8.3 DEVELOPMENT OF THE COMMON LANGUAGE. Two of the more significant efforts in the process of developing this common language for computer security incident information were (1) a project to classify more than 4,300 Internet security incidents completed in 1997,4 and (2) a series of workshops in 1997 and 1998 called the Common Language Project. Workshop participants included people primarily from the Security and Networking Research Group at the Sandia National Laboratories, Livermore, California, and from the CERT/CC at the Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania. Additional participation and review came from people in the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST).

These efforts to develop the common language were not efforts to develop a comprehensive dictionary of terms. Instead, the participants were trying to develop both a minimum set of “high-level” terms to describe computer security attacks and incidents, and a structure and classification scheme for these terms (a taxonomy), which could be used to classify, understand, exchange, and compare computer security attack and incident information.

Participants in the workshops hoped this common language would gain wide acceptance because of its usefulness. There is already evidence that this acceptance is taking place, particularly at incident response teams and in the DoD.

In order to be complete, logical, and useful, the common language for computer security incident information was based initially and primarily on theory (i.e., it was a priori or nonempirically based).5 Classification of actual Internet security incident information was then used to refine and expand the language. More specifically, the common language development proceeded in six stages:

1. Records at the CERT/CC for incidents reported to them from 1988 through 1995 were examined to establish a preliminary list of terms used to describe computer security incidents.

2. The terms in this list, and their definitions, were put together into a structure (a preliminary taxonomy).

3. This preliminary taxonomy was used to classify the information in the 1988 through 1995 incident records.

4. The preliminary taxonomy and classification results were published in 1997.6


5. A series of workshops was conducted from 1997 through 1998 (the Common Language Project) to make improvements to the taxonomy and to add additional terms.

6. The results of the workshops (the “common language for security incidents”) were first published in 1998.

A taxonomy is a classification scheme (a structure) that partitions a body of knowledge and defines the relationship of the pieces.7 Most of the terms in this common language for security incident information are arranged in such a taxonomy, as presented in the next section. Classification is the process of using a taxonomy for separating and ordering. As discussed earlier, classification of information using a taxonomy is necessary for computer security incident information because of the rapidly expanding amount of information and the nature of that information (primarily text). Classification using the common-language taxonomy is discussed in the final section of this chapter.

Our experience has shown that satisfactory taxonomies have classification categories with these six characteristics8:

1. Mutually exclusive. Classifying in one category excludes all others because categories do not overlap.

2. Exhaustive. Taken together, the categories include all possibilities.

3. Unambiguous. The taxonomy is clear and precise, so that classification is not uncertain, regardless of who is doing the classifying.

4. Repeatable. Repeated applications result in the same classification, regardless of who is doing the classifying.

5. Accepted. It is logical and intuitive, so that categories can become generally approved.

6. Useful. The taxonomy can be used to gain insight into the field of inquiry.

These characteristics were used to develop and evaluate the common-language taxonomy. A taxonomy, however, is merely an approximation of reality, and as such, even the best taxonomy will fall short in some characteristics. This may be especially true when the characteristics of the data being classified are imprecise and uncertain, as is typical for computer security incident information. Nevertheless, classification is an important, useful, and necessary prerequisite for systematic study of incidents.

8.4 COMPUTER SECURITY INCIDENT INFORMATION TAXONOMY. We have been able to structure most of the terms in the common language for security incident information into a taxonomy. These terms and the taxonomy are presented in this section. Additional terms that describe the more general aspects of incidents are presented in Section 8.5.

8.4.1 Events. The operation of computers and networks involves innumerable events. In a general sense, an event is a discrete change of state or status of a system or device.9 From a computer security viewpoint, these changes of state result from actions that are directed against specific targets. An example is a user taking action to log in to the user’s account on a computer system. In this case, the action taken by the user is to authenticate to the login program by claiming to have a specific identity and then presenting the required verification. The target of this action would be the user’s account. Other examples include numerous actions that can be targeted toward:

• Data (e.g., actions to read, copy, modify, steal, or delete)
• A process (e.g., actions to probe, scan, authenticate, bypass, or flood a running computer process or execution thread)
• A component, computer, network, or internetwork (e.g., actions to scan or steal)

EXHIBIT 8.1 Computer and Network Events (a matrix of actions against targets; each cell, an action directed at a target, is an event)
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork

Exhibit 8.1 presents a matrix of actions and targets that represent possible computer and network events (although not all of the possible combinations shown are feasible). A computer or network event is defined as:

Event—action directed at a target that is intended to result in a change of state, or status, of the target.10

Several aspects of this definition are important to emphasize. First, in order for there to be an event, there must be an action that is taken, and it must be directed against a target, but the action does not have to succeed in actually changing the state of the target. For example, if a user enters an incorrect user name and password combination when logging in to an account, an authentication event has taken place, but the event was not successful in verifying that the user has the proper credentials to access that account.

A second important aspect is that an event represents a practical linkage between an action and a specific target against which the action is directed. As such, it represents the way people generally conceptualize events on computers and networks, and not all of the individual steps that actually take place during an event. For example, when a user logs in to an account, we classify the action as authenticate and the target as account. The actual action that takes place is for the user to access a process (e.g., a “login” program) in order to authenticate. Trying to depict all of the individual steps is an unnecessary complication; the higher-level concepts presented here can describe correctly and accurately the event in a form well understood by people. In other words, it makes sense to abstract the language and its structure to the level at which people generally conceptualize the events.

By all means, supporting evidence should be presented so the evidence provides a complete idea of what happened. Stated another way, abstraction, conceptualization, and communication should be applied as close to the evidence as possible. For example, if a network switch is the target of an attack, then the target should normally be viewed as a computer or as a component (depending on the nature of the switch), and not the network, because assuming the network is the target may be an inaccurate interpretation of the evidence.

Another aspect of the definition of event is that it does not make a distinction between authorized and unauthorized actions. Most events that take place on computers or networks are both routine and authorized and, therefore, are not of concern to security professionals. Sometimes, however, an event is part of an attack or is a security concern for some other reason. This definition of event is meant to capture both authorized and unauthorized actions. For example, if a user authenticates properly, by giving the correct user identification and password combination while logging in to an account, that user is given access to that account. It may be the case, however, that this user is masquerading as the actual user, after having obtained the user identification and password from snooping on the network. Either way, this is still considered authentication.

Finally, an important aspect of events is that not all of the possible events (the action–target combinations depicted in Exhibit 8.1) are considered likely or even possible. For example, an action to authenticate is generally associated with an account or a process and not a different target, such as data or a component. Other examples include read and copy, which are generally targeted toward data; flooding, which is generally targeted at an account, process, or system; or stealing, which is generally targeted against data, a component, or a computer.

We define action and target as follows:

Action—step taken by a user or process in order to achieve a result,11 such as to probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, or delete.

Target—computer or network logical entity (account, process, or data) or a physical entity (component, computer, network or internetwork).
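The event model above is easy to misread as a free-form pairing of any action with any target, whereas the chapter states that some cells of Exhibit 8.1 are not feasible and that a failed action is still an event. The following Python is an added example, not code from the Handbook or the Common Language Project: it encodes the action and target categories, the action/target associations the chapter singles out (authenticate with account or process; read and copy with data; flood with account, process, or computer; steal with data, component, or computer), and a small parser for handler-written records such as "authenticate account failed". Leaving every other action unrestricted is an assumption, as are the record format and the constructed sample records.

```python
"""
Event model for the common-language taxonomy: an Event is one action directed at
one target (Exhibit 8.1).  Added example, not from the Handbook; the plausibility
table encodes only the action/target associations the chapter states.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PROBE = "probe"
    SCAN = "scan"
    FLOOD = "flood"
    AUTHENTICATE = "authenticate"
    BYPASS = "bypass"
    SPOOF = "spoof"
    READ = "read"
    COPY = "copy"
    STEAL = "steal"
    MODIFY = "modify"
    DELETE = "delete"


class Target(Enum):
    ACCOUNT = "account"
    PROCESS = "process"
    DATA = "data"
    COMPONENT = "component"
    COMPUTER = "computer"
    NETWORK = "network"
    INTERNETWORK = "internetwork"


@dataclass(frozen=True)
class Event:
    action: Action
    target: Target
    succeeded: bool = True   # a login with a wrong password is still an authenticate event


# Targets the chapter says an action is "generally associated" with.  Actions not
# listed here are left unrestricted (an assumption: the text does not restrict them).
EXPECTED_TARGETS = {
    Action.AUTHENTICATE: {Target.ACCOUNT, Target.PROCESS},
    Action.READ: {Target.DATA},
    Action.COPY: {Target.DATA},
    Action.FLOOD: {Target.ACCOUNT, Target.PROCESS, Target.COMPUTER},
    Action.STEAL: {Target.DATA, Target.COMPONENT, Target.COMPUTER},
}


def is_plausible(event: Event) -> bool:
    """True if this action/target cell of Exhibit 8.1 is one the chapter treats as feasible."""
    expected = EXPECTED_TARGETS.get(event.action)
    return expected is None or event.target in expected


def plausible_cells() -> dict:
    """The Exhibit 8.1 grid reduced to its plausible cells: {Action: [Target, ...]}."""
    return {a: [t for t in Target if is_plausible(Event(a, t))] for a in Action}


def parse_event(text: str) -> Event:
    """Parse a record such as 'authenticate account failed' into an Event.

    An unknown action or target word raises ValueError: a mutually exclusive,
    exhaustive taxonomy has no category for input it cannot place.
    """
    words = text.lower().split()
    if len(words) not in (2, 3):
        raise ValueError(f"expected 'action target [failed]', got {text!r}")
    action, target = Action(words[0]), Target(words[1])
    succeeded = not (len(words) == 3 and words[2] == "failed")
    return Event(action, target, succeeded)


# Constructed sample records, in the assumed handler format.
SAMPLE_RECORDS = [
    "authenticate account failed",   # wrong password: the event still took place
    "authenticate account",
    "read data",
    "scan network",
    "authenticate data",             # a cell the chapter does not consider plausible
]


def triage(records) -> list:
    """Classify each record and flag cells the taxonomy does not expect."""
    rows = []
    for rec in records:
        ev = parse_event(rec)
        rows.append((ev.action.value, ev.target.value, ev.succeeded, is_plausible(ev)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
    total = len(Action) * len(Target)
    print(sum(len(v) for v in plausible_cells().values()), "plausible cells of", total)
```

A record that parses but lands in an implausible cell (the last sample) is worth a second look by whoever wrote it, since it usually means the target was named at the wrong level of abstraction, the point the chapter makes about a switch being a computer or component rather than "the network".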

8.4.1.1 Actions. The actions depicted in Exhibit 8.1 represent a spectrum of activities that can take place on computers and networks. An action is a step taken by a user or a process in order to achieve a result. Actions are initiated by accessing a target, where access is defined as:

Access—establish logical or physical communication or contact.12

Two actions are used to gather information about targets: probe and scan. A probe is an action to determine one or more characteristics of a specific target. This is unlike a scan, which is an action where a user or process accesses a set of targets systematically, in order to determine which targets have one or more characteristics.

“Probe” and “scan” are terms commonly used by incident response teams. As a result, they have common, accepted definitions. Despite this, there is a logical ambiguity: A scan could be viewed as multiple probes. In other words, if an attacker is testing for one or more characteristics on multiple hosts, this can be (a) multiple attacks (all probes), or (b) one attack (a scan). This point was discussed extensively in the Common Language Project workshops, and the conclusion was that the terms in the common language should match, as much as possible, their common usage. This common usage is illustrated in Exhibit 8.2.

EXHIBIT 8.2 Probe Compared to Scan (testing for one or more characteristics)
Test a single host: probe
Nonsystematically test multiple hosts: multiple probes
Systematically test a set of hosts: scan

With probes and scans, it is usually obvious what is taking place. The attacker is either “hammering away” at one host (a probe), randomly testing many hosts (multiple probes), or using some “automatic” software to look for the same characteristic(s) systematically across a group of hosts (a scan). As a practical matter, incident response teams do not usually have a problem deciding what type of action they are dealing with.

One additional point about scan is that the term “systematic” is not meant to specify some specific pattern. The most sophisticated attackers try to disguise the systematic nature of a scan. A scan may, at first, appear to be multiple probes. For example, an attacker may randomize a scan with respect to hosts and with respect to the charac- teristic(s) being tested. If the attack can be determined to involve testing of one or more characteristics on a group of hosts with some common property (e.g., an Internet Protocol [IP] address range) or if tests on multiple hosts appear to be otherwise related (e.g., having a common origin in location and time), then the multiple probes should be classified as a scan.
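The rule in the two preceding paragraphs (one host: probe; several hosts sharing a property such as an IP address range, or tests sharing an origin in location and time: scan; otherwise multiple probes) can be applied mechanically to test records, which is how an incident handler would check that a randomized scan is not misclassified. The Python below is an added example, not code from the Handbook or from any incident response team's tooling. The record layout, the 30-minute window that stands in for "common origin in time", and the /24 prefix that stands in for "common property" are assumptions; the records themselves are constructed.

```python
"""
Probe / scan / multiple-probes classifier over constructed test records.
Added example, not from the Handbook.  Tests against one host are a probe; tests
against several hosts are a scan when the hosts share a property (here an IPv4
prefix) or the tests share an origin in time; otherwise they are multiple probes.
The time window and prefix length are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed records: (source address, ISO timestamp, target host, characteristic tested).
RECORDS = [
    # one source hammering one host: probe
    ("203.0.113.4", "2024-01-05T10:00:00", "192.0.2.10", "tcp/22"),
    ("203.0.113.4", "2024-01-05T10:00:05", "192.0.2.10", "tcp/80"),
    ("203.0.113.4", "2024-01-05T10:00:09", "192.0.2.10", "tcp/443"),
    # randomised host order inside one /24, same characteristic: still a scan
    ("203.0.113.9", "2024-01-05T11:02:00", "192.0.2.77", "tcp/445"),
    ("203.0.113.9", "2024-01-05T11:02:03", "192.0.2.3", "tcp/445"),
    ("203.0.113.9", "2024-01-05T11:02:07", "192.0.2.150", "tcp/445"),
    ("203.0.113.9", "2024-01-05T11:02:11", "192.0.2.41", "tcp/445"),
    # unrelated ranges, days apart: multiple probes
    ("203.0.113.21", "2024-01-02T08:00:00", "192.0.2.5", "tcp/21"),
    ("203.0.113.21", "2024-01-04T19:30:00", "198.51.100.200", "tcp/21"),
    ("203.0.113.21", "2024-01-07T02:15:00", "10.1.1.9", "tcp/21"),
    # unrelated ranges but a common origin in time: scan
    ("203.0.113.33", "2024-01-05T12:00:00", "192.0.2.88", "udp/161"),
    ("203.0.113.33", "2024-01-05T12:00:30", "198.51.100.12", "udp/161"),
    ("203.0.113.33", "2024-01-05T12:01:00", "10.1.1.42", "udp/161"),
]


def classify_tests(records, window=timedelta(minutes=30), prefix_len=24):
    """Return {source: label} with label in {"probe", "scan", "multiple probes"}.

    Records are grouped by source, so "common origin in location" is given;
    the remaining questions are how many hosts were tested, whether they share
    a prefix, and whether the tests fall inside one time window.
    """
    by_source = defaultdict(list)
    for src, ts, host, characteristic in records:
        by_source[src].append((datetime.fromisoformat(ts), host, characteristic))

    labels = {}
    for src, tests in by_source.items():
        hosts = {host for _, host, _ in tests}
        if len(hosts) == 1:
            labels[src] = "probe"
            continue
        times = sorted(t for t, _, _ in tests)
        common_time = times[-1] - times[0] <= window
        # strict=False turns a host address into the network it belongs to
        networks = {ip_network(f"{h}/{prefix_len}", strict=False) for h in hosts}
        common_range = len(networks) == 1
        labels[src] = "scan" if (common_range or common_time) else "multiple probes"
    return labels


if __name__ == "__main__":
    for src, label in classify_tests(RECORDS).items():
        print(f"{src:15} {label}")
```

Because the classifier looks at the set of hosts rather than the order in which they were tested, the shuffled host order of the second source does not hide the scan, which is the point the chapter makes about "systematic" not meaning a particular pattern.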

Unlike probe or scan, an action taken to flood a target is not used to gather information about the target. Instead, the desired result of a flood is to overwhelm or overload the target’s capacity by accessing the target repeatedly. An example is repeated requests to open connections to a port over a network or repeated requests to initiate processes on a computer. Another example is a high volume of email messages, which may exceed the resources available for the targeted account.

Authenticate is an action taken by a user to assume an identity. Authentication starts with a user accessing an authentication process, such as a login program. The user must claim to have a certain identity, such as by entering a user name. Usually verification is also required as a second authentication step. For verification, the user must prove knowledge of some secret (e.g., a password), prove the possession of some token (e.g., a secure identification card), and/or prove to have a certain characteristic (e.g., a retinal scan pattern). Authentication can be used not only to log in to an account but also to access other objects, such as to operate a process or to access a file. In other words, the target of an authentication action is the entity (e.g., account, process, or data) that the user is trying to access, not the authentication process itself.

Two general methods might be used to defeat an authentication process. First, a user could obtain a valid identification and verification pair that could be used to authenticate, even though it does not belong to that user. For example, during an incident, an attacker might use a process operating on an Internet host computer that captures user name, password, and IP address combinations that are sent in clear text across the Internet. The attacker could then use this captured information to authenticate (log in) to accounts that belong to other users. It is important to note, as mentioned earlier, that this action is still considered authenticate, because the attacker presents valid identification and verification pairs, even though they have been stolen.

The second method that might be used to defeat an authentication process is to exploit a vulnerability in order to bypass the authentication process and access the target. Bypass is an action taken to avoid a process by using an alternative method to access a target. For example, some operating systems have vulnerabilities that an attacker could exploit to gain privileges without actually logging in to a privileged account.

As was discussed with respect to authenticate, an action to bypass does not necessarily indicate that the action is unauthorized. For example, some programmers find it useful to have a shortcut (“back-door”) method to enter an account or run a process, particularly during development. In such a situation, an action to bypass may be considered authorized.

Authenticate and bypass are actions associated with users identifying themselves. In network communications, processes also identify themselves to each other. For example, each packet of information traveling on a network contains addresses identifying both the source and the destination, as well as other information. “Correct” information in these communications is assumed, since it is automatically generated. Thus, no action is included on the list to describe this normal situation. Incorrect information could, however, be entered into these communications. Supplying such false information is commonly called an action to spoof. Examples include IP spoofing, mail spoofing, and Domain Name System (DNS) spoofing.

Spoofing is an active security attack in which one machine on the network masquerades as a different machine. . . . [It] disrupts the normal flow of data and may involve injecting data into the communications link between other machines. This masquerade aims to fool other machines on the network into accepting the imposter as an original, either to lure the other machines into sending it data or to allow it to alter data.13

Some actions are closely associated with data found on computers or networks, particularly with files: read, copy, modify, steal, and delete. There has been some confusion over these terms because their common usage in describing the physical world sometimes differs from their common usage describing the electronic world. For example, if I say that an attacker stole a computer, then you can assume I mean the attacker took possession of the target (computer) and did not leave an identical computer in that location. If I say, however, that the attacker stole a computer file, what does that actually mean? It is often taken to mean that the attacker duplicated the file and now has a copy, but also it means that the original file is still in its original location. In other words, “steal” sometimes means something different in the physical world than it does in the electronic world.

It is confusing for there to be differences in the meaning of actions in the physical world and the electronic world. Workshop participants attempted to reconcile these differences by carefully defining each term (read, copy, modify, steal, or delete) so it would have a very specific and mutually exclusive meaning that matches the physical-world meaning as much as possible.

Read is defined as an action to obtain the content of the data contained within a file or other data medium. This action is distinguished conceptually from the actual physical steps that may be required to read. For example, in the process of reading a computer file, the file may be copied from a storage location into the computer’s main memory and then displayed on a monitor to be read by a user. These physical steps (copy the file into memory and then onto the monitor) are not part of the abstract concept of read. In other words, to read a target (obtain the content in it), copying of the file is not necessarily required, and it is conceptually not included in our definition of read.

The same separation of concepts is included in the definition of the term “copy.” In this case, we are referring to acquiring a copy of a target without deleting the original. The term “copy” does not imply that the content in the target is obtained, just that a copy has been made and obtained. To get the content, the file must be read. An example is copying a file from a hard disk to a floppy disk. This copying is done by duplicating the original file while leaving the original file intact. A user would have to open the file and look at the content in order to read it.

Copy and read are both different concepts from steal, which is an action that results in the attacker taking possession of the target and the target also becoming unavailable to the original owner or user. This definition agrees with our concepts about physical property, specifically that there is only one object that cannot be copied. For example, if someone steals a car, then that person has deprived the owner of his or her possession. When dealing with property that is in electronic form, such as a computer file, often the term “steal” is used, when copy is what actually is meant. The term “steal” specifically means that the original owner or user has been denied access or use of the target. On the other hand, stealing also could mean physically taking a floppy disk that has the file located on it or stealing an entire computer.

Two other actions involve changing the target in some way. The first are actions to modify a target. Examples include changing the content of a file, changing the password of an account, sending commands to change the characteristics of an operating process, or adding components to an existing system. If the target is eliminated entirely, the term “delete” is used to describe the action.

As stated earlier, differences in usage of terms between the physical world and the electronic world are undesirable. As such, we tried to be specific and consistent in our usage. The resulting set of terms is exhaustive and mutually exclusive, but goes against the grain in some common usage for the electronic world, particularly with respect to the term “steal.” The situation seems unavoidable. Here are some examples that might clarify the terms:

� A user clicks on a link with the browser and sees the content of a Web page on the computer screen. We would classify this as a read. While what actually happens is that the content of the page is stored in volatile memory, copied to the cache on the hard drive, and displayed on the screen, from a logical (i.e., user) point of view, the Web page has not been copied (nor stolen). Now, if a user copies the content of the Web page to a file or prints it out, then the user has copied the Web page. Again, this would be a logical classification of the action, from the user’s point of view.

� A user duplicates a file that is encrypted. We would classify this as copy, not read. In this case, the file was reproduced, but the content not obtained, so it was not read.

• A user deletes several entries in a password or group file. Should this action be described as several delete actions or as one action to modify? We would describe this action as modify, and the target is data. There is no ambiguity here because of the definition of “data.” Data are defined to be either a stationary file or a file in transit (see the next section). If a user deletes a line out of the password file, then the file has been modified. The action would be described as delete only if the whole file was deleted. If we had defined data to include part of a file, then we would indeed have an ambiguity.

• A user copies a file and deletes the original. We would classify this as steal. Although the steps actually include a copy followed by a delete, that is the electronic way of stealing a file, and therefore it is more descriptive to describe the action as steal.

In reality, the term “steal” is rarely used (correctly) because attackers who copy files usually do not delete the originals. The term “steal” often is used incorrectly, as in “stealing the source code,” when in fact the correct term is copy.

The list of actions was hashed over in numerous group discussions, off and on, for several years before being put into the common language. Most people who participated in these discussions were not entirely happy with the list, but it is the best we have seen so far. Specifically, the list seems to capture all of the common terms with their common usage (probe, scan, flood, spoof, copy, modify, and delete) and the other terms are logical (to the people who participated in the discussion groups) and are necessary to make the action category exhaustive (authenticate, bypass, read, and steal).
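The worked examples above (a viewed web page is a read, a duplicated encrypted file is a copy, lines removed from a password file are a modify of the file as a unit, a copy followed by removal of the original is a steal) amount to a decision rule that can be applied to low-level file activity. The Python below is an added example, not code from the Handbook: it takes a sequence of operations as a hypothetical file-activity monitor might record them and maps the sequence to one common-language data action, discarding the physical steps (paging into memory, caching, rendering) that the chapter says are not part of the abstract action. The operation names, the monitor, and the sample sequences are assumptions constructed to mirror the chapter's examples.

```python
"""
Classifier from observed file-system operations to the common-language data actions
(read, copy, steal, modify, delete).  Added example, not from the Handbook; the
operation names and the monitor that would emit them are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileOp:
    op: str            # one of: open_read, write, duplicate, unlink, page_in, cache, display
    path: str          # file the operation touched
    detail: str = ""   # e.g. destination of a duplicate, or "partial"/"whole" for a write


# Physical steps that happen during a read (copy into memory, cache, render) but are
# not part of the abstract action, so the classifier ignores them.
PHYSICAL_STEPS = {"page_in", "cache", "display"}


def classify_data_action(ops) -> str:
    """Map one logically related sequence of operations to a single action.

    Precedence follows the chapter's examples: a duplicate whose original is then
    removed is a steal; a duplicate alone is a copy (the content need not have been
    obtained, e.g. an encrypted file); removing the whole file is a delete; any
    change short of that, including removing lines, is a modify of the file as a
    unit; otherwise obtaining the content is a read.
    """
    steps = [o for o in ops if o.op not in PHYSICAL_STEPS]
    duplicated = {o.path for o in steps if o.op == "duplicate"}
    unlinked = {o.path for o in steps if o.op == "unlink"}
    if duplicated & unlinked:
        return "steal"
    if duplicated:
        return "copy"
    if unlinked:
        return "delete"
    if any(o.op == "write" for o in steps):
        return "modify"
    if any(o.op == "open_read" for o in steps):
        return "read"
    raise ValueError("no common-language data action in this sequence")


# Constructed sequences mirroring the chapter's examples (paths are placeholders).
SAMPLES = {
    "view web page": [
        FileOp("open_read", "page.html"), FileOp("page_in", "page.html"),
        FileOp("cache", "page.html"), FileOp("display", "page.html"),
    ],
    "print page to file": [
        FileOp("open_read", "page.html"), FileOp("duplicate", "page.html", "page.pdf"),
    ],
    "duplicate encrypted file": [FileOp("duplicate", "secrets.gpg", "secrets-copy.gpg")],
    "remove lines from password file": [
        FileOp("open_read", "passwd"), FileOp("write", "passwd", "partial"),
    ],
    "remove whole file": [FileOp("unlink", "report.txt")],
    "copy then remove original": [
        FileOp("duplicate", "design.doc", "/tmp/design.doc"), FileOp("unlink", "design.doc"),
    ],
}


def classify_samples(samples=SAMPLES) -> dict:
    """Classify every constructed sequence: {name: action}."""
    return {name: classify_data_action(ops) for name, ops in samples.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:35} -> {action}")
```

The classifier reports "steal" only when the same path is both duplicated and removed, so an exfiltration that leaves the original in place is labelled copy, which is the distinction the chapter insists on when it says that "stealing the source code" is usually a copy.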

Here is a summary of our definitions of the actions shown in Exhibit 8.1.

Probe—access a target in order to determine one or more of its characteristics.

Scan—access a set of targets systematically in order to identify which targets have one or more specific characteristics.14

Flood—access a target repeatedly in order to overload the target’s capacity.

Authenticate—present an identity to a process and, if required, verify that identity, in order to access a target.15

Bypass—avoid a process by using an alternative method to access a target.16

Spoof—masquerade by assuming the appearance of a different entity in network communications.17

Read—obtain the content of data in a storage device or other data medium.18

Copy—reproduce a target leaving the original target unchanged.19

Steal—take possession of a target without leaving a copy in the original location.

Modify—change the content or characteristics of a target.20

Delete—remove a target or render it irretrievable.21

8.4.1.2 Targets. Actions are considered to be directed toward seven categories of targets. The first three of these are “logical” entities (account, process, and data), and the other four are “physical” entities (component, computer, network, and internetwork).

In a multiuser environment, an account is the domain of an individual user. This domain includes the files and processes the user is authorized to access and use. A special program that records the user’s account name, password, and use restrictions controls access to the user’s account. Some accounts have increased or special permissions that allow access to system accounts, other user accounts, or system files and processes, and often are called privileged, superuser, administrator, or root accounts.

Sometimes an action may be directed toward a process, which is a program executing on a computer or network. In addition to the program itself, the process includes the program’s data and stack; its program counter, stack pointer, and other registers; and all other information needed to execute the program.22 The action may then be to supply information to the process or command the process in some manner.


The target of an action may be data that are found on a computer or network. Data are representations of facts, concepts, or instructions in forms that are suitable for use by either users or processes. Data may be found in two forms: files or data in transit. Files are data that are designated by name and considered as a unit by the user or by a process. Commonly we think of files as being located on a storage medium, such as a storage disk, but files also may be located in the volatile or nonvolatile memory of a computer. Data in transit are data being transmitted across a network or otherwise emanating from some source. Examples of the latter include data transmitted between devices in a computer and data found in the electromagnetic fields that surround computer monitors, storage devices, processors, network transmission media, and the like.

Sometimes we conceptualize the target of an action as not being a logical entity (account, process, or data) but rather as a physical entity. The smallest of the physical entities is a component, which is one of the parts that make up a computer or network. A network is an interconnected or interrelated group of computers, along with the appropriate switching elements and interconnecting branches.23 When a computer is attached to a network, it is sometimes referred to as a host computer. If networks are connected to each other, then they are sometimes referred to as an internetwork.

Here is a summary of our definitions of the targets shown in Exhibit 8.1.

Account—domain of user access on a computer or network that is controlled according to a record of information which contains the user’s account name, password, and use restrictions.

Process—program in execution, consisting of the executable program, the program’s data and stack, its program counter, stack pointer and other registers, and all other information needed to execute the program.24

Data—representations of facts, concepts, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automatic means.25 Data can be in the form of files in a computer’s volatile memory or nonvolatile memory, or in a data storage device, or in the form of data in transit across a transmission medium.

Component—one of the parts that make up a computer or network.26

Computer—device that consists of one or more associated components, including processing units and peripheral units, that is controlled by internally stored programs and that can perform substantial computations, including numerous arithmetic operations or logic operations, without human intervention during execution. Note: may be stand-alone or may consist of several interconnected units.27

Network—interconnected or interrelated group of host computers, switching elements, and interconnecting branches.28

Internetwork—network of networks.

8.4.2 Attacks. Sometimes an event that occurs on a computer or network is part of a series of steps intended to result in something that is not authorized to happen. This event is then considered part of an attack. An attack has three elements.

1. It is made up of a series of steps taken by an attacker. Among these steps is an action directed at a target (an event, as described in the previous section) as well as the use of some tool to exploit a vulnerability.


2. An attack is intended to achieve an unauthorized result as viewed from the perspective of the owner or administrator of the system involved.

3. An attack is a series of intentional steps initiated by the attacker. This differentiates an attack from something that is inadvertent.

We define an attack in this way:

Attack—a series of steps taken by an attacker to achieve an unauthorized result.

Exhibit 8.3 presents a matrix of possible attacks, based on our experience. Attacks have five parts that depict the logical steps an attacker must take. An attacker uses a (1) tool to exploit a (2) vulnerability to perform an (3) action on a (4) target in order to achieve an (5) unauthorized result. To be successful, an attacker must find one or more paths that can be connected (attacks), perhaps simultaneously or repeatedly. The first two steps in an attack, tool and vulnerability, are used to cause an event (action directed at a target) on a computer or network. The logical end of a successful attack is an unauthorized result. If the logical end of the previous steps is an authorized result, then an attack has not taken place.

The concept of authorized versus unauthorized is key to understanding what differentiates an attack from the normal events that occur. It is also a system-dependent concept in that what may be authorized on one system may be unauthorized on another.

An attack is a path read left to right through five blocks; the action and target together form an event:

Tool -> Vulnerability -> Action -> Target -> Unauthorized Result

Tool: Physical attack; Information exchange; User command; Script or program; Autonomous agent; Toolkit; Distributed tool; Data tap

Vulnerability: Design; Implementation; Configuration

Action: Probe; Scan; Flood; Authenticate; Bypass; Spoof; Read; Copy; Steal; Modify; Delete

Target: Account; Process; Data; Component; Computer; Network; Internetwork

Unauthorized Result: Increased access; Disclosure of information; Corruption of information; Denial of service; Theft of resources

EXHIBIT 8.3 Computer and Network Attacks


For example, some services, such as anonymous File Transfer Protocol (FTP), may be enabled on some systems and not on others. Even actions that are normally viewed as hostile, such as attempts to bypass access controls to gain entry into a privileged account, may be authorized in special circumstances, such as during an approved test of system security or in the use of a “back door” during development. System owners or their administrators make the determination of what actions they consider authorized for their systems by establishing a security policy.29 Here are the definitions for authorized and unauthorized.

Authorized—approved by the owner or administrator.

Unauthorized—not approved by the owner or administrator.

The steps action and target in Exhibit 8.1 are the two parts of an event as discussed in Section 8.4.1. The following sections discuss the other steps: tool, vulnerability, and unauthorized result.

8.4.2.1 Tool. The first step in the sequence that leads attackers to their unauthorized results is the tool used in the attack. A tool is some means that can be used to exploit a vulnerability in a computer or network. Sometimes a tool is simple, such as a user command or a physical attack. Other tools can be very sophisticated and elaborate, such as a Trojan horse program, computer virus, or distributed tool. We define tool in this way.

Tool—means of exploiting a computer or network vulnerability.

The term “tool” is difficult to define more specifically because of the wide variety of methods available to exploit vulnerabilities in computers and networks. When authors make lists of methods of attack, often they are actually making lists of tools. Based on our experience, these categories of tools are currently an exhaustive list. (See Exhibit 8.3)

Physical attack—means of physically stealing or damaging a computer, network, its components, or its supporting systems (e.g., air conditioning, electric power, etc.).

Information exchange—means of obtaining information either from other attackers (e.g., through an electronic bulletin board) or from the people being attacked (commonly called social engineering).

User command—means of exploiting a vulnerability by entering commands to a process through direct user input at the process interface. An example is entering UNIX commands through a telnet connection or commands at a protocol’s port.

Script or program—means of exploiting a vulnerability by entering commands to a process through the execution of a file of commands (script) or a program at the process interface. Examples are a shell script to exploit a software bug, a Trojan horse log-in program, or a password-cracking program.

Autonomous agent—means of exploiting a vulnerability by using a program or program fragment that operates independently from the user. Examples are computer viruses or worms.


Toolkit—software package that contains scripts, programs, or autonomous agents that exploit vulnerabilities. An example is the widely available toolkit called rootkit.

Distributed tool—tool that can be distributed to multiple hosts, which then can be coordinated to anonymously perform an attack on the target host simultaneously after some time delay.

Data tap—means of monitoring the electromagnetic radiation emanating from a computer or network using an external device.

With the exception of the physical attack, information exchange, and data tap cate- gories, each of the tool categories may contain the other tool categories within itself. For example, toolkits contain scripts, programs, and sometimes autonomous agents. So when a toolkit is used, the script or program category is also included. User commands also must be used for the initiation of scripts, programs, autonomous agents, toolkits, and distributed tools. In other words, there is an order to some of the categories in the tools block, from the simple user command category to the more sophisticated distributed tools category. In describing or classifying an attack, generally a choice must be made among several alternatives within the tools block. We chose to classify according to the highest category of tool used, which makes the categories mutually exclusive in practice.
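The five-step path of Exhibit 8.3 and the "highest tool category" rule above are easy to get wrong when records are typed by hand, so a small validating model is worth having. The following is an added example, not code from the handbook or the CERT/CC common-language project: it encodes the category names from Exhibit 8.3 as controlled vocabularies, rejects an attack record that uses any other term, and applies the rule that an attack using several tools is recorded under the highest category in the containment chain. The decision that the chain outranks the three categories outside it (physical attack, information exchange, data tap) when both appear in one report is this example's assumption, as is the sample report at the bottom.

```python
"""Added example, not from the handbook or the CERT/CC common-language
project: a small model of the five attack steps of Exhibit 8.3 with the
chapter's category names, plus the rule from Section 8.4.2.1 that an attack
using several tools is recorded under the highest tool category used.
"""
from dataclasses import dataclass

# The containment chain from Section 8.4.2.1: a user command starts a script,
# a toolkit contains scripts or autonomous agents, and so on.  Ordered from
# the simplest to the most sophisticated category.
TOOL_CHAIN = [
    "user command",
    "script or program",
    "autonomous agent",
    "toolkit",
    "distributed tool",
]
# The three tool categories the chapter excludes from that chain.
TOOLS_OUTSIDE_CHAIN = ["physical attack", "information exchange", "data tap"]
VULNERABILITIES = ["design", "implementation", "configuration"]
ACTIONS = ["probe", "scan", "flood", "authenticate", "bypass", "spoof",
           "read", "copy", "steal", "modify", "delete"]
TARGETS = ["account", "process", "data", "component", "computer",
           "network", "internetwork"]
RESULTS = ["increased access", "disclosure of information",
           "corruption of information", "denial of service",
           "theft of resources"]


def highest_tool(tools):
    """Return the single tool category an attack is classified under.

    Every tool named in a report must be a category from Exhibit 8.3.  If any
    tool on the containment chain was used, the highest one wins, which makes
    the categories mutually exclusive in practice as the chapter says.  A
    report naming only a tool outside the chain (say, a data tap) keeps that
    category.  Letting the chain outrank the outside categories when both
    appear is this example's assumption, not a rule from the chapter.
    """
    used = {t.strip().lower() for t in tools}
    unknown = used - set(TOOL_CHAIN) - set(TOOLS_OUTSIDE_CHAIN)
    if unknown:
        raise ValueError(f"not a tool category: {sorted(unknown)}")
    on_chain = [t for t in TOOL_CHAIN if t in used]
    if on_chain:
        return on_chain[-1]
    if len(used) == 1:
        return next(iter(used))
    raise ValueError("several tools outside the containment chain; "
                     "record each as its own attack")


@dataclass(frozen=True)
class Attack:
    """One path tool -> vulnerability -> action -> target -> unauthorized result."""
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str

    def __post_init__(self):
        # Reject anything outside the controlled vocabulary so that records
        # from different teams stay comparable.
        for step, value, vocab in [
            ("tool", self.tool, TOOL_CHAIN + TOOLS_OUTSIDE_CHAIN),
            ("vulnerability", self.vulnerability, VULNERABILITIES),
            ("action", self.action, ACTIONS),
            ("target", self.target, TARGETS),
            ("unauthorized result", self.result, RESULTS),
        ]:
            if value not in vocab:
                raise ValueError(f"{step} {value!r} is not in the {step} vocabulary")

    @property
    def event(self):
        """The event of Section 8.4.1: the action directed at the target."""
        return (self.action, self.target)


def attack_from_report(tools, vulnerability, action, target, result):
    """Build an Attack from a report that lists every tool the attacker used."""
    return Attack(highest_tool(tools), vulnerability, action, target, result)


if __name__ == "__main__":
    # A constructed report: a script exploited an implementation bug to bypass
    # the login check on an account, then a rootkit (toolkit) was installed.
    attack = attack_from_report(
        tools=["user command", "script or program", "toolkit"],
        vulnerability="implementation",
        action="bypass",
        target="account",
        result="increased access",
    )
    print(attack.tool, attack.event, attack.result)
```

The sample report is classified under "toolkit" even though a user command and a script were also involved, which is exactly the mutual exclusivity the chapter obtains by choosing the highest category.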

8.4.2.2 Vulnerability. To reach the desired result, an attacker must take advantage of a computer or network vulnerability.

Vulnerability—weakness in a system allowing unauthorized action.30

A vulnerability in software is an error that arises in different stages of development or use.31 This definition can be used to give us three categories of vulnerabilities:

Design vulnerability—vulnerability inherent in the design or specification of hardware or software whereby even a perfect implementation will result in a vulnerability.

Implementation vulnerability—vulnerability resulting from an error made in the software or hardware implementation of a satisfactory design.

Configuration vulnerability—vulnerability resulting from an error in the configuration of a system, such as having system accounts with default passwords, having “world write” permission for new files, or having vulnerable services enabled.32

8.4.2.3 Unauthorized Result. As shown in Exhibit 8.3, the logical end of a successful attack is an unauthorized result. At this point, an attacker has used a tool to exploit a vulnerability in order to cause an event to take place.

Unauthorized result—unauthorized consequence of an event.

If successful, an attack will result in one of the following33:

Increased access—unauthorized increase in the domain of access on a computer or network.

Disclosure of information—dissemination of information to anyone who is not authorized to access that information.

Corruption of information—unauthorized alteration of data on a computer or network.


Denial of service—intentional degradation or blocking of computer or network resources.

Theft of resources—unauthorized use of computer or network resources.

8.4.3 Full Incident Information Taxonomy. Often attacks on computers and networks occur in a distinctive group that we would classify as being part of one incident. What makes these attacks a distinctive group is a combination of three factors, each of which we may only have partial information about.

1. There may be one attacker, or there may be several attackers who are related in some way.

2. The attacker(s) may use similar attacks, or they may be trying to achieve a distinct or similar objective.

3. The sites involved in the attacks and the timing of the attacks may be the same or may be related.

Here is the definition of incident:

Incident—group of attacks that can be distinguished from other attacks because of the distinctiveness of the attackers, attacks, objectives, sites, and timing.

The three parts of an incident are shown in simplified form in Exhibit 8.4, which shows that an attacker, or group of attackers, achieves objectives by performing attacks. An incident may comprise one single attack or multiple attacks, as illustrated by the return loop in the figure.

Exhibit 8.5 shows the full incident information taxonomy. It shows the relationship of events to attacks and attacks to incidents, and suggests that preventing attackers from achieving objectives could be accomplished by ensuring that an attacker cannot make any complete connections through the seven steps depicted. For example, investigations could be conducted of suspected terrorist attackers, systems could be searched periodically for attacker tools, system vulnerabilities could be patched, access controls could be strengthened to prevent actions by an attacker to access a targeted account, files could be encrypted so as not to result in disclosure, and a public education program could be initiated to prevent terrorists from achieving an objective of political gain.

8.4.3.1 Attackers and Their Objectives. People attack computers. They do so through a variety of methods and for a variety of objectives. What distinguishes the categories of attackers is a combination of who they are and their objectives (what they want to accomplish).

Attacker—individual who attempts one or more attacks in order to achieve an objective.

Objective—purpose or end goal of an incident.

Attackers -> Attacks -> Objectives (with a return loop from Attacks back to Attackers, since an incident may comprise several attacks)

EXHIBIT 8.4 Simplified Computer and Network Incident


An incident is a path through seven blocks; blocks 2 through 6 form an attack, and blocks 4 and 5 form an event:

Attackers -> Tool -> Vulnerability -> Action -> Target -> Unauthorized Result -> Objectives

1. Attackers: Hackers; Spies; Terrorists; Corporate raiders; Professional criminals; Vandals; Voyeurs

2. Tool: Physical attack; Information exchange; User command; Script or program; Autonomous agent; Toolkit; Distributed tool; Data tap

3. Vulnerability: Design; Implementation; Configuration

4. Action: Probe; Scan; Flood; Authenticate; Bypass; Spoof; Read; Copy; Steal; Modify; Delete

5. Target: Account; Process; Data; Component; Computer; Network; Internetwork

6. Unauthorized Result: Increased access; Disclosure of information; Corruption of information; Denial of service; Theft of resources

7. Objectives: Challenge, status, thrill; Political gain; Financial gain; Damage

EXHIBIT 8.5 Computer and Network Incident Information Taxonomy

Based on their objectives, we have divided attackers into a number of categories:

Hackers—attackers who attack computers for challenge, status, or the thrill of obtaining access. (Note: We have elected to use the term “hacker” because it is common and widely understood. We realize that the term’s more positive connotation was once more widely accepted.)

Spies—attackers who attack computers for information to be used for political gain.

Terrorists—attackers who attack computers to cause fear, for political gain.

Corporate raiders—employees (attackers) who attack competitors’ computers for financial gain.

Professional criminals—attackers who attack computers for personal financial gain.

Vandals—attackers who attack computers to cause damage.

Voyeurs—attackers who attack computers for the thrill of obtaining sensitive information.

These seven categories of attackers and their four categories of objectives as shown in the leftmost and rightmost blocks of Exhibit 8.5 are fundamental to the difference between incidents and attacks. This difference is summed up in the phrase “attackers use attacks to achieve objectives.”

8.5 ADDITIONAL INCIDENT INFORMATION TERMS. The taxonomy of the last section presented all of the terms in the common language for computer security that describe how attackers achieve objectives during an incident. However, some other, more general terms are required to fully describe an incident. The next sections discuss these terms.


8.5.1 Success and Failure. Information on success or failure can be recorded at several levels in the overall taxonomy. In the broadest sense, overall success or failure is an indication of whether one or more attackers have achieved one or more objectives. A narrower focus would be to determine the success or failure of an individual attack by evaluating whether the attack leads to an unauthorized result. Information on success or failure, however, may simply not be known. For example, an attempt to log in to the root or superuser account on a system may be classified as a success, a failure, or unknown.

8.5.2 Site and Site Name. “Site” is the common term used to identify Internet organizations as well as physical locations. A “site” is also the organizational level of the site administrator or other authority with responsibility for the computers and networks at that location.

The term “site name” refers to a portion of the fully qualified domain name in the Internet’s Domain Name System (DNS). For sites in the United States, site names generally are at the second level of the DNS tree. Examples would be cmu.edu or widgets.com. In other countries, the site name is the third or lower level of the DNS tree, such as widgets.co.uk. Some site names occur even farther down the DNS tree. For example, a school in Colorado might have a site name of myschool.k12.co.us.

Here are the definitions of site and site name.

Site—organizational level with responsibility for security events; the organizational level of the site administrator or other authority with responsibility for the computers and networks at that location.

Site name—portion of the fully qualified domain name that corresponds to a site.

Some organizations, such as larger universities and companies, are large enough to be physically divided into more than one location, with separate administration. This separation cannot easily be determined. Therefore, often these different locations must be treated as one site.

8.5.3 Other Incident Terms. Several additional terms are necessary to fully describe actual Internet incidents. The first of these terms concern dates.

Reporting date—first date that the incident was reported to a response team or other agency or individuals collecting data.

Starting date—date of the first known incident activity.

Ending date—date of the last known incident activity.

Several terms concern the sites involved.

Number of sites—overall number of sites known to have reported or otherwise to have been involved in an incident.

Reporting sites—site names of sites known to have reported an incident.

Other sites—site names of sites known to have been involved in an incident but that did not report the incident.

For most incident response teams, actual site names are considered sensitive information. In our research, in order to protect the identities of the sites associated with an incident, we sanitize the site information by coding the site names prior to public release. An example would be to replace a site name, such as the fictitious widgets.com, with numbers and the upper-level domain name, such as 123.com.
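Deriving the site name from a host name (Section 8.5.2) and coding it before release are mechanical enough to automate, and doing so keeps the coding consistent across every report of one incident. The following is an added example, not the CERT/CC's own tooling: site_name walks a fully qualified domain name from the right, past the registry-controlled suffix, and returns the site as the chapter defines it (second level for cmu.edu, third for widgets.co.uk, deeper for myschool.k12.co.us); SiteSanitizer then replaces host names in free text with a number plus the registered suffix. The suffix table is a constructed subset standing in for the Public Suffix List, keeping the whole registered suffix in the code (123.co.uk rather than 123.uk) is this example's choice, and replacing the whole host name rather than only the site portion is a conservative assumption, since a host label can also identify a site.

```python
"""Added example, not from the handbook: derive the site name of a host from
its fully qualified domain name as Section 8.5.2 describes, and code site
names before release as Section 8.5.3 describes (widgets.com -> 123.com).
"""
import re

# Constructed subset of suffixes under which a site name is registered: the
# site is the label immediately to the left of the longest matching suffix.
# A production tool would load the Public Suffix List; this table is an
# assumption for the example.
REGISTRY_SUFFIXES = {
    "com", "edu", "org", "net", "gov", "mil",
    "uk", "co.uk", "ac.uk", "org.uk",
    "us", "co.us", "k12.co.us",
    "jp", "co.jp", "ac.jp",
}


def site_name(fqdn):
    """Return the site name for a host, or None if the suffix is unknown.

    mail.cmu.edu -> cmu.edu (second level, as for most US sites)
    www.widgets.co.uk -> widgets.co.uk (third level)
    www.myschool.k12.co.us -> myschool.k12.co.us (further down the tree)
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        # Scanning from the left finds the longest registered suffix first;
        # a candidate that is itself a registry suffix (co.uk) is not a site.
        if suffix in REGISTRY_SUFFIXES and candidate not in REGISTRY_SUFFIXES:
            return candidate
    return None


class SiteSanitizer:
    """Replace every host name in incident text with a coded site name.

    Codes are assigned in order of first appearance and reused for every host
    of the same site, so the sanitized record still shows which observations
    involve the same site without naming it.  The whole host name is
    replaced, not just the site portion, since a host label can identify a
    site too.  Tokens whose suffix is unknown (e.g., section numbers such as
    8.5.2) are left alone for a human to review.
    """
    HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)

    def __init__(self, first_code=100):
        self._codes = {}
        self._next = first_code

    def code(self, fqdn):
        """Coded name for one host: a number plus the registered suffix."""
        site = site_name(fqdn)
        if site is None:
            return fqdn
        if site not in self._codes:
            self._codes[site] = f"{self._next}.{site.split('.', 1)[1]}"
            self._next += 1
        return self._codes[site]

    def sanitize_text(self, text):
        """Replace each host name found in free-text observations."""
        return self.HOST_RE.sub(lambda m: self.code(m.group(0)), text)


if __name__ == "__main__":
    # Constructed observation lines, as an incident record might hold them.
    sanitizer = SiteSanitizer(first_code=123)
    for line in [
        "We found rootkit on host ftp.widgets.com.",
        "The flood originated from www.widgets.com and mail.cmu.edu.",
    ]:
        print(sanitizer.sanitize_text(line))
```

One SiteSanitizer instance should be used per released incident so that the numbering stays stable within the incident; a fresh instance per incident prevents codes from being correlated across releases.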

Response teams often use incident numbers to track incidents and to identify incident information.

Incident number—reference number used to track an incident or identify incident information.

The last term we found to be of use is corrective action, which indicates those actions taken in the aftermath of an incident. These actions could include changing passwords, reloading systems files, talking to the intruders, or even criminal prosecution. Information on corrective actions taken during or after an incident is difficult to obtain for incident response teams, since response team involvement generally is limited to the early stages of an incident. CERT/CC records indicate that the variety of corrective actions is extensive, and a taxonomy of corrective actions may be a desirable future expansion of the common language.

Corrective action—action taken during or after an incident to prevent further attacks, repair damage, or punish offenders.

8.6 HOW TO USE THE COMMON LANGUAGE. Two things are important to emphasize about using the common language for computer security incident information. First, the common language really is a high-level set of terms. As such, it will not settle all the disputes about everything discussed concerning computer security incidents. For example, the common language includes “autonomous agent” as a term (a category of tool). Autonomous agents include computer viruses, worms, and the like, regardless of how those specific terms might be defined. In other words, the common language does not try to settle disputes on what should or should not be considered a computer virus but rather deals at a higher level of abstraction (“autonomous agent”) where, it is hoped, there can be more agreement and standardization. Stated another way, participants in the Common Language Project workshops anticipated that individuals and organizations would continue to use their own terms, which may be more specific in both meaning and use. The common language has been designed to enable these lower-level terms to be classified within the common language structure.

The second point to emphasize is that the common language, even though it presents a taxonomy, does not classify an incident (or individual attacks) as any one thing. Classifying computer security attacks or incidents is difficult because attacks and incidents are a series of steps that an attacker must take. In other words, attacks and incidents are not just one thing but rather a series of things. That is why I say the common language provides a taxonomy for computer security incident information.

An example of the problem is found in the popular and simple taxonomies often used to attempt to classify incidents. They appear as a list of single, defined terms. The following terms from Icove, Seger, and VonStorch provide an example.34

Covert channels
Data diddling
Degradation of service
Denial of service
Dumpster diving
Eavesdropping on emanations
Excess privileges
Harassment
IP spoofing
Logic bombs
Masquerading
Password sniffing
Salamis
Scanning
Session hijacking
Software piracy
Timing attacks
Traffic analysis
Trap doors
Trojan horses
Tunneling
Unauthorized data copying
Viruses and worms
Wiretapping


Lists of terms are not satisfactory taxonomies for classifying actual attacks or incidents. They fail to have most of the six characteristics of a satisfactory taxonomy. First, the terms tend not to be mutually exclusive. For example, the terms “virus” and “logic bomb” are generally found on these lists, but a virus may contain a logic bomb, so the categories overlap. Actual attackers generally also use multiple methods so their attacks would have to be classified into multiple categories. This makes classification ambiguous and difficult to repeat.

A more fundamental problem is that, assuming that an exhaustive and mutually exclusive list could be developed, the taxonomy would be unmanageably long and difficult to apply. It also would not indicate any relationship between different types of attacks. Finally, none of these lists has become widely accepted, partly because it is difficult to agree on the definition of terms. In fact, many different definitions of terms are in common use.

The fundamental problems with these lists (and their variations) are that most incidents involve multiple attacks, and attacks involve multiple steps. As a result, information about the typical incident must be classified in multiple categories. For example, one of the attacks in an incident might be a flood of a host resulting in a denial of service. But this same incident might involve the exploitation of a vulnerability to compromise the host computer that was the specific origin of the flood. Should this be classified as a flood? As a root compromise? As a denial-of-service attack? In reality, the incident should be classified in all of these categories. In other words, this incident has multiple classifications.

In summary, in developing the common language, we have found that, with respect to attacks and incidents, we can really only hope to (1) present a common set of high-level terms that are in general use and have common definitions and (2) present a logical structure to the terms that can be used to classify information about an incident or attack with respect to specific categories.

Some examples may make this clear. As discussed earlier, most of the information about actual attacks and incidents is in the form of textual records. In a typical incident record at the CERT/CC, three observations might be reported:

1. We found rootkit on host xxx.xxx.

2. A flood of email was sent to account [email protected], which crashed the mail server.

3. We traced the attack back to a teenager in Xyz city, who said he was not trying to cause any damage, just trying to see if he could break in.

For observation 1, we would classify rootkit in the “toolkit” category under “Tool” and the hostname in the “computer” category under “Target.” For observation 2, the “email flood” is a specific instantiation in the “flood” category under “Action” as well as in the “denial-of-service” category under “Unauthorized Result.” There is ambiguity as to the target for observation 2: Is it the account or the computer? As a practical matter, the observations would be classified as both, since information is available on both. For observation 3, it could be inferred that this is a “hacker” seeking “challenge, status, or thrill.”

What does this taxonomic process provide that is of practical value? First, the taxonomy helps us communicate to others what we have found. When we say that rootkit is a type of toolkit, then our common set of terms (“common language”) provides us the general understanding of what we mean. When it is said that 22 percent of incidents reported to CERT/CC from 1988 through 1995 involved various problems with passwords (a correct statistic35), then the taxonomy has proven useful in communicating valuable information.

The application of the taxonomy, in fact, is a four-step process that can be used to determine the biggest security problems. Specifically, the process is to:

1. Take observations from fragmentary information in incident reports.

2. Classify those observations.

3. Perform statistical studies of these data.

4. Use this information to determine the best course(s) of action.

Over time, the same process can be used to determine the effects of these actions. Two more points are important to emphasize about this taxonomy. First, an attack is a process that, with enough information, is always classified in multiple categories. For example: in a “Tool” category, in a “Vulnerability” category, in an “Action” category, in a “Target” category, and in an “Unauthorized Result” category. Second, an incident can involve multiple, perhaps thousands, of attacks. As such, the information gathered in an incident theoretically could be classified correctly into all of the taxonomy categories.
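The four-step process above, and the three-observation record in the preceding example, can be run end to end on a handful of records to show what "classified in multiple categories" looks like in practice. The following is an added example, not the CERT/CC's own classification tooling: observations from constructed incident records are matched against keyword rules that each map to one or more (step, category) pairs of the taxonomy (step 2), classifications are pooled per incident, and the share of incidents touching a category is computed (step 3) and ranked per step as the input to step 4. The rules, record identifiers and observation text are this example's constructions; the step and category names are the chapter's.

```python
"""Added example, not from the handbook: the four-step use of the taxonomy
from Section 8.6, run over constructed incident records.  Observations are
classified with simple keyword rules into the taxonomy steps (an attack lands
in several categories at once), classifications are pooled per incident, and
a share-of-incidents statistic is computed and ranked.
"""
import re

# Each rule: a pattern found in an observation, and the (step, category)
# pairs it supports.  A real team would build this table from its own report
# vocabulary; these patterns are constructed for the example.
RULES = [
    (r"\brootkit\b",
     [("tool", "toolkit"), ("target", "computer")]),
    (r"\bflood of e-?mail\b",
     [("action", "flood"), ("target", "account"), ("target", "computer"),
      ("unauthorized result", "denial of service")]),
    (r"\bpassword[- ]crack",
     [("tool", "script or program"), ("target", "account")]),
    (r"\bdefault password",
     [("vulnerability", "configuration"), ("action", "authenticate"),
      ("target", "account"), ("unauthorized result", "increased access")]),
    (r"\bport ?scan",
     [("action", "scan"), ("target", "network")]),
    (r"\bsee if (?:he|she|they) could break in\b",
     [("attacker", "hacker"), ("objective", "challenge, status, thrill")]),
]

# Step 1: observations taken from (constructed) incident reports.
INCIDENTS = {
    "IR-1": [
        "We found rootkit on host xxx.xxx.",
        "A flood of email was sent to the postmaster account, which crashed "
        "the mail server.",
        "We traced the attack back to a teenager who said he was just trying "
        "to see if he could break in.",
    ],
    "IR-2": [
        "Port scan of our address block from a dial-up host.",
        "Intruder logged in to a system account that still had the default "
        "password.",
    ],
    "IR-3": ["A password-cracking program was found running on host xxx.xxx."],
    "IR-4": ["Port scan only; no further activity seen."],
}


def classify(observation):
    """Step 2: every (step, category) pair an observation supports."""
    found = set()
    for pattern, pairs in RULES:
        if re.search(pattern, observation, re.IGNORECASE):
            found.update(pairs)
    return found


def classify_incident(observations):
    """Pool the classifications of all observations in one incident."""
    pooled = set()
    for obs in observations:
        pooled |= classify(obs)
    return pooled


def share_of_incidents(incidents, step, category):
    """Step 3: percentage of incidents with at least one observation in
    the given category of the given step."""
    hits = sum(1 for obs in incidents.values()
               if (step, category) in classify_incident(obs))
    return 100.0 * hits / len(incidents)


def biggest_problems(incidents, step):
    """Input to step 4: categories of one step ranked by share of incidents
    (ties broken by name so the ranking is reproducible)."""
    cats = {c for obs in incidents.values()
            for s, c in classify_incident(obs) if s == step}
    ranked = sorted(cats,
                    key=lambda c: (-share_of_incidents(incidents, step, c), c))
    return [(c, share_of_incidents(incidents, step, c)) for c in ranked]


if __name__ == "__main__":
    for step in ("tool", "action", "target", "unauthorized result"):
        print(step, biggest_problems(INCIDENTS, step))
```

Note that IR-1 alone lands in the tool, action, target, unauthorized result, attacker and objective steps, which is the multiple classification the chapter describes rather than a defect of the rules; the per-step ranking is what answers the practical question of where the biggest problems are.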

Within these guidelines, the common language for computer security incidents has proven to be a useful and increasingly accepted tool to gather, exchange, and compare computer security information. The taxonomy itself has proven to be simple and straightforward to use.

8.7 NOTES

1. E. G. Amoroso, Fundamentals of Computer Security Technology (Upper Saddle River, NJ: Prentice-Hall PTR, 1994), p. 2.

2. Deborah Russell and G. T. Gangemi Sr., Computer Security Basics (Sebastopol, CA: O’Reilly & Associates, 1991), p. 79.

3. Bill McKelvey, Organization Systematics: Taxonomy, Evolution, Classification (Berkeley: University of California Press, 1982), p. 3.

4. John D. Howard, “An Analysis of Security Incidents on the Internet, 1989–1995” (PhD diss., Department of Engineering and Public Policy, Carnegie Mellon University, Pittsburgh, PA, April 1997). Also available online at www.cert.org/archive/pdf/JHThesis.pdf.

5. Ivan Victor Krsul, “Software Vulnerability Analysis” (PhD diss., Computer Sciences Department, Purdue University, Lafayette, IN, May 1998), p. 12.

6. Howard, “Analysis of Security Incidents on the Internet.”

7. John Radatz, ed., The IEEE Standard Dictionary of Electrical and Electronics Terms, 6th ed. (New York: Institute of Electrical and Electronics Engineers, 1996), p. 1087.

8. Amoroso, Fundamentals of Computer Security Technology, p. 34.

9. Radatz, IEEE Standard Dictionary, p. 373.

10. Radatz, IEEE Standard Dictionary, p. 373.

11. Radatz, IEEE Standard Dictionary, p. 11.

12. Radatz, IEEE Standard Dictionary, p. 5.

13. Derek Atkins et al., Internet Security Professional Reference (Indianapolis: New Riders Publishing, 1996), p. 258.

14. Radatz, IEEE Standard Dictionary, p. 947, and K. M. Jackson and J. Hruska, eds., Computer Security Reference Book (Boca Raton, FL: CRC Press, 1992), p. 916.

15. Merriam-Webster, Merriam-Webster’s Collegiate Dictionary, 10th ed. (Springfield, MA: Author, 1996), pp. 77, 575, 714, and Radatz, IEEE Standard Dictionary, p. 57.

16. Merriam-Webster’s Collegiate Dictionary, p. 157.

17. Radatz, IEEE Standard Dictionary, p. 630, and Atkins et al., Internet Security, p. 258.

18. Radatz, IEEE Standard Dictionary, p. 877.

19. Radatz, IEEE Standard Dictionary, p. 224.

20. Radatz, IEEE Standard Dictionary, p. 661.

21. Radatz, IEEE Standard Dictionary, p. 268.

22. Andrew S. Tanenbaum, Modern Operating Systems (Englewood Cliffs, NJ: Prentice-Hall, 1992), p. 12.

23. Radatz, IEEE Standard Dictionary, p. 683.

24. Tanenbaum, Modern Operating Systems, p. 12, and Radatz, IEEE Standard Dictionary, p. 822.

25. Radatz, IEEE Standard Dictionary, p. 250.

26. Radatz, IEEE Standard Dictionary, p. 189.

27. Radatz, IEEE Standard Dictionary, p. 192.

28. Radatz, IEEE Standard Dictionary, p. 683.

29. Krsul, “Software Vulnerability Analysis,” pp. 5–6.

30. National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, DC: National Academy Press, 1991), p. 301; and Amoroso, Fundamentals of Computer Security Technology, p. 2.

31. Krsul, “Software Vulnerability Analysis,” pp. 10–11.

32. Atkins et al., Internet Security, p. 196.

33. Amoroso, Fundamentals of Computer Security Technology, pp. 3–4, 31; Russell and Gangemi, Computer Security Basics, pp. 9–10; and Frederick B. Cohen, Protection and Security on the Information Superhighway (New York: John Wiley & Sons, 1995), pp. 55–56.

34. David Icove, Karl Seger, and William VonStorch, Computer Crime: A Crimefighter’s Handbook (Sebastopol, CA: O’Reilly & Associates, 1995), pp. 31–52; Cohen, Protection and Security on the Information Superhighway, pp. 40–54 (39 terms); and Frederick B. Cohen, “Information System Attacks: A Preliminary Classification Scheme,” Computers and Security 16, No. 1 (1997): 29–46 (96 terms).

35. Howard, “Analysis of Security Incidents on the Internet,” p. 100.



CHAPTER 9

MATHEMATICAL MODELS OF COMPUTER SECURITY

Matt Bishop

9.1 WHY MODELS ARE IMPORTANT 9·1

9.2 MODELS AND SECURITY 9·3
    9.2.1 Access-Control Matrix Model 9·3
    9.2.2 Harrison, Ruzzo, and Ullman and Other Results 9·5
    9.2.3 Typed Access-Control Model 9·6

9.3 MODELS AND CONTROLS 9·6
    9.3.1 Mandatory and Discretionary Access-Control Models 9·6
    9.3.2 Originator-Controlled Access-Control Model and DRM 9·6
    9.3.3 Role-Based Access-Control Models and Groups 9·7
    9.3.4 Summary 9·9

9.4 CLASSIC MODELS 9·9
    9.4.1 Bell-LaPadula Model 9·9
    9.4.2 Biba's Strict Integrity Policy Model 9·12
    9.4.3 Clark-Wilson Model 9·14
    9.4.4 Chinese Wall Model 9·17
    9.4.5 Summary 9·18

9.5 OTHER MODELS 9·18

9.6 CONCLUSION 9·19

9.7 FURTHER READING 9·19

9.8 NOTES 9·21

9.1 WHY MODELS ARE IMPORTANT. When you drive a new car, you look for specific items that will help you control the car: the accelerator, the brake, the shift, and the steering wheel. These exist on all cars and perform the function of speeding the car up, slowing it down, and turning it left and right. This forms a model of the car. With these items properly working, you can make a convincing argument that the model correctly describes what a car must have in order to move and be steered properly.

A model in computer security serves the same purpose. It presents a general description of a computer system (or collection of systems). The model provides a definition of “protect” (e.g., “keep confidential” or “prevent unauthorized change to”) and conditions under which the protection is provided. With mathematical models, the conditions can be shown to provide the stated protection. This provides a high degree of assurance that the data and programs are protected, assuming the model is implemented correctly.

This last point is critical. To return to our car analogy, notice the phrase “with these items properly working.” This also means that the average driver must be able to work them correctly. In most, if not all, cars the model is implemented in the obvious way: The accelerator pedal is to the right of the brake pedal, and speeds the car up; the brake pedal slows it down; and turning the steering wheel moves the car to the left or right, depending on the direction that the wheel is turned. The average driver is familiar with this implementation and so can use it properly. Thus, the model and the implementation together show that this particular car can be driven.

Now, suppose that the items are implemented differently. All the items are there, but the steering wheel is locked so it cannot be turned. Even though the car has all the parts that the model requires, they do not work the way the model requires them to work. The implementation is incorrect, and the argument that the model provides does not apply to this car, because the model makes assumptions—like the steering wheel turning—that are incorrect for this car. Similarly, in all the models we present in this chapter, the reader should keep in mind the assumptions that the models make. When one applies these models to existing systems, or uses them to design new systems, one must ensure that the assumptions are met in order to gain the assurance that the model provides.

This chapter presents several mathematical models, each of which serves a different purpose. We can divide these models into several types.

The first set of models is used to determine under what conditions one can prove types of systems secure. The access-control matrix model presents a general description of a computer system that this type of model uses, and it will give some results about the decidability of security in general and for particular classes of systems.

The second type of model describes how the computer system applies controls. The mandatory access-control model and the discretionary access-control model form the basis for components of the models that follow. The originator-controlled access-control model ties control of data to the originator rather than the owner, and has obvious applications for digital rights management systems. The role-based access-control model uses job function, rather than identity, to provide controls and so can implement the principle of least privilege more effectively than many models.

The next few models describe confidentiality and integrity. The Bell-LaPadula model describes a class of systems designed to protect confidentiality and was one of the earliest, and most influential, models in computer security. The Biba model’s strict integrity policy is closely related to the Bell-LaPadula model and is in widespread use today; it is applied to programs to determine when their output can be trusted. The Clark-Wilson model is also an integrity model, but it differs fundamentally from Biba’s model because the Clark-Wilson model describes integrity in terms of processes and process management rather than in terms of attributes of the data.

The fourth type of model is the hybrid model. The Chinese Wall model examines conflicts of interest, and is an interesting mix of both confidentiality and integrity requirements. This type of model arises when many real-world problems are abstracted into mathematical representations, for example, when analyzing protections required for medical records and for the process of recordation of real estate.1

The main goal of this chapter is to provide the reader with an understanding of several of the main models in computer security, of what these models mean, and of when they are appropriate to use. An ancillary goal is to make the reader sensitive to how important assumptions in computer security are. Dorothy Denning said it clearly and succinctly in her speech when accepting the National Computer Systems Security Award in 1999:

The lesson I learned was that security models and formal methods do not establish security. They only establish security with respect to a model, which by its very nature is extremely simplistic compared to the system that is to be deployed, and is based on assumptions that represent current thinking. Even if a system is secure according to a model, the most common (and successful) attacks are the ones that violate the model’s assumptions. Over the years, I have seen system after system defeated by people who thought of something new.2

Given this, the obvious question is: Why are models important? Models provide a framework for analyzing systems and for understanding where to focus our security efforts: on either validating the assumptions or ensuring that the assumptions are met in the environment in which the system exists. The mechanisms that do this may be technical; they may be procedural. Their quality determines the security of the system. So the model provides a basis for asserting that, if the mechanisms work correctly, then the system is secure—and that is far better than simply implementing security mechanisms without understanding how they work together to meet security requirements.

9.2 MODELS AND SECURITY. Some terms recur throughout our discussion of models.

• A subject is an active entity, such as a process or a user.

• An object is a passive entity, such as a file.

• A right describes what a subject is allowed to do to an object; for example, the read right gives permission for a subject to read a file.

• The protection state of a system simply refers to the rights held by all subjects on the system.

The precise meaning of each right varies from actual system to system. For example, on Linux systems, if a process has write permission for a file, that process can alter the contents of the file. But if a process has write permission for a directory, that process can create, delete, or rename files in that directory. Similarly, having read rights over a process may mean the possessor can participate as a recipient of interprocess communications messages originating from that process. The point is that the meaning of the rights depends on the interpretation of the system involved. The assignment of meaning to the rights used in a mathematical model is called instantiating the model.

The first model we explore is the foundation for much work on the fundamental difficulty of analyzing systems to determine whether they are secure.

9.2.1 Access-Control Matrix Model. The access-control matrix model3 is perhaps the simplest model in computer security. It consists of a matrix, the rows of which correspond to subjects and the columns of which correspond to entities (subjects and objects). Each entry in the matrix contains the set of rights that the subject (row) has over the entity (column). For example, the access-control matrix in Exhibit 9.1 shows a system with two processes and two files. The first process has own rights over itself; read rights over the second process; read and execute rights over the first file; and read, write, and own rights over the second file. The second process can write to the first process; owns itself; can read, write, execute, and owns the first file; and can read the second file.

              Process 1   Process 2   File 1                       File 2
Process 1     own         read        read, execute                read, write, own
Process 2     write       own         read, write, execute, own    read

EXHIBIT 9.1 Example Access-Control Matrix with Two Processes and Two Files

The access-control matrix captures a protection state of a system. But systems evolve; their protection state does not remain constant. So the contents of the access-control matrix must change to reflect this evolution. Perhaps the simplest set of rules for changing the access-control matrix are these primitive operations4:

• Create subject s creates a new row and column, both labeled s

• Create object o creates a new column labeled o

• Enter r into A[s, o] adds the right r into the entry in row s and column o; it corresponds to giving the subject s the right r over the entity o

• Delete r from A[s, o] removes the right r from the entry in row s and column o; it corresponds to deleting the subject s’s right r over the entity o

• Destroy subject s removes the row and column labeled s

• Destroy object o removes the column labeled o

These operations can be combined into commands. The next command creates a file f and gives the process p read and own rights over that file:

command createread(p, f)
    create object f
    enter read into A[p, f]
    enter own into A[p, f]
end.

A mono-operational command consists of a single primitive operation. For example, the command

command grantwrite(p, f)
    enter write into A[p, f]
end.

which gives p write rights over f, is mono-operational. Commands may include conditions. For example, the next command gives the subject p execute rights over a file f if p has read rights over f:

command grantexec(p, f)
    if read in A[p, f] then
        enter execute into A[p, f]
end.

If p does not have read rights over f when this command is executed, it does nothing. This command has one condition and so is called monoconditional. Biconditional commands have two conditions joined by and:

command copyread(p, q, f)
    if read in A[p, f] and own in A[p, f] then
        enter read into A[q, f]
end.

This command gives a subject q read rights over the object f if the subject p owns f and has read rights over f.

Commands may have conditions only at the beginning, and if the condition is false, the command terminates. Commands may contain other commands as well as primitive operations.

If all commands in a system are mono-operational, the system is said to be mono-operational; if all the commands are monoconditional or biconditional, then the system is said to be monoconditional or biconditional, respectively. Finally, if the system has no commands that use the delete or destroy primitive operations, the system is said to be monotonic.

The access-control matrix provides a theoretical basis for two widely used security mechanisms: access-control lists and capability lists. In the realm of modeling, it provides a tool to analyze the difficulty of determining how secure a system is.

9.2.2 Harrison, Ruzzo, and Ullman and Other Results. The question of how to test whether systems are secure is critical to understanding computer security. Define secure in the simplest possible way: A system is secure with respect to a generic right r if that right cannot be added to an entity in the access-control matrix unless that square already contains it. In other words, a system is secure with respect to r if r cannot leak into a new entry in the access-control matrix. The question then becomes:

Safety Question. Is there an algorithm to determine whether a given system with initial state σ is secure with respect to a given right?

In the general case:

Theorem (Harrison, Ruzzo, and Ullman [HRU] Result).5 The safety question is undecidable.

The proof is to reduce the halting problem to the safety question.6 This means that, if the safety question were decidable, so would the halting problem be. But the undecidability of the halting problem is well known,7 so the safety problem must also be undecidable.8

These results mean that one cannot develop a general algorithm for determining whether systems are secure. One can do so in limited cases, however, and the models that follow are examples of such cases. The characteristics that classes of systems must meet in order for the safety question to be decidable are not yet known fully, but for specific classes of systems, the safety question can be shown to be decidable. For example:

Theorem.9 There is an algorithm that will determine whether mono-operational systems are secure with respect to a generic right r.

But these classes are sensitive to the commands allowed:

Theorem.10 The safety question for monotonic systems is undecidable.

Limiting the set of commands to biconditional commands does not help:

Theorem.11 The safety question for biconditional monotonic systems is undecidable.

But limiting them to monoconditional operations:

Theorem.12 There is an algorithm that will determine whether monoconditional monotonic systems are secure with respect to a generic right r.

In fact, adding the delete primitive operation does not affect this result (although the proof is different):

Theorem.13 There is an algorithm that will determine whether monotonic systems that do not use the destroy primitive operations are secure with respect to a generic right r.
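The matrix of Exhibit 9.1, the six primitive operations, the four commands of Section 9.2.1 and a brute-force answer to the safety question, as an added example that is not the handbook's own code. The class and function names are this example's own. The safety check is decidable here only because command arguments are drawn from entities already in the matrix, so no new rows or columns can appear and the set of protection states is finite; it is not the HRU construction for general systems.

```python
"""Access-control matrix with HRU-style primitive operations, commands,
and an exhaustive safety check for a finite system.
Added example, not the handbook's code; names are this example's own."""
from copy import deepcopy
from itertools import product


class AccessMatrix:
    """Rows are subjects; columns are entities (subjects and objects).
    A[(s, x)] is the set of rights subject s holds over entity x."""

    def __init__(self):
        self.subjects, self.entities, self.A = set(), set(), {}

    # --- the six primitive operations ---------------------------------
    def create_subject(self, s):          # new row and column labeled s
        self.subjects.add(s)
        self.entities.add(s)
        for x in self.entities:
            self.A.setdefault((s, x), set())
        for t in self.subjects:
            self.A.setdefault((t, s), set())

    def create_object(self, o):           # new column labeled o
        self.entities.add(o)
        for t in self.subjects:
            self.A.setdefault((t, o), set())

    def enter(self, r, s, x):             # KeyError if s is not a subject row
        self.A[(s, x)].add(r)

    def delete(self, r, s, x):
        self.A[(s, x)].discard(r)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.entities.discard(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}

    def destroy_object(self, o):
        self.entities.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def rights(self, s, x):
        return frozenset(self.A.get((s, x), ()))


# --- the commands of the text, as functions over a matrix ---------------
def create_read(m, p, f):                 # creates f, gives p read and own
    m.create_object(f)
    m.enter("read", p, f)
    m.enter("own", p, f)


def grant_write(m, p, f):                 # mono-operational
    m.enter("write", p, f)


def grant_exec(m, p, f):                  # monoconditional
    if "read" in m.rights(p, f):
        m.enter("execute", p, f)


def copy_read(m, p, q, f):                # biconditional
    if "read" in m.rights(p, f) and "own" in m.rights(p, f):
        m.enter("read", q, f)


def exhibit_9_1():
    """The protection state shown in Exhibit 9.1."""
    m = AccessMatrix()
    for s in ("Process 1", "Process 2"):
        m.create_subject(s)
    for o in ("File 1", "File 2"):
        m.create_object(o)
    cells = {
        ("Process 1", "Process 1"): {"own"},
        ("Process 1", "Process 2"): {"read"},
        ("Process 1", "File 1"): {"read", "execute"},
        ("Process 1", "File 2"): {"read", "write", "own"},
        ("Process 2", "Process 1"): {"write"},
        ("Process 2", "Process 2"): {"own"},
        ("Process 2", "File 1"): {"read", "write", "execute", "own"},
        ("Process 2", "File 2"): {"read"},
    }
    for (s, x), rs in cells.items():
        for r in rs:
            m.enter(r, s, x)
    return m


def is_safe(initial, commands, right):
    """Safety question by exhaustive search over reachable protection states.
    `commands` is a list of (name, function, arity). Arguments come only from
    entities already present, so the state space is finite and the search
    terminates. Returns (True, None) if `right` never enters a cell that
    lacked it initially, otherwise (False, trace_of_commands)."""
    def key(m):
        return frozenset((c, frozenset(rs)) for c, rs in m.A.items())
    seen = {key(initial): []}
    frontier = [initial]
    while frontier:
        m = frontier.pop()
        for name, fn, arity in commands:
            for args in product(sorted(m.entities), repeat=arity):
                n = deepcopy(m)
                try:
                    fn(n, *args)
                except KeyError:          # an object bound where a subject is needed
                    continue
                k = key(n)
                if k in seen:
                    continue
                seen[k] = seen[key(m)] + [(name, args)]
                for cell, rs in n.A.items():
                    if right in rs and right not in initial.A.get(cell, set()):
                        return False, seen[k]
                frontier.append(n)
    return True, None
```

Run on Exhibit 9.1, copyread alone cannot leak read (every cell whose owner also holds read already grants read to the other process), whereas grantexec leaks execute on the first reachable step, because Process 1 reads File 2 without yet executing it.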


9.2.3 Typed Access-Control Model. A variant of the access-control matrix model adds type to the entities. The typed access-control matrix model, called TAM,14 associates a type with each entity and modifies the rules for matrix manipulation accordingly. This notion allows entities to be grouped into finer categories than merely subject and object, and enables a slightly different analysis than the HRU result suggests.

In TAM, a rule set is acyclic if neither an entity E nor any of its descendants can create a new entity with the same type as E. Given that definition:

Theorem.15 There is an algorithm that will determine whether acyclic, monotonic typed matrix models are secure with respect to a generic right r.

Thus, a system being acyclic and monotonic is sufficient to make the safety question decidable. But we still do not know exactly what properties are necessary to make the safety question decidable.

We now turn to models that have direct application to systems and environments and that focus on more complex definitions of “secure” and the mechanisms needed to achieve them.

9.3 MODELS AND CONTROLS. Models of computer security focus on control: who can access files and resources, and what types of access are allowed. The next characterizations of these controls organize them by flexibility of use and by the roles of the entities controlling the access. These are essential to understanding how more sophisticated models work.

9.3.1 Mandatory and Discretionary Access-Control Models. Some access-control methods are rule based; that is, users have no control over them. Only the system or a special user called (for example) the system security officer (SSO) can change them. The government classification system works this way. Someone without a clearance is forbidden to read TOP SECRET material, even if the person who has the document wishes to allow it. This rule is called mandatory because it must be followed, without exception. Examples of other mandatory rules are the laws in general, which are to be followed as written, and one cannot absolve another of liability for breaking the laws; or the Multics ring-based access-control mechanism, in which accessing a data segment from below the lower bound of the segment’s access bracket is forbidden regardless of the access permissions. This type of access control is called a mandatory access control, or MAC. These rules base the access decision on attributes of the subject and object (and possibly other information).

Other access-control methods allow the owner of the entity to control access. For example, a person who keeps a diary decides who can read it. She need not show it to anyone, and if a friend asks to read it, she can say no. Here the owner allows access to the diary at her discretion. This type of control is called discretionary. Discretionary access control, or DAC, is the most common type of access-control mechanism on computers.

Controls can be (and often are) combined. When mandatory and discretionary controls are combined to enforce a single access-control policy, the mandatory controls are applied first. If they deny access, the system denies access and the discretionary controls need never be invoked. If the mandatory rules permit access, then the discretionary controls are consulted. If both allow the accesses, access is granted.

9.3.2 Originator-Controlled Access-Control Model and DRM. Other types of access controls contain elements of both mandatory and discretionary access controls. Originator-controlled access control,16 or ORCON,17 mechanisms allow the originator to determine who can access a resource or data.

Consider a large government research agency that produces a study of projected hoe-handle sales for the next year. The market for hoe handles is extremely volatile, and if the results of the study leak out prematurely, certain vendors will obtain a huge market advantage. But the study must be circulated to regulatory agencies so they can prepare appropriate regulations that will be in place when the study is released. Thus, the research agency must retain control of the study even as it circulates it among other groups.

More precisely, an originator-controlled access control satisfies two conditions. Suppose an object o is marked as ORCON for organization X. X decides to release o to subjects acting on behalf of another organization Y. Then

1. The subjects to whom the copies of o are given cannot release o to subjects acting on behalf of other organizations without X’s consent; and

2. Any copies of o must bear these restrictions.

Consider a control that implements these requirements. In theory, mandatory access controls could solve this problem. In practice, the required rules must anticipate all the organizations to which the data will be made available. This requirement, combined with the need to have a separate rule for each possible set of objects and organizations that are to have access to the object, makes a mandatory access control that satisfies the requirements infeasible. But if the control were discretionary, each entity that received a copy of the study could grant access to its copy without permission of the originator; so originator-controlled access control is neither discretionary nor mandatory.

However, a combination of discretionary and mandatory access controls can implement this control. The mandatory access-control mechanisms forbid the owner from changing access permissions on an object o and require that every copy of that object have the same access-control permissions as are on o. The discretionary access control says that the originator can change the access-control permissions on any copy of o.
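The two ORCON conditions and the mandatory-plus-discretionary construction just described, as an added example that is not the handbook's own code. The class names, and the organization names in the hoe-handle scenario, are this example's own; the shared policy object is the mechanism chosen here to make every copy bear the same restrictions as the original.

```python
"""Originator-controlled access control (ORCON) built from a mandatory rule
(copies carry the originator's restrictions and holders cannot change them)
and a discretionary rule (only the originator may change them).
Added example, not the handbook's code; names are this example's own."""


class OrconPolicy:
    """Access-control state shared by an object and every copy of it, so a
    copy necessarily bears the same restrictions (condition 2)."""

    def __init__(self, originator):
        self.originator = originator
        self.released_to = {originator}   # organizations allowed to hold o


class OrconObject:
    def __init__(self, name, policy, holder_org):
        self.name, self.policy, self.holder = name, policy, holder_org

    @classmethod
    def originate(cls, name, originator):
        return cls(name, OrconPolicy(originator), originator)

    def release(self, acting_org, to_org):
        """Discretionary part: the originator may extend the release list.
        Mandatory part (condition 1): a holder that is not the originator
        cannot, whichever copy it acts on."""
        if acting_org != self.policy.originator:
            raise PermissionError(f"{acting_org} is not the originator of {self.name}")
        self.policy.released_to.add(to_org)

    def copy_for(self, org):
        """Copies exist only for organizations on the release list and share
        the originator's policy object rather than getting their own."""
        if org not in self.policy.released_to:
            raise PermissionError(f"{org} has not been given access to {self.name}")
        return OrconObject(self.name, self.policy, org)

    def readable_by(self, org):
        return org in self.policy.released_to


def attempt(action, *args):
    """True if the control permitted the action, False if it refused it."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False


def hoe_handle_scenario():
    """Constructed scenario: research agency X circulates its study to a
    regulator Y; Y may read it but may not pass it on."""
    study = OrconObject.originate("hoe-handle study", "ResearchAgency")
    study.release("ResearchAgency", "Regulator")
    regulators_copy = study.copy_for("Regulator")
    return {
        "regulator_can_read": regulators_copy.readable_by("Regulator"),
        "regulator_release_to_vendor": attempt(regulators_copy.release, "Regulator", "Vendor"),
        "vendor_copy_from_regulator": attempt(regulators_copy.copy_for, "Vendor"),
        # The originator later releases to a second regulator; the existing
        # copy reflects the change because all copies share one policy.
        "originator_release": attempt(study.release, "ResearchAgency", "Regulator2"),
        "copy_sees_new_release": regulators_copy.readable_by("Regulator2"),
    }
```

The point of the shared policy is the one the text makes about why plain DAC fails: if each copy carried its own permission set, the regulator could change the permissions on its copy; here the only method that changes permissions checks the originator, and there is no per-copy state to edit.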

As an example of the use of this model in a more popular context, record companies want to control the use of their music. Conceptually, they wish to retain control over the music after it is sold in order to prevent owners from distributing unauthorized copies to their friends. Here the originator is the record company and the protected resource is the music.

In practice, originator-controlled access controls are difficult to implement technologically. The problem is that access-control mechanisms typically control access to entities, such as files, devices, and other objects. But originator-controlled access control requires that access controls be applied to information that is contained in the entities—a far more difficult problem for which there is not yet a generally accepted mechanism.

9.3.3 Role-Based Access-Control Models and Groups. In real life, job function often dictates access permissions. The bookkeeper of an office has free access to the company’s bank accounts, whereas the sales people do not. If Anne is hired as a salesperson, she cannot access the company’s funds. If she later becomes the bookkeeper, she can access those funds. So the access is conditioned not on the identity of the person but on the role that person plays.


This example illustrates role-based access control (RBAC).18 It assigns a set of roles, called the authorized roles of the subject s, to each subject s. At any time, s may assume at most one role, called the active role of s. Then

Axiom. The rule of role authorization says that the active role of s must be in the set of authorized roles of s.

This axiom restricts s to assuming those roles that it is authorized to assume. Without it, s could assume any role, and hence do anything.

Extending this idea, let the predicate canexec(s, c) be true when the subject s can execute the command c.

Axiom. The rule of role assignment says that if canexec(s, c) is true for any s and any c, then s must have an active role.

This simply says that in order to execute a command c, s must have an active role. Without such a role, it cannot execute any commands. We also want to restrict the commands that s can execute; the next axiom does this.

Axiom. The rule of transaction authorization says that if canexec(s, c) is true, then only those subjects with the same role as the active role of s may also execute transaction.

This means that every role has a set of commands that it can execute, and if c is not in the set of commands that the active role of s can execute, then s cannot execute it.

As an example of the power of this model, consider two common problems: containment of roles and separation of duty. Containment of roles means that a subordinate u is restricted to performing a limited set of commands that a superior s can also perform; the superior may also perform other commands. Assign role a to the superior and role b to the subordinate; as everything a subject with active role b can do, a subject with active role a can do, we say that role a contains role b. Then we can say that if a is an authorized role of s, and a contains b, then b is also an authorized role of s. Taking this further, if a subject is authorized to assume a role that contains other (subordinate) roles, it can also assume any of the subordinate roles.

Separation of duty is a requirement that multiple entities must combine their efforts to perform a task. For example, a company may require two officers to sign a check for more than $50,000. The idea is that a single person may breach security, but two people are less likely to combine forces to breach security.19 One way to handle separation of duty is to require that two distinct roles complete the task and make the roles mutually exclusive. More precisely, let r be a role and meauth(r), the mutually exclusive authorization set of r, be the set of roles that a subject with authorized role r can never assume. Then separation of duty is:

Axiom. The rule of separation of duty says that if a role a is in the set meauth(b), then no subject for which a is an authorized role may have b as another authorized role.

This rule is applied to a task that requires two distinct people to complete. The task is broken down into steps that two people are to complete. Each person is assigned a separate role, and each role is in the mutually exclusive authorization set of the other. This prevents either person from completing the task; they must work together, each in their respective role, to complete it.
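The four RBAC axioms of this section (role authorization, role assignment, transaction authorization, separation of duty) together with role containment, as an added example that is not the handbook's own code. The class, the office roles and the command names are this example's own; meauth(r) is kept per role exactly as the text defines it.

```python
"""Role-based access control following the text's axioms: role authorization,
role assignment, transaction authorization, separation of duty (meauth), and
role containment. Added example, not the handbook's code; names are mine."""


class RBAC:
    def __init__(self):
        self.permitted = {}    # role -> set of commands that role may execute
        self.contains = {}     # role -> roles it contains (subordinate roles)
        self.meauth = {}       # role -> mutually exclusive authorization set
        self.authorized = {}   # subject -> authorized roles (containment closed)
        self.active = {}       # subject -> active role, or None

    def define_role(self, role, commands=(), contains=(), meauth=()):
        self.permitted[role] = set(commands)
        self.contains[role] = set(contains)
        self.meauth[role] = set(meauth)

    def closure(self, roles):
        """A subject authorized for a role may assume every role it contains."""
        out, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in out:
                out.add(r)
                todo.extend(self.contains.get(r, ()))
        return out

    def separation_conflict(self, roles):
        """Rule of separation of duty: if a is in meauth(b), no subject may
        hold both a and b as authorized roles. Returns the offending pair
        (a, b), or None when the set is admissible."""
        full = self.closure(roles)
        for b in full:
            for a in full & self.meauth.get(b, set()):
                return (a, b)
        return None

    def authorize(self, subject, roles):
        conflict = self.separation_conflict(roles)
        if conflict:
            raise ValueError(f"separation of duty violated: {conflict}")
        self.authorized[subject] = self.closure(roles)
        self.active.setdefault(subject, None)

    def activate(self, subject, role):
        """Rule of role authorization: the active role must be authorized."""
        if role not in self.authorized.get(subject, set()):
            raise PermissionError(f"{subject} may not assume role {role}")
        self.active[subject] = role            # at most one active role

    def canexec(self, subject, command):
        """Rule of role assignment: with no active role, no command at all.
        Rule of transaction authorization: the active role must permit it."""
        role = self.active.get(subject)
        return role is not None and command in self.permitted.get(role, set())


def build_office():
    """Constructed sample: bookkeeper versus sales, a manager role that
    contains sales, and two mutually exclusive check-signing roles."""
    rb = RBAC()
    rb.define_role("sales", commands={"create_quote"})
    rb.define_role("bookkeeper", commands={"view_ledger", "pay_invoice"})
    rb.define_role("manager", commands={"approve_quote"}, contains={"sales"})
    rb.define_role("check_preparer", commands={"prepare_check"})
    rb.define_role("check_approver", commands={"approve_check"},
                   meauth={"check_preparer"})
    rb.authorize("Anne", {"sales"})       # Anne is hired as a salesperson
    rb.activate("Anne", "sales")
    rb.authorize("Carol", {"manager"})    # authorized, but no active role yet
    return rb
```

Anne cannot pay invoices until she is re-authorized as bookkeeper, and once she activates that role she loses the sales commands, which is what "at most one active role" buys: the privilege in force is the job being done now, not the union of every job the person has ever held.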

Roles bear a resemblance to groups, but the goals of groups and roles are different. Membership in a group is defined by essentially arbitrary rules, set by the managers of the system. Membership in a role is defined by job function and is tied to a specific set of commands that are necessary to perform that job function. Thus, a role is a type of group, but a group is broader than a role and need not be tied to any particular set of commands or functions.


9.3.4 Summary. The four types of access controls discussed in this section have different focuses. Mandatory, discretionary, and originator-controlled access controls are data-centric, determining access based on the nature or attributes of the data. Role-based access control focuses on the subject’s needs. The difference is fundamental.

The principle of least privilege20 says that subjects should have no more privileges than necessary to perform their tasks. Role-based access control, if implemented properly, does this by constraining the set of commands that a subject can execute. The other three controls do this by setting attributes on the data to control access to the data rather than by restricting commands. Mandatory access controls have the attributes set by a system security officer or other trusted process; discretionary access controls, by the owner of the object; and originator-controlled access controls, by the creator or originator of the data.

As noted, these mechanisms can be combined to make the controls easier to use and more precise in application. We now discuss several models that do so.

9.4 CLASSIC MODELS. Three models have played an important role in the development of computer security. The Bell-LaPadula model, one of the earliest formal models in computer security, influenced the development of much computer security technology, and it is still in widespread use. Biba, its analog for integrity, now plays an important role in program analysis. The Clark-Wilson model describes many commercial practices to preserve integrity of data. We examine each of these models in this section.

9.4.1 Bell-LaPadula Model. The Bell-LaPadula model21 is a formalization of the famous government classification system using UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET levels. We begin by using those four levels to explain the ideas underlying the model and then augment those levels to present the full model. Because the model involves multiple levels, it is an example of a multilevel security model.

The four-level version of the model assumes that the levels are ordered from lowest to highest as UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. Objects are assigned levels based on their sensitivity. An object at a higher level is more sensitive than an object at a lower level. Subjects are assigned levels based on what objects they can access. A subject is cleared into a level, and that level is called the subject’s security clearance. An object is classified at a level, and that level is called the object’s security classification. The goal of the classification system is to prevent information from leaking, or flowing downward (e.g., a subject at CONFIDENTIAL should not be able to read information classified TOP SECRET).

For convenience, we write level(s) for a subject’s security clearance and level(o) for an object’s security classification. The name of the classification is called a label. So an object classified at TOP SECRET has the label TOP SECRET.

Suppose Tom is cleared into the SECRET level. Three documents, called Paper, Article, and Book, are classified as CONFIDENTIAL, SECRET, and TOP SECRET, respectively. As Tom’s clearance is lower than Book’s classification, he cannot read Book. As his clearance is equal to or greater than Article’s and Paper’s classification, he can read them.

Definition. The simple security property says that a subject s can read an object o if and only if level(o) ≤ level(s).

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

9 · 10 MATHEMATICAL MODELS OF COMPUTER SECURITY

This is sometimes called the no-reads-up rule, and it is a mandatory access control. But that is insufficient to prevent information from flowing downward. Suppose Donna is cleared into the CONFIDENTIAL level. By the simple security property, she cannot read Article because

level(Article) = SECRET > CONFIDENTIAL = level(Donna).

But Tom can read the information in Article and write it on Paper. And Donna can read Paper. Thus, SECRET information has leaked to a subject with CONFIDENTIAL clearance.

To prevent this, Tom must be prevented from writing to Paper:

Definition. The ∗-property says that a subject s can write an object o if and only if level(s) ≤ level(o).

This is sometimes called the no-writes-down rule, and it too is a mandatory access control. It is also known as the star property and the confinement property. Under this rule, as level(Tom) = SECRET > level(Paper), Tom cannot write to Paper. This solves the problem.

Finally, the Bell-LaPadula model allows owners of objects to use discretionary access controls:

Definition. The discretionary security property says that a subject s can read an object o only if the access-control matrix entry for s and o contains the read right.

So, in order to determine whether Tom can read Paper, the system checks the simple security property and the discretionary security property. As both hold for Tom and Paper, Tom can read Paper. Similarly, the system checks the ∗-property to determine whether Tom can write to Paper. As the ∗-property does not hold for Tom and Paper, Tom cannot write to Paper. Note that the discretionary security property need not be checked, because the relevant mandatory access-control property (the ∗-property) denies access.

The basic security theorem states that, if a system starts in a secure state, and every operation obeys the three properties, then the system remains secure:

Basic Security Theorem. Let a system Σ have a secure initial state 𝜎0. Further, let every command in this system obey the simple security property, the ∗-property, and the discretionary security property. Then every state 𝜎i, i ≥ 0, is also secure.

We can generalize this to an arbitrary number of levels. Let L0, …, Ln be a set of security levels that are linearly ordered (i.e., L0 < … < Ln). Then the simple security property, the ∗-property, and the discretionary security property all apply, as does the Basic Security Theorem. This allows us to have many more than the four levels described.

Now suppose Erin works for the European Department of a government agency, and Don works for the Asia Department for the same agency. Erin and Don are both cleared for SECRET. But some information Erin will see is information that Don has no need to know, and vice versa. Introducing additional security levels will not help here, because then either Don would be able to read all of the documents that Erin could, or vice versa. We need an alternate mechanism.

The alternate mechanism is an expansion of the idea of “security level.” We define a category to be a kind of information. A security compartment is a pair (level, category set) and plays the role that the security level did previously.

As an example, suppose the category for the European Department is EUR, and the category for the Asia Department is ASIA. Erin will be cleared into the compartment (SECRET, {EUR}) and Don into the compartment (SECRET, {ASIA}). Documents have security compartments as well. The paper EurDoc may be classified as (CONFIDENTIAL, {EUR}), and the paper AsiaDoc may be (SECRET, {ASIA}). The paper EurAsiaDoc contains information about both Europe and Asia, and so would be in compartment (SECRET, {EUR, ASIA}). As before, we write level(Erin) = (SECRET, {EUR}), level(EurDoc) = (CONFIDENTIAL, {EUR}), and level(EurAsiaDoc) = (SECRET, {EUR, ASIA}).

Next, we must define the analog to “greater than.” As noted earlier, security compartments are no longer linearly ordered, because not every pair of compartments can be compared. For example, Don’s compartment is not “greater” than Erin’s, and Erin’s is not “greater” than Don’s. But the classification of EurAsiaDoc is clearly “greater” than that of both Don and Erin.

We compare compartments using the relation dom, for “dominates.”

Definition. Let L and L′ be security levels and let C and C′ be category sets. Then (L, C) dom (L′, C′) if and only if L′ ≤ L and C′ ⊆ C.

The dom relation plays the role that “greater than or equal to” did for security levels. Continuing our example, level(Erin) = (SECRET, {EUR}) dom (CONFIDENTIAL, {EUR}) = level(EurDoc), and level(EurAsiaDoc) = (SECRET, {EUR, ASIA}) dom (SECRET, {EUR}) = level(Erin).

We now reformulate the simple security property and ∗-property in terms of dom:

Definition. The simple security property says that a subject s can read an object o if and only if level(s) dom level(o).

Definition. The ∗-property says that a subject s can write to an object o if and only if level(o) dom level(s).

In our example, assume the discretionary access controls are set to allow any subject all types of access. In that case, as level(Erin) dom level(EurDoc), Erin can read EurDoc (by the simple security property) but not write EurDoc (by the ∗-property). Conversely, as level(EurAsiaDoc) dom level(Erin), Erin cannot read EurAsiaDoc (by the simple security property) but can write to EurAsiaDoc (by the ∗-property).

A logical question is how to determine the highest security compartment that both Erin and Don can read and the lowest that both can write. In order to do this, we must review some properties of dom.

First, note that level(s) dom level(s); that is, dom is reflexive. The relation is also antisymmetric, because if both level(s) dom level(o) and level(o) dom level(s) are true, then level(s) = level(o). It is transitive, because if level(s1) dom level(o) and level(o) dom level(s2), then level(s1) dom level(s2).

We also define the greatest lower bound (glb) of two compartments as:

Definition. Let A = (L, C) and B = (L′, C′). Then glb(A, B) = (min(L, L′), C ∩ C′).

This answers the question of the highest security compartment that two subjects s and s′ can read an object in. It is glb(level(s), level(s′)). For example, Don and Erin can both read objects in:

glb(level(Don), level(Erin)) = (SECRET, ∅).

This makes sense because Don cannot read an object in any compartment except those with the category set {ASIA} or the empty set, and Erin can only read objects in a compartment with the category set {EUR} or the empty set. Both are at the SECRET level, so the compartment must also be at the SECRET level.

We can define the least upper bound (lub) of two compartments analogously:

Definition. Let A = (L, C) and B = (L′, C′). Then lub(A, B) = (max(L, L′), C ∪ C′).


We can now determine the lowest security compartment into which two subjects s and s′ can write. It is lub(level(s), level(s′)). For example, Don and Erin can both write to objects in:

lub(level(Don), level(Erin)) = (SECRET, {EUR, ASIA}).

This makes sense because Don cannot write to an object in any compartment except those with ASIA in the category set, and Erin can only write to objects in a compartment with EUR in the category set. The smallest category set meeting both these requirements is {EUR, ASIA}. Both are at the SECRET level, so the compartment must also be at the SECRET level.

The five properties of dom (reflexive, antisymmetric, transitive, existence of a least upper bound for every pair of elements, and existence of a greatest lower bound for every pair of elements) mean that the security compartments form a mathematical structure called a lattice. This has useful theoretical properties, and is important enough so models exhibiting this type of structure are called lattice models.
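The following is an added example, not code from the handbook: a small Python model of the Bell-LaPadula rules that serves both the four-level discussion (Tom, Donna, Paper, Article, Book) and the compartment version (Erin, Don, EurDoc, EurAsiaDoc). It implements dom, glb and lub over (level, category set) pairs, treats a plain level as a compartment with an empty category set, and combines the two mandatory properties with a discretionary access-control matrix exactly as the text describes. The names of the subjects and objects are the text's; the data structures and function names are assumptions made for the example.

```python
from itertools import product

# Linear order of the four classification levels used in the text.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def compartment(level, categories=()):
    """A security compartment is (level, category set); a bare level from the
    four-level model is the compartment with an empty category set."""
    return (level, frozenset(categories))


def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return RANK[l2] <= RANK[l1] and c2 <= c1


def glb(a, b):
    """Greatest lower bound: (min(L, L'), C intersect C')."""
    (l1, c1), (l2, c2) = a, b
    return (LEVELS[min(RANK[l1], RANK[l2])], c1 & c2)


def lub(a, b):
    """Least upper bound: (max(L, L'), C union C')."""
    (l1, c1), (l2, c2) = a, b
    return (LEVELS[max(RANK[l1], RANK[l2])], c1 | c2)


class BLPSystem:
    """Subjects, objects, and the discretionary access-control matrix."""

    def __init__(self):
        self.level = {}   # subject or object name -> compartment
        self.acm = {}     # (subject, object) -> set of rights, e.g. {"read", "write"}

    def add(self, name, comp):
        self.level[name] = comp

    def grant(self, subject, obj, *rights):
        self.acm.setdefault((subject, obj), set()).update(rights)

    def can_read(self, s, o):
        # simple security property (no reads up) AND discretionary property
        mandatory = dom(self.level[s], self.level[o])
        discretionary = "read" in self.acm.get((s, o), set())
        return mandatory and discretionary

    def can_write(self, s, o):
        # *-property (no writes down) AND discretionary property
        mandatory = dom(self.level[o], self.level[s])
        discretionary = "write" in self.acm.get((s, o), set())
        return mandatory and discretionary


def four_level_example():
    """Tom/Donna/Paper/Article/Book from the text; DAC grants everything so the
    mandatory rules alone decide."""
    blp = BLPSystem()
    blp.add("Tom", compartment("SECRET"))
    blp.add("Donna", compartment("CONFIDENTIAL"))
    blp.add("Paper", compartment("CONFIDENTIAL"))
    blp.add("Article", compartment("SECRET"))
    blp.add("Book", compartment("TOP SECRET"))
    for s, o in product(["Tom", "Donna"], ["Paper", "Article", "Book"]):
        blp.grant(s, o, "read", "write")
    return {
        "tom_reads_book": blp.can_read("Tom", "Book"),            # False: read up
        "tom_reads_article": blp.can_read("Tom", "Article"),      # True
        "tom_writes_paper": blp.can_write("Tom", "Paper"),        # False: write down
        "donna_reads_article": blp.can_read("Donna", "Article"),  # False
        "donna_reads_paper": blp.can_read("Donna", "Paper"),      # True
    }


def compartment_example():
    """Erin/Don/EurDoc/EurAsiaDoc with the same permissive DAC."""
    erin = compartment("SECRET", {"EUR"})
    don = compartment("SECRET", {"ASIA"})
    eurdoc = compartment("CONFIDENTIAL", {"EUR"})
    eurasia = compartment("SECRET", {"EUR", "ASIA"})
    blp = BLPSystem()
    for name, comp in [("Erin", erin), ("Don", don),
                       ("EurDoc", eurdoc), ("EurAsiaDoc", eurasia)]:
        blp.add(name, comp)
    for s, o in product(["Erin", "Don"], ["EurDoc", "EurAsiaDoc"]):
        blp.grant(s, o, "read", "write")
    return {
        "erin_reads_eurdoc": blp.can_read("Erin", "EurDoc"),          # True
        "erin_writes_eurdoc": blp.can_write("Erin", "EurDoc"),        # False
        "erin_reads_eurasia": blp.can_read("Erin", "EurAsiaDoc"),     # False
        "erin_writes_eurasia": blp.can_write("Erin", "EurAsiaDoc"),   # True
        "don_dom_erin": dom(don, erin),                               # False: incomparable
        "glb": glb(don, erin),   # ('SECRET', frozenset())
        "lub": lub(don, erin),   # ('SECRET', frozenset({'EUR', 'ASIA'}))
    }
```

Because dom only compares the level ranks and tests set inclusion, the same three functions handle the linear four-level case and the lattice case; the incomparable pair (Don, Erin) shows why glb and lub, rather than “min” and “max” of levels, are the right questions to ask.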

When the model is implemented on a system, the developers often make some modifications. By far the most common one is to restrict writing to the current compartment or to within a limited set of compartments. This prevents confidential information from being altered by those who cannot read it. The structure of the model can also be used to implement protections against malicious programs that alter files, such as system binaries. To prevent this, place the system binaries in a compartment that is dominated by those compartments assigned to users. Then, by the simple security property, users can read the system binaries, but by the ∗-property, users cannot write them. Hence, if a computer virus infects a user’s programs or documents,22 it can spread within that user’s compartment but not to system binaries.

The Bell-LaPadula model is the basis for several other models. We explore one of its variants that models integrity rather than confidentiality.

9.4.2 Biba’s Strict Integrity Policy Model. Biba’s strict integrity policy model,23 usually called Biba’s model, is the mathematical dual of the Bell-LaPadula model.

Consider the issue of trustworthiness. When a highly trustworthy process reads data from an untrusted file and acts based on that data, the process is no longer trustworthy—as the saying goes, “garbage in, garbage out.” But if a process reads data more trustworthy than the process, the trustworthiness of that process does not change. In essence, the trustworthiness of the result is as trustworthy as the least trustworthy of the process and the data.

Define a set of integrity classes in the same way that we defined security compartments for the Bell-LaPadula model, and let i-level(s) be the integrity compartment of s. Then the preceding text says that “reads down” (a trustworthy process reading untrustworthy data) should be banned, because it reduces the trustworthiness of the process. But “reads up” is allowed, because it does not affect the trustworthiness of the process. This is exactly the opposite of the simple security property.

Definition. The simple integrity property says that a subject s can read an object o if and only if i-level(o) dom i-level(s).

This definition captures the notion of allowing “reads up” and disallowing “reads down.”

Similarly, if a trustworthy process writes data to an untrustworthy file, the trustworthiness of the file may (or may not) increase. But if an untrustworthy process writes data to a trustworthy file, the trustworthiness of that file drops. So “writes down” should be allowed and “writes up” forbidden.

Definition. The ∗-integrity property says that a subject s can write to an object o if and only if i-level(s) dom i-level(o).

This property blocks attempts to “write up” while allowing “writes down.”

A third property relates to execution of subprocesses. Suppose process date wants to execute the command time as a subprocess. If the integrity compartment of date dominates that of time, then any information date passes to time is passed to a less trustworthy process, and hence is allowed under the ∗-integrity property. But if the integrity compartment of time dominates that of date, then the ∗-integrity property is violated. Hence:

Definition. The execution integrity property says that a subject s can execute a subject s′ if and only if i-level(s′) dom i-level(s).

Given these three properties, one can show:

Theorem. If information can be transferred from object o1 to object on, then by the simple integrity property, the ∗-integrity property, and the execution integrity property, i-level(o1) dom i-level(on).

In other words, if all the rules of Biba’s model are followed, the integrity of information cannot be corrupted because information can never flow from a less trustworthy object to a more trustworthy object.
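As an added example (not from the handbook), here is a Python reference monitor for Biba’s three properties that also records every flow it permits, so that the theorem above can be checked mechanically after a run. The integrity levels LOW, MEDIUM and HIGH and the subjects and files in the demo are constructed for the example; the text’s date and time processes are reused as names. One caveat: the execution rule is coded the way the paragraph’s reasoning describes it, so that date may execute time only when date’s integrity compartment dominates time’s (information passes to the less trustworthy process). The printed definition states the dominance the other way round; the flow theorem only holds with the direction used here.

```python
# Integrity levels from least to most trustworthy (constructed for the example).
ILEVELS = ["LOW", "MEDIUM", "HIGH"]
IRANK = {name: i for i, name in enumerate(ILEVELS)}


def icomp(level, categories=()):
    """An integrity compartment (level, category set), as in the text."""
    return (level, frozenset(categories))


def dom(a, b):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return IRANK[l2] <= IRANK[l1] and c2 <= c1


class BibaMonitor:
    """Decides read/write/execute under Biba's strict integrity policy and
    records each permitted information flow as a (source, destination) edge."""

    def __init__(self):
        self.ilevel = {}
        self.flows = set()

    def add(self, name, comp):
        self.ilevel[name] = comp

    def read(self, s, o):
        # simple integrity property: i-level(o) dom i-level(s); "reads up" only
        ok = dom(self.ilevel[o], self.ilevel[s])
        if ok:
            self.flows.add((o, s))
        return ok

    def write(self, s, o):
        # *-integrity property: i-level(s) dom i-level(o); "writes down" only
        ok = dom(self.ilevel[s], self.ilevel[o])
        if ok:
            self.flows.add((s, o))
        return ok

    def execute(self, s, s2):
        # execution integrity: s passes information to s2, so s must dominate s2
        # (the direction given by the paragraph's reasoning; see the lead-in)
        ok = dom(self.ilevel[s], self.ilevel[s2])
        if ok:
            self.flows.add((s, s2))
        return ok

    def reachable(self, src):
        """Everything information can reach from src along permitted flows."""
        seen, stack = set(), [src]
        while stack:
            node = stack.pop()
            for a, b in self.flows:
                if a == node and b not in seen:
                    seen.add(b)
                    stack.append(b)
        return seen

    def theorem_holds(self):
        """Every permitted flow path o1 -> ... -> on has i-level(o1) dom i-level(on)."""
        return all(dom(self.ilevel[src], self.ilevel[dst])
                   for src in self.ilevel for dst in self.reachable(src))


def demo():
    m = BibaMonitor()
    m.add("date", icomp("HIGH"))      # trusted system process (constructed)
    m.add("time", icomp("MEDIUM"))    # less trusted helper process
    m.add("config", icomp("HIGH"))    # trusted file
    m.add("upload", icomp("LOW"))     # user-supplied file
    results = {
        "date_reads_config": m.read("date", "config"),    # True: same level
        "date_reads_upload": m.read("date", "upload"),    # False: read down
        "time_reads_config": m.read("time", "config"),    # True: read up
        "time_writes_upload": m.write("time", "upload"),  # True: write down
        "time_writes_config": m.write("time", "config"),  # False: write up
        "date_execs_time": m.execute("date", "time"),     # True
        "time_execs_date": m.execute("time", "date"),     # False
    }
    results["theorem_holds"] = m.theorem_holds()          # True
    return results
```

Running demo() shows the duality with Bell-LaPadula directly: each decision is the Bell-LaPadula check with the operands of dom swapped, and the recorded flow graph never carries information from a lower integrity compartment to a higher one.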

This model suggests a method for analyzing programs to prevent security breaches. When the program runs, it reads data from a variety of sources: itself, the system, the network, and the user. Some of these sources are trustworthy, such as the process itself and the system. The user and the network are under the control of ordinary users (or remote users) and so are less trustworthy. So, apply Biba’s model with two integrity compartments, (UNTAINTED, Ø) (this means the set of categories in the compartment is empty) and (TAINTED, Ø), where (UNTAINTED, Ø) dom (TAINTED, Ø). For notational convenience, we shall write (UNTAINTED, Ø) as UNTAINTED and (TAINTED, Ø) as TAINTED; and dom as ≥. Thus, UNTAINTED ≥ TAINTED.

The technique works with either static or dynamic analysis but is usually used for dynamic analysis. In this mode, all constants are assigned the integrity label UNTAINTED. Variables are assigned labels based on the data flows within the program. For example, in an assignment, the integrity label of the variable being assigned to is set to the integrity label of the expression assigned to it. When UNTAINTED and TAINTED variables are mixed in the expression, the integrity label of the expression is TAINTED. If a variable is assigned a value from an untrusted source, the integrity label of the variable is set to TAINTED.

When data are used as (for example) parameters of system calls or library functions, the system checks that the integrity label of the variable dominates that of the parameter. If it does not, the program takes some action, such as aborting, or logging a warning, or throwing an exception. This action either prevents an exploit or alerts the administrator of the attack.

For example, suppose a programmer wishes to prevent a format string attack. This is an attack that exploits a vulnerability in the C printing function printf. The first argument to printf is a format string, and the contents of that string determine how many other arguments printf expects. By manipulating the contents of a format string, an attacker can overwrite values of variables and corrupt the stack, causing the program to malfunction—usually to the attacker’s benefit. The key step of the attack is to input an unexpected value for the format string. Here is a code fragment with the flaw:

if (fgets(buf, sizeof(buf), stdin) != NULL) printf(buf);


This reads a line of characters from the input into an array buf and immediately prints the contents of the array. If the input is “xyzzy%n”, then some element of the stack will be overwritten by the value 5.24 Hence, the first parameter to printf must always have integrity class UNTAINTED.

Under this analysis technique, when the input function fgets is executed, the variable buf would be assigned an integrity label of TAINTED, because the input (which is untrusted) is stored in it. Then, at the call to printf, the integrity class of buf is compared to that required for the first parameter of printf. The former is TAINTED; the latter is UNTAINTED. But we require that the variable’s integrity class (TAINTED) dominate that of the parameter (UNTAINTED), and here TAINTED ≤ UNTAINTED. Hence, the analysis has found a disallowed flow and acts accordingly.
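The dynamic taint analysis just described, as an added example in Python rather than the handbook’s C: values carry a Biba integrity label, constants are UNTAINTED, anything read from input is TAINTED, an expression mixing the two is TAINTED, and a sink modelled on printf requires its format parameter to dominate UNTAINTED. The flawed fragment (printf(buf)) is rejected at the sink, while the corrected form (printf("%s", buf)) passes because only the constant format string reaches the checked parameter. The Labeled class, untrusted_input and safe_printf are constructed names for the example; the input “xyzzy%n” is the text’s.

```python
UNTAINTED, TAINTED = "UNTAINTED", "TAINTED"
# UNTAINTED dominates TAINTED; ranks turn dom into a plain comparison.
IRANK = {TAINTED: 0, UNTAINTED: 1}


class TaintError(Exception):
    """Raised when a TAINTED value reaches a parameter that requires UNTAINTED."""


class Labeled:
    """A value carrying a Biba integrity label. Constants default to UNTAINTED."""

    def __init__(self, value, label=UNTAINTED):
        self.value, self.label = value, label

    @staticmethod
    def join(*labels):
        # mixing any TAINTED operand into an expression makes it TAINTED
        return TAINTED if TAINTED in labels else UNTAINTED

    def __add__(self, other):
        # label propagation through an expression (string concatenation here)
        other = other if isinstance(other, Labeled) else Labeled(other)
        return Labeled(self.value + other.value, Labeled.join(self.label, other.label))


def untrusted_input(raw):
    """Models fgets() on stdin: whatever comes back is labeled TAINTED."""
    return Labeled(raw, TAINTED)


def dominates(have, need):
    """The variable's label must dominate the label the parameter requires."""
    return IRANK[have] >= IRANK[need]


def safe_printf(fmt, *args):
    """Sink modelled on printf: the format parameter requires UNTAINTED.
    Other arguments may be TAINTED; they are only ever substituted as data."""
    if not isinstance(fmt, Labeled):
        fmt = Labeled(fmt)
    if not dominates(fmt.label, UNTAINTED):
        raise TaintError("tainted data used as format string")
    return fmt.value % tuple(a.value if isinstance(a, Labeled) else a for a in args)


def flawed_program(line):
    """printf(buf) with buf straight from input: the analysis rejects it."""
    buf = untrusted_input(line)
    return safe_printf(buf)


def fixed_program(line):
    """printf("%s", buf): the constant format string is UNTAINTED and the
    tainted data travels as an ordinary argument."""
    buf = untrusted_input(line)
    return safe_printf(Labeled("%s"), buf)


def run_both(line):
    """Run the flawed and the fixed form on one input line and report."""
    try:
        flawed = flawed_program(line)
    except TaintError as e:
        flawed = "blocked: " + str(e)
    mixed = Labeled("prefix: ") + untrusted_input(line)   # expression label
    return {"flawed": flawed, "fixed": fixed_program(line), "mixed_label": mixed.label}
```

run_both("xyzzy%n") returns the blocked result for the flawed form and prints the string harmlessly for the fixed form; the mixed_label entry shows the rule that an expression combining UNTAINTED and TAINTED operands is itself TAINTED.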

9.4.3 Clark-Wilson Model. Lipner25 identified five requirements for commercial integrity models:

1. Users may not write their own programs to manipulate trusted data. Instead, they must use programs authorized to access that data.

2. Programmers develop and test programs on nonproduction systems, using nonproduction copies of production data if necessary.

3. Moving a program from nonproduction systems to production systems requires a special process.

4. That special process must be controlled and audited.

5. Managers and system auditors must have access to system logs and the system’s current state.

Biba’s model can be instantiated to meet the first and last conditions by appropriate assignment of integrity levels, but the other three focus on integrity of processes. Hence, while Biba’s model works well for some problems of integrity, it does not satisfy these requirements for a commercial integrity model.

The Clark-Wilson model26 was developed to describe processes within many commercial firms. There are several specialized terms and concepts needed to understand the Clark-Wilson model; these are best introduced using an example:

• Consider a bank. If D are the day’s deposits, W the day’s withdrawals, I the amount of money in bank accounts at the beginning of the day, and F the amount of money in bank accounts at the end of the day, those values must satisfy the constraint I + D − W = F.

• This is called an integrity constraint because, if the system (the set of bank accounts) does not satisfy it, the bank’s integrity has been violated.

• If the system does satisfy its integrity constraints, it is said to be in a consistent state.

• When in operation, the system moves from one consistent state to another. The operations that do this are called well-formed transactions. For example, if a customer transfers money from one account to another, the transfer is the well-formed transaction. Its component actions (withdrawal from the first account and deposit in the second) individually are not well-formed transactions, because if only one completes, the system will be in an inconsistent state.

• Procedures that verify that all integrity constraints are satisfied are called integrity verification procedures (IVPs).

• Data that must satisfy integrity constraints are called constrained data items (CDIs), and when they satisfy the constraints are said to be in a valid state.

• All other data are called unconstrained data items (UDIs).

• In addition to integrity constraints on the data, the functions implementing the well-formed transactions themselves are constrained. They must be certified to be well formed and to be implemented correctly. Such a function is called a transformation procedure (TP).

The model provides nine rules, five of which relate to the certification of data and TPs and four of which describe how the implementation of the model must enforce the certifications.

The first rule captures the requirement that the system be in a consistent state:

Certification Rule 1. An IVP must ensure that the system is in a consistent state.

The relation certified associates some set of CDIs with a TP that transforms those CDIs from one valid state to a (possibly different) valid state. The second rule captures this.

Certification Rule 2. For some set of associated CDIs, a TP transforms those CDIs from a valid state to a (possibly different) valid state.

The first enforcement rule ensures that the system keeps track of the certified relation and prevents any TP from executing with a CDI not in its associated certified set:

Enforcement Rule 1. The system must maintain the certified relation, and ensure that only TPs certified to run on a CDI manipulate that CDI.

In a typical firm, the set of users who can use a TP is restricted. For example, in a bank, a teller cannot move millions of dollars from one bank to another; doing that requires a bank officer. The second enforcement rule ensures that only authorized users can run TPs on CDIs by defining a relation allowed that associates a user, a TP, and the set of CDIs that the TP can access on that user’s behalf:

Enforcement Rule 2. The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If a user is not associated with a particular TP and set of CDIs, then the TP cannot access those CDIs on behalf of that user.

This implies that the system can correctly identify users. The next rule enforces this:

Enforcement Rule 3. The system must authenticate each user attempting to execute a TP.

This ensures that the identity of a person trying to execute a TP is correctly bound to the corresponding user identity within the computer. The form of authentication is left up to the instantiation of the model, because differing environments suggest different authentication requirements. For example, a bank officer may use a biometric device and a password to authenticate herself to the computer that moves millions of dollars; a teller whose actions are restricted to smaller amounts of money may need only to supply a password.

Separation of duty, already discussed, is a key consideration in many commercial operations. The Clark-Wilson model captures it in the next rule:

Certification Rule 3. The allowed relation must meet the requirements imposed by separation of duty.


A cardinal principle of commercial integrity is that the operations must be auditable. This requires logging of enough information to determine what the transaction did. The next rule captures this requirement:

Certification Rule 4. All TPs must append enough information to reconstruct the operation to an append-only CDI.

The append-only CDI is, of course, a log.

So far we have considered all inputs to TPs to be CDIs. Unfortunately, that is infeasible. In our bank example, the teller will enter account information and deposit and withdrawal figures; but those are not CDIs; the teller may mistype something. Before a TP can use that information, it must be vetted to ensure it will enable the TP to work correctly. The last certification rule captures this:

Certification Rule 5. A TP that takes a UDI as input must perform either a well-formed transaction or no transaction for any value of the UDI. Thus, it either rejects the UDI or transforms it into a CDI.

This also covers poorly crafted TPs; if the input can exploit vulnerabilities in the TP to cause it to act in unexpected ways, it cannot be certified under this rule.

Within the model lies a possible conflict. In the preceding rules, one user could certify a TP to operate on a CDI and then execute the TP on that CDI. The problem is that a malicious user may certify a TP that does not perform a well-formed transaction, causing the system to violate the integrity constraints. Clearly, an application of the principle of separation of duty would solve this problem, and indeed the last rule in the model does just that:

Enforcement Rule 4. Only the certifier of a TP may change the certified relation for that TP. Further, no certifier of a TP, or of any CDI associated with that TP, may execute the TP on the associated CDI.

This separates the ability to certify a TP from the ability to execute that TP and the ability to certify a CDI for a given TP from the ability to execute that TP on that CDI. This enforces the separation of duty requirement.

Now, revisit Lipner’s requirements for commercial integrity models. The TPs correspond to Lipner’s programs and the CDIs to the production data. To meet requirement 1, the Clark-Wilson certifiers need to be trusted, and ordinary users cannot certify either TPs or CDIs. Then Enforcement Rule 4 and Certification Rule 5 enforce this requirement. Requirement 2 is met by not certifying the development programs; as they are not TPs, they cannot be run on production data. The “special process” in requirement 3 is a TP. Certification Rule 4 describes a log; the special process in requirement 3 being a TP, it will append information to the log that can be audited. Further, the TP is by definition a controlled process, and Enforcement Rule 4 and Certification Rule 5 control its execution. Before the installation, the program being installed is a UDI; after it is installed, it is a CDI (and a TP). Thus, requirement 4 is satisfied. Finally, the Clark-Wilson model has a log that captures all aspects of what a TP does, and that is the log the managers and auditors will have access to. They also have access to the system state because they can run an IVP to check its integrity. Thus, Lipner’s requirement 5 is met. So the Clark-Wilson model is indeed a satisfactory commercial integrity model.

This model is important for two reasons. First, it captures the way most commercial firms work, including applying separation of duty (something that Biba’s model does not capture well). Second, it separates the notions of certification and enforcement. Enforcement typically can be done within the instantiation of the model. But the model cannot enforce how certification is done; it can only require that a certifier claim to have done it. This is true of all models, of course, but the Clark-Wilson model specifically states the assumptions it makes about certification.
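The bank example carried through the nine rules, as an added Python example that is not from the handbook. The accounts are the CDIs, the IVP checks I + D − W = F, a transfer is the one TP, the teller’s typed amount is the UDI, and run_tp applies the enforcement rules in order: ER3 authentication, ER1 the certified relation, ER4 the certifier may not execute what it certified, ER2 the allowed relation, then CR5 vetting of the UDI, the TP itself, CR4 the append-only log, and CR1 the IVP afterwards. The user names, passwords and account balances are constructed; the class and method names are assumptions for the example.

```python
import hmac


class CWError(Exception):
    """Any rule violation; the TP is not run (or its effect is not committed)."""


class ClarkWilsonBank:
    def __init__(self):
        self.cdis = {"acct:A": 100, "acct:B": 50}   # constrained data items (constructed)
        self.log = []                                # append-only CDI (CR4)
        self.opening_total = sum(self.cdis.values()) # I
        self.deposits = 0                            # D
        self.withdrawals = 0                         # W
        self.credentials = {}   # user -> password, for ER3 (constructed, plaintext for brevity)
        self.certified = {}     # TP name -> (certifier, set of CDIs), the certified relation
        self.allowed = set()    # (user, TP name, frozenset of CDIs), the allowed relation
        self.tps = {}           # TP name -> callable

    def ivp(self):
        """CR1: the system is consistent iff I + D - W = F."""
        return self.opening_total + self.deposits - self.withdrawals == sum(self.cdis.values())

    def certify_tp(self, certifier, name, fn, cdis):
        """CR2 association; ER4: only the certifier may change a TP's certification."""
        if name in self.certified and self.certified[name][0] != certifier:
            raise CWError("only the certifier of a TP may change its certification")
        self.certified[name] = (certifier, set(cdis))
        self.tps[name] = fn

    def allow(self, user, tp, cdis):
        """ER2: record that user may run tp on these CDIs (CR3 separation of duty
        is a property the certifier must check when building this relation)."""
        self.allowed.add((user, tp, frozenset(cdis)))

    @staticmethod
    def vet(udi):
        """CR5: accept a positive whole-number amount or do nothing at all."""
        if not isinstance(udi, str) or not udi.isdigit() or int(udi) == 0:
            raise CWError("rejected UDI")
        return int(udi)

    def run_tp(self, user, password, tp, cdis, udi):
        cdi_set = frozenset(cdis)
        if not hmac.compare_digest(self.credentials.get(user, ""), password):
            raise CWError("authentication failed")                        # ER3
        if tp not in self.certified or not cdi_set <= self.certified[tp][1]:
            raise CWError("TP not certified for these CDIs")              # ER1
        if self.certified[tp][0] == user:
            raise CWError("certifier may not execute the TP it certified")  # ER4
        if (user, tp, cdi_set) not in self.allowed:
            raise CWError("user not allowed to run this TP on these CDIs")  # ER2
        amount = self.vet(udi)                                             # CR5
        self.tps[tp](self, tuple(cdis), amount)                            # the TP
        self.log.append((user, tp, tuple(cdis), amount))                   # CR4
        if not self.ivp():                                                 # CR1
            raise CWError("integrity constraint violated after TP")
        return dict(self.cdis)


def transfer(bank, cdis, amount):
    """A well-formed transaction: withdrawal and deposit happen together."""
    src, dst = cdis
    if bank.cdis[src] < amount:
        raise CWError("insufficient funds")
    bank.cdis[src] -= amount
    bank.cdis[dst] += amount
    bank.withdrawals += amount   # D and W grow equally for an internal transfer,
    bank.deposits += amount      # so I + D - W still equals F


def demo():
    bank = ClarkWilsonBank()
    bank.credentials = {"auditor": "a-pass", "teller": "t-pass"}   # constructed
    bank.certify_tp("auditor", "transfer", transfer, {"acct:A", "acct:B"})
    bank.allow("teller", "transfer", {"acct:A", "acct:B"})
    out = {"after_transfer": bank.run_tp("teller", "t-pass", "transfer",
                                         ("acct:A", "acct:B"), "30")}
    attempts = {
        "bad_password": ("teller", "wrong", "transfer", ("acct:A", "acct:B"), "5"),
        "certifier_runs": ("auditor", "a-pass", "transfer", ("acct:A", "acct:B"), "5"),
        "bad_udi": ("teller", "t-pass", "transfer", ("acct:A", "acct:B"), "ten"),
    }
    for label, args in attempts.items():
        try:
            bank.run_tp(*args)
            out[label] = "allowed"
        except CWError as e:
            out[label] = str(e)
    out["log_entries"] = len(bank.log)
    out["ivp"] = bank.ivp()
    return out
```

The point the code makes that the prose only states is the split between certification and enforcement: certify_tp and allow merely record what a trusted certifier claims, and run_tp can enforce those relations mechanically but cannot tell whether transfer really is well formed; that is exactly the assumption Certification Rule 2 places outside the system.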


9.4.4 Chinese Wall Model. Sometimes called the Brewer-Nash model, the goal of the Chinese Wall model27 is to prevent conflicts of interest. It does so by grouping objects that belong to the same company into company data sets and company data sets into conflict-of-interest classes. If two companies (represented by their associated company data sets) are in the same conflict-of-interest class, then a lawyer or stockbroker representing both would have a conflict of interest. The rules of the model ensure that a subject can read only one company data set in each conflict-of-interest class.

In general, objects are documents or resources that contain information that the company wishes to (or is required to) keep secret. There is, however, an exception. Companies release data publicly, in the form of annual reports; that information is carefully sanitized to remove all confidential content. To reflect business practice, the model must allow all subjects to see that data. The model therefore defines a conflict-of-interest class called the sanitized class that has one company data set holding only objects containing sanitized data.

Now consider a subject reading an object. If the subject has never read any object in the object’s conflict-of-interest class, reading the object presents no conflict of interest. If the subject has read an object in the same company data set, then the only information that the subject has seen in that conflict-of-interest class is from the same company as the object it is trying to read, which is allowed. But if the subject has read an object in the same conflict-of-interest class but a different company data set, then were the new read request granted, the subject would have read information from two different companies for which there is a conflict of interest—exactly what the model is trying to prevent. So that is disallowed.

The next rule summarizes this:

Definition. The CW-simple security property says that a subject s can read an object o if and only if either:

1. s has not read any other object in o’s conflict-of-interest class; or

2. The only objects in o’s conflict-of-interest class that s has read are all in o’s company data set.

To see why this works, suppose all banks are in the same conflict-of-interest class. A stockbroker represents The Big Bank. She is approached to represent The Bigger Bank. If she agreed, she would need access to The Bigger Bank’s information, specifically the objects in The Bigger Bank’s company data set. But that would mean she could read objects from two company data sets in the same conflict-of-interest class, something the CW-simple security property forbids. The temporal element of the model is important; even if she resigned her representation of The Big Bank, she cannot represent The Bigger Bank because condition 2 of the CW-simple security property considers all objects she previously read. This makes sense, because she has had access to The Big Bank, and could unintentionally compromise the interests of her previous employer while representing The Bigger Bank.

The CW-simple security property implicitly says that s can read any sanitized object. To see this, note that if s has never read a sanitized object, condition 1 holds. If s has read a sanitized object, then condition 2 holds because all sanitized objects are in the same company data set.

Writing poses another problem. Suppose Barbara represents The Big Bank, and Percival works for The Bigger Bank. Both also represent The Biggest Toy Company, which—not being a financial institution—is in a different conflict-of-interest class from either bank. Thus, there is no conflict of interest in either Barbara’s or Percival’s representation of a bank and the toy company. But there is a path along which information can flow from Barbara to Percival, and vice versa, that enables a conflict of interest to occur. Barbara can read information from an object in The Big Bank’s company data set and write it to an object in The Biggest Toy Company’s company data set. Percival can read the information from the object in The Biggest Toy Company’s company data set, thereby effectively giving him access to The Big Bank’s information—which is a conflict of interest. That he needs Barbara’s help does not detract from the problem. The goal of the model requires that this conspiracy be prevented. The next rule does so:

Definition. The CW-∗-property says that a subject s can write to an object o if and only if both of the following conditions are met:

1. The CW-simple security property allows s to read o; and
2. All unsanitized objects that s can read are in the same company data set as o.

Now Barbara can read objects in both The Big Bank’s company data set and The Biggest Toy Company’s data set. But when she tries to write to The Biggest Toy Company’s data set, the CW-∗-property prevents her from doing so as condition 2 is not met (because she can read an object in The Big Bank’s company data set).

This also accounts for sanitized objects. Suppose that Skyler represents The Biggest Toy Company and no other company. He can also read information from the sanitized class. When he tries to write to an object in The Biggest Toy Company’s company data set, he meets both conditions of the CW-simple security property (because he has only read objects in that company data set), and all unsanitized objects that he can read are in the same company data set as the object he wants to write. Thus, both conditions of the CW-∗-property are met, so Skyler can write the object.

The conditions of the CW-∗-property are very restrictive; effectively, a subject can write to an object only if it has access to the company data set containing that object, and no other company data set except the company data set in the sanitized class. But without this restriction, conflicts of interest are possible.
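The two properties above, replayed as an added example that is not code from the handbook or from Brewer and Nash: a small Python model of the CW-simple security property and the CW-∗-property run against the stockbroker, Barbara/Percival and Skyler cases. The company, object and subject names are constructed; the sanitized class is modelled as one company data set in a conflict-of-interest class of its own; and "objects s can read" in condition 2 of the CW-∗-property is taken to mean objects in company data sets s has already accessed, which is the reading under which Skyler's write is allowed and Barbara's is refused.

```python
"""Chinese Wall model: CW-simple security property and CW-*-property.

Added example. Assumptions not taken from the handbook: names are
constructed; the sanitized class is one company data set in its own
COI class; "objects s can read" in the CW-*-property means objects in
company data sets s has already read from (PR(s))."""
from dataclasses import dataclass, field

SANITIZED = "sanitized"   # the sanitized class: its own COI class and CD


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str               # company data set CD(o)
    coi: str              # conflict-of-interest class COI(o)

    @property
    def sanitized(self) -> bool:
        return self.coi == SANITIZED


@dataclass
class Subject:
    name: str
    # PR(s): every object s has ever read. It is never pruned; that is the
    # model's temporal element (resigning a representation erases nothing).
    history: set = field(default_factory=set)


def can_read(s: Subject, o: Obj) -> bool:
    """CW-simple security property: s may read o if o lies in a company data
    set s has already read from, or if nothing s has read lies in o's COI
    class. Sanitized objects always pass because they form their own class."""
    if any(p.cd == o.cd for p in s.history):
        return True
    return all(p.coi != o.coi for p in s.history)


def read(s: Subject, o: Obj) -> None:
    """Mediated read: enforce the simple property, then record the access."""
    if not can_read(s, o):
        raise PermissionError(f"{s.name} may not read {o.name}")
    s.history.add(o)


def can_write(s: Subject, o: Obj) -> bool:
    """CW-*-property: (1) s may read o, and (2) every unsanitized object s has
    access to is in the same company data set as o."""
    if not can_read(s, o):
        return False
    return all(p.cd == o.cd for p in s.history if not p.sanitized)


def run_handbook_scenario() -> dict:
    """Replays the cases in the text and returns the access decisions."""
    big_bank = Obj("BigBank-ledger", cd="BigBank", coi="banks")
    bigger_bank = Obj("BiggerBank-ledger", cd="BiggerBank", coi="banks")
    toy = Obj("ToyCo-forecast", cd="BiggestToy", coi="toys")
    market_report = Obj("public-market-report", cd=SANITIZED, coi=SANITIZED)

    # The stockbroker: having read Big Bank data, she can never read Bigger
    # Bank data, even after "resigning", because PR(s) is permanent.
    broker = Subject("stockbroker")
    read(broker, big_bank)
    result = {"broker_may_read_bigger_bank": can_read(broker, bigger_bank)}

    # Barbara (Big Bank + toy company), Percival (Bigger Bank + toy company).
    barbara, percival = Subject("Barbara"), Subject("Percival")
    read(barbara, big_bank)
    read(barbara, toy)
    read(percival, bigger_bank)
    read(percival, toy)
    # Condition 2 of the CW-*-property refuses the write that would carry
    # Big Bank information into the toy company's data set ...
    result["barbara_may_write_toy"] = can_write(barbara, toy)
    # ... which is what keeps it from Percival, who may read that data set.
    result["percival_may_read_toy"] = can_read(percival, toy)

    # Skyler represents only the toy company and also reads sanitized data.
    skyler = Subject("Skyler")
    read(skyler, toy)
    read(skyler, market_report)
    result["skyler_may_read_sanitized"] = can_read(skyler, market_report)
    result["skyler_may_write_toy"] = can_write(skyler, toy)
    return result


if __name__ == "__main__":
    for case, allowed in run_handbook_scenario().items():
        print(f"{case:32s} {'allowed' if allowed else 'denied'}")
```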

9.4.5 Summary. The four models discussed in this section have played critical roles in the development of our understanding of computer security. Although it is not the first model of confidentiality, the Bell-LaPadula model describes a widely used security scheme. The Biba model captured notions of “trust” and “trustworthiness” in an intuitive way, and recent advances in the analysis of programs for vulnerabilities have applied that model to great effect. The Clark-Wilson model moved the notion of commercial integrity models away from multilevel models to models that examine process integrity as well as data integrity. The Chinese Wall model explored conflict of interest, an area that often arises when one is performing confidential services for multiple companies or has access to confidential information from a number of companies. These models are considered classic because their structure and ideas underlie the rules and structures of many other models.

9.5 OTHER MODELS. Some models examine specific environments. The Clinical Information Systems Security model28 considers the protection of health records, emphasizing accountability as well as confidentiality and integrity. Traducement29 describes the process of real estate recordation, which requires a strict definition of integrity and accountability with little to no confidentiality.

Other models generalize the classic models. The best known are the models of noninterference security and deducibility security. Both are multilevel security models with two levels, HIGH and LOW. The noninterference model30 defines security in terms of whether a HIGH subject can interfere with what the LOW subject sees. For example, if a HIGH subject can prevent a LOW subject from acquiring a resource at a particular time, the HIGH subject can transmit information to the LOW subject. In essence, the interference is a form of writing, and must be prevented, just as the Bell-LaPadula model prevents a HIGH subject from writing to a LOW object. The deducibility model31 examines whether a LOW subject can infer anything about a HIGH subject’s actions by examining only the LOW outputs. Both these models are useful in analyzing the security of systems32 and intrusion detection mechanisms,33 and led to work that showed connecting two secure computer systems may produce a nonsecure system.34

Further work is focusing on establishing conditions under which connecting two secure systems produces a secure system.35

9.6 CONCLUSION. The efficacy of mathematical modeling depends on the application of those models. Typically, the models capture system-specific details and describe constraints ensuring the security of the system or the information on the system. If the model does not correctly capture the details of the entire system, the results may not be comprehensive, and the analysis may miss ways in which security could be compromised.

This is an important point. For example, the Bell-LaPadula model captures a notion of what the system must do to prevent a subject cleared for TOP SECRET leaking information to a subject cleared for CONFIDENTIAL. But if the system enforces that model, the TOP SECRET subject could still meet the CONFIDENTIAL subject and hand her a printed version of the TOP SECRET information. That is outside the system and so was not captured by the model. But if the model also embraces procedures, then a procedure is necessary to prevent this “writing down.” In that case, the flaw would be in the implementation of the procedure that failed to prevent the transfer of information—in other words, an incorrect instantiation of the model, exactly what Dorothy Denning’s comment in the introduction to this section referred to.

The models described in this section span the foundational (access-control matrix model) to the applied (Bell-LaPadula, Biba, Clark-Wilson, and Chinese Wall). All play a role in deepening our understanding of what security is and how to enforce it.

The area of mathematical modeling is a rich and important area. It provides a basis for demonstrating that the design of systems is secure, for specific definitions of secure. Without these models, our understanding of how to secure systems would be diminished.

9.7 FURTHER READING

Anderson, R. “A Security Policy Model for Clinical Information Systems,” Proceedings of the 1996 IEEE Symposium on Security and Privacy (May 1996): 34–48.

Bell, D., and L. LaPadula. “Secure Computer Systems: Unified Exposition and Multics Interpretation,” Technical Report MTR-2997 rev. 1, MITRE Corporation, Bedford, MA (March 1975).

Biba, K. “Integrity Considerations for Secure Computer Systems,” Technical Report MTR-3153, MITRE Corporation, Bedford, MA (April 1977).

Bishop, M. Computer Security: Art and Science. Boston: Addison-Wesley Professional, 2002.

Brewer, D., and M. Nash. “The Chinese Wall Security Policy,” Proceedings of the 1989 IEEE Symposium on Security and Privacy (May 1989): 206–212.

Clark, D., and D. Wilson. “A Comparison of Commercial and Military Security Policies,” Proceedings of the 1987 IEEE Symposium on Security and Privacy (April 1987): 184–194.

Cortier, V., and S. Kremer. Formal Models and Techniques for Analyzing Security Protocols—Volume 5 Cryptology and Information Security Series. IOS Press, 2011.

Cremers, C., and S. Mauw. Operational Semantics and Verification of Security Protocols. Springer, 2012.

Demillo, D., D. Dobkin, A. Jones, and R. Lipton, eds. Foundations of Secure Computing. New York: Academic Press, 1978.

Denning, D. “The Limits of Formal Security Models,” National Information Systems Security Conference, October 18, 1999; available at www.cs.georgetown.edu/~denning/infosec/award.html

Denning, P. “Third Generation Computer Systems,” Computing Surveys 3, No. 4 (December 1976): 175–216.

Engeler, E. Introduction to the Theory of Computation. New York: Academic Press, 1973.

Ferraiolo, D., J. Cugini, and D. Kuhn. “Role-Based Access Control (RBAC): Features and Motivations,” Proceedings of the Eleventh Annual Computer Security Applications Conference (December 1995): 241–248.

Goguen, J., and J. Meseguer. “Security Policies and Security Models,” Proceedings of the 1982 IEEE Symposium on Privacy and Security (April 1982): 11–20.

Graubert, R. “On the Need for a Third Form of Access Control,” Proceedings of the Twelfth National Computer Security Conference (October 1989): 296–304.

Haigh, J., R. Kemmerer, J. McHugh, and W. Young. “An Experience Using Two Covert Channel Analysis Techniques on a Real System Design,” IEEE Transactions in Software Engineering 13, No. 2 (February 1987): 141–150.

Harrison, M., and W. Ruzzo. “Monotonic Protection Systems.” In D. Demillo et al., eds. Foundations of Secure Computing, pp. 337–363. New York: Academic Press, 1978.

Harrison, M., W. Ruzzo, and J. Ullman. “Protection in Operating Systems,” Communications of the ACM 19, No. 8 (August 1976): 461–471.

Ko, C., and T. Redmond. “Noninterference and Intrusion Detection,” Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002): 177–187.

Lampson, B. “Protection.” Proceedings of the Fifth Princeton Symposium of Information Science and Systems (March 1971): 437–443.

Lipner, S. “Non-Discretionary Controls for Commercial Applications,” Proceedings of the 1982 IEEE Symposium on Privacy and Security (April 1982): 2–10.

Mantel, H. “On the Composition of Secure Systems,” Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002): 88–101.

McCullough, D. “Non-Interference and the Composability of Security Properties,” Proceedings of the 1987 IEEE Symposium on Privacy and Security (April 1988): 177–186.

Sandhu, R. “The Typed Access Matrix Model,” Proceedings of the 1992 IEEE Symposium on Security and Privacy (April 1992): 122–136.

Seacord, R. Secure Coding in C and C++. Boston: Addison-Wesley, 2005.

Walcott, T., and M. Bishop. “Traducement: A Model for Record Security,” ACM Transactions on Information Systems Security 7, No. 4 (November 2004): 576–590.

9.8 NOTES

1. Recordation of real estate refers to recording deeds, mortgages, and other information about property with the county recorder. See http://ag.ca.gov/erds1/index.php
2. D. Denning, “The Limits of Formal Security Models,” National Information Systems Security Conference, October 18, 1999; available at www.cs.georgetown.edu/~denning/infosec/award.html
3. B. Lampson, “Protection,” Proceedings of the Fifth Princeton Symposium of Information Science and Systems (March 1971): 437–443; P. Denning, “Third Generation Computer Systems,” Computing Surveys 3, No. 4 (December 1976): 175–216.
4. Harrison, 1976.
5. M. Harrison, W. Ruzzo, and J. Ullman, “Protection in Operating Systems,” Communications of the ACM 19, No. 8 (August 1976): 461–471.
6. The halting problem is the question “Is there an algorithm to determine whether any arbitrary program halts?” The answer, “No,” was proved by Alan Turing in 1936. See www.nist.gov/dads/HTML/haltingProblem.html. See also E. Engeler, Introduction to the Theory of Computation (New York: Academic Press, 1973).
7. E. Engeler, Introduction to the Theory of Computation (New York: Academic Press, 1973).
8. The interested reader is referred to Harrison et al., “Protection in Operating Systems,” or to M. Bishop, Computer Security: Art and Science (Boston: Addison-Wesley Professional, 2002), p. 47 ff., for the proof.
9. Harrison et al., “Protection in Operating Systems.”
10. M. Harrison and W. Ruzzo, “Monotonic Protection Systems,” in D. Demillo et al., eds., Foundations of Secure Computing, pp. 337–363 (New York: Academic Press, 1978).
11. Harrison and Ruzzo, “Monotonic Protection Systems.”
12. Harrison and Ruzzo, “Monotonic Protection Systems.”
13. Harrison and Ruzzo, “Monotonic Protection Systems.”
14. R. Sandhu, “The Typed Access Matrix Model,” Proceedings of the 1992 IEEE Symposium on Security and Privacy (April 1992): 122–136.
15. Sandhu, “The Typed Access Matrix Model.”
16. Also sometimes called organization-controlled access control, or ORGCON.
17. R. Graubert, “On the Need for a Third Form of Access Control,” Proceedings of the Twelfth National Computer Security Conference (October 1989): 296–304.
18. D. Ferraiolo, J. Cugini, and D. Kuhn, “Role-Based Access Control (RBAC): Features and Motivations,” Proceedings of the Eleventh Annual Computer Security Applications Conference (December 1995): 241–248.
19. As Benjamin Franklin once said, “Three can keep a secret if two of them are dead.”
20. Saltzer and Schroeder 1975.
21. D. Bell and L. LaPadula, “Secure Computer Systems: Unified Exposition and Multics Interpretation,” Technical Report MTR-2997 rev. 1, MITRE Corporation, Bedford, MA (March 1975).


22. A macro virus can infect a document. See, for example, Bishop, M., Computer Security: Art and Science. (Boston, MA: Addison-Wesley Professional, 2002), section 22.3.8, and Chapter 16 in this Handbook.

23. Biba proposed three models: the Low-Water-Mark Policy model, the Ring Policy model, and the Strict Integrity Policy model. See Bishop, Computer Security, Section 6.2.

24. The explanation is too complex to go into here. The interested reader is referred to R. Seacord, Secure Coding in C and C++ (Boston: Addison-Wesley, 2005), Chapter 6, for a discussion of this problem.

25. S. Lipner, “Non-Discretionary Controls for Commercial Applications,” Proceedings of the 1982 IEEE Symposium on Privacy and Security (April 1982): 2–10.
26. D. Clark and D. Wilson, “A Comparison of Commercial and Military Security Policies,” Proceedings of the 1987 IEEE Symposium on Security and Privacy (April 1987): 184–194.
27. D. Brewer and M. Nash, “The Chinese Wall Security Policy,” Proceedings of the 1989 IEEE Symposium on Security and Privacy (May 1989): 206–212.
28. R. Anderson, “A Security Policy Model for Clinical Information Systems,” Proceedings of the 1996 IEEE Symposium on Security and Privacy (May 1996): 34–48.
29. T. Walcott and M. Bishop, “Traducement: A Model for Record Security,” ACM Transactions on Information Systems Security 7, No. 4 (November 2004): 576–590.
30. J. Goguen and J. Meseguer, “Security Policies and Security Models,” Proceedings of the 1982 IEEE Symposium on Privacy and Security (April 1982): 11–20.
31. Goguen and Meseguer, “Security Policies and Security Models.”
32. J. Haigh, R. Kemmerer, J. McHugh, and W. Young, “An Experience Using Two Covert Channel Analysis Techniques on a Real System Design,” IEEE Transactions in Software Engineering 13, No. 2 (February 1987): 141–150.
33. C. Ko and T. Redmond, “Noninterference and Intrusion Detection.” Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002): 177–187.
34. D. McCullough, “Non-Interference and the Composability of Security Properties,” Proceedings of the 1987 IEEE Symposium on Privacy and Security (April 1988): 177–186.
35. H. Mantel, “On the Composition of Secure Systems,” Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002): 88–101.

CHAPTER 10

UNDERSTANDING STUDIES AND SURVEYS OF COMPUTER CRIME

M. E. Kabay

10.1 INTRODUCTION 10 · 1
  10.1.1 Value of Statistical Knowledge Base 10 · 1
  10.1.2 Limitations on Our Knowledge of Computer Crime 10 · 2
  10.1.3 Limitations on the Applicability of Computer Crime Statistics 10 · 2
10.2 BASIC RESEARCH METHODOLOGY 10 · 3
  10.2.1 Some Fundamentals of Statistical Design and Analysis 10 · 3
  10.2.2 Research Methods Applicable to Computer Crime 10 · 9
10.3 SUMMARY 10 · 11
10.4 FURTHER READING 10 · 12
10.5 NOTES 10 · 12

10.1 INTRODUCTION. This chapter provides guidance for critical reading of research results about computer crime. It will also alert designers of research instruments who may lack formal training in survey design and analysis to the need for professional support in developing questionnaires and analyzing results.

10.1.1 Value of Statistical Knowledge Base. Security specialists are often asked about computer crime; for example, customers want to know who is attacking which systems, how often, using what methods. These questions are perceived as important because they bear on the strategies of risk management; in theory, in order to estimate the appropriate level of investment in security, it would be helpful to have a sound grasp of the probability of different levels of damage. Ideally, one would want to evaluate an organization’s level of risk by evaluating the experiences of other organizations with similar system and business characteristics. Such comparisons would be useful in competitive analysis and in litigation over standards of due care and diligence in protecting corporate assets.


10.1.2 Limitations on Our Knowledge of Computer Crime. Unfortunately, in the current state of information security, no one can give reliable answers to such questions. There are two fundamental difficulties preventing us from developing accurate statistics of this kind. These difficulties are known as the problems of ascertainment.

10.1.2.1 Detection. The first problem is that an unknown number of crimes of all kinds are undetected. For example, even outside the computer crime field, we do not know how many financial frauds are being perpetrated. We do not know because some of them are not detected. How do we know they are not detected? Because some frauds are discovered long after they have occurred. Similarly, computer crimes may not be detected by their victims but may be reported by the perpetrators.

In a landmark series of tests at the Department of Defense (DoD), the Defense Information Systems Agency found that very few of the penetrations it engineered against unclassified systems within the DoD seem to have been detected by system managers. These studies were carried out from 1994 through 1996 and attacked 38,000 systems. About two-thirds of the attacks succeeded; however, only 4 percent of these attacks were detected.1

A commonly held view within the information security community is that only one-tenth or so of all the crimes committed against and using computer systems are detected.

10.1.2.2 Reporting. The second problem of ascertainment is that even if attacks are detected, few seem to be reported in a way that allows systematic data collection. This commonly held belief is based in part on the unquantified experience of information security professionals who have conducted interviews of their clients; it turns out that only about 10 percent of the attacks against computer systems revealed in such interviews were ever reported to any kind of authority or to the public. The DoD studies mentioned earlier were consistent with this belief; of the few penetrations detected, only a fraction of 1 percent were reported to appropriate authorities.

Given these problems of ascertainment, computer crime statistics generally should be treated with skepticism.

10.1.3 Limitations on the Applicability of Computer Crime Statistics. Generalizations in this field are difficult to justify. Even if we knew more about types of criminals and the methods they use, it still would be difficult to have the kind of actuarial statistic that is commonplace in the insurance field. For example, the establishment of uniform building codes in the 1930s in the United States led to the growth in fire insurance as a viable business. With official records of fires in buildings that could be described using a standard typology, statistical information began to provide an actuarial basis for using probabilities of fires and associated costs to calculate reasonable insurance rates.

In contrast, even if we had access to accurate reports, it would be difficult to make meaningful generalizations about vulnerabilities and incidence of successful attacks for the information technology field. We use a bewildering variety and versions of processors, operating systems, firewalls, encryption, application software, backup methods and media, communications channels, identification, authentication, authorization, compartmentalization, and operations.


How would we generalize from data about the risks at (say) a mainframe-based network running Multiple Virtual Systems (MVS) in a military installation to the kinds of risks faced by a UNIX-based intranet in an industrial corporation, or to a Windows New Technology (NT)–based Web server in a university setting? There are so many differences among systems that if we were to establish a multidimensional analytical table where every variable was an axis, many cells would likely contain no or only a few examples. Such sparse matrices are notoriously difficult to use in building statistical models for predictive purposes.

10.2 BASIC RESEARCH METHODOLOGY. This is not a chapter about social sciences research. However, many discussions of computer crime seem to take published reports as gospel, even though these studies may have no validity whatsoever. In this short section, we look at some fundamentals of research design so that readers will be able to judge how much faith to put in computer crime research results.

10.2.1 Some Fundamentals of Statistical Design and Analysis. The way in which a scientist or reporter represents data can make an enormous difference in the readers’ impressions.

10.2.1.1 Descriptive Statistics. Suppose three companies reported these losses from penetration of their computer systems: $1 million, $2 million, and $6 million. We can describe these results in many ways. For example, we can simply list the raw data; however, such lists could become unacceptably long as the number of reports increased, and it is hard to make sense of the raw data.

We could define classes such as “2 million or less” and “more than 2 million” and count how many occurrences there were in each class:

Class    Freq
≤ $2M    2
> $2M    1

Alternatively, we might define the classes with finer granularity as < $1M, ≥ $1M but < $2M, and so on; such a table might look like this:

Class            Freq
< $1M            0
≥ $1M & < $2M    1
≥ $2M & < $3M    1
≥ $3M & < $4M    0
≥ $4M & < $5M    0
≥ $5M & < $6M    0
≥ $6M            1


Notice how the definition of the classes affects perception of the results: The first table gives the impression that the results are clustered around $2 million and gives no information about the upper or lower bounds.

10.2.1.1.1 Location. One of the most obvious ways we describe data is to say where they lie in a particular dimension. The central tendency of our three original data ($1 million, $2 million, and $6 million) can be represented in various ways; for example, two popular measures are:

• Arithmetic mean or average = $(1 + 2 + 6)M/3 = $3M
• Median (the middle of the sorted list of losses) = $2M

Note that if we tried to compute the mean and the median from the first table (with its approximate classes), we would get the wrong value. Such statistics should be computed from the original data, not from summary tables.

10.2.1.1.2 Dispersion. Another aspect of our data that we frequently need is dispersion—that is, variability. The simplest measure of dispersion is the range: the difference between the smallest and the largest value we found; in our example, we could say that the range was from $1 million to $6 million or that it was $5 million. Sometimes the range is expressed as a percentage of the mean; then we would say that the range was 5/3 = 1.6… or approximately 167 percent.

The variance (σ²) of these particular data is the average of the squared deviations from the arithmetic mean; the variance of the three numbers would be σ² = [(1 − 3)² + (2 − 3)² + (6 − 3)²]/3 = (4 + 1 + 9)/3 ≈ 4.67.

The square root of the variance (σ) is called the standard deviation and is often used to describe dispersion. In our example, σ = √4.67 ≈ 2.16.

Dispersion is particularly important when we compare estimates about information from different groups. The greater the variance of a measure, the more difficult it is to form reliable generalizations about an underlying phenomenon, as described in the next section.

10.2.1.2 Inference: Sample Statistics versus Population Statistics. We can accurately describe any data using descriptive statistics; the question is what we then do with those measures.

Usually we expect to extend the findings in a sample or subset of a population to make generalizations about the population. For example, we might be trying to estimate the losses from computer crime in commercial organizations with offices in the United States and with more than 30,000 employees. Or perhaps our sample would represent commercial organizations with offices in the United States and with more than 30,000 employees and whose network security staff was willing to respond to a survey questionnaire.

In such cases, we try to infer the characteristics of the population from the characteristics of the sample. Statisticians say that we try to estimate the parametric statistics by using the sample statistics.

For example, we estimate the parametric (population) variance (usually designated σ²) by multiplying the variance of the sample by n/(n − 1). Thus, we would say that the estimate of the parametric variance (s²) in our sample would be s² = 4.67 × 3/2 = 7. The estimate of the parametric standard deviation (s) would be s = √7 ≈ 2.65.


10.2.1.3 Hypothesis Testing. Another kind of inference that we try to make from data is hypothesis testing. For example, suppose we were interested in whether there was any association between the presence or absence of firewalls and the occurrence of system penetration. We can imagine collecting these data about penetrations into systems with or without firewalls:

                   Penetration
Firewalls     No     Yes    Totals
No            25      75       100
Yes           70     130       200
Totals        95     205       300

We would frame the hypothesis (the null hypothesis, sometimes represented as H0) that there was no relationship between the two independent variables, penetration and firewalls, and test that hypothesis by performing a test of independence of these variables. In our example, a simple chi-square test of independence would give a test statistic of 𝜒2[1] = 2.636. If there really were no association between penetration and firewalls in the population of systems under examination, the parametric value of this statistic would be zero. In our imaginary example, we can show that such a large value (or larger) of 𝜒2[1] would occur in only 10.4 percent of the samples taken from a population where firewalls had no effect on penetration. Put another way, if we took many samples from a population where the presence of firewalls was not associated with any change in the rate of penetration, we would see about 10.4 percent of those samples producing 𝜒2[1] statistics as large as or larger than 2.636.
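The figures in sections 10.2.1.1 through 10.2.1.3, recomputed from the raw data as an added example that is not code from the handbook. It assumes the three loss figures and the firewall/penetration table are the constructed illustrations the text presents them as; the chi-square value the text quotes is the continuity-corrected (Yates) statistic, so the test function applies that correction by default.

```python
"""Descriptive statistics, the n/(n-1) population estimates, and a 2x2 test
of independence for the handbook's worked numbers. Added example; the loss
figures and the contingency table are the text's constructed data."""
import math
from bisect import bisect_right
from statistics import median

LOSSES_MUSD = [1.0, 2.0, 6.0]            # three reported losses, $ millions
CLASS_EDGES_MUSD = [1, 2, 3, 4, 5, 6]    # finer classes: <1, [1,2), ..., >=6

# Rows: firewalls No / Yes; columns: penetration No / Yes.
FIREWALL_TABLE = ((25, 75),
                  (70, 130))


def describe(data):
    """Location and dispersion, computed from the raw data (never from a
    summary table: class counts cannot recover the mean or the median)."""
    n = len(data)
    mu = sum(data) / n
    pop_var = sum((x - mu) ** 2 for x in data) / n   # sigma^2 of the data
    samp_var = pop_var * n / (n - 1)                 # s^2, the n/(n-1) estimate
    return {
        "mean": mu,
        "median": median(data),
        "range": max(data) - min(data),
        "range_pct_of_mean": 100 * (max(data) - min(data)) / mu,
        "pop_var": pop_var, "pop_sd": math.sqrt(pop_var),
        "samp_var": samp_var, "samp_sd": math.sqrt(samp_var),
    }


def class_counts(data, edges):
    """Frequency per class; class i covers [edges[i-1], edges[i]), with open
    classes below the first edge and at or above the last one."""
    counts = [0] * (len(edges) + 1)
    for x in data:
        counts[bisect_right(edges, x)] += 1
    return counts


def chi_square_2x2(table, yates=True):
    """Chi-square test of independence on a 2x2 table (1 degree of freedom).
    With the Yates continuity correction the statistic is the 2.636 the text
    quotes; uncorrected, the same table gives about 3.08. The p-value is the
    chi-square(1) upper tail, P(|Z| > sqrt(stat)) = erfc(sqrt(stat / 2))."""
    (a, b), (c, d) = table
    n = a + b + c + d
    r1, r2, c1, c2 = a + b, c + d, a + c, b + d
    diff = abs(a * d - b * c)
    if yates:
        diff = max(diff - n / 2, 0.0)
    stat = n * diff ** 2 / (r1 * r2 * c1 * c2)
    p_value = math.erfc(math.sqrt(stat / 2))
    return stat, p_value


def significance_label(p_value):
    """The conventional labels for p(H0) listed in the text."""
    if p_value > 0.05:
        return "ns"
    if p_value > 0.01:
        return "*"
    if p_value > 0.001:
        return "**"
    return "***"


if __name__ == "__main__":
    d = describe(LOSSES_MUSD)
    print(f"mean ${d['mean']:.2f}M  median ${d['median']:.2f}M  "
          f"range ${d['range']:.0f}M ({d['range_pct_of_mean']:.0f}% of mean)")
    print(f"sigma^2 {d['pop_var']:.2f}  sigma {d['pop_sd']:.2f}  "
          f"s^2 {d['samp_var']:.2f}  s {d['samp_sd']:.2f}")
    print("finer class counts", class_counts(LOSSES_MUSD, CLASS_EDGES_MUSD))
    stat, p = chi_square_2x2(FIREWALL_TABLE)
    print(f"chi-square[1] = {stat:.3f}, p(H0) = {p:.3f} ({significance_label(p)})")
```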

Statisticians have agreed on some conventions for deciding whether a test statistic deviates enough from the value expected under the null hypothesis to warrant inferring that the null hypothesis is wrong. Generally, we describe the likelihood that the null hypothesis is true—often shown as p(H0)—in this way:

• When p(H0) > 0.05, we say the results are not statistically significant (often designated with the symbols ns);
• When 0.05 ≥ p(H0) > 0.01, the results are described as statistically significant (often designated with the symbol *);
• When 0.01 ≥ p(H0) > 0.001, the results are described as highly statistically significant (often designated with the symbols **);
• When p(H0) ≤ 0.001, the results are described as extremely statistically significant (often designated with the symbols ***).

10.2.1.4 Random Sampling, Bias, and Confounded Variables. The most important element of sampling is randomness. We say that a sample is random or randomized when every member of the population we are studying has an equal probability of being selected. When a population is defined one way but the sample is drawn nonrandomly, the sample is described as biased. For example, if the population we are studying was designed to be, say, all companies worldwide with more than 30,000 full-time employees, but we sampled mostly from such companies in the United States, the sample would be biased toward U.S. companies and their characteristics.


Similarly, if we were supposed to be studying security in all companies in the United States with more than 30,000 full-time employees, but we sampled only from those companies that were willing to respond to a security survey, we would be at risk of having a biased sample.

In this last example, involving studying only those who respond to a survey, we say that we are potentially confounding variables: We are looking at people-who-respond-to-surveys and hoping they are representative of the larger population of people from all companies in the desired population. But what if the people who are willing to respond are those who have better security and those who do not respond have terrible security? Then responding to the survey is confounded with quality of security, and our biased sample could easily mislead us into overestimating the level of security in the desired population.

Another example of how variables can be confounded is comparisons of results from surveys carried out in different years. Unless exactly the same people are interviewed in both years, we may be confounding individual variations in responses with changes over time; unless exactly the same companies are represented, we may be confounding differences among companies with changes over time; if external events have led people to be more or less willing to respond truthfully to questions, we may be confounding willingness to respond with changes over time. If the surveys are carried out with different questions or used by different research groups, we may be confounding changes in methodology with changes over time.

10.2.1.5 Confidence Limits. Because random samples naturally vary around the parametric (population) statistics, it is not very helpful to report a point estimate of the parametric value. For example, if we read that the mean damage from computer crimes in a survey was $180,000 per incident, what does that imply about the population mean?

To express our confidence in the sample statistic, we calculate the likelihood of being right if we give an interval estimate of the population value. For example, we might find that we would have a 95 percent likelihood of being right in asserting that the mean damage was between $160,000 and $200,000. In another sample, we might be able to narrow these 95 percent confidence limits to $175,000 and $185,000.

In general, the larger the sample size, the narrower the confidence limits will be for particular statistics.

The calculation of confidence limits for statistics depends on some necessary assumptions:

• Random sampling
• A known error distribution (usually the Normal distribution—sometimes called a Gaussian distribution)
• Equal variance at all values of the measurements

If any of these assumptions is wrong, the calculated confidence limits for our estimates will be wrong; that is, they will be misleading. There are tests of these assumptions that analysts should carry out before reporting results; if the data do not follow Normal error distributions, sometimes one can apply normalizing transformations.

In particular, percentages do not follow a Normal distribution. Here is a reference table of confidence limits for various percentages in a few representative sample sizes.


95 Percent Confidence Limits for Percentages

                        Sample size
Percentage     100             500             1000
0              0–3.0%          0–0.6%          0–0.3%
10             4.9–17.6%       7.5–13.0%       8.2–12.0%
20             12.7–29.1%      16.6–23.8%      17.6–22.6%
50             40.0–60.1%      45.5–54.5%      46.9–53.1%
80             70.9–87.3%      76.2–83.4%      77.4–82.4%
90             82.4–95.1%      87.0–92.5%      88.0–91.8%
100            97.0–100%       99.4–100%       99.7–100%
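As an added example (not code from the handbook; the function names are my own and the survey counts are constructed), the following Python computes exact binomial (Clopper-Pearson) limits of the kind tabulated above by bisection on the binomial distribution, so it needs no statistics library and reproduces the table's interior rows.

```python
from math import comb

# Added example, not from the handbook: exact (Clopper-Pearson) confidence
# limits for a sample percentage, found by bisection on the binomial CDF.


def binom_cdf(x, n, p):
    """P(X <= x) for X ~ Binomial(n, p), summed exactly with math.comb."""
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(x + 1))


def _solve_increasing(f, target, iterations=60):
    """Bisection on [0, 1] for the p with f(p) == target; f must increase in p."""
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if f(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def clopper_pearson(x, n, confidence=0.95):
    """Return (lower, upper) limits, as fractions, for the population proportion
    given x 'yes' answers among n randomly sampled respondents.

    Lower limit: the p at which P(X >= x | p) = alpha/2 (P(X >= x) rises with p).
    Upper limit: the p at which P(X <= x | p) = alpha/2, solved as P(X > x) = 1 - alpha/2.
    The boundary cases x == 0 and x == n have an exact one-sided limit of 0 or 1.
    """
    if n <= 0 or not 0 <= x <= n:
        raise ValueError("need n > 0 and 0 <= x <= n")
    alpha = 1.0 - confidence
    lower = 0.0 if x == 0 else _solve_increasing(
        lambda p: 1.0 - binom_cdf(x - 1, n, p), alpha / 2.0)
    upper = 1.0 if x == n else _solve_increasing(
        lambda p: 1.0 - binom_cdf(x, n, p), 1.0 - alpha / 2.0)
    return lower, upper


def limits_table(percentages=(0, 10, 20, 50, 80, 90, 100), sizes=(100, 500, 1000)):
    """Rows of (percentage, {n: (lower %, upper %)}) in the layout of the table above."""
    rows = []
    for pct in percentages:
        cells = {}
        for n in sizes:
            x = round(n * pct / 100)          # observed count for that percentage
            lo, hi = clopper_pearson(x, n)
            cells[n] = (round(100 * lo, 1), round(100 * hi, 1))
        rows.append((pct, cells))
    return rows


if __name__ == "__main__":
    # Constructed survey result: 70 of 100 responding organizations report a firewall.
    lo, hi = clopper_pearson(70, 100)
    print(f"70/100 -> 95% limits {100 * lo:.1f}% to {100 * hi:.1f}%")
    for pct, cells in limits_table():
        print(pct, "  ".join(f"n={n}: {c[0]}-{c[1]}%" for n, c in cells.items()))
```

The interior rows of the table agree with this two-sided calculation; the 0 and 100 rows of the table use a one-sided bound and so come out a little narrower than the two-sided limits returned here. Whatever the method, the limits say nothing about respondents who did not answer, which is the self-selection problem discussed above.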

10.2.1.6 Contingency Tables. One of the most frequent errors in reporting results of studies is to provide only part of the story. For example, one can read statements such as “Over 70 percent of the systems without firewalls were penetrated last year.” Such a statement may be true, but it cannot be interpreted correctly as meaning that systems with firewalls were necessarily more or less vulnerable to penetration than systems without firewalls. The statement is incomplete; to make sense of it, we need the other part of the implied contingency table—the percentage of systems with firewalls that were penetrated last year—before making any assertions about the relationship between firewalls and penetrations. Compare, for example, these two hypothetical tables:

                  Without Firewalls    With Firewalls in Default Configuration
Penetrated        70%                  70%
Not Penetrated    30%                  30%

                  Without Firewalls    With Firewalls Properly Configured
Penetrated        70%                  10%
Not Penetrated    30%                  90%

In both cases, someone could say that “70 percent of the systems without firewalls were penetrated,” but the implications would be radically different in the two data sets. Without knowing the right-hand column, the original assertion would be meaningless.

10.2.1.7 Association versus Causality. Continuing our example with rates of penetration, another error that untrained people often make when studying statistical information is to mistake association for causality. Imagine that a study showed that a lower percentage of systems with fire extinguishers was penetrated than systems without fire extinguishers and that this difference was statistically highly significant. Would such a result necessarily mean that fire extinguishers caused the reduction in penetration? No. We know that it is far more reasonable to suppose that the fire extinguishers were installed in organizations whose security awareness and security policies were more highly developed than in the organizations where no fire extinguishers were installed. In this imaginary example, the fire extinguishers might actually have no causal effect whatever on resistance to penetration. This result would illustrate the effect of confounding variables: presence of a fire extinguisher with state of security awareness and policies.

10.2.1.8 Control Groups. Finally, to finish our penetration example, one way to distinguish between association and causality is to control for variables. For example, one could measure the state of security awareness and policy as well as the presence or absence of fire extinguishers and make comparisons only among groups with the same level of awareness and policy. There are also statistical techniques for mathematically controlling for differences in such independent variables.

10.2.1.9 A Priori versus a Posteriori Testing. Amateurs or beginners sometimes forget the principle of random sampling that underlies all statistical inference (see Section 10.2.1.4). None of the hypothesis tests or confidence limit calculations work if a sample is not random. For example, if someone is wandering through a supermarket and notices that Granny Smith apples seem to be bigger than Macintosh apples, selecting a sample—even a random sample—of the apples that specifically gave rise to the hypothesis will not allow reliable computations of probability that the apples have the same average weight. The problem is that those particular apples would not have been sampled at all had the observer not been moved to formulate the hypothesis. So even if a particular statistical comparison produces a sample statistic that appears to have a probability of, say, 0.001, it is not possible to know how much the sampling deviated from randomness.

Applying statistical tests to data after one notices an interesting descriptive value, comparison, or trend is known as a posteriori testing. Formulating a hypothesis, obtaining a random sample, and computing the statistics and probabilities in accordance with the assumptions of those statistics and probabilities is known as a priori testing.

A well-used example of the perils of a posteriori testing is the unfortunate habit of searching through sequences of results such as long strings of guesses collected in student tests of paranormal abilities and calculating statistical values on carefully selected subsets of the strings. These a posteriori tests are then presented as if they were a priori and cause great confusion and arguments, such as: “Look, even though the overall proportion of correct guesses was (say) 50.003 percent in this run of <some very large number> guesses, there was a run of <much smaller number> guesses that were correct <any value greater than 50 percent> of the time! The probability of such a result by chance is <very small number>. That proves that there was a real effect of <whatever the treatment was>.” Unfortunately, a long series of numbers can produce any desired nonrandom-looking string; there are even tests known as runs tests that can help a researcher evaluate the nonrandomness of such occurrences.

In practical terms, statisticians have established a convention for limiting the damaging effects of a posteriori testing: Use the 0.001 level of probability as the equivalent of the minimum probability of the null hypothesis. This custom makes it far less likely that an a posteriori comparison will trick the user into accepting what is in fact a random variation that caught someone’s eye.

The best solution to the bias implicit in a posteriori testing is to use a completely new sample for the comparison. In the apple example, one could ask the store manager for new, unobserved, and randomly selected batches of both types of apples. The comparison statistics would then be credible and could be expected to follow the parametric distribution underlying calculations of probability of the null hypothesis. The populations from which these apples were selected still would have to be carefully determined. Would the populations be apples at this particular store? For this particular chain? For this particular region of the country or of the world?

10.2.2 Research Methods Applicable to Computer Crime

10.2.2.1 Interviews. Interviewing individuals can be illuminating. In general, interviews provide a wealth of data that are unavailable through any other method. For example, one can learn details of computer crime cases or motivations and techniques used by computer criminals. Interviews can be structured (using precise lists of questions) or unstructured (allowing the interviewer to respond to new information by asking additional questions at will).

Interviewers can take notes or record the interviews for later word-for-word transcription. In unstructured interviews, skilled interviewers can probe responses to elucidate nuances of meaning that might be lost using cruder techniques such as surveys. Techniques such as thematic analysis can reveal patterns of responses that can then be examined using exploratory data analysis.2 Thematic analysis is a technique for organizing nonquantitative information without imposing a preexisting framework on the data; exploratory data analysis uses statistical techniques to identify possibly interesting relationships that can be tested with independently acquired data. Such exploratory techniques can correctly include a posteriori testing as described in Section 10.2.1.9, but the results are used to propose further studies that can use a priori tests for the best use of resources.

10.2.2.2 Focus Groups. Focus groups are like group interviews. Generally, the facilitator uses a list of predetermined questions and encourages the participants to respond freely and to interact with each other. Often, the proceedings are filmed from behind a one-way mirror for later detailed analysis. Such analysis can include nonverbal communications, such as facial expressions and other body language as the participants speak or listen to others speak about specific topics.

10.2.2.3 Surveys. Surveys consist of asking people to answer a fixed series of questions with lists of allowable answers. They can be carried out face to face or by distributing and retrieving questionnaires by telephone, mail, fax, and email. Some questionnaires have been posted on the Web.

The critical issue when considering the reliability of surveys is self-selection bias—the obvious problem that survey results include only the responses of people who agreed to participate. Before basing critical decisions on survey data, it is useful to find out what the response rate was; although there are no absolutes, in general, we tend to trust survey results more when the response rate is high. Unfortunately, response rates for telephone surveys are often less than 10 percent; response rates for mail and email surveys can be less than 1 percent. It is very difficult to make any case for random sampling under such circumstances, and all results from such low-response-rate surveys should be viewed as indicating the range of problems or experiences of the respondents rather than as indicators of population statistics.

Regarding Web-based surveys, there are two types from a statistical point of view: those that use strong identification and authentication and those that do not. Those that do not are vulnerable to fraud, such as repeated voting by the same individuals. Those that provide individual universal resource locators (URLs) to limit voting to one per person nonetheless suffer from the same problems of self-selection bias as any other survey.

10.2.2.4 Instrument Validation. Interviews and other social sciences research methodologies can suffer from a systematic tendency for respondents to shape their answers to please the interviewer or to express opinions that may be closer to the norm in whatever group they see themselves. Thus, if it is well known that every organization ought to have a business continuity plan, some respondents may misrepresent the state of their business continuity planning to look better than they really are.

In addition, survey instruments may distort responses by phrasing questions in a biased way; for example, the question “Does your business have a completed business continuity plan?” may have a more accurate response rate than the question “Does your business comply with industry standards for having a completed business continuity plan?” The latter question is not neutral and is likely to increase the proportion of “yes” answers.

The sequence of answers may bias responses; exposure to the first possible answers can inadvertently establish a baseline for the respondent. For example, a question about the magnitude of virus infections might ask:

In the last 12 months, has your organization experienced total losses from virus infections of

(a) $1 million or greater;

(b) less than $1 million but greater than or equal to $100,000;

(c) less than $100,000;

(d) none at all?

To test for bias, the designer can create versions of the instrument in which the same information is obtained using the opposite sequence of answers:

In the last 12 months, has your organization experienced total losses from virus infections of

(a) none at all;

(b) less than $100,000;

(c) less than $1 million but greater than or equal to $100,000;

(d) $1 million or greater?

The sequence of questions can bias responses; having provided a particular response to a question, the respondent will tend to make answers to subsequent questions about the same topic conform to the first answer in the series. To test for this kind of bias, the designer can create versions of the instrument with questions in different sequences.

Another instrument validation technique inserts questions with no valid answers or with meaningless jargon to see if respondents are thinking critically about each question or merely providing any answer that pops into their heads. For example, one might insert the nonsensical question, “Does your company use steady-state quantum interference methodologies for intrusion detection?” into a questionnaire about security and invalidate the results of respondents who answer yes to this and other diagnostic questions.

Finally, independent verification of answers provides strong evidence of whether respondents are answering truthfully. However, such intrusive investigations are rare.


10.2.2.5 Meta-analysis. Sometimes it is useful to evaluate a hypothesis based on several studies. We can combine probabilities P of the same null hypothesis from k trials using the formula

X² = −2 Σ ln P

where X² is distributed as χ²[2k] if the null hypothesis is true in all the trials. For example, suppose a forensic specialist is evaluating the possibility that log files have been tampered with in a specific period.

• She runs a test of the frequency distribution of individual digits in the data for the suspect period to evaluate the likelihood that the distribution is consistent with the null hypothesis of randomness. The P for the two-tailed chi-square test is 0.072ns.

• She looks at the average number of disk I/Os per second in the records for the suspect period and compares the data with the same statistic in the control period using ANOVA; the P for the two-tailed test is 0.096ns.

In this case, X² = −2 Σ ln P = −2 × (ln 0.072 + ln 0.096) = −2 × (−2.63109 − 2.34341) = 9.948992 with 4 degrees of freedom. The P for the null hypothesis is 0.0413∗. In other words, the chance of observing the results of both tests by chance alone, if the suspect data were consistent with the comparison data, is small enough to be statistically significant. There is reason to reject the null hypothesis: Someone may very well have tampered with the log files for the suspect period.

This technique is subject to constraints. Most meta-analyses require the probabilities of the null hypothesis to be computed for a single tail in the same direction; it doesn’t make sense to combine probabilities from conflicting hypotheses using two-tailed probabilities. However, as in the example above, if the null hypotheses are consistent, even two-tailed probabilities may be usefully combined.
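The combination above, worked in code as an added example that is not from the handbook (the function names are my own): Fisher's statistic X² = −2 Σ ln P plus the χ²[2k] tail probability, which for an even number of degrees of freedom has a closed form, so no statistics library is needed to reproduce the 0.0413 of the log-tampering case.

```python
from math import exp, log, factorial

# Added example, not from the handbook: combining the P values of k independent
# tests of the same null hypothesis with X^2 = -2 * sum(ln P), which is
# chi-square with 2k degrees of freedom when the null holds in every trial.


def fisher_statistic(p_values):
    """Return (X2, degrees_of_freedom) for the given P values."""
    if not p_values or any(not 0.0 < p <= 1.0 for p in p_values):
        raise ValueError("P values must lie in (0, 1]")
    x2 = -2.0 * sum(log(p) for p in p_values)
    return x2, 2 * len(p_values)


def chi2_sf_even_df(x2, df):
    """Upper-tail probability P(chi2_df > x2) for even df.

    With k = df / 2 the tail equals the Poisson probability of fewer than k
    events when the mean is x2 / 2: exp(-x2/2) * sum_{i<k} (x2/2)^i / i!.
    """
    if df <= 0 or df % 2:
        raise ValueError("closed form needs a positive even df")
    k = df // 2
    half = x2 / 2.0
    return exp(-half) * sum(half ** i / factorial(i) for i in range(k))


def combine_p_values(p_values):
    """Meta-analysis of independent tests: returns (X2, df, combined P)."""
    x2, df = fisher_statistic(p_values)
    return x2, df, chi2_sf_even_df(x2, df)


if __name__ == "__main__":
    # The handbook's case: digit-frequency chi-square P = 0.072 and disk-I/O
    # ANOVA P = 0.096, neither significant on its own.
    x2, df, p = combine_p_values([0.072, 0.096])
    print(f"X2 = {x2:.6f} with {df} df, combined P = {p:.4f}")
```

As the next paragraph cautions, the inputs must be probabilities of the same null hypothesis in the same direction; the function does not check that, so the analyst must.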

Another problem is more systemic. There is considerable reason to be concerned that investigators and publishers sometimes suppress experimental results that do not conform to their expectations or desires. Such suppression biases the published results to appear to support the desired result.

Identifying such suppression is difficult. One approach is to examine the distributions of the published data and look for indications of data exclusion. For example, if the frequency distribution for raw data in a published report shows an abrupt disappearance of data in one direction (e.g., if the frequency distribution looks like a normal curve except that the left side suddenly drops to zero at a certain point) then the publication may be using a truncated data set. Meta-analysis based on data of dubious validity will itself be dubious. Garbage in, garbage out.

10.3 SUMMARY. In summary, all studies about computer crime should be studied carefully before we place reliance on their results. Some basic take-home questions about such research:

• What is the population we are sampling?
• Keeping in mind the self-selection bias, how representative of the wider population are the respondents who agreed to participate in the study or survey?
• How large is the sample?
• Are the authors testing for the assumptions of randomness, normality, and equality of variance before reporting statistical measures?
• What are the confidence intervals for the statistics being reported?
• Are comparisons confounding variables?
• Are correlations being misinterpreted as causal relations?
• Were the test instruments validated?

10.4 FURTHER READING

Textbooks

If you are interested in learning more about survey design and statistical methods, you can study any elementary textbook on the social sciences statistics. Here are some sample titles:

Babbie, E. R., F. S. Halley, and J. Zaino. Adventures in Social Research: Data Analysis Using SPSS 11.0/11.5 for Windows, 5th ed. Pine Forge Press, 2003.

Bachman, R., and R. K. Schutt. The Practice of Research in Criminology and Criminal Justice, 3rd ed. Sage Publications, 2007.

Carlberg, C. Statistical Analysis: Microsoft Excel 2010. Que, 2011.

Chambliss, D. F., and R. K. Schutt. Making Sense of the Social World: Methods of Investigation, 2nd ed. Pine Forge Press, 2006.

Cox, D. R., and C. A. Donnelly. Principles of Applied Statistics. Cambridge University Press (ISBN 978-1107644458), 2011. 212 pp.

Kabay, M. E. Statistics in Business, Finance, Management, and Information Technology: A Layered Introduction with Excel. Free textbook (PDF), 2013. 205 pp. www.mekabay.com/courses/academic/norwich/qm213/statistics text.pdf

Sirkin, R. M. Statistics for the Social Sciences, 3rd ed. Sage Publications, 2005.

Warner, R. M. Applied Statistics: From Bivariate through Multivariate Techniques, 2nd ed. SAGE Publications (ISBN 978-1412991346), 2012. 1208 pp.

Websites

Education Insider (2011). “Explore Statistics in the Blogosphere: Top 10 Statistics Blogs.” http://education-portal.com/articles/Explore Statistics in the Blogosphere Top 10 Statistics Blogs.html

StatPac, “Survey & Questionnaire Design,” www.statpac.com/surveys

10.5 NOTES

1. GAO (1996). “Computer Attacks at Department of Defense Pose Increasing Risks.” General Accounting Office Report to Congressional Requesters GAO/AIMD-98-84 (May 1996), p. 19.

2. M. E. Kabay, “CATA: Computer-Aided Thematic Analysis,” 2006. Available at www.mekabay.com with narrated lectures at www.mekabay.com


CHAPTER 11

FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW

William A. Zucker and Scott J. Nathan

11.1 INTRODUCTION 11·2
11.2 THE MOST FUNDAMENTAL BUSINESS TOOL FOR PROTECTION OF TECHNOLOGY IS THE CONTRACT 11·3
    11.2.1 Prevention Begins at Home—Employee and Fiduciary Duties 11·4
    11.2.2 Employment Contract, Manual, and Handbook 11·4
    11.2.3 Technology Rights and Access in Contracts with Vendors and Users 11·4
11.3 PROPRIETARY RIGHTS AND TRADE SECRETS 11·5
    11.3.1 Remedies for Trade Secret Misappropriation 11·6
    11.3.2 Vigilance Is a Best Practice 11·8
11.4 COPYRIGHT LAW AND SOFTWARE 11·8
    11.4.1 Works for Hire and Copyright Ownership 11·9
    11.4.2 Copyright Rights Adhere from the Creation of the Work 11·9
    11.4.3 First Sale Limitation 11·9
    11.4.4 Fair Use Exception 11·10
    11.4.5 Formulas Cannot Be Copyrighted 11·10
    11.4.6 Copyright Does Not Protect the “Look and Feel” for Software Products 11·10
    11.4.7 Reverse Engineering as a Copyright Exception 11·11
    11.4.8 Interfaces 11·11
    11.4.9 Transformative Uses 11·12
    11.4.10 Derivative Works 11·12
    11.4.11 Semiconductor Chip Protection Act of 1984 11·13
    11.4.12 Direct, Contributory, or Vicarious Infringement 11·13
    11.4.13 Civil and Criminal Remedies 11·13
11.5 DIGITAL MILLENNIUM COPYRIGHT ACT 11·14
11.6 CIRCUMVENTING TECHNOLOGY MEASURES 11·15
    11.6.1 Exceptions to the Prohibitions on Technology Circumvention 11·16
11.7 PATENT PROTECTION 11·18
    11.7.1 Patent Protection Requires Disclosure 11·18
    11.7.2 Patent Protection in Other Jurisdictions 11·19
    11.7.3 Patent Infringement 11·19
11.8 PIRACY AND OTHER INTRUSIONS 11·20
    11.8.1 Marketplace 11·20
    11.8.2 Database Protection 11·20
    11.8.3 Applications of Transformative and Fair Use 11·21
    11.8.4 Internet Hosting and File Distribution 11·21
    11.8.5 Web Crawlers and Fair Use 11·23
    11.8.6 HyperLinking 11·23
    11.8.7 File Sharing 11·23
11.9 OTHER TOOLS TO PREVENT UNAUTHORIZED INTRUSIONS 11·24
    11.9.1 Trespass 11·24
    11.9.2 Terms of Use 11·25
    11.9.3 Computer Fraud and Abuse Act 11·26
    11.9.4 Electronic Communications and Privacy 11·29
    11.9.5 Stored Communications Act 11·31
11.10 OPEN SOURCE 11·33
    11.10.1 Open Source Licenses 11·33
    11.10.2 GPL 11·33
    11.10.3 Other Open Source Licenses 11·34
    11.10.4 Business Policies with Respect to Open Source Licenses 11·34
11.11 APPLICATION INTERNATIONALLY 11·34
    11.11.1 Agreement on Trade-Related Aspects of Intellectual Property Rights 11·35
    11.11.2 TRIPS and Trade Secrets 11·36
    11.11.3 TRIPS and Copyright 11·37
    11.11.4 TRIPS and Patents 11·37
    11.11.5 TRIPS and Anticompetitive Restrictions 11·38
    11.11.6 Remedies and Enforcement Mechanisms 11·38
11.12 RECENT DEVELOPMENTS IN INTELLECTUAL PROPERTY LAW 11·39
    11.12.1 AIA 11·39
    11.12.2 The PROTECT IP Act (PIPA) 11·39
    11.12.3 The Stop Online Piracy Act (SOPA) 11·41
    11.12.4 Patent Trolls 11·43
11.13 CONCLUDING REMARKS 11·44
11.14 FURTHER READING 11·44
11.15 NOTES 11·44

11.1 INTRODUCTION. This chapter is not for lawyers or law students. Rather, it is written for computer professionals who might find it useful to understand how their concerns at work fit into a legal framework, and how that framework shapes strategies that they might employ in their work. It is not intended to be definitive but to help readers spot issues when they arise and to impart an understanding that is the first part of a fully integrated computer security program.

Cyberlaw is a compendium of traditional law that has been updated and applied to new technologies. When gaps have developed or traditional law is inadequate, particular statutes have been enacted. It is a little like the old story of the three blind men and the elephant: One of the blind men touching the elephant’s leg believes he is touching a tree; the other touching its ear believes it is a wing, and the third, touching the tail, thinks it is a snake. Issues of cyberspace, electronic data, networks, global transmissions, and positioning have neither simple unitary solutions nor a simple body of law to consult.


In thinking about the application of law to computer security, it is helpful to think about the problems as issues in which the computer is

• The target of the activity
• The tool used for the activity
• Incidental to the activity itself

For example, “hacking” into a computer can be analogized to the tort1 of trespass (i.e., entering the property of another without permission), and “cracking” can be viewed as conversion of someone else’s property. Similarly, using the computer to make illegal copies is a violation of copyright law in its most basic sense. Although trademark law has very little to do with computers, using trade names as part of keywords for search engines, or domain names to misdirect Internet traffic to a competitive Web site, can be a violation of a trademark. While touching on some of the more traditional tort remedies, this chapter focuses on the property rights being invaded by such activities and the remedies that exist in the context of a business operation.

Recognizing that the body of law which touches on these problems is as global as the Internet itself, this chapter is intended to help readers actually see the elephant in the room. In selecting what legal issues to highlight, we have tried to consider the routine needs of the computer professional. We have focused largely on the law of the United States, recognizing that these problems and subject matters often transcend national boundaries. There is a very simple reason for this. Most often, the impact of the computer security attack, denial of service, decryption, or theft of computer materials will have occurred here, or have a direct impact here, no matter where it originates. Imagine for a second a gunman—standing in Canada—who takes aim at someone in the United States, pulls the trigger, and hits his target. Since there is purposeful conduct aimed at this country, in the ordinary instance the U.S. judiciary will not only assert jurisdiction over the gunman but also apply its laws. There may be other problems, such as actually catching the gunman, but the example underlines the importance of the law of the United States for entities located here. For orientation purposes, we have also included a section at the end of this chapter that discusses some international issues.

One other introductory note: We use the phrase “security program” in this chapter with some frequency. Understanding that this phrase can mean one thing to a lawyer or risk manager and another thing to a computer security professional, we intend it as a shorthand reference to the generic and systemic effort to secure information stored on computers and not solely to the applications that may be employed as part of that effort.

11.2 THE MOST FUNDAMENTAL BUSINESS TOOL FOR PROTECTION OF TECHNOLOGY IS THE CONTRACT. The computer security professional’s job is to understand, anticipate, and then worry about risk: risks that are beyond control and risks that can be controlled. The most fundamental tool for controlling risk, whether predictable or unforeseeable, is the contract. Unlike other forms of risk control, a contract need not be static; it can be adaptable. We can limit use; we can limit distribution; we can impose conditions and confidentiality; we can specify rights as well as provide for certain remedies through contract. Contracts actually can take many forms: the traditional signed agreement; an email exchange; Web site or product terms of use; employment agreements; workplace manuals and policies; and so-called shrink-wrap or click-wrap agreements. We sell or license products. Where we can contract, we can also define and limit risk.


11.2.1 Prevention Begins at Home—Employee and Fiduciary Duties. There is an old hoary concept in the law that employees owe to their employers the fiduciary duty of utmost loyalty. The scope and extent of that fiduciary duty is a matter of common law that varies in each state. Generally, employees’ fiduciary duty prohibits them from using any property that belongs to the employer in competition with the employer or for personal gain. Employees, however, are entitled to retain and use for whatever purpose their own skill and knowledge, which arguably could include contacts that they develop over the course of their employment unless those contacts are trade secrets. What comes or does not come within the ambit of fiduciary duty has spawned endless arguments and lawsuits. There is a simple remedy to this problem: the contract that covers technology issues and ownership as well as it covers pay and other benefits.

11.2.2 Employment Contract, Manual, and Handbook. Whatever policy the security professional develops should be implemented through the organization’s employment contract, manual, and handbook. Many contractual provisions can be applied, such as: nondisclosure agreements; definition of proprietary policy; restrictive covenants; concessions of ownership regarding discoveries, know-how, improvements, inventions, and the like during the term of employment; email policies; terms of use regarding computer systems; and statements of authorized and unauthorized activity. The point is that employment contracts and handbooks should be the starting point for computer security.

11.2.3 Technology Rights and Access in Contracts with Vendors and Users. Security protection necessarily includes vigilance about all contracts and licenses with vendors and users. This may not be sexy, but it is blocking and tackling. Vendors can be subject to many of the same limitations and nondisclosure agreements as employees. Rights of access to intranets and data should be controlled and privileges specified. Careful consideration should be given to what rights a user will have, the rules surrounding user access, and enforcement of those rules. Is this a sale or a license? There are many virtues to controlling technology through licenses (as opposed to sales), including imposing limits on rights of use, and specifying remedies for breaches of the license, or for unauthorized activity that involves the licensed product.

“Shrink-wrap” or “click-wrap” licenses have become common parlance. They are now accepted tools for licensing and controlling software distribution so long as: (a) they are business to business and thus between parties of roughly equal bargaining position; (b) their terms for other users or consumers are not unconscionable; and (c) they do not violate public policy. Concerns over whether contractual terms are unconscionable or the contracts are ones of adhesion arise because the licenses are not products of negotiation but of fiat, which users accept when they open the shrink-wrapped package or through an online click. These concerns have been addressed through requirements that users have been provided with adequate notice of the terms, an opportunity to reject, and conduct that sufficiently manifests consent. For shrink-wrap agreements, the opening of the product, its installation, and retention have been deemed sufficient acts to show consent to the terms of the license, noting that if the consumer does not wish to consent, the product could be returned.2 Thus, it is not necessary for the prospective user to be aware of all of the terms of a license before purchase if the remedy includes return after purchase. The license can impose restrictions on use and copying, limit the number of machines on which the product can be installed, and even limit the available remedies.3


The issues of notice, actual or constructive, an opportunity to accept or reject, and manifestation of consent have led to general acceptance of online agreements such as the presentation of licensing terms followed by an active need to accept or reject them by clicking on the appropriate box.4 The same analysis applies to terms of use, especially for intranet or network use.5 In Register.com v. Verio, Inc.,6 continuing to download data from a WHOIS database with knowledge of its terms of use was held to be acceptance of those terms even though there was no click-through. These examples show that terms of use, properly positioned, can be binding on the user.

An active security program begins with a review of the contracts, licenses, and terms of use in all relationships with your organization. Just because a contractual arrangement has not existed does not mean that you cannot create one through proper notice of the terms of the contract and conduct that shows assent to those terms. Such contracts are the security professional’s first line of defense. They give you the ability to limit risk with an organization’s employees, contractors, vendors, and affiliates. With that in mind, this chapter addresses issues that arise largely outside of the terms of contractual protections and also suggests additional potential self-help remedies.

11.3 PROPRIETARY RIGHTS AND TRADE SECRETS. For many years, unless an idea was patentable, the primary protection for internal business data, confidential or proprietary information, and computer code was through the common law doctrine of trade secrets.7 Generally, a trade secret might be considered any internal, nonpublished manufacturing know-how, drawings, formulas, or sales information used in a trade or business that has commercial applicability and that provides a business with some strategic advantage.8 Such information, so long as it was (a) not published or disseminated to others who were not obligated to maintain its confidentiality,9 and (b) maintained in confidence within the protecting organization, could be protected as a trade secret.

The law of trade secret thus recognized a business’s ownership or proprietary interest in such information, data, or processes. There are, however, important practical limitations on the application of trade secret protection. First and foremost, for any product sold in the market, the law does not protect against a competitor seeing the product and then using it to figure out how to manufacture like or similar items. Competitors are therefore free to reverse engineer a product so long as the reverse engineering is done wholly independently.

The second caveat is that an organization has to prove not only that the information qualifies for trade secret protection, but also that it protected the secrecy of the information as required by the law of the applicable jurisdiction. This means that ownership will be a matter not of record but of case-by-case proof, making enforcement of trade secret protection time consuming and expensive. Generally, the required proof consists of a showing that there was an active security program in place that was sufficient to protect the information as confidential. Various programs may be deemed adequate, depending on the circumstances, but usually such programs have five principles in common:

1. An inventory of trade secret information that is periodically updated

2. A security program to protect the technology at issue, often on a need-to-know basis with clear marking of information as “confidential, access restricted”

3. A written description of the security program that is provided to all employees

4. An enforcement officer or oversight procedure

5. An enforcement program, including litigation, if necessary, to enjoin unauthorized access or distribution

In the field of computing, these principles often mean that source code or other readable formats should be secured in a locked file and marked CONFIDENTIAL. All representations of the code as stored on magnetic or other media should be marked CONFIDENTIAL and secured. Computerized information should be password protected, with restrictions on circulation of the password and periodic password changes. A notice of confidentiality should be displayed as soon as access to the program is obtained, with appropriate warnings on limitation of use. Levels of access should be controlled so that privileges to copy, read, and write are appropriately restricted. Surveillance of entries and logons should be routinely conducted to verify that there has been no unauthorized entry. Finally, periodic audits should be conducted to test and substantiate the security procedures.
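The review of entries and logons described above is only evidence of a security program if it is actually performed against the trade secret inventory and the need-to-know list. The following is an added example, not code from the handbook, of such a periodic audit: it takes a constructed inventory of CONFIDENTIAL paths, a constructed need-to-know list, and constructed access-log lines, and reports every access by an uncleared user as well as every copy of inventoried material. The log layout (ISO timestamp, user, action, path) is an assumption; a real repository or file server will need its own parser.

```python
"""Need-to-know audit over access logs for inventoried trade secret material."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed trade secret inventory (principle 1): path or path prefix of the
# CONFIDENTIAL material -> the need-to-know group entitled to handle it.
INVENTORY = {
    "src/brake-assembly/": "brake-design",
    "formulas/alloy-mix.csv": "metallurgy",
}

# Constructed need-to-know list (principle 2): group -> users cleared for it.
NEED_TO_KNOW = {
    "brake-design": {"alice", "bob"},
    "metallurgy": {"carol"},
}

# Constructed log lines.  The "<iso-timestamp> <user> <action> <path>" layout is
# an assumption; a real repository or file server log will need its own parser.
SAMPLE_LOG = """\
2014-03-01T09:02:11Z alice read src/brake-assembly/caliper.c
2014-03-01T09:05:40Z dave read src/brake-assembly/caliper.c
2014-03-01T09:07:02Z bob copy src/brake-assembly/rotor.c
2014-03-01T10:15:55Z carol read formulas/alloy-mix.csv
2014-03-01T11:00:00Z erin read README.md
2014-03-02T02:13:09Z alice copy formulas/alloy-mix.csv
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Finding:
    line: str                      # the raw log line that triggered the finding
    when: Optional[datetime]       # None when the line could not be parsed
    user: Optional[str]
    path: Optional[str]
    reasons: list = field(default_factory=list)


def classify(path, inventory=INVENTORY):
    """Return the need-to-know group covering path, or None if it is not inventoried."""
    for prefix, group in inventory.items():
        if path == prefix or path.startswith(prefix):
            return group
    return None


def parse_line(line):
    """Parse one log line into (when, user, action, path); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, path = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return when, user, action, path


def audit(log_text, inventory=INVENTORY, need_to_know=NEED_TO_KNOW):
    """Review every access to inventoried material and return the entries needing follow-up.

    Two conditions are flagged: an access by a user who is not on the need-to-know
    list for that secret, and any 'copy' action on CONFIDENTIAL material, because
    copying is the privilege the text says should be most tightly restricted.
    Malformed lines are reported too: an audit that silently skips them proves nothing.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append(Finding(line, None, None, None, ["unparseable log line"]))
            continue
        when, user, action, path = parsed
        group = classify(path, inventory)
        if group is None:
            continue  # not inventoried as a trade secret, nothing to verify
        reasons = []
        if user not in need_to_know.get(group, set()):
            reasons.append(f"{user} is not on the need-to-know list for '{group}'")
        if action == "copy":
            reasons.append("copy of CONFIDENTIAL material; confirm it was authorized")
        if reasons:
            findings.append(Finding(line, when, user, path, reasons))
    return findings


def report(findings):
    """Render findings as one line each, suitable for the periodic audit record."""
    return [f"{f.line}  <-- " + "; ".join(f.reasons) for f in findings]


if __name__ == "__main__":
    for entry in report(audit(SAMPLE_LOG)):
        print(entry)
```

Run against the constructed log, the audit flags dave’s read of the brake assembly source, bob’s copy (cleared, but a copy), and alice’s copy of the alloy formula (neither cleared nor an authorized copy), and ignores erin’s access to uninventoried material. Keeping the written output of each run is what turns the procedure into the “case-by-case proof” the text says a court will demand.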

For many years, each state developed its own brand of trade secret protection through evolving judicial decisions, the body of law known in this country as the common law, as distinguished from legislative enactment of a statute addressing the same issue. The Uniform Trade Secrets Act (UTSA), promulgated by the National Conference of Commissioners on Uniform State Laws in 1979 and amended in 1985, was intended in part to make uniform the rights and remedies available to the holder of a trade secret. A model law, however, becomes the law of a state only when that state adopts it. As of this writing, the UTSA has been adopted to some degree in 46 states, the exceptions being Massachusetts, New Jersey, New York, and Texas.

The UTSA defines a trade secret as information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (b) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. It also defines the unlawful taking of a trade secret, or misappropriation, as the wrongful acquisition, disclosure, or use of a trade secret, including (a) acquiring the secret knowing that it was obtained through improper means, or (b) disclosing or using the secret without consent.

11.3.1 Remedies for Trade Secret Misappropriation. Misappropriation of a trade secret is the unauthorized use or disclosure of the trade secret. In simple parlance, it is a taking or theft. The taking can be by one who owes a fiduciary duty of confidentiality, such as an employee; it can be in breach of an agreement of confidentiality; or the taking can occur through improper access or means. The misappropriation can be treated under common law as the tort of conversion, trespass, unfair competition, or interference with contractual relations. As discussed, there are now specific statutory provisions under the UTSA for trade secret misappropriation. The UTSA grants the wronged party certain remedies that include enjoining the use of the misappropriated property, damages, and attorney’s fees. When the misappropriation is of a physical item, such as a disk drive, the owner may ask the court to order seizure and return of its property.10 In addition, where the misappropriation also violates other laws protecting intellectual property, such as where the taking infringes a copyright, the property owner may be entitled to additional relief.

Exactly what remedies are available will vary among the states. Interestingly, the very uniformity that the UTSA was intended to create has led to different treatment of available claims and remedies. For example, before the UTSA, an employee’s theft of the employer’s confidential customer lists triggered a common law claim for breach of the implied fiduciary obligation owed by an employee to the employer as well as a claim for misappropriation of trade secrets. The UTSA provides that its remedies preempt other common law remedies; in other words, a claim under the UTSA displaces the common law claim for misappropriation of trade secrets and, arguably, the claim for breach of fiduciary duty. There is a split in the courts as to whether the UTSA replaces only common law causes of action for misappropriation of trade secrets or extends to any tort claim that arises out of the misappropriation, however it is labeled. The broader reading of the UTSA appears to be favored by a growing majority of the courts that have considered the issue to date. The takeaway from this uncertainty is that computer security professionals should protect trade secrets, confidential information, and other valuable data through contractual terms with, among others, employees, vendors, and users, so as to minimize reliance on the UTSA.

In the event of a misappropriation, in addition to civil remedies, often separate state statutes treat the taking as a theft and a criminal act. Such statutes are generally state specific. Prior to 1996, the Trade Secrets Act (TSA) was the only federal statute prohibiting trade secret misappropriation. The TSA, however, was of limited utility because it did not apply to private sector employees and provided only limited criminal sanctions.11 To combat an increase in computer crimes, Congress enacted the Economic Espionage Act of 1996 (EEA), which provided greater protection for the proprietary and economic information of both corporate and governmental entities against foreign and domestic theft.12

The EEA criminalizes two principal categories of corporate espionage: economic espionage and theft of trade secrets.13 Section 1831 punishes those who steal trade secrets “to benefit a foreign government, foreign instrumentality, or foreign agent.” Section 1832 is the general criminal trade secret provision.14 The EEA criminalizes stealing, concealing, destroying, sketching, copying, transmitting, or receiving trade secrets without authorization, or with knowledge that the trade secrets have been misappropriated. It also criminalizes attempting and conspiring to do any of these acts.15 An individual convicted of theft of trade secrets under Section 1832 faces fines of up to $250,000 and imprisonment of up to 10 years; a taking intended to benefit a foreign government under Section 1831 carries higher penalties, including imprisonment of up to 15 years.16

The EEA explicitly defines a trade secret to include information stored in electronic media and includes “programs or codes, whether tangible or intangible” so long as:

(a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.17

Although one might assume that this definition is relatively straightforward, not everything is as it appears. In a case of domestic trade secret theft, the Court of Appeals for the Seventh Circuit examined what the EEA means when it says that the data or material “derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.”18 Noting that others had assumed that the word “public” meant the general public, the court in Lange astutely observed that this was not, in fact, the case. The standard for measuring who might readily ascertain (in this case) the design and composition of airplane brake assemblies is not the average person in the street, for that would assume, as the court noted, that any person can understand and apply something as arcane as Avogadro’s number. Instead, the definition of the term “the public” should take into account the segment of the population that would be interested in and understand the nature of that which has allegedly been misappropriated.

The international reach of the act is limited, extending outside of the United States only if: “(1) the offender is a natural person who is a citizen or permanent resident alien of the United States, or an organization organized under the laws of the United States or a State or political subdivision … or (2) an act in furtherance of the offense was committed in the United States.”19 Few defendants have been charged under the act since its passage in 1996, so its precise reach has yet to be tested. The language of the act does, however, reach corporations organized under U.S. law or with operations in the United States, which could therefore be prosecuted under it. Finally, the remedies under the EEA can be invoked only by the United States. There is no private right of action under the act.

11.3.2 Vigilance Is a Best Practice. The key points of practice to remember are: Security and trade secret law are forever linked together. A trade secret cannot exist without such security. The maxim “Eternal vigilance is the price of liberty,” often attributed to Thomas Jefferson, should in the context of business information protection be restated as “Eternal vigilance is the price of trade secret protection.” It is not as catchy a phrase, but it is the price each business must pay if it relies in whole or in part on trade secret law for protection. In such situations, the greatest assurance of protection can be obtained through rigorous contractual terms and strenuous enforcement.

11.4 COPYRIGHT LAW AND SOFTWARE. Because of anxiety over the true extent of protection afforded software under patent and copyright law, software pro- grams initially were protected as trade secrets. Such protection became increasingly problematic in today’s society, where information technology and pressure for the free flow of information makes confidentiality controls more difficult to police. Copyright law now has evolved to include computer programs.

Since 1964, the United States Copyright Office has permitted registration of computer programs, although judicial decisions were divided on the applicability of the Copyright Act. In 1976, Congress passed the Copyright Act of 1976, which did little to resolve the ambiguity. Clarification finally was obtained in the Computer Software Copyright Act of 1980, which explicitly extended the protection of the copyright laws to software.20 Any type of work that can be fixed in a tangible medium can be protected by copyright, and computer programs are protected as literary works based on the authorship of the source and object code,21 even if the work can only be machine reproduced.

Copyright protection, however, does not protect “ideas.”22 Rather, it protects the particular expression of the idea. As can be seen from the parallel proliferation of spreadsheet programs, the idea of a spreadsheet cannot be protected, but the particular code that implements one can be. To qualify for copyright protection, the work must be (a) original, (b) fixed in a tangible medium, and (c) not merely the embodiment of an idea. Once obtained, copyright grants the owner the exclusive right to reproduce, publish, prepare derivative works from, distribute, display, and perform the copyrighted work. In 1990, Congress passed the Computer Software Rental Amendments Act,23 which made the unauthorized rental, lease, or lending of a computer program for direct or indirect commercial advantage an infringement. Works created on or after January 1, 1978 are protected for the life of the author plus 70 years; works made for hire and anonymous or pseudonymous works are protected for the shorter of 95 years from the date of first publication or 120 years from the date of creation.


11.4.1 Works for Hire and Copyright Ownership. The copyright for a work does not always belong to the person who creates it. The most frequent exceptions are works that fall under the concept of a “work for hire.” A work for hire is owned not by the creator but by the party that hired the creator to create the work. Most often the concept applies to employees who have created a work within the scope of their employment. The key concept is the scope of employment. Even though a work is created outside of the office and normal working hours, it still will be a work for hire if it is within the scope of employment. However, a work that falls outside the scope of employment and that is created outside the office is likely not to be deemed a work for hire. For independent contractors the rule is narrower still: a commissioned work is a work for hire only if it falls within one of the categories enumerated in the Copyright Act and the parties have agreed in writing that it is, and custom software frequently fits none of those categories. Because of such issues, it is better practice when dealing with employees or independent contractors to specify in an agreement what constitutes a work, when the creation of a work will be governed by the doctrine of work for hire, and, for contractors, an express assignment of copyright as a fallback.

11.4.2 Copyright Rights Adhere from the Creation of the Work. Everyone who has looked at a copyrighted work is probably familiar with the symbol © affixed to a published copyrighted work, together with the name of the copyright holder and the year of creation or publication. For many years, such notice was a prerequisite for copyright protection. Today, however, copyright arises from the creation of the work itself. It is still good practice to put the world on notice of potential infringement by placing the formalities of a copyright notice on the work. In addition, one should register the work with the United States Copyright Office, which accepts registrations online. Registration also permits the owner to claim statutory damages, currently $750 to $30,000 per work infringed and up to $150,000 where the infringement is willful, which is often useful in deterring further infringement when no actual damages can be demonstrated. Moreover, for works of U.S. origin, registration (or, in some circuits, a pending application) is generally required before one can sue to enforce the copyright.

The change in copyright protection has interesting applications when applied to electronic works. The creation of the work in some permanent form is sufficient to trigger copyright protection. Thus, the creation of an electronic copy is sufficient permanency. What that means is that any electronic data are already conceivably subject to copyright protection at the time that they are viewed or received. Thus, in using any such information or “work,” care must be taken that one does not infringe on a potential copyright without a license.

11.4.3 First Sale Limitation. The holder of the copyright has the right to sell or license the work. If the work is sold, the holder essentially loses all rights to control the resale of the work. This is known as the first sale doctrine. Once the item is placed in commerce, subsequent transfers cannot be restricted. The doctrine applies only to the copy that has actually been sold. It does not create a license to copy the item itself.

To avoid what sometimes can be a problem if the program winds up in the hands of a competitor, companies often prefer to license the item instead of selling it outright. If the work is licensed, only those rights that are contained in the license are transferred. All other rights of ownership remain with the licensor. Thus, a breach of the license gives the licensor of the copyrighted work the right to reclaim the work or prevent its further use or publication. However, if the license has all the basic indicia of a sale, it will be treated as one, notwithstanding the label.

One interesting intersection of these two principles is the requirement, when upgrading software, that the old version be present. As a condition of making the upgrade available at a reduced rate, the seller normally requires that the older version be authenticated before the newer version can be installed. Such requirements are legal: under the first sale doctrine the owner of the earlier version remains free to sell it, but then must pay the full price for the newer version. The requirement thus discourages resale by a user who expects to upgrade in the future.

11.4.4 Fair Use Exception. All copyright protection is subject to the doctrine of fair use.24 Fair use permits the use of a work without authorization for a limited purpose. But what use constitutes fair use? The Copyright Act of 1976 suggested four nonexclusive factors for a court to consider:

1. What is the purpose and character of the use?

2. What is the nature of the copyrighted work?

3. How much of the copyrighted work is used?

4. What is the effect on the potential market for the work?

Despite its codification in the Copyright Act of 1976, fair use remains a nebulous doctrine—an equitable rule of reason, with each case to be decided on its own facts.25

It is often misquoted and misapplied. The essential concept behind the doctrine of fair use is to permit public discussion, review, and debate of a copyrighted work without violating the copyright. Thus, the Copyright Act of 1976 gives as examples of fair use, situations of “criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research.”

Fair use is not an antidote for failing to license a work. It should be invoked with care—understanding that the more material that is used and the more commercial the purpose, the less likely a court will find it applicable. Indeed, sometimes the only way to harmonize cases on whether a use is a fair use is to decide whether the court ultimately viewed the user as a “good” or “bad” guy.

11.4.5 Formulas Cannot Be Copyrighted. There are limitations on what expressions can be protected by copyright law. A frequent source of argument is whether, since one cannot protect the idea, the expression is directly driven by its content (i.e., the expression is simply a function of the idea). For that reason, formulas cannot be copyrighted.26 This means that when formulas are part of a computer program, other modes of defense need to be considered, such as trade secret or possibly patent protection. If one were to disclose the formula through copyright publication, one would lose the ability to protect that information.

11.4.6 Copyright Does Not Protect the “Look and Feel” for Software Products. Copyright protection ordinarily extends to the physical manifestation of the computer program in the source code and object code. The operation of that code, as it translates to what the human mind perceives, has been described as the “look and feel” of the program. In attempting to give content to the concept of “look and feel,” courts have considered whether the organization, structure, and sequence of the program can be protected. In the United States, Whelan Associates, Inc. v. Jaslow Dental Lab., Inc.,27 gave the greatest extension to protecting look and feel. In that case, none of the code had been copied and the program operated on a different platform. Nonetheless, copyright infringement was found because the organization, structure, and sequence of the program had been copied. The court recognized that the structure and logic of the program are the most difficult to create and that the idea could be protected as it was embodied in the program structure since, given the variety that was possible, the structure was not necessarily just an extension of the idea. Since Whelan, courts in the United States have retreated from such broad protection. In 1992, Computer Associates International, Inc. v. Altai, Inc.28 developed the so-called abstraction-filtration-comparison test. That test filters out as unprotectable: (a) program structures that are dictated by operating efficiency or by the functional demands of the program and therefore deemed part of the idea and (b) all tools and subroutines that may be deemed part of the public domain. Only what remains is compared for possible copyright infringement.

While protection of look and feel may vary among the different federal circuits, in general, the courts are swinging away from broader protection. However, this may not necessarily be true internationally; English law appears to grant the broader protections afforded by the Whelan decision.

11.4.7 Reverse Engineering as a Copyright Exception. Within the field of computer software, cases have considered whether “dissection” in order to reverse engineer the program is a violation of the copyright. To those involved in protecting software programs, as well as those involved with competing products, the answer appears to be that reverse engineering does not constitute an infringement: although disassembly of a program falls squarely within the category of acts prohibited by the Copyright Act, it is excused by the doctrine of fair use. The Ninth Circuit in Sega Enterprises Ltd. v. Accolade, Inc.29 found as a matter of law that:

… where disassembly is the only way to gain access to the ideas and functional elements embodied in a copyrighted computer program and where there is a legitimate reason for seeking such access, disassembly is a fair use of the copyrighted work.30

The Ninth Circuit is not the only court that has upheld reverse engineering against a copyright claim. The Federal Circuit reached a similar conclusion regarding reverse engineering of object code to discern the “ideas” behind the program in Atari Games Corp. v. Nintendo of America, Inc.31 The fair use rationale of Sega was also adopted by the Eleventh Circuit in Bateman v. Mnemonics, Inc.32 on the grounds that it advanced the sciences. In addition, in Assessment Techs. of WI, LLC v. WIREData, Inc., the Seventh Circuit relied on Sega and determined that WIREData, Inc. could extract uncopyrighted data from a copyrighted computer program, noting that the purpose of the extraction was to get the raw data, not to compete with Assessment Technologies by selling copies of the program itself.33 In Evolution, Inc. v. SunTrust Bank, a federal district court within the Tenth Circuit relied on both Sega and WIREData when it allowed the defendant to copy part of the plaintiff’s source code in order to extract uncopyrighted data from the plaintiff’s copyrighted computer program.34

Thus, unless careful thought is given to the application of copyright protection, merely copyrighting the software will not necessarily protect against imitation.

11.4.8 Interfaces. There is an open issue as to whether copyright protects the format for interfacing between application and data. Competitors, particularly in the area of gaming, look to reverse engineer the interface format to make new modules compatible with existing hardware. Such reverse engineering has been held not to violate the copyright laws, so long as the new product does not display copyrighted images or other copyrightable expressions.35 Thus, the nonprotectable interface may be protected if such copyrighted images or expressions are embedded in the display.


11.4.9 Transformative Uses. One of the factors that the doctrine of fair use considers is the “amount and substantiality of the portion used in relation to the copyrighted work as a whole.”36 In practical terms, this means that courts look at how much was taken and for what purpose. One could take a little but still take the essence of the program. One could also take a little that did not attempt to duplicate but rather used the copyrighted material as a springboard for a new creation. Out of this qualitative and quantitative investigation comes the notion of transformative use, which became the coin of analysis in the Supreme Court’s 1994 decision in Campbell v. Acuff-Rose Music, Inc.37 Campbell addressed the concept in terms of a claim of copyright infringement involving a rap parody of a popular song. There, taking its cues from the opening language of Section 107 codifying fair use, the Supreme Court asked whether the “new” work “adds something new, with a further purpose or different character, altering the first with new expression, meaning or message; it asks, in other words, whether and to what extent the new work is transformative.”38 The Court then laid down the test to be applied.

Although such transformative use is not absolutely necessary for a finding of fair use, … the goal of copyright, to promote science and the arts, is generally furthered by the creation of transformative works. Such works thus lie at the heart of the fair use doctrine’s guarantee of breathing space within the confines of copyright, … and the more transformative the new work, the less will be the significance of other factors, like commercialism, that may weigh against a finding of fair use.39

Thus, a transformative use may play off of a prior copyright and still not be deemed an infringement so long as the resulting new work is just that—new.

11.4.10 Derivative Works. Under Section 106(2) of the Copyright Act of 1976, the copyright owner has the exclusive right “to prepare derivative works based upon the copyrighted work.” The act defines a “derivative work” as:

… a work based upon one or more pre-existing works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgement, condensation, or any other form in which a work may be recast, transformed, or adapted. A work consisting of editorial revisions, annotations, elaborations, or other modifications which, as a whole, represent an original work of authorship, is a “derivative work.”

A “derivative work” is thus defined as an original work that is independently copyrightable. To infringe the exclusive right to prepare a derivative work granted by the Copyright Act to the copyright owner, the infringer need not actually have copied the original work or even have fixed in a tangible medium of expression the allegedly infringing work.40 The right, therefore, to create the derivative work can be a useful tool in counterbalancing attempts to pirate computer programs and the issue of fair use.

The Copyright Act creates an exemption for a lawful owner of a purchased license for a computer program to adapt the copyrighted program if the actual adaptation “is created as an essential step in the utilization of the computer program in conjunction with a machine and it is used in no other manner.”41 The adaptation cannot be transferred to a third party. The right to adapt is, in essence, the right to modify or, in the language of the act, to create a derivative work. Such changes can be made even without the consent of the software owner so long as such modifications are used only internally and are necessary to the continuing use of the software.42


11.4.11 Semiconductor Chip Protection Act of 1984. The Semiconductor Chip Protection Act of 1984 (SCPA) protects as part of the Copyright Act “mask works fixed in a semiconductor product.”43 The SCPA protects not the product itself but the circuit design or blueprint against copying. Because of reverse engineering, the protections afforded by SCPA are limited in practice.

11.4.12 Direct, Contributory, or Vicarious Infringement. Copyright infringement generally requires a showing of substantial similarity between allegedly offending use and the protected expression contained in a work. Infringement can occur through the simple act of printing (without permission), by posting on the Web or other form of unauthorized distribution, by creating a derivative work, or by another act that interferes with the copyright holder’s rights.

A copyright can be infringed directly, contributorially, or vicariously. Direct infringement is the term ascribed to the actor who violates the copyright. Contributory infringement involves knowingly providing the means for the violation to occur. Liability for contributory infringement may be predicated on actively encouraging (or inducing) infringement through specific acts, or on distributing a product that distributees use to infringe copyrights, if the product is not capable of “substantial” or “commercially significant” noninfringing uses.44 But secondary liability for copyright infringement does not exist in the absence of direct infringement by a third party. Vicarious infringement occurs when one is responsible for or controls the actions of another who commits the infringement. The usual situation is that of an employer’s responsibility for the acts of an employee.

Not all situations admit of answers as simple as that of a person who commits direct infringement by actually photocopying a work. New technologies constantly pose issues as to whether infringement has occurred and whether the infringement violates the public interest. In general, when faced with an issue of potential copyright infringement, the questions to ask are:

• Can the product or service be used to infringe a copyright, or is the product capable of substantial noninfringing uses?

• If so, did the owner of the product or service encourage the user to use it for infringement?

• Alternatively, did the owner of the product or service have knowledge of the specific infringing use and have the ability to prevent it?

Today, we take Internet service providers (ISPs) for granted. But application of these questions initially led courts to conclude that ISPs were liable for contributory infringement. For example, a Web site that encouraged and facilitated the uploading of copyrighted materials was found to be a direct infringer of the copyright of the owner even though the provider did not actually do the uploading.45 Similarly, an ISP that was notified of a copyright violation that was posted on its server and failed to correct it could be found to have contributory liability for the infringement.46 In its wisdom, however, Congress, in the Digital Millennium Copyright Act (DMCA), created a safe harbor for ISPs so that, as a matter of public policy, an ISP does not have to monitor each and every transmission for potential copyright infringement.

11.4.13 Civil and Criminal Remedies. The Copyright Act contains several sections that specifically address the penalties and remedies for infringement. They include injunctive relief (i.e., a court order terminating the infringing conduct),47 impounding and disposing of infringing articles,48 damages,49 litigation costs and attorneys’ fees,50 and criminal penalties.51 Although this chapter cannot address all of the permutations of remedies and penalties available, a few are worth mentioning.

Generically, a copyright owner must choose between its actual losses (i.e., what it actually lost and any profits realized by the infringer) and statutory damages.52 Actual damages imply economic losses actually suffered as a result of the infringement. The kinds of actual damages that have been awarded include development costs of the software,53 the economic consequences of lost customers,54 lost future sales,55 the value of the infringer’s licensing fees where the licensor is precluded from market sales,56 lost market value of the material infringed,57 and lost royalty payments.58 An award of actual damages is not automatic; the license holder has the burden of proving that the infringing activity and the economic loss are causally connected, at which point the infringing party must show that the license holder would have incurred the loss anyway.59

A copyright owner may elect to receive statutory damages rather than actual damages and the infringer’s profits.60 Making the election is mandatory, and it must be done before final judgment is entered. Once the election is made, it is final. The statutory damages generally range from $500 to $20,000 “for all infringements involved in the action, with respect to any one work, for which any two or more infringers are liable jointly and severally. … For purposes of this section, all the parts of a compilation or derivative work constitute one work.”61 This amount may be increased to $100,000 if the court finds that the infringement was willful and reduced to $200 if the court finds that the infringer “was not aware and had no reason to believe” that the act was an infringement.62

Statutory damages theoretically63 are intended to approximate the actual damages suffered, and were crafted as an alternative compensation scheme for copyright owners, when actual damages are difficult to calculate. In determining whether to elect actual or statutory damages, a copyright owner ought to perform a careful analysis to determine how many separate infringements occurred that justify, under the statute, separate awards. Although posting different copyrighted computer software programs on a bulletin board for downloading constitutes multiple infringements,64 making multiple copies of the same cartoon character in different poses constitutes a single infringement because only one work was copied.65

As mentioned, this is one of the statutory schemes that discourage frivolous litigation by imposing the cost of litigating on the losing party. The statute permits the substantially prevailing party to recover its reasonable attorneys’ fees and costs from the losing party. Who is the substantially prevailing party and what constitutes reasonable attorneys’ fees are separate and distinct issues that will be decided by the courts.

Copyright violations also can be criminally prosecuted, and generally require demonstration of mens rea, or intent. One or more infringements having a total retail value of more than $1,000 within a 180-day period or “for purposes of commercial advantage or private financial gain” can be punished by one to five years of imprisonment and fines. Even without demonstration of a motive of financial gain, 10 or more infringements having a value in excess of $2,500 can result in up to three years in jail and fines. Repeated violations carry stiffer penalties. Finally, one who knowingly aids or abets a copyright infringement is also subject to criminal prosecution.

11.5 DIGITAL MILLENNIUM COPYRIGHT ACT. In 1998, Congress passed the Digital Millennium Copyright Act (DMCA) to address concerns raised by the Internet and copyright issues in the context of our increasingly technological society. The DMCA creates a civil remedy for its violation as well as criminal penalties starting after October 2000. One of the purposes of the DMCA is to protect the integrity of copyright information. Removal of a copyright notice, or distribution knowing that such copyright has been removed, is now actionable.66

11.6 CIRCUMVENTING TECHNOLOGY MEASURES. Article 11 of the World Intellectual Property Organization Copyright Treaty required all signatory countries to provide adequate legal protection and remedies against the circumvention of technical measures intended to secure copyrights. In response, Congress adopted Section 1201 of the DMCA, which generally prohibits the act of circumventing, and trafficking in the technology that enables circumvention of, protection measures designed to control access to copyrighted work.67 Both civil and criminal remedies also now exist under the DMCA if one circumvents “a technological measure that effectively controls access to a work protected” by the Copyright Act.68 It is a civil violation and a crime to “manufacture, import, offer to the public, provide or otherwise traffic in any technology, product, service, device, component, or part thereof” that “is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected” under the Copyright Act.69 A technological measure effectively controls access to a work if the measure, “in the ordinary course of its operation, requires the application of information or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”70 One circumvents such technology measure if one uses a means “to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure,” without the authority of the copyright owner.71

In RealNetworks, Inc. v. Streambox, Inc.,72 Streambox distributed software that enabled users to bypass the authentication process employed by RealNetworks, which distributes audio and video content over the Internet. Thus, Streambox users could get the benefit of the RealNetworks streaming audio and video content without compensating the copyright owners. The United States District Court in Washington State found that the Streambox software was a technological measure that was designed to circumvent the access and copy control measures intended to protect the copyright owners.73

In a case involving digital video disc (DVD) encryption, a U.S. District Court in New York enjoined posting links to sites where visitors may download the decryption program as trafficking in circumvention technology and a violation of the DMCA.74 In Universal City Studios, Inc. v. Reimerdes, the court rejected an argument that the use of the decryption software constituted free expression protected by the First Amendment of the U.S. Constitution. On appeal, the appellant argued that the injunction violated the First Amendment because computer code was speech, was entitled to full protection, and was unable to survive the strict scrutiny given to protected speech.75 The appellate court found that the computer code used in the program was protected speech:

Communication does not lose constitutional protection as “speech” simply because it is expressed in the language of computer code. Mathematical formulae and musical scores are written in “code,” i.e., symbolic notations not comprehensible to the uninitiated, and yet both are covered by the First Amendment. If someone chose to write a novel entirely in computer object code by using strings of 1’s and 0’s for each letter of each word, the resulting work would be no different for constitutional purposes than if it had been written in English. The “object code” version would be incomprehensible to readers outside the programming community (and tedious to read even for most within the community), but it would be no more incomprehensible than a work written in Sanskrit for those unversed in that language. The undisputed evidence reveals that even pure object code can be, and often is, read and understood by experienced programmers. And source code (in any of its various levels of complexity) can be read by many more. See Universal I, 111 F. Supp. 2d at 326. Ultimately, however, the ease with which a work is comprehended is irrelevant to the constitutional inquiry. If computer code is distinguishable from conventional speech for First Amendment purposes, it is not because it is written in an obscure language.76

The court then analyzed the type of scrutiny that should be applied where the restriction is content neutral:

Having concluded that computer code conveying information is “speech” within the meaning of the First Amendment, we next consider, to a limited extent, the scope of the protection that code enjoys. As the District Court recognized, Universal I, 111 F. Supp. 2d at 327, the scope of protection for speech generally depends on whether the restriction is imposed because of the content of the speech. Content-based restrictions are permissible only if they serve compelling state interests and do so by the least restrictive means available. See Sable Communications of California, Inc. v. FCC, 492 U.S. 115, 126, 106 L. Ed. 2d 93, 109 S. Ct. 2829 (1989). A content-neutral restriction is permissible if it serves a substantial governmental interest, the interest is unrelated to the suppression of free expression, and the regulation is narrowly tailored, which “in this context requires … that the means chosen do not ‘burden substantially more speech than is necessary to further the government’s legitimate interests.”’ Turner Broadcasting System, Inc. v. FCC, 512 U.S. 622, 662, 129 L. Ed. 2d 497, 114 S. Ct. 2445 (1994) (quoting Ward v. Rock Against Racism, 491 U.S. 781, 799, 105 L. Ed. 2d 661, 109 S. Ct. 2746 (1989)).77

Finding that the government’s interest in preventing unauthorized access to encrypted copyrighted material is unquestionably substantial, and that the regulation of decryption programs served that interest, the appellate court upheld the prohibitions against both posting of, and linking to, the decryption program.

Not all efforts to “circumvent” restrictions, however, come within the prohibitions of the DMCA. In I.M.S. Inquiry Mgmt. Sys. v. Berkshire Info. Sys.,78 the defendant had used a valid password and user identification that plaintiff had provided to its own customers to view plaintiff’s e-Basket system exactly as the customer itself might have done. The court concluded that although this might be viewed as a technology measure, it was not circumvention of a digital wall within the meaning of the DMCA.

11.6.1 Exceptions to the Prohibitions on Technology Circumvention. The DMCA, however, explicitly carves out all defenses to copyright infringement, including the doctrine of fair use, as being unaffected by the passage of the DMCA. In some circumstances fair use can include reverse engineering.

11.6.1.1 Fair Use and Reverse Engineering. Thus, one can still spy, through reverse engineering, without running afoul of copyright protection or the DMCA.

However, in Bowers v. Baystate Technologies, Inc.,79 a split Federal Circuit Court of Appeals found that a shrink-wrap license prohibiting reverse engineering was enforceable against the licensee who had reverse engineered Bowers’s CAD Designer’s Toolkit to develop a competing product. The Bowers court found that the contractual language trumped the “fair use” permitted under the Copyright Act. The Fifth Circuit has reached the opposite result in the earlier decision of Vault Corp. v. Quaid Software, Ltd.,80 specifically finding that the Copyright Act preempts state law that attempts to prohibit disassembly, and holding a mass distribution license agreement unenforceable.


Thus, the extent to which Bowers may be followed is still unclear, but it appears to be questioned in subsequent decisions.81 Bowers suggests a course that businesses can attempt to follow to curtail reverse engineering, which is to limit that right by contract. If Bowers becomes widely accepted, the United States will be in conflict with the European Union on this issue. In its 1991 Software Directive, the European Union set forth a right to reverse engineer that is consonant with “fair use” under the Copyright Act. The Software Directive also provided that the right cannot be waived by contract. So, until Bowers is settled, if a shrink-wrap license prohibits reverse engineering, it would be best to consider engaging in such activity abroad.

11.6.1.2 Other Exceptions. The DMCA also creates an important exception that recognizes the right to reverse engineer if (a) the person has lawfully obtained the right to use a copy of a computer program, and (b) the sole purpose of circumventing the technology measure is to identify and analyze “those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs.”82 The DMCA creates a similar exemption for circumvention for the purpose of “enabling the interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability.”83 The term “interoperability” is defined to encompass the “ability of computer programs to exchange information and of such programs mutually to use the information which has been exchanged.”84 The information acquired through these permitted acts of circumvention may also be provided to third parties so long as it is solely used for the same purposes.85

Circumvention is permissible under these exemptions, however, “only to the extent [that it] does not constitute copyright infringement.” Two cases, Chamberlain Group, Inc. v. Skylink Techs., Inc.,86 and Lexmark Int’l, Inc. v. Static Control Components, Inc.,87 are particularly instructive. In both cases, the courts permitted a competitor’s access and reverse engineering under this exemption. In contrast, in Storage Tech Corp. v. Custom Hardware Engineering Consulting, Inc. (D. Mass. 2004), the defendant bypassed a protective access key to activate the diagnostics program by copying the code into the random access memory (RAM) of the defendant’s access device. The District Court found that this copying constituted infringement. The result was reversed in a 2 to 1 decision in the United States Federal Circuit88 based on a reading of sections 117(a) and (c) of the DMCA, which permits copying for maintenance purposes. This string of decisions has led to recommendations that access be controlled by a method that would cause copyright infringement and that access protect not just the copyrighted program but copyrighted data so as to exclude the rationale of the Federal Circuit. Suggestions have been made that certain parts of copyrighted executable code be encrypted and that a decryption key be required that will create a copy of the code and protected data as part of the process so as to create an argument of copyright infringement. These types of recommendations remain untested, and the simpler course may be control through terms inserted into the licensing agreement.

Exempt from the DMCA, as well, are “good faith” acts of circumvention where the purpose is encryption research. A permissible act of encryption research requires that (a) the person lawfully have obtained a copy, (b) the act is necessary to the research, (c) there was a good faith effort to obtain authorization before the circumvention, and (d) such act does not constitute an infringement under a different section of the Copyright Act or under the Computer Fraud and Abuse Act of 1986. With the caveat that it must be an act of good faith encryption research, the technological means for circumvention can be provided to others who are working collaboratively on such research. The issue of good faith encryption research looks to what happened to the information derived from the research. If it was disseminated in a manner that was likely to assist infringement, as opposed to reasonably calculated to advance the development of encryption technology, then the act still falls outside of the exemption. Other factors that go into the determination of good faith are whether the person conducting the research is trained, experienced, or engaged in the field of encryption research and whether the researcher provides the copyright owner with a copy of the findings.

The DMCA also has a bias against the collection or dissemination of personally identifying information. Thus, it is not a violation of the DMCA to circumvent a technology measure that essentially protects, collects, or disseminates personally identifying information, provided that the circumvention has no other effect, and provided that the program itself does not contain a conspicuous notice warning against the collection of such information and a means to prevent or restrict such collection.89 In short, one can disable cookies if the program does not itself permit a user to do so.

Finally, insofar as relevant to this chapter, the DMCA also excludes from its scope “security testing.” The DMCA grants permission to engage in security testing that, but for that permission, would violate the terms of the DMCA. If the security testing, for some reason, violated some other provision of the Copyright Act or the Computer Fraud and Abuse Act of 1986, then it is still an act of infringement. The DMCA, in part, considers whether a violation occurred, and by whom the information was used. The factors to be considered include if the information was used to promote the security of the owner or operator of the computer network or system, if it was shared with the developer, and if it was used in a manner that would not facilitate infringement.90 For purposes of the DMCA, security testing means accessing either an individual computer or network for the purpose of “good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator.”91

11.6.1.3 Remedies. The criminal penalties for violation of the DMCA can be quite severe. If the violation is willful for commercial gain, the first offense bears a fine of up to $500,000 or 5 years’ imprisonment. Subsequent violations bear fines of up to $1 million or 10 years’ imprisonment. Civil remedies include an order to restrain the violation, damages for lost profits, damages for recovery of the infringer’s profits, or statutory damages for each violation. Depending on the section of the DMCA at issue, each violation can generate fines of up to $2,500 or $25,000. Since each act of infringement can constitute a violation, the statutory fines can become quite substantial.

11.7 PATENT PROTECTION. Ideas, which are not protected by copyright, can be protected through a patent. In general, the patent laws protect the functionality of a product or process.

11.7.1 Patent Protection Requires Disclosure. A patent can be properly obtained if the invention is new, useful, nonobvious, and disclosed. The patent exchanges a grant of an exclusive monopoly over the invention in return for disclosure. Disclosure is the trigger point for patentability. The disclosure supports the claims of patentability (i.e., it sets up the claim that the invention is both new and nonobvious) and also the scope of what can be protected. Thus, 35 U.S.C. section 112 provides:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. [Emphasis added.]

A patent therefore must disclose the best mode for implementing the invention, a clear written description of the invention, sufficient detail so that a practitioner can understand and make use of the description, and distinct claims, in order for a patent to issue.92 Through adequate disclosure of the invention, the application gives notice of the technology involved in the patent so as to put the public on fair notice of what would constitute an infringement. From a public policy perspective, the disclosure enlarges the public knowledge. From the inventor’s perspective, the trade-off is disclosure for exclusivity. Depending on how the invention is to be used and the areas in which protection will be necessary, disclosure may not be the best means of protecting the invention. This is particularly true if the inventor is not convinced it will be deemed nonobvious from prior art, in which case it will be subject to challenge, or if, after disclosure, other companies may legally use the disclosed information for competitive advantage. The effects of disclosure should be carefully considered before applying for patent protection.

11.7.2 Patent Protection in Other Jurisdictions. Patent protection is jurisdictional. What that means, in general, is that a patent has legal meaning in the country that granted it. The United States is a signatory to the Paris Convention for the Protection of Industrial Properties, which has roughly 160 signatories. The Paris Convention essentially grants a one-year grace period for filing national patent applications in each selected signatory, to obtain the benefit of the original filing date in the United States. An alternative, open to members of the Paris Convention, is the Patent Cooperation Act. This permits the filing of an international patent that basically gives the patentee an 8- to 18-month window to test feasibility, and which simplifies the national application process.

11.7.3 Patent Infringement. Like the remedies for copyright infringement, the remedies for patent infringement include injunctive relief and damages that, by statute, are not less than a reasonable royalty for the infringing use.93 If the infringement is willful, the damages can be trebled. Attorneys’ fees can be awarded, but only in exceptional cases.

In the area of exported computer software, an issue of note has arisen under 35 U.S.C. section 271(f). Section 271(f) was added in 1984 to the patent law to prevent infringers from avoiding liability by finishing goods outside of the United States. An infringer will be liable if its intent is to manufacture or supply a component from the United States to be combined elsewhere, if it would be an infringement had it occurred within the United States. Exported software may be considered a “component” under section 271(f). In Microsoft Corp. v. AT&T Corp.,94 the issue was whether a master disk supplied by Microsoft abroad for duplication and installation abroad of its Windows program ran afoul of AT&T’s patent. In overruling the Federal Circuit, the Supreme Court concluded that it did not.

Section 271(f) prohibits the supply of components “from the United States … in such manner as to actively induce the combination of such components.” § 271(f) (1). Under this formulation, the very components supplied from the United States, and not copies thereof, trigger § 271(f) liability when combined abroad to form the patented invention at issue. Here, as we have noted, the copies of Windows actually installed on the foreign computers were not themselves supplied from the United States. Indeed, those copies did not exist until they were generated by third parties outside the United States. Copying software abroad, all might agree, is indeed easy and inexpensive. But the same could be said of other items: “Keys or machine parts might be copied from a master; chemical or biological substances might be created by reproduction; and paper products might be made by electronic copying and printing.”… The absence of anything addressing copying in the statutory text weighs against a judicial determination that replication abroad of a master dispatched from the United States “supplies” the foreign-made copies from the United States within the intendment of § 271(f).

Unless section 271(f) is amended, it may have profound implications for subverting the ability of a U.S. company to control patent infringement where software is a component of a patented invention.

11.8 PIRACY AND OTHER INTRUSIONS. For as long as ideas and innovation have been a source of commercial or social value, the terms on which these ideas and innovations have been available for use and exchange by others has been the subject of significant tension. Although inventors and creators of commercially viable products and processes want to maximize the return on their investment, marketplace pressure for cost efficiency (often motivated by human and corporate greed) fuels a constant drive to remove the inventors’ and creators’ royalties from the cost of production. Thus, the ancient notion of piracy, the unauthorized boarding of a ship to commit theft, and the unauthorized use of another’s invention or production95 remains alive and well. The piracy we speak of is not simply the unauthorized copying of millions of compact discs (CDs); increasingly it includes the unauthorized scraping of data from Web sites, abuse of authorized Internet use, theft of employee data, and similar activities.

11.8.1 Marketplace. The demand for unlicensed access to and use of software and entertainment media increases annually. In its 2007 survey regarding computer security among corporate and governmental institutions, the Computer Security Institute and the U.S. Federal Bureau of Investigation found that 59 percent of all respondents discovered employees who abused Internet privileges for a variety of unauthorized purposes.96 A 2007 study by the Software & Information Industry Association reported worldwide revenue loss from the piracy (unlawful copying and distribution) of software exceeding $28.8 billion in 2007.97 In countries such as China, despite recent overtures to the contrary, piracy is not merely sanctioned; it constitutes an investment by government agencies.98

In recent years, in large part due to the saturation of Internet access, there has been a tremendous proliferation of technologies designed to access and distribute (without authorization) protected software applications and entertainment media. This has posed a tremendous challenge for license holders, legislators, and law enforcement authorities. The results have included attempts to punish both unauthorized access and use of protected material. In the process, there has been a transformation in the definition of what is protected and some confusion about the extent of that protection when the Internet is involved.

11.8.2 Database Protection. Databases, the organized compilation of information in an electronic format, are prominent elements of any discussion concerning copyright protection. Compilations of information, data, and works are protectable under the Copyright Act.99 To secure copyright protection for a compilation, a party must demonstrate that (1) it owned a valid copyright in the compilation; (2) the alleged infringer copied at least a portion of the compilation; and (3) the portion so copied was protected under the Copyright Act.100 In this context, the Copyright Act protects the “original” selection, coordination, or arrangement of the data contained in the compilation.101

To the extent that compilations contain purely factual information (e.g., existing prices of products and services), there is no protection because the facts themselves lack originality.102 It does not matter that the author “created” the facts of the prices being charged for the product or service.103 To sustain a claim of copyright protection for compilations of fact, the author must demonstrate creativity in the arrangement of the data. Standard or routine arrangements are likewise beyond the act’s umbrella.104

This is in contrast to the European Union’s Database Directive, which does not require creativity as a condition for protecting the contents of a database. In addition to copyright for original databases, it grants a separate sui generis right that protects substantial investment in obtaining, verifying, or presenting the contents, subject to specified exceptions.

The United States Supreme Court has held that the compilation into a database of original works by contributing authors to newspapers and magazines violates the copyrights of the individual authors when the database does not reproduce the authors’ articles as part of the original collective work to which the articles were contributed. In New York Times Co., Inc. v. Tasini,105 authors who contributed articles and other works to the New York Times, Time magazine, and Newsday sued when they learned that the articles that they sold to the publishers for use in the respective publications were being reproduced and made available online, through LEXIS/NEXIS, an online database, and on CD-ROM. In most instances, the reproductions were of the individual articles outside of the newspaper or magazine context, in a collection of works separately protected by the Copyright Act. The Supreme Court held that, because the publishers of the new collective works made no original or creative contribution to the individual authors’ original works, they could not reproduce and distribute those works outside of the format that each publisher created for the original collections of works, without permission from, or payments to, each author.106

11.8.3 Applications of Transformative and Fair Use. The concepts of transformative use and fair use (to the extent that they are separable) discussed earlier in this chapter have played a substantial role in recent decisions involving the unauthorized use of electronic media and the Internet. The starting point for this application of the doctrine is the U.S. Supreme Court’s decision in Sony Corporation v. Universal City Studios, Inc.,107 the famous battle over Betamax initiated by the movie industry. At issue was whether electronic recording machines could record television programs to permit individuals to “time-shift” television programs (i.e., to record programs for viewing at a time other than the time of airing). In its decision, the Sony Court found that time shifting was a productive use of the television programs for a purpose other than the original commercial broadcast, and was not an attempt either to duplicate the original purpose or to impact the commercial market for these programs. The Court emphasized the noncommercial element inherent in time shifting.108

11.8.4 Internet Hosting and File Distribution. The growth of the breadth and scope of the Internet has been accompanied by increasing questions about the extent to which the distribution of otherwise protected expressions changes their form when they are converted into an electronic format. These questions arise for ISPs, which provide the pathway for distributing protected material, and for end users who post such materials on their Web sites and bulletin boards. For ISPs, the DMCA provides some initial comfort.

Title II of the DMCA, designated the “Online Copyright Infringement Liability Limitation Act,” establishes several infringement liability safe harbors for service providers. The “Information residing on systems or networks at direction of users”109 safe harbor is available to any provider of “online services or network access, or the operator of facilities thereof, . . .” including “digital online communications, between or among points specified by user, of material of the user’s choosing, without modification to the content of the material as sent or received”110 that “has adopted and reasonably implemented, and informs subscribers and account holders of the service provider’s system or network of, a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers” and “accommodates and does not interfere with standard technical measures.”111 To qualify for the safe harbor, the service provider must demonstrate that:

1. It has no actual or constructive knowledge that information on its system is infringing, it is not aware of circumstances from which infringement is apparent or, upon obtaining such knowledge or awareness, it acts expeditiously to remove those materials;

2. It receives no financial benefit directly attributable to the infringing activity; and

3. Upon receipt of a notice of infringing material on its system, it responds expeditiously to remove, or disable access to, the material.112

Assuming that the safe harbor does not apply (as, for instance, because the ISP failed to act on a notice of infringing activity), many service providers may nonetheless escape liability. In the first, and seminal, case on this topic, Religious Technology Center v. Netcom On-Line Communication Services, Inc.,113 an ISP hosted a bulletin board service on which Church of Scientology publications were posted by a former minister. The District Court held that the ISP must demonstrate that its use was of public benefit (facilitating dissemination of creative works including, but not limited to, the infringing work); that its financial gain was unrelated to the infringing activity (e.g., subscription fees from providing email systems rather than fees from the display or sale of the infringing work); that its use was unrelated to the use of the owner of the work; that the ISP copied only what was necessary to provide its service; and that its use of the material had no demonstrable effect on the potential market for the work.114 In CoStar Group, Inc. v. LoopNet, Inc., the Fourth Circuit relied on Netcom, its codification in the DMCA, and the fact that the DMCA does not limit the application of other infringement defenses, and held that “the automatic copying, storage, and transmission of copyrighted materials, when instigated by others, does not render an ISP strictly liable for copyright infringement under §§501 and 106 of the Copyright Act.”115

For Web site owners and users who post allegedly infringing material, the courts have had much less difficulty discarding the transformative fair use arguments. This has been particularly true in the purely commercial setting, as where the infringing party gains direct financial benefit from the infringing material,116 and where the posted material is an exact copy of the protected work without any transformation to something creative or original.117 In a case that goes to the heart of the open-access nature of the Internet, one court recently held that a copyright owner who posts its work on the Internet for free distribution as shareware may defeat a transformative fair use defense by also posting an express reservation of distribution rights.118

11.8.5 Web Crawlers and Fair Use. The Internet, premised on open exchange of data and economic efficiency, has spawned a spate of data search and aggregation software tools that scan the Web looking for information requested by the user. The process used by these search engines119 includes identifying data on the Web that conform to the search parameters and then downloading those data. Since the copying usually occurs without the express permission of the copyright owner, some have argued that such copying constitutes an infringement. Although there is very little precedent concerning the application of transformative fair use to automated data retrieval systems, at least one court has upheld the use of the defense against an infringement claim.120

11.8.6 Hyperlinking. In Perfect 10 v. Google, Inc.,121 affirmed in part and remanded in part as Perfect 10, Inc. v. Amazon.com, Inc.,122 Perfect 10 (P10) claimed that Google was infringing its copyrights in certain images and thumbnails hosted on third-party Web sites and on P10’s own Web site when Google’s image search picked them up for display as framed full-size images and as thumbnails on computers and cell phones. The court concluded that hyperlinking did not constitute display for purposes of direct copyright infringement. On appeal, the case was remanded for further consideration as to whether the conduct fell within the general rule for contributory liability. To appreciate the context in which the courts are wrestling with these issues in the light of new technology, the District Court’s analysis repays careful study.

11.8.7 File Sharing. Transformative fair use will not protect the verbatim retransmission of a protected work in a different medium when there is a substantial and detrimental impact on the market for the protected work. In A&M Records, Inc. v. Napster, Inc.,123 Napster enabled users to share music files over the Internet by downloading the file-sharing software to their hard drives, using the software to search for MP3 music files stored on other computers, and transferring copies of MP3 files from those computers. The court of appeals held that Napster users were merely retransmitting original works in a different medium and that this did not constitute a transformation of the original work. The court also found that sharing of music files over the Internet had, and would have, a significant and detrimental impact on the existing and potential market for CDs and digital downloads of the copyright owners’ works. Picking up on the Sony decision’s emphasis on the distinction between commercial and personal use, the Court of Appeals found that Napster’s Web site effectively made the works available for use by the general public and not simply for the personal use of individual users.124

Napster’s demise, however, did not end the controversy over file sharing. Trying to avoid Napster’s method of directly enabling file sharing, entities such as Grokster and StreamCast developed software creating peer-to-peer networks through which individual computers communicate to exchange files without the necessity of a central server.125 The Supreme Court recently revisited copyright infringement and file sharing specifically with respect to these peer-to-peer networks and applied the “inducement rule” to file-sharing services. Evidence demonstrated that 90 percent of the files available to download from Grokster and StreamCast were copyrighted works, and Grokster and StreamCast conceded that most users were downloading copyrighted material. There was also an abundance of evidence that through their respective software applications and advertisements, both entities marketed themselves as the alternative to Napster, and their business models demonstrated “that their principal object[ive] was [the] use of their software to download copyrighted works.”126 The Court vacated the court of appeals’ affirmation of summary judgment for Grokster and StreamCast, and rejected the court of appeals’ broad interpretation of Sony Corp. v. Universal City Studios, but declined to further discuss the balance between protecting copyrighted works and promoting commerce in the context of how much noninfringing use each service was capable of providing, and did not at all discuss the issue of fair use. Instead, the Court noted that Sony did not preclude other forms of infringement liability and, focusing on the intent of the defendants in their inducement of file sharing, held that “one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties.”127 Citing Sony, the Court further opined that mere knowledge of potential or actual infringement is not a sufficient basis for liability, but that “the inducement rule … premises liability on purposeful, culpable expression and conduct, and thus does nothing to compromise legitimate commerce or discourage innovation having a lawful purpose.”128

Since the service and software in Grokster had other lawful purposes, the Supreme Court’s decision underscores the importance of proving an intent to infringe or to cause infringement. Thus, when asking a court to look behind stratagems and disclaimers that hide unlawful purposes, the copyright holder should consider what other evidence exists or is likely to exist of product design, advertising, marketing, external and internal communications, revenue plans, and other factors that would prove unlawful intent. In addition, for copyright holders, the problem remains that many providers of file-sharing software may not be subject to the jurisdiction of U.S. courts and that file-sharing software, such as “Darknet,” provides anonymity to users illegally downloading copyrighted materials. As will be discussed, many countries are signatories to TRIPS (see Section 11.11.1 of this chapter) and subscribe to international copyright protection. Following Grokster, the maker of KaZaa file-sharing software was enjoined in Australia from using its software to commit copyright infringement. The remedy required alteration of the software so that it would not duplicate copyrighted works.

11.9 OTHER TOOLS TO PREVENT UNAUTHORIZED INTRUSIONS. Several legal principles and laws support the right to prevent and prosecute unauthorized intrusions. These include the doctrine of trespass, terms of use, and several critically important and widely used statutes explicitly addressing the issues.

11.9.1 Trespass. Trespass is a common law concept that we are all familiar with when applied to land. We have all seen and probably at some point in our youth violated the no-trespassing signs that are posted on an unfriendly neighbor’s property. Trespass is also a concept that can apply to computers and informational databases. Courts have been taking older concepts and reapplying them to new situations.

In eBay, Inc. v. Bidder’s Edge, Inc.,129 the Federal District Court granted eBay an injunction forbidding Bidder’s Edge from using a software robot to scrape information from eBay’s Web site. The court based the injunction on its finding that accessing the Web site in a manner that was beyond eBay’s posted notice (there were actual letters of objection) constituted a trespass. The court reasoned that the “electronic signals sent by Bidder’s Edge to retrieve information from eBay’s computer system [were] sufficiently tangible to support a trespass cause of action.” The court further viewed the ongoing violation of eBay’s fundamental right to exclude others from its computer system as creating sufficient irreparable harm to warrant an injunction. Thus, it was not necessary that eBay prove that the access actually interfered with the operation of the Web site. Rather, proof of the “intermeddling with or use of another’s personal property” was sufficient to establish the cause of action for trespass. What is significant here is that eBay did permit others to access its Web site under license, and the court viewed conduct that exceeded the licensed use, upon notice to the violator, to be a trespass.

However, the applicability of trespass to unauthorized computer activity is not settled. Where trespass involves an object, rather than land, there must not only be improper use but also some harm to the physical condition or value of the object, or the misuse must deprive the rightful owner of the use of the object for a substantial period of time. The two must be causally related. In Intel v. Hamidi,130 the California Supreme Court reversed a lower court’s order banning a former employee from sending unsolicited emails to Intel employees on the grounds of trespass. The court thought that the reach of the doctrine had been extended too far, concluding that bad analogies (i.e., viewing servers as houses and electronic signals as intrusions) create bad law. The court declined to view computers as real property. Rather, finding that they were like other personal property, the court found that this communication was no different from a letter delivered by mail or a telephone call. In short, the court declined to find a trespass merely because an “unwelcome communication, electronic or otherwise” was said to have caused an “injury to a communication system.” Here there was no injury to the computer system, although Intel claimed injury to its business. Intel v. Hamidi simply warns against overbroad application of the concept of trespass. If injury to the computer system can be demonstrated, then trespass remains a tool in the arsenal of remedies, assuming that the trespasser can be identified.

11.9.2 Terms of Use. Terms of use can constitute a contract with respect to Web site usage. Thus, in any situation where electronic access is requested or permitted, the terms and conditions of use, together with an acknowledgment that such terms have been seen and consented to, can be enforced as restricting usage. In Register.com, Inc. v. Verio, Inc.,131 the Second Circuit upheld an order enjoining Web site access primarily on the issue of contract. There, as described by the Second Circuit, the defendant Verio, against whom the preliminary injunction was issued, was engaged in the business of selling a variety of Web site design, development, and operation services. In the sale of such services, Verio competed with Register’s Web site development business. To facilitate its pursuit of customers, Verio undertook to obtain daily updates of the WHOIS information relating to newly registered domain names. To achieve this, Verio devised an automated software program, or robot, which each day would submit multiple successive WHOIS queries through the port 43 accesses of various registrars. Upon acquiring the WHOIS information of new registrants, Verio would send them marketing solicitations by email, telemarketing, and direct mail. To the extent that Verio’s solicitations were sent by email, the practice was inconsistent with the terms of the restrictive legend Register attached to its responses to Verio’s queries.

Register at first complained to Verio about this use and then adopted a new restrictive legend on its Web site that undertook to bar mass solicitation “via direct mail, electronic mail, or by telephone.” The court concluded that Verio’s conduct formed a contract, like buying an apple at a roadside fruit stand, which Verio breached:

We recognize that contract offers on the Internet often require the offeree to click on an “I agree” icon. And no doubt, in many circumstances, such a statement of agreement by the offeree is essential to the formation of a contract. But not in all circumstances. While new commerce on the Internet has exposed courts to many new situations, it has not fundamentally changed the principles of contract. It is standard contract doctrine that when a benefit is offered subject to stated conditions, and the offeree makes a decision to take the benefit with knowledge of the terms of the offer, the taking constitutes an acceptance of the terms, which accordingly become binding on the offeree. See, e.g., Restatement (Second) of Contracts § 69 (1)(a) (1981) (“Silence and inaction operate as an acceptance … where an offeree takes the benefit of offered services with reasonable opportunity to reject them and reason to know that they were offered with the expectation of compensation.”)

* * *

Returning to the apple stand, the visitor, who sees apples offered for 50 cents apiece and takes an apple, owes 50 cents, regardless whether he did or did not say, “I agree.” The choice offered in such circumstances is to take the apple on the known terms of the offer or not to take the apple. As we see it, the defendant in Ticketmaster and Verio in this case had a similar choice. Each was offered access to information subject to terms of which they were well aware. Their choice was either to accept the offer of contract, taking the information subject to the terms of the offer, or, if the terms were not acceptable, to decline to take the benefits.

Id. at 403. The court further held that Verio’s conduct was also a trespass because:

The district court found that Verio’s use of search robots, consisting of software programs performing multiple automated successive queries, consumed a significant portion of the capacity of Register’s computer systems. While Verio’s robots alone would not incapacitate Register’s systems, the court found that if Verio were permitted to continue to access Register’s computers through such robots, it was “highly probable” that other Internet service providers would devise similar programs to access Register’s data, and that the system would be overtaxed and would crash. We cannot say these findings were unreasonable.

Id., at 405.
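In both eBay and Register.com, the trespass finding rested on evidence about what the robot actually did to the operator’s system: the volume and burst rate of automated queries and the share of capacity they consumed. The following added example (not from the handbook and not from either case) shows how an operator might reconstruct that evidence from its own request logs. The log format, the sample lines, the hypothetical client addresses, and the flagging thresholds are all assumptions made for illustration.

```python
"""Quantify automated-query load from a request log.

Added example, not from the handbook: reconstructs the kind of evidence the
eBay and Register.com courts relied on (share of capacity consumed by one
client's robot). Log format, sample data, and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed sample log, not real traffic: one robot issues 40 WHOIS
    queries in 40 seconds; three ordinary clients issue two queries each."""
    lines = []
    for i in range(40):
        lines.append(
            f"2013-05-01T10:00:{i:02d} 203.0.113.7 GET /whois?domain=example-{i:04d}.com"
        )
    for j, ip in enumerate(["198.51.100.20", "198.51.100.21", "198.51.100.22"]):
        lines.append(f"2013-05-01T10:0{j + 1}:05 {ip} GET /whois?domain=mine-{j}.com")
        lines.append(f"2013-05-01T10:1{j}:10 {ip} GET /whois?domain=other-{j}.com")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'ISO-timestamp client-ip method target' lines (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, target = line.split(maxsplit=3)
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "method": method, "target": target})
    return records


def load_profile(records, window_seconds=60):
    """Per client: total requests, share of all requests, and the busiest
    fixed window of window_seconds (the burst rate a robot produces)."""
    total = len(records)
    per_window = defaultdict(Counter)
    for r in records:
        bucket = int(r["ts"].timestamp()) // window_seconds
        per_window[r["ip"]][bucket] += 1
    return {
        ip: {
            "requests": sum(buckets.values()),
            "share": sum(buckets.values()) / total,
            "peak_per_window": max(buckets.values()),
        }
        for ip, buckets in per_window.items()
    }


def flag_automated(profile, share_threshold=0.5, peak_threshold=30):
    """Clients that dominate total load or burst like a robot. Thresholds are
    illustrative; an operator would set them from its own capacity figures."""
    return sorted(
        ip for ip, p in profile.items()
        if p["share"] >= share_threshold or p["peak_per_window"] >= peak_threshold
    )


if __name__ == "__main__":
    profile = load_profile(parse_log(build_sample_log()))
    for ip, p in sorted(profile.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:15} requests={p['requests']:3d} share={p['share']:.1%} "
              f"peak/min={p['peak_per_window']}")
    print("flagged:", flag_automated(profile))
```

The per-client share answers the question the Register.com court asked (how much of the system’s capacity one party’s robots consumed), while the peak-per-window figure captures the burst pattern that distinguishes a robot from an individual consumer. Neither number establishes liability by itself; they are the factual record an operator would put beside its posted notice and its letters of objection.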

Similarly, although in a different setting, in ProCD v. Zeidenberg,132 ProCD sold a CD containing noncopyrightable data. Access to the data, however, was controlled by a license agreement; if there was no acceptance, there was also no access. The license agreement prohibited the use of the data for any commercial purpose. Zeidenberg took the data and posted them on a Web site, which he used commercially to sell advertising; the data were thus being used to attract visitors. The court found the license limitation on use enforceable.

The importance of this decision is that so long as the owner prominently specifies the limitations, the restrictions can become a contract that is accepted by accepting the benefits of access and can be one safeguard against misuse of the access.

11.9.3 Computer Fraud and Abuse Act133

11.9.3.1 Prohibited Behavior and Damages. In 1984, Congress passed the original version of the Computer Fraud and Abuse Act (CFAA).134 The general purpose was to protect “Federal interest computers” by criminalizing intentional and unauthorized access to those computers that resulted in damage to the computers or the data stored on them. The statute was substantially amended in 1986135 and again in 1996136 and now contains both criminal and private civil enforcement provisions.


The statute proscribes these activities:

… knowingly accessing a computer without authority or in excess of authority, thereafter ob- taining U.S. government data to which access is restricted and delivering, or attempting to deliver, the data to someone not entitled to receive it137;

intentionally accessing a computer without authority or in excess of authority and thereby obtaining protected consumer financial data138;

intentional and unauthorized access of a U.S. government computer that affects the use of the computer by or for the U.S. government139;

accessing a computer used in interstate commerce knowingly and with the intent to defraud and, as a result of the access, fraudulently obtaining something valued in excess of $5,000140;

causing damage to computers used in interstate commerce by (i) knowingly transmitting a program, code, etc. that intentionally causes such damage, or (ii) intentionally accessing the computer without authority and causing such damage141;

knowingly, and with the intent to defraud, trafficking in computer passwords for computers used in interstate commerce or by the U.S. government142; and

transmitting threats to cause damage to a protected computer with the intent to extort money or anything of value.143

The linchpin among the relevant decisions concerning access to data under the CFAA is whether the access is “without authority” or “in excess of authority.” The factors considered by the courts include the steps taken by the owner of the information to protect against disclosure or use, the extent of the defendants’ knowledge regarding their authority to access or use the data, and the use(s) made of the data after gaining access. The legislative history indicates that the statute was intended to “punish those who illegally use computers for commercial advantage.”144

Broadly speaking, there are two sets of circumstances to consider. In the first in- stance, is the actual access authorized, either expressly or impliedly? In the Internet context, where there is a presumption of open access, the site or data owners must show that they took steps to protect the contents of their site and to limit access to the data at issue.145 Once those steps are taken, the protection constitutes a wall through which even automated search retrieval systems may not go without express permission.146 Without the wall, there must be some evidence of an intent to access for an impermissible purpose, as when Intuit inserted cookies into the hard drives of home computers.147

Second, has the authorized access been improperly exceeded? Generally speaking, those who use their permitted access for an unauthorized purpose to the detriment of the site or data owner have violated the CFAA. Examples include employees who obtain trade secret information and transmit it via the employer’s email system to a competitor for which the employee is about to begin work148; using an ISP subscription membership to gain access to and harvest email addresses of other subscribers in order to transmit unsolicited bulk emails149; and using access to an employer’s email system to alter and delete company files.150

The criminal penalties range from fines to imprisonment for up to 20 years for repeat offenses. As discussed in Section 11.9, the CFAA has become a prominent element of claims by the U.S. government and by private parties seeking to protect data that are not always protected by other statutory schemes.

11.9.3.2 Its Application to Web Crawling and Bots. Web robots, or “bots,” are now widely used to scrape data from Web sites. Generally, all of that data are available to the public; that is, any individual can access the same information, but not with the speed or accuracy of a Web spider. But when does such “scraping” run afoul of the CFAA? To what extent does the law protect site operators or company data from penetration by an outside third party?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

11 · 28 FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW

The key to the analysis under the CFAA is to ask whether the data are in fact publicly available. Are there technical barriers, such as passwords or access codes, that have to be circumvented? Do the terms of use prohibit access or use other than by an individual consumer? These questions are critical to determining whether the access is “without authorization” or “exceeds authorized access” under the CFAA.

If the answer to either one of these questions (or similar questions) is yes, one needs to consider access carefully, since such access and downloading of data is likely to violate the CFAA. In EF Cultural Travel v. Zefer Corporation, Zefer designed a Web bot to scrape trip and pricing information from the Web site of EF Cultural Travel (EF) for use by a competing travel Web site. The bot downloaded the information by calling the URLs at which each separate trip and its pricing information were stored, reading the page source for the key features, and storing the information in a spreadsheet. The bot was designed not to burden or interfere with EF’s Web site. Once gathered, the information was turned over to a competitor, who used it to adjust the prices and trips that it offered. Zefer’s scraping did not occur continuously, but only on two discrete occasions. EF sued, claiming that a violation of the CFAA had occurred. The First Circuit Court of Appeals disagreed, refusing to read into what is or is not authorized a “reasonable expectations” standard, and instead requiring that the Web site operator expressly state any limitations on access in its terms and conditions. On remand to the federal District Court, the court, following the First Circuit, granted summary judgment for Zefer.

11.9.3.3 Simple Preventive Measures. Not surprisingly, there are several methods for preventing unauthorized access in the first instance and, if unsuccessful, in prevailing in any subsequent claim arising under the CFAA. Perhaps the most obvious measure, and one that the First Circuit Court of Appeals underscored, is to make sure that each visitor to a Web site is adequately notified that the owner of the site intends only limited use or access to the data on the site. The notice can take many forms.

For example, a conspicuous notice on the home page warning visitors that the posted information is available only for viewing and not for use in any manner adverse to the host’s interests would be sufficient. Understandably, most Web hosts are reluctant to post such a blunt limitation; it is not necessarily “good for business.” For those interested in an equally effective but less direct message, an increasingly common practice is to require site visitors to register before gaining access to links and other pages reachable from the home page. The more demanding the registration process, the clearer the host’s apparent intent to restrict access to, and use of, the information that becomes accessible once registration is completed.

Those hosts that require the payment of money, some kind of membership, or an access agreement before providing access establish what, for purposes of statutes like the CFAA that criminalize unauthorized access, will most often be seen as providing sufficient notice of the limits of authorized access. In the case of membership sites, the presumption is that each registrant is prequalified and therefore authorized to view and use the more restricted data, at least for purposes consistent with the terms of access. Enforceable click-wrap access agreements establish not only notice of access limitations; they also secure each visitor’s agreement to use the Web site and the data therein within the stated limitations.


Securing Web-based data against unauthorized use or users is, in some ways, antithetical to the information-sharing intent and purpose of the Web. In this regard, however, the question arising when we post information on the Web differs little from the question posed over the centuries regarding the extent to which each of us wants our competitors or adversaries to use our proprietary work against our interests. The greater the concern, the more likely that each host will have to limit the data posted on the Web, or else increase each visitor’s awareness of the rules of access.

11.9.4 Electronic Communications and Privacy. Electronic privacy is becoming the issue in our society of databases and networking. Most of the U.S. “privacy” statutes are subject-matter specific: the Telephone Consumer Protection Act of 1991 (do-not-call rules for telemarketers); the Health Insurance Portability and Accountability Act of 1996 (privacy with respect to uses and disclosure of medical information); the Children’s Online Privacy Protection Act of 1998 (regulating collection of information from children under the age of 13 by Web sites directed to children); the Gramm-Leach-Bliley Act of 1999 (regulating sharing of customer data by financial institutions); the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (restricting spammers and requiring an ability to opt out); and the Fair and Accurate Credit Transactions Act of 2003 (providing very limited assistance with respect to identity theft, such as the obligation to provide a yearly credit report). These laws do not provide assurances of privacy in the same way that the European Union did in its 1995 Data Protection Directive.151 The EU Data Directive establishes protections against release of personal data, including emails, within the European Union, and restrictions on the transmission of such data outside the EU to countries or companies that do not have equivalent protections in place.152

In 2005, ChoicePoint, a large data broker, admitted that it had sold personal data on over 160,000 people to phony companies established by identity thieves. Since then, other companies have announced data break-ins and data leaks. As a result of such data security breaches, approximately half of the states have passed laws that require disclosure of unauthorized access to personal data.153

In the United States, the primary protection for privacy remains a lawsuit for tortious invasion of one’s privacy. Because those rights are defined state by state, a review is beyond the scope of this chapter. However, most states recognize some form of the tort of invasion of privacy, and the tort has been recognized in the Restatement (Second) of Torts § 652, which courts reference as an authoritative source of the law. In general, the Restatement makes actionable (a) intentional intrusion, that is highly offensive to a reasonable man, into the seclusion of another’s private affairs, (b) the public disclosure of private facts if such disclosure is highly offensive to a reasonable person, and is not a legitimate public concern, and (c) the appropriation for his own use or benefit of the name or likeness of another.

This chapter has already discussed the fiduciary obligation owed by employees to their employers with respect to confidential information. The development of the tort of privacy suggests that companies owe a similar obligation to their employees. Although slightly different in scope, and foreshadowing the growing body of law in this area, Remsburg v. Docusearch, Inc.,154 presented the New Hampshire Supreme Court with a database company that had supplied a client with information that included a woman’s personal information. The client used it to confront and kill her. The New Hampshire Supreme Court held that the company had to act with “reasonable care in disclosing a third person’s personal information to a client.” This decision is as yet an unanswered invitation to other courts.

On the federal level, the CFAA, of course, does address “unauthorized” access to computerized information. In addition, Congress has enacted some statutory regulations that specifically address electronic communications and privacy.

11.9.4.1 Wiretap Act and Electronic Communications Privacy Act. Title III of the Omnibus Crime Control and Safe Streets Act of 1968, generally referred to as the Federal Wiretap Act,155 established the general parameters for permitted interception of communications by law enforcement. As originally crafted, the Wiretap Act covered only “wire and oral communications.” In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA),156 which amended the Wiretap Act and created the Stored Wire and Electronic Communications and Transactional Records Access provisions (the Stored Communications Act, or SCA) to “update and clarify federal privacy protections and standards in light of changes in computers and telecommunication technologies.”157

The SCA makes it unlawful to intentionally access, without authorization or in excess of authorization, a facility through which an electronic communication service is provided, and thereby obtain, alter, or prevent authorized access to a communication held in electronic storage; it also prohibits a provider of such a service to the public from knowingly divulging the contents of communications held in those facilities. The ECPA allows a private plaintiff to bring a civil claim for a knowing or intentional violation of the statute and to recover actual damages or the statutory minimum of $1,000.

The 1986 amendment extended the Wiretap Act’s coverage to include “electronic communications,” which is defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo-optical system.”158 “Intercept” is defined as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”159 Consequently, the Wiretap Act now makes it an offense to “intentionally intercept … any wire, oral, or electronic communication.”160 Thus, the definitions in the act now cover Internet transmissions such as emails or file transfers.

There is an important exception to this prohibition. Under the “consent of a party” exception, it is permissible to intercept communications where “one of the parties to the communication has given prior consent to such interception.”161 The requisite consent may be express or implied from the surrounding circumstances.162 Furthermore, an employer may obtain consent by informing the employee of the monitoring practices in an employment contract or in an employee handbook.163

Under the “provider exception,” a provider of electronic communication services “whose facilities are used in the transmission of a wire or electronic communication, [may] intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident … to the protection of the rights or property of the provider of that service.”164 This exception may allow an employer to lawfully intercept communications to detect an employee’s unauthorized disclosure of trade secrets to third parties.165

11.9.4.2 Contemporaneous Transmission Requirement. The Wiretap Act only prohibits interceptions of electronic communications,166 a term that has been more narrowly defined by the courts than the definition in the act might suggest. Read literally, the definition of interception suggests that an individual “intercepts” a wire, oral, or electronic communication “merely by acquiring its contents, regardless of when or under what circumstances the acquisition occurs.”167 In the context of this section, a serious question arises about the legality of intercepting electronic communications as they were being transmitted and once they were stored, either temporarily or permanently. Although Congress intended to liberalize one’s ability to monitor “wire communications” while it sought to make the monitoring of “electronic communications” more difficult,168 courts have held that Congress intended to make acquisitions of electronic communications unlawful under the Wiretap Act “only if they occur contemporaneously with their transmissions”169 and before they actually cross the finish line and become stored.170 This is, of course, an interesting fiction when applied to Internet transmissions, which consist of packets that are broken up and passed from router to router as well as from temporary storage to temporary storage. It is a far cry from the interception of a telephone call. It may simply be that in applying the language of the statute, the courts are faced with applying it to a technology that was not really in existence when the statute was amended in 1986.

In recent years, the courts have attempted to apply the contemporaneous transmission requirement to various situations. For example, cookies used to recover personal data from visitors to a Web site constitute an interception of a contemporaneous electronic communication and a violation of the Wiretap Act.171 Noting that electronic communications are generally in transit and in storage simultaneously, the court reasoned that users communicated simultaneously with the pharmaceutical client’s Web server and with the software company’s Web server and, thus, the information was acquired contemporaneously with its transmission.172

Where electronic transmissions are found in RAM or on the hard drive, they are stored communications; their retrieval is outside the Wiretap Act.173 Similarly, an email that is recovered after it has been sent and received does not satisfy the contemporaneous transmission requirement and therefore has not been intercepted under the Wiretap Act.174 Perhaps in response to these and other decisions, in 2001 Congress amended the Wiretap Act (in the USA PATRIOT Act) to remove electronic storage from the definition of “wire communication,” so that the contemporaneous transmission requirement now applies to wire communications as well, and stored wire communications such as voicemail may be obtained under the less demanding rules governing stored communications.175

11.9.4.3 Konop v. Hawaiian Airlines, Inc. The Konop decision appears to be the most oft-cited case on the issue of “interception” under the Wiretap Act. Konop, the plaintiff, was an airline pilot who created and maintained a Web site where he posted bulletins critical of his employer, Hawaiian Airlines, Inc., and the airline union. Konop controlled access to his Web site by requiring visitors to log in with a user name and password and by creating a list of authorized users.

An officer of Hawaiian Airlines asked one such authorized user for permission to use his name to access the Web site. The officer logged on several times, and another officer, using the same technique, also logged on to view the information posted on Konop’s bulletin. Konop eventually filed suit against Hawaiian Airlines, alleging that it violated the Wiretap Act when its officer gained unauthorized access to Konop’s Web site.

The court first reiterated that the act only prohibits interceptions of electronic communications.176 “Interception,” the court held, requires that the party acquire the information contemporaneous with its transmission, and not while it is in electronic storage. In this case, the court concluded that the employer did not violate the Wiretap Act because the officers accessed an electronic communication located on an idle Web site, which did not satisfy the contemporaneous transmission requirement.177

11.9.5 Stored Communications Act. Unlike the Wiretap Act, the Stored Communications Act (SCA),178 as its name suggests, establishes the limitations of access to stored communications (i.e., communications accessed after their transmission).179 Specifically, the SCA makes it unlawful to “intentionally [access] without authorization a facility through which an electronic communication service is provided … and thereby [obtain], [alter], or [prevent], authorized access to a wire or electronic communication while it is in electronic storage.”180 The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service provider for purposes of backup protection of such communication.”181 The SCA exempts from liability conduct “authorized … by the person or entity providing a wire or electronic communications service”182 or “by a user of that service with respect to a communication of or intended for that user.”183

11.9.5.1 Electronic Storage: Backup Files. The essential element that separates the SCA from the Wiretap Act is that the accessed communications reside in electronic storage. Therefore, the first question is what constitutes electronic storage. In Theofel v. Farey-Jones,184 the United States Court of Appeals for the Ninth Circuit attempted to answer this question.

In Theofel, overzealous lawyers for Farey-Jones secured, through a subpoena issued to an ISP, emails sent and received by their opponents in the lawsuit, a company called Integrated Capital Associates (ICA). The subpoena requested from the ISP virtually every email ever sent or received by ICA and its employees. In response, the ISP posted a smattering of the emails on a Web site accessible to Farey-Jones and its lawyers. When ICA learned of these activities, it sued Farey-Jones for, among other things, violation of the SCA.

According to the court in Theofel, Congress recognized that users of ISPs have a legitimate interest in protecting the confidentiality of communications in electronic storage at a communications facility. Moreover, this legitimate interest cannot be overcome by fraud or by someone who knowingly exploits a mistake that permits access to what is otherwise protected. The court found that the use of the subpoena to access ICA’s emails when it was reasonably plain, at least to counsel, that the subpoena was invalid, negated any apparent authority that Farey-Jones and its lawyers may have had to view ICA’s emails.

Farey-Jones claimed that the ICA emails were not in “electronic storage” and there- fore no violation of the SCA occurred. The court disagreed. As stated earlier, electronic storage exists when messages are stored on a temporary, intermediate basis as part of the process of transmitting the message to the recipient, and when messages are stored as part of a backup process. In this instance, the court found that the emails, which had apparently been delivered to their recipients, were stored by the ISP as part of its backup process for retrieval after initial receipt. Access to those emails was therefore protected by the SCA, which Farey-Jones and its lawyers violated.

11.9.5.2 Electronic Storage: Temporarily Stored Communications. Recent cases interpreting the meaning of “temporary, intermediate storage … incidental to” transmission of the communication have adhered to the letter of the law more than its spirit. In two cases involving the installation of cookies that were subsequently accessed by software companies for commercial gain, the courts have held that cookies are permanently (or at least indefinitely) installed on the consumer’s hard drive and therefore cannot be considered “temporary, intermediate storage.”185

The DoubleClick decision also emphasized that the “temporary, intermediate storage” element of the SCA means what it says: the prohibited conduct involves only unauthorized access to communications while they are being temporarily stored by an intermediary and does not include access to stored messages after they have been received.186 In the context of an employer’s right to examine an employee’s emails, the employee will have no claim that an employer has violated the SCA when the employer opens emails sent or received by the employee once the email has been either received or discarded.187

11.10 OPEN SOURCE. With the continued proliferation of the Internet and computer software, the licensing, distribution, and use of open source code has gained publicity and added importance in the practice of intellectual property and computer security. “Open source” describes the distribution of computer code that is available (i.e., open) to all others and therefore allows computer programmers to read, apply, and modify the code, and also redistribute any changes.188 The open source movement began with Richard Stallman’s development of GNU (“GNU’s Not UNIX”), a UNIX-like system that was meant to be free software (free as in the freedom to use, modify, and distribute the software).189 GNU’s development produced the first open source license, the GNU General Public License (GPL). Linux, an open source operating system and an alternative to Microsoft Windows, experienced tremendous growth through its use of the GPL.190 The prevalence of open source issues is evidenced by the 1998 formation of the Open Source Initiative (OSI), which not only promotes open source development and encourages its use by business191 but also offers links to and information about most of the available open source licenses.

11.10.1 Open Source Licenses. The author of open source code holds a copyright that operates as other copyrights do, but the code is released under a certain license on a nonproprietary basis. There are various types of open source licenses. The first open source license was the GPL, as described. It offers the broadest application of free software. In contrast, other licenses do not seek to perpetuate the free nature of a particular program. According to the Open Source Initiative, there are nearly 60 open source licenses now available for authors of source code,192 all of which impose certain requirements on the software user.

11.10.2 GPL. Licensing under the GPL is premised on Stallman’s idea of “copyleft,” which basically uses copyright as a tool to ensure the continued free distribution of source code.193 In other words, the GPL affords application, modification, and distribution rights to the copyrighted source code only if the user agrees that the distribution terms remain the same. This creates an endless chain of GPLs attached to future distributions of either the original or derived versions, regardless of their form.194 This endless chain often is referred to as the GPL’s “viral effect,” as GPL-protected code multiplies from any modifications of original GPL-protected code.195 The GPL applies not just to an originally protected software program but also to what it broadly defines as the “Program”:

[A]ny such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language.196

Moreover, although the GPL also states that independent and separate sections of a derivative work are not subject to the GPL’s terms when they are distributed as separate works, the GPL does apply when the user distributes those same independent and separate “sections as part of a whole which is based on the Program. … ”197 The broad application given to the program under the GPL further enhances the viral effect of the license.

Other provisions of the GPL require users who distribute verbatim copies of the source code to publish copyright notices, disclaim warranties, and provide copies of the GPL. In addition, the modifier/user must attach to any modifications a notice that the software was changed, must license the modified work as a whole at no charge to all third parties under the GPL (the GPL permits charging a fee for the physical act of transferring a copy, but not for the license itself), and must provide appropriate copyright notices, warranty disclaimers, and GPL terms and conditions. In sum, the GPL’s sweeping terms not only seek to achieve the free software goals of the Free Software Foundation (FSF) but also affect whether authors choose the GPL, and whether businesses utilize software subject to the GPL.

11.10.3 Other Open Source Licenses. The Berkeley Software Distribution (BSD) License and the Massachusetts Institute of Technology (MIT) License are very similar in that they both require copyright notices, disclaimers of warranties, and liability limitations. The BSD License further prohibits using the names of the copyright holder or contributors to endorse or promote derived products without prior written permission, and also requires a copy of the BSD License’s terms to be distributed with the software.

11.10.4 Business Policies with Respect to Open Source Licenses. The issue of whether distribution of a proprietary work that incorporates a small portion of GPL-protected code subjects that proprietary work to the terms of the GPL has never been litigated.198 This is one risk of using open source software. Another risk is that failure to comply with the GPL’s terms could lead to litigation.199 For instance, MySQL sought to enjoin Progress Software Corporation from distributing MySQL’s Gemini program without a GPL-compliant agreement.200 Because there was a factual dispute as to whether Gemini was a derivative work or an independent work under the GPL, and because Progress stipulated that it disclosed Gemini’s source code and would withdraw the end user license for commercial users, the court did not grant the injunction as to the GPL.201

Given the expanding use of open source, businesses need to develop comprehensive policies addressing their use of open source to avoid liability and to avoid publicly releasing their own proprietary technology.202 Concerns generally involve license requirements regarding the distribution of the software and its modifications,203 since those activities usually require the company to release the source code for any distributed modification, and modifications often terminate vendors’ support agreements.204 In addition, distributing unmodified open source as part of a proprietary program may require the company to release its own proprietary source code.205 It is more likely, however, that the company would be enjoined from distributing the open source or would have to pay damages.206 These considerations should be addressed not only through company policy but also by choosing the best source code to use in programming, given the company’s internal and external needs and the specific licensing requirements of that source code.

11.11 APPLICATION INTERNATIONALLY. Because the laws of the United States are the laws of just one nation among many, the enforcement of U.S. law and the protection of intellectual property rights in large part depend on international treaties. To the extent that the infringing acts or acts of piracy may be deemed to occur in the United States, or the infringers can be found in the United States, then the United States has sufficient jurisdiction over these acts to enforce its laws. In other words, such actors can be sued directly in the courts of the United States for violation of the laws of the United States.

Apart from direct enforcement, international protection is usually a vehicle of bilateral agreements between the United States and individual countries or a function of international protocols or treaties to which the United States is a signatory. Thus, for example, the Paris Convention for the Protection of Industrial Property207 establishes a system for recognizing priority of invention, but only among member countries. In addition, there is the Patent Cooperation Treaty (PCT), a multilateral treaty with more than 50 signatories. The PCT permits the filing of an international application that simplifies the filing process when a patent is sought in more than one nation. For copyright protection, there is also a series of international treaties and agreements that include the Berne Convention,208 the Universal Copyright Convention, and the World Trade Organization (WTO) Agreement.209 Canada, Mexico, and the United States also signed the North American Free Trade Agreement (NAFTA) in December 1992. NAFTA addresses intellectual property and requires that member states afford the same protections to intellectual property as members of the General Agreement on Tariffs and Trade (GATT). At a minimum, members of GATT must adopt four international conventions, including the Paris Convention and the Berne Convention.

These agreements, conventions, and treaties in large part do not attempt to reconcile the differences in the national laws of intellectual property. The particular national rules and nuances are simply too complicated, and there are too many differences of opinion to expect that these differences could be internally reconciled. Rather, in large measure, these international accords attempt to codify comity between the member nations so that each will recognize the legitimacy of the intellectual property rights in the other.

11.11.1 Agreement on Trade-Related Aspects of Intellectual Property Rights. On December 8, 1994, the legislation implementing the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) in the United States was signed into law. Implementing TRIPS required changes to United States statutes and regulations to bring them into conformity with international norms. TRIPS, however, was a product of the United States and other industrial countries pressing for stronger, more uniform standards for international treaties concerning intellectual property. The basic structure of TRIPS is to set a minimum standard of protection for intellectual property, with each member nation free to adopt more stringent standards. Under the rubric used in the United States, TRIPS applies to copyrights, patents, trademarks, service marks, mask works (integrated circuit designs), and trade secrets. It also covers geographical indications210 and industrial designs.211 Not addressed by TRIPS, although part of the international jargon for intellectual property, are breeder’s rights212 and utility models.213 Thus, TRIPS establishes no standards as applied to these concepts, leaving each nation to set the parameters of protection unimpeded by TRIPS.

It is not by accident that TRIPS was negotiated within the context of GATT, which had set the international standards for trade tariffs and had provided remedies of trade retaliation if such standards were not adhered to. The structure of GATT provided the means under which developing countries agreed to reduce their trade tariffs in exchange for the right to export innovative products under an exclusive monopoly conveyed by intellectual property rights. The second benefit to the GATT format was to provide a means for trade retaliation if, under the dispute resolution provisions of TRIPS, the WTO determines that there is noncompliance. In reality, it is obvious that TRIPS benefits those industrial nations that are more likely to be at the forefront of innovation and more concerned with the protection of their citizens’ intellectual property.214 The major concession wrung by the developing countries under TRIPS was obtaining a period of 4 to 11 years to implement TRIPS and to bring their national laws into conformity.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

11 · 36 FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW

TRIPS generally reflects the U.S. view that focuses on the economic underpinnings for intellectual property rights as serving the greater societal interests. There is thus a shift from “societal” interests to “enterprise” interests. In particular, TRIPS adopts high minimum standards for patents, which will require significant legislative changes in developing countries. The copyright section, however, affords less protection than may be afforded by European nations, but it is in line with treatment in the United States. In short, TRIPS responds to the concern of enterprises in the United States that too loose a system of international protection has enabled imitation of U.S. innovations through copying and outright piracy.

11.11.2 TRIPS and Trade Secrets. Under its category for “Protection of Undisclosed Information,” TRIPS provides protection for the type of information routinely referred to as trade secrets in the United States. Member nations are required to implement laws that safeguard lawfully possessed information from being disclosed to, acquired by, or used by others without consent and contrary to “honest commercial practices” if such information is (a) a secret in that it is not in the public domain, (b) has commercial value because it is a secret, and (c) has been subject to reasonable steps to maintain its secrecy.

Because discussions that led to TRIPS are not institutionally preserved, unlike the United States Congressional Record, there is no negotiating history to be consulted to flesh out the meaning of the spare paragraphs instituting trade secret protection. There do, however, appear to be differences from the total panoply of protections afforded in the United States. The concept of public domain articulated by TRIPS is information that is “not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question.” This articulation appears to be addressing technological formulations of information, as opposed to general commercial information, such as financial information, that is generally considered proprietary and confidential in the United States. The focus on a technology formulation for protected information is bolstered by the TRIPS requirement that the information have commercial value. Thus, other types of information that are not part of a traded article may be deemed to have no commercial value and therefore to fall outside of the scope of protection. Depending on the particular jurisdiction in the United States, there is a distinction between confidential information and trade secrets based on the requirement that a trade secret must have commercial value. This, in turn, has been held to mean that information that is not exploited commercially is unprotectable under the law of trade secret. For example, the results of failed experiments that never resulted in a commercial product lack commercial value, even though such experiments are certainly helpful in the next round of exploration, in that they are signposts of what not to do.

The lesson to be drawn is that one should not assume symmetry of protections just because of the TRIPS provision. Instead, as part of the reasonable steps to maintain secrecy, enterprises need to consider carefully thought out and structured contractual provisions as well as a system of data caching that leaves truly confidential data in the United States, even if access is permitted outside. Improper takings of such data are, arguably, acts that occur in the United States, and such acts are subject to enforcement and punishment under the laws of the United States.

11.11.3 TRIPS and Copyright. TRIPS embraces the U.S. general model for copyright protection in its opening statement that “[c]opyright protection shall extend to expressions and not to ideas, procedures, methods of operation or mathematical concepts as such.” All member nations agree that, as to the protection of copyrights, the Berne Convention will apply. Under the Berne Convention, the duration of a copyright is the life of the author plus 50 years. If the life of a natural person is not involved, then it is ordinarily 50 years from publication. In addition, computer programs, whether in source or object code, are to be protected as literary works under the Berne Convention. TRIPS also recognizes that compilations of data can be protected as creative works. Article 10, ¶ 2 explicitly provides:

Compilations of data or other material, whether in machine readable or other form, which by reason of the selection or arrangement of their contents constitute intellectual creations shall be protected as such. Such protection, which shall not extend to the data or material itself, shall be without prejudice to any copyright subsisting in the data or material itself. (Emphasis added.)

TRIPS, therefore, does establish some minimum standard in the growing debate over what protections will be afforded a database. In the United States, the clear demarcation point for unprotected information is compilations that represent no more than “sweat-of-the-brow” efforts. Such compilations cannot be copyrighted.215 The classic example of a sweat-of-the-brow effort is the copying and alphabetical organizing of names, addresses, and telephone numbers that are in telephone books. In the United States, the key for copyright protection is the creator’s original contribution of selection and arrangement. Thus, arguably, the TRIPS provision mimics the law of the United States.

The European Union (EU) has taken a more protective path. In its 1996 European Database Directive, the EU granted databases sui generis protection as their own unique form of intellectual property. Under the EU Directive, a database is “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means.” A database may be protected either because it represents a work of “intellectual creation” or because it was compiled through “substantial investment.” The EU Directive protects such databases from unauthorized extraction or use for a period of 15 years, with the ability to extend the period for an additional 15 years if there was a “substantial new investment” in the database. Such protection extends to databases of EU members and to databases of nationals of other countries that offer protections similar to the EU.

The United States, despite a number of legislative proposals, has not adopted a concomitant rule. The result, at least for multinationals, is that entities that rely on databases should consider “locating” such databases within an EU member to take advantage of the EU’s database protections.

11.11.4 TRIPS and Patents. TRIPS requires that all members recognize the right to patent products or processes in all fields of technology. A patentable invention must be new, inventive, and have an industrial application. The patent application must fully and clearly disclose the invention so that a person skilled in the art could carry out the invention. Member nations may also require disclosure of the best mode known to the inventor for carrying out the invention as of the filing date. Patent rights are to be enforced without discrimination as to place of invention or whether the product is imported or produced locally. The patent of a product conveys the exclusive right to prevent, without consent of the patent owner, the making, using, offering for sale, selling, or importing of the product. The patent of a process conveys the exclusive right to prevent all of the above for products that result from the process as well as the use of the process itself. The holder of a patent also has the rights to assign, transfer, or license the patent. The minimum period of protection for a patent is 20 years from filing.

TRIPS gives each member state the right to carve out from patentability certain subject matters that have as their purpose the protection of human, animal, or plant life, or to avoid serious prejudice to the environment. In addition, TRIPS permits a member state to allow other use without authorization from the patent holder. The section defining when such use is permissible is the most detailed section among the patent provisions of TRIPS. In general, it permits such use only (a) after an effort to obtain a license from the patent holder on reasonable commercial terms and conditions, (b) with adequate remuneration to the patent holder, (c) if such use is limited predominantly to the domestic market of the member nation, and (d) if there is a review of the decision to permit, as well as the compensation, by a “higher authority in that Member.”

One of the circumstances envisioned by TRIPS is the grant of a second patent that cannot be exploited without infringing an earlier (first) patent. In such cases, a member nation may grant authority if the invention embodied in the second patent represents an “important technical advance of considerable economic significance” with respect to the first patent’s invention and a cross-license on reasonable terms is granted to the holder of the first patent to use the second patent. For process patents, TRIPS creates a limited burden on the alleged infringer to prove that the identical product was produced using a different process. In particular, a member state can create a presumption that the process patent was violated in circumstances where the product is new, or where the patent holder is unable to demonstrate what process was actually used.

11.11.5 TRIPS and Anticompetitive Restrictions. TRIPS acknowledges that some licensing practices or other conditions with respect to intellectual property rights may restrain competition, adversely affect trade, and impede the transfer and dissemination of technology. Accordingly, TRIPS permits member nations to specify practices that constitute an abuse of intellectual property rights and to adopt measures to control or limit such practices, so long as the regulation is consistent with other provisions of TRIPS. In the event that a national of a member nation violates another member’s laws and regulations regarding anticompetitive activity, TRIPS provides for the right of the involved nations to exchange information confidentially regarding the nationals and their activities.

11.11.6 Remedies and Enforcement Mechanisms. Each member nation is expected to provide an enforcement mechanism under its national laws to permit effective action against any act of infringement. Such procedures are to include remedies to prevent acts of infringement as well as to deter future acts. TRIPS imposes the obligation that all such procedures be “fair and equitable” and not be “unnecessarily complicated or costly” or involve “unwarranted delays.”216 In general, these remedies mean access to civil judicial procedures with evidentiary standards that shift the burden of going forward to the claimed infringer, once the rights holder has presented reasonably available evidence to support its claim. Damages may be awarded sufficient to compensate the rights holder for the infringement if the “infringer knew or had reasonable grounds to know that he was engaging in infringing activity.” This means that vigilance and notice are essential to have meaningful protection for intellectual property rights, since notice is the best means for setting up a damage claim. TRIPS permits its members to allow the recovery of lost profits or predetermined (statutory) damages even when the infringer did not know that it was engaged in infringing behavior. Although injunctive relief is to be provided for, remedies may be limited in circumstances involving patent holders, as discussed, where adequate compensation is paid, and the alleged infringer has otherwise complied with the provisions of its national law permitting such use upon payment of reasonable compensation. In order to deter further infringement, infringing materials may be ordered destroyed or noncommercially disposed of.

In addition to civil remedies, TRIPS requires criminal penalties in cases of “willful trademark counterfeiting or copyright piracy on a commercial scale.”217

11.12 RECENT DEVELOPMENTS IN INTELLECTUAL PROPERTY LAW218

11.12.1 AIA. Peter E. Heuser of Schwabe, Williamson, & Wyatt summarized the Leahy-Smith America Invents Act (AIA) of 2011219 as follows: “The AIA is the most important legislative patent reform in over 50 years. The AIA will change how patents are granted, how patent litigation will proceed and what kinds of inventions are eligible for patents, among other things.”220 The author summarized the main features of the AIA in detailed discussions of the following areas:

• First-to-file will now establish priority of invention
• Prior commercial user defense is established
• New post-grant proceedings for patent validity challenges
• The Patent and Trademark Office (PTO) will no longer grant patents on tax strategy
• Special transitional review for certain patents related to financial products and services
• Most PTO fees will increase by 15 percent
• Limited prioritized examination will be available
• New rules will affect litigation by nonpracticing entities
• False patent marking claims are curbed
• Other provisions will make it more difficult to attack patent validity

Complete information about the legislation is available through the Library of Congress THOMAS database.221

11.12.2 The PROTECT IP Act (PIPA). The PROTECT IP Act (Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act)222 or PIPA, was introduced in the U.S. Senate in May 2011 but failed to make it to the floor of the Senate.223 After extensive public opposition, including a worldwide temporary blackout of thousands of Web sites in protest of PIPA and the Stop Online Piracy Act (SOPA, below),224 the bill was suspended in January 2012 pending further analysis.225

PIPA’s main points include the following (quoting several sections from the THOMAS database):


• Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 or the PROTECT IP Act of 2011—(Sec. 3) Authorizes the Attorney General (AG) to commence: (1) an in personam action against a registrant of a nondomestic domain name (NDN) used by an Internet site dedicated to infringing activities (ISDIA) or an owner or operator of an ISDIA accessed through an NDN; or (2) if such individuals are unable to be found by the AG or have no address within a U.S. judicial district, an in rem action (against a domain name itself, in lieu of such individuals) against the NDN used by an ISDIA.

• Defines ISDIA as a site that: (1) has no significant use other than engaging in or facilitating copyright infringement, circumventing technology controlling access to copyrighted works, or selling or promoting counterfeit goods or services; or (2) is designed, operated, or marketed and used to engage in such activities.

• Defines NDN as a domain name for which the registry that issued the domain name and operates the relevant top level domain, and the registrar for the domain name, are located outside the United States.

• Allows the court, upon application by the AG after an NDN-related in personam or in rem action is commenced under this section, to issue a temporary restraining order or an injunction against the NDN, registrant, owner, or operator to cease and desist further ISDIA activity if the NDN is used within the United States to access an ISDIA directing business to U.S. residents and harming U.S. intellectual property right holders.

• Directs the AG to identify and provide advance notice to operators of nonauthoritative domain name system servers (NDNSSs), financial transaction providers (FTPs), Internet advertising services (IASs), and providers of information location tools (ILTs), including search engines, online directories, and other indexes with hypertext links or referrals to online locations, whose action may be required to prevent such NDN-related ISDIA activity.

• Sets forth the preventative measures required to be taken by NDNSSs, FTPs, IASs, and ILTs upon being served with a court order in such an NDN-related action commenced by the AG.

• (Sec. 4) Authorizes the AG or an intellectual property right owner harmed by an ISDIA to commence: (1) an in personam action against a registrant of an ISDIA’s domain name or an owner or operator of an ISDIA accessed through a domain name; or (2) if such individuals are unable to be found or have no address within a U.S. judicial district, an in rem action against a domain name used by an ISDIA.

• Allows the court, upon application by the relevant plaintiff after an in personam or in rem action concerning a domain name is commenced under this section, to issue a temporary restraining order or injunction against a domain name, registrant, owner, or operator to cease and desist further ISDIA activity if the domain name is: (1) registered or assigned by a domain name registrar or registry located or doing business in the United States, or (2) used within the United States to access an ISDIA directing business to U.S. residents and harming U.S. intellectual property right holders.

• Directs the relevant plaintiff to identify and provide advance notice to FTPs and IASs whose action may be required to prevent such ISDIA activity.


• Requires, upon being served with a court order after such an in personam or in rem action concerning a domain name is commenced by the AG or a private right owner under this section: (1) FTPs to take reasonable specified preventative measures, and (2) IASs to take technically feasible and reasonable measures.

• Sets forth provisions regarding the entities that may be required to take certain preventative measures in actions concerning both domain names and NDNs: (1) granting immunity to such entities for actions complying with a court order, (2) authorizing the relevant plaintiff to bring an action for injunction relief against a served entity that knowingly and willfully fails to comply with a court order, and (3) permitting such entities to intervene in commenced actions and request modifications, suspensions, or terminations of related court orders.

• (Sec. 5) Provides immunity from liability for: (1) FTPs or IASs that, in good faith, voluntarily take certain preventative actions against ISDIAs, and (2) domain name registries and registrars, FTPs, ILTs, or IASs that, in good faith, withhold services from infringing sites that endanger public health by distributing prescription medication that is counterfeit, adulterated, misbranded, or without a valid prescription. …

11.12.3 The Stop Online Piracy Act (SOPA). The Stop Online Piracy Act (SOPA), H.R. 3261,226 is summarized in the THOMAS database as follows:

• … Authorizes the Attorney General (AG) to seek a court order against a U.S.-directed foreign Internet site committing or facilitating online piracy to require the owner, operator, or domain name registrant, or the site or domain name itself if such persons are unable to be found, to cease and desist further activities constituting specified intellectual property offenses under the federal criminal code including criminal copyright infringement, unauthorized fixation and trafficking of sound recordings or videos of live musical performances, the recording of exhibited motion pictures, or trafficking in counterfeit labels, goods, or services.

• Sets forth an additional two-step process that allows an intellectual property right holder harmed by a U.S.-directed site dedicated to infringement, or a site promoted or used for infringement under certain circumstances, to first provide a written notification identifying the site to related payment network providers and Internet advertising services requiring such entities to forward the notification and suspend their services to such an identified site unless the site’s owner, operator, or domain name registrant, upon receiving the forwarded notification, provides a counter notification explaining that it is not dedicated to engaging in specified violations. Authorizes the right holder to then commence an action for limited injunctive relief against the owner, operator, or domain name registrant, or against the site or domain name itself if such persons are unable to be found, if: (1) such a counter notification is provided (and, if it is a foreign site, includes consent to U.S. jurisdiction to adjudicate whether the site is dedicated to such violations), or (2) a payment network provider or Internet advertising service fails to suspend its services in the absence of such a counter notification.

• Requires online service providers, Internet search engines, payment network providers, and Internet advertising services, upon receiving a copy of a court order relating to an AG action, to carry out certain preventative measures including withholding services from an infringing site or preventing users located in the United States from accessing the infringing site. Requires payment network providers and Internet advertising services, upon receiving a copy of such an order relating to a right holder’s action, to carry out similar preventative measures.

• Provides immunity from liability for service providers, payment network providers, Internet advertising services, advertisers, Internet search engines, domain name registries, or domain name registrars that take actions required by this Act or otherwise voluntarily block access to or end financial affiliation with such sites.

• Permits such entities to stop or refuse services to certain sites that endanger public health by distributing prescription medication that is adulterated, misbranded, or without a valid prescription.

• Expands the offense of criminal copyright infringement to include public performances of: (1) copyrighted work by digital transmission, and (2) work intended for commercial dissemination by making it available on a computer network. Expands the criminal offenses of trafficking in inherently dangerous goods or services to include: (1) counterfeit drugs; and (2) goods or services falsely identified as meeting military standards or intended for use in a national security, law enforcement, or critical infrastructure application.

• Increases the penalties for: (1) specified trade secret offenses intended to benefit a foreign government, instrumentality, or agent; and (2) various other intellectual property offenses as amended by this Act.

• Directs the U.S. Sentencing Commission to review, and if appropriate, amend related Federal Sentencing Guidelines.

• Requires the Secretary of State and Secretary of Commerce to appoint at least one intellectual property attaché to be assigned to the U.S. embassy or diplomatic mission in a country in each geographic region covered by a Department of State regional bureau.

Critics of the legislation include the American Civil Liberties Union, some educators, some law professors, and the United States Student Association.227 Arguments included the following:

• The bill would lead to removal of much noninfringing content from the Web, resulting in infringement of free speech.

• Eliminating the focus articulated in PIPA about concentrating on sites dedicated to infringing activity would waste government resources on an enormous range of sites.

• ISPs, search engine providers, payment network providers, and advertising services would all have to obey the Attorney General’s orders to block all access to sites with infringing content, thus blocking access to all the sites’ noninfringing content as well.

• Educational uses could be severely constrained if a single infringing document led to the shutdown of an entire site.

• Sites with a single link to infringing content could be classified as “facilitating” infringement and thus be shut down.

• The bill would violate standards of due process by allowing administrative shutdown without providing an opportunity for the owners of the accused sites a chance to defend themselves.

• SOPA’s potential barriers to access could severely affect the worldwide movement to pressure dictatorial regimes such as that of the People’s Republic of China in their consistent suppression of free access to information.

• Librarians, educators, and students could be subject to administrative shutdown even for what could be justified as fair use of copyright materials.

The proposed bill was dropped at the same time as PIPA (above).

11.12.4 Patent Trolls. Groups aggressively targeting users of little-known patents, often purchased from inventors who have never exercised their rights before, are known as nonpracticing entities or patent trolls. Some of these companies devote their entire business to suing or threatening to sue on the basis of their acquired patents.228

In one notorious case, a company bought

… the Canadian patent known as “Automatic Information, Goods, and Services Dispensing System (Canada ’216)” whose complete text is available at http://patents1.ic.gc.ca/details?patent_number=1236216&language=EN_CA [and] specifically addresses “a system for automatically dispensing information, goods and services to a customer on a self-service basis including a central data processing centre in which information on services offered by various institutions in a particular industry is stored. One or more self-service information and sales terminals are remotely linked to the central data processing centre and are programmed to gather information from prospective customers on goods and services desired, to transmit to customers information on the desired goods or services from the central data processing centre, to take orders for goods or services from customers and transmit them for processing to the central data processing centre, to accept payment, and to deliver goods or services in the form of documents to the customer when orders are completed. The central data processing centre is also remotely linked to terminals of the various institutions serviced by the system, so that each institution can be kept up-dated on completed sales of services offered by that institution.” [Note that Canadian spelling is used above.] Think about this patent. Does it not remind you unavoidably of what you did the last time you ordered a book or bought something online? Or performed any other commercial transaction on the Web?229

A study published by the Boston University School of Law230 found that patent trolls “… cost U.S. software and hardware companies US$29 billion in 2011. …”231

In the House of Representatives, Peter DeFazio (D-OR) introduced H.R. 6245, Saving High-Tech Innovators from Egregious Legal Disputes Act of 2012, in August 2012.232

It would “[Amend] federal patent law to allow a court, upon finding that a party does not have a reasonable likelihood of succeeding in an action disputing the validity or alleging infringement of a computer hardware or software patent, to award the recovery of full litigation costs to the prevailing party, including reasonable attorney’s fees. …” At the time of writing (May 2013), the bill was still in the hands of the Subcommittee on Intellectual Property, Competition and the Internet of the House Committee on the Judiciary.

In May 2013, Senator Charles Schumer (D-NY) introduced S.866, the Patent Quality Improvement Act, an amendment to the AIA to extend its provisions for challenging patents on business methods.233

The Library of Congress THOMAS database describes the substance of the proposal as follows:

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-09 12:02:42.

Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.

11 · 44 FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW

• Amends the Leahy-Smith America Invents Act to remove the eight-year sunset provision with respect to the transitional post-grant review program available to review the validity of covered business method patents, thereby making the program permanent.

• Expands the term “covered business method patent” to include a patent that claims a method or corresponding apparatus for performing data processing or other operations used in the practice, administration, or management of any enterprise, product, or service, except technological inventions. (Current law limits the program to financial products or services.)234

11.13 CONCLUDING REMARKS. Data security ultimately involves the protection of proprietary or personal data and intellectual property. The competition to acquire and retain intellectual property legally is invariably met by unethical and illegal efforts to deprive legitimate owners of their rights. It is necessary, therefore, to be fully aware of the mechanisms and procedures required to protect these rights as part of any computer security program.

This chapter has attempted to delineate the most important aspects of the problem. However, many facets of the legal questions remain unanswered or have been answered generally rather than in the context of a particular problem. Prudent guardians of intellectual property should monitor relevant judicial determinations continuously and be certain to integrate them into a planned approach to protect these most valuable assets.

11.14 FURTHER READING

Bently, L., and B. Sherman. Intellectual Property Law, 3rd ed. Oxford, UK: Oxford University Press, 2008.

Bloomberg. “Intellectual Property News” Web site. http://topics.bloomberg.com/intellectual-property

Bouchoux, D. E. Intellectual Property: The Law of Trademarks, Copyrights, Patents, and Trade Secrets, 4th ed. Cengage Learning, 2012.

Guardian Newspaper. Intellectual property archive of more than 500 recent articles. www.guardian.co.uk/law/intellectual-property

McJohn, S. Intellectual Property: Examples and Explanations, 4th ed. New York, NY: Aspen Publishers, 2012.

Nard, C. A., D. W. Barnes, and M. J. Madison. The Law of Intellectual Property, 3rd ed. New York, NY: Aspen Publishers, 2011.

Poltorak, A. I., and P. J. Lerner. Essentials of Intellectual Property, 2nd ed. Hoboken, NJ: John Wiley & Sons, 2011.

Stim, R. Patent, Copyright & Trademark: An Intellectual Property Desk Reference, 12th ed. Berkeley, CA: Nolo Press, 2012.

11.15 NOTES

1. For the uninitiated, a tort is a civil wrong (i.e., an act or failure to act that violates common law rules of civil society, and is distinguished from criminal wrongdoing).

2. See ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996) (product could be returned if shrink-wrap terms were unacceptable).


3. See Information Handling Services, Inc. v. LRP Publications, Inc., 2000 U.S. Dist. LEXIS 14531 (E.D. Pa., Sept. 20, 2000) (limit on unauthorized copies); Hughes v. America Online, Inc., 204 F. Supp. 2d 178 (D. Ma. 2002) (enforcing forum selection clause).

4. See LLAN Systems, Inc. v. Netscout Service Level Corp., 183 F. Supp. 328 (D. Mass. 2002) (click-wrap software agreement enforceable under Uniform Commercial Code as acceptance of an offer).

5. See Motise v. America Online, Inc., 346 F. Supp. 2d 563 (S.D. N.Y. 2004) (user who logged on through another’s account is bound by the terms of use even though not read).

6. 356 F.3d 393 (2d Cir. 2004).

7. See Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 473, 94 S. Ct. 1879, 40 L. Ed. 2d 315 (1974).

8. It is easy to confuse the notion of common law trade secret law with protection of confidential information. There is a distinction, however. At its core, trade secret law requires commercial application and utility, which is not true of confidential information that is generally protected as a matter of contract. For example, a failed experiment has no commercial utility and is not generally considered a trade secret, although it easily could be deemed confidential information.

9. The need to protect the information from general dissemination is what, in part, has given rise to the practice of Non Disclosure Agreements.

10. UTSA, 14 U.L.A. § 2(a).

11. See Trade Secrets Act, 18 U.S.C. § 1905; see also J. Michael Chamblee, J. D., Validity, Construction, and Application of Title I of Economic Espionage Act of 1996, 177 A.L.R. Fed. 609, ∗2 (2003) (hereinafter “Chamblee at ”). Other federal statutes, such as the National Stolen Property Act, 18 U.S.C. § 2314, were likewise of marginal utility in combating the rising problem of economic espionage. See Chamblee at ∗2.

12. Craig L. Uhrich, Article: The Economic Espionage Act—Reverse Engineering and the Intellectual Property Public Policy, 7 Mich. Telecomm. Tech. L. Rev. 147, 148–49 (2000/2001) (hereinafter “Uhrich at ”). Uhrich observes that the FBI investigated over 200% more economic espionage cases in 1996 than it had in 1994. See Uhrich at 151.

13. 18 U.S.C. §§ 1831, 1832.

14. Id.

15. 18 U.S.C. §§ 1831, 1832.

16. 18 U.S.C. §§ 1832 and 3571.

17. 18 U.S.C. § 1839 (3).

18. United States v. Lange, 312 F.3d 263 (7th Cir. 2002) (emphasis added).

19. 18 U.S.C. § 1839.

20. The 1980 Computer Software Copyright Act carved out for owners of computer programs a right to adapt, and for that purpose to copy, the program so that it functions on the actual computer in which it is installed. See discussion under the subheading “Derivative Works.”

21. See, e.g., Computer Management Assistance Co. v. Robert F. DeCastro, Inc. 220 F.3d 396 (5th Cir. 2000) and Engineering Dynamics, Inc. v. Structural Software, Inc., 26 F.3d 1335 (5th Cir. 1994).


22. Ideas, if protectable at all, are protected by patent.

23. The Copyright Act, 17 U.S.C. § 109(b).

24. The Copyright Act itself in sections 108 through 121 provides detailed limitations on the copyright owner’s exclusive rights. These limitations are simply a matter of statutory construction. In addition, courts developed the doctrine of fair use in an effort to balance the rights of copyright owner and the public interest. That doctrine is now codified as part of the copyright statute in 17 U.S.C. § 107.

25. See the House Report No. 94-1476, 94th Cong., 2d Sess. 62 (1976) on the 1976 Act.

26. The Copyright Act, 17 U.S.C. § 102(b).

27. 797 F.2d 1222 (3rd Cir. 1986).

28. 982 F.2d 693 (2d Cir. 1992).

29. 977 F.2d 1510 (9th Cir. 1992), amended, Sega Enterprises Ltd. v. Accolade, Inc., 1993 U.S. App. Lexis 78.

30. 977 F.2d at 1527–1528.

31. 975 F.2d 832 (Fed. Cir. 1992), petition for rehearing denied, 1992 U.S. App. Lexis 30957 (1992).

32. 79 F.3d 1532 (11th Cir. 1996).

33. 350 F.3d 640, 645 (7th Cir. 2003).

34. Evolution, Inc. v. Suntrust Bank, 342 F. Supp. 2d 943, 956 (D. Kan. 2004).

35. Compare Micro Star v. Formgen, Inc., 154 F.3d 1107 (9th Cir. 1998) (infringement found because copyrighted images displayed) with Lewis Galoob Toys, Inc. v. Nintendo of America, Inc., 964 F.2d 965 (9th Cir. 1992) (no infringement although product compatible with Nintendo product).

36. 17 U.S.C. § 107.

37. 510 U.S. 569 (1994).

38. Id. at 577.

39. Id. at 580.

40. See the House Report No. 94-1476, 94th Cong., 2d Sess. 62 (1976) on the 1976 Copyright Act.

41. 17 U.S.C. § 117.

42. Aymes v. Bonelli, 47 F.3d 23 (2d Cir. 1995).

43. 17 U.S.C. § 901(a).

44. MGM Studios Inc. v. Grokster, Ltd., 545 U.S. 913, 930 (2005).

45. Playboy Enterprises v. Frena, 839 F. Supp. 1552 (M.D. Fla. 1993); see also Sega Enterprises v. MAPHIA, 857 F. Supp. 679 (N.D. Cal. 1994), and 948 F. Supp. 923 (N.D. Cal. 1996) (providing site for and encouraging uploading of copyrighted games was copyright infringement).

46. Religious Technology Center v. Netcom On-line Communication Services, Inc., 90 F. Supp. 1361 (N.D. Cal. 1995).

47. 17 U.S.C. § 502.

48. 17 U.S.C. § 503.

49. 17 U.S.C. § 504.

50. 17 U.S.C. § 505.

51. 17 U.S.C. § 506.


52. 17 U.S.C. § 504(a).

53. See Harris Market Research v. Marshall Marketing and Communications, Inc., 948 F.2d 1518 (10th Cir. 1991).

54. See Regents of the University of Minnesota v. Applied Innovations, Inc., 685 F. Supp. 698, aff’d, 876 F.2d 626 (8th Cir. 1987) 698.

55. Id.

56. See Cream Records, Inc. v. Jos. Schlitz Brewing Co., 754 F.2d 826 (9th Cir. 1985).

57. See Eales v. Environmental Lifestyles, Inc., 958 F.2d 876 (9th Cir. 1992), cert. den. 113 S. Ct. 605.

58. See Softel, Inc. v. Dragon Medical and Scientific Communications Ltd., 891 F. Supp. 935 (S.D. N.Y. 1995). Interestingly, in this case, the court also held that any increase in the infringer’s profit may be considered when calculating the profit that must be disgorged to the license holder.

59. See Harper & Row Publishers, Inc. v. Nation Enterprises, 471 U.S. 539, 105 S. Ct. 2218 (1985); Data General Corp. v. Grumman Systems Support Corp., 36 F.3d 1147 (1st Cir. 1994).

60. 17 U.S.C. § 504(c)(1).

61. Id.

62. 17 U.S.C. § 504(c)(2).

63. The theoretical nature of the relationship between actual and statutory damages is illustrated dramatically when the copyright owner demonstrates that the infringement was willful. See Peer International Corp. v. Luna Records, Inc., 887 F. Supp. 560 (S.D. N.Y. 1995), where the music publisher’s president willfully infringed licensed and unlicensed works and was assessed $10,000 for the licensed works, $15,000 for the unlicensed works, and $25,000 that the president used in derivative format without permission even though actual damages were $4,107. Presumably, this resulted from the court’s attempt to find a way to punish the infringer since the statute makes no provision for punitive damages.

64. See Central Point Software, Inc. v. Nugent, 903 F. Supp. 1057 (E.D. Tex. 1995).

65. See Walt Disney Co. v. Powell, 897 F.2d 565 (D.C. Cir. 1990).

66. 17 U.S.C. § 1202(b).

67. Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D. N.Y. 2000).

68. 17 U.S.C. § 1201(a).

69. 17 U.S.C. § 1201(a)(2).

70. 17 U.S.C. § 1201(a)(3).

71. Id.

72. 2000 U.S. Dist. LEXIS 1889 (W.D. Wash. January 18, 2000).

73. Id. at 19–21.

74. Universal City Studios, Inc. v. Reimerdes, supra note 67.

75. Universal City Studios v. Corley, 273 F.3d 429 (2nd Cir. 2002).

76. Id. at 446–447.

77. Id. at 450–451.

78. 307 F. Supp. 2d 521 (S.D. N.Y. 2004).

79. 320 F.3d 1317 (Fed. Cir. 2003), writ of certiorari denied, 539 U.S. 928 (2003).

80. 847 F.2d 255 (5th Cir. 1988).


81. See, e.g., Davidson & Assocs. v. Jung, 422 F.3d 630, 639 (8th Cir. 2005).

82. 17 U.S.C. § 1201(f)(1).

83. 17 U.S.C. § 1201(f)(2).

84. 17 U.S.C. § 1201(f)(4).

85. 17 U.S.C. § 1201(f)(3).

86. 381 F.3d 1178 (Fed. Cir. 2004), cert. denied, 544 U.S. 923 (2005).

87. 387 F.3d 522 (6th Cir. 2004).

88. Storage Tech. Corp. v. Custom Hardware Eng’g & Consulting, Inc., 421 F.3d 1307 (Fed. Cir. 2005).

89. 17 U.S.C. § 1201(i)(1).

90. 17 U.S.C. § 1201(j)(3).

91. 17 U.S.C. § 1201(j)(1).

92. 35 USC § 113 requires the submission of a drawing “where necessary for the understanding of the subject matter to be patented.”

93. 35 U.S.C. §§ 283 and 284.

94. 127 S. Ct. 1746, 1757 (2007).

95. Webster’s Seventh New Collegiate Dictionary (1967 ed.), p. 644.

96. 2007 CSI/FBI Computer Crime and Security Survey (hereafter the CSI/FBI Survey), pp. 12–13. Although the percentage of organizations reporting Internet abuse is down substantially since this chapter was first published, it nonetheless remains a source of substantial concern. In the same study, 26 percent of respondents reported phishing where the respondent was fraudulently identified as the sender; 25 percent reported misuse of instant messaging and unauthorized access to information; and 17 percent reported theft of customer and/or employee data.

97. SIIA Anti-Piracy 2007 Year in Review (www.siia.org/piracy/yir_2007.pdf). According to the SIIA, the source of the financial loss described in the text is the research firm IDC.

98. See Lamb and Rosen, Global Piracy and Financial Valuation of Intellectual Property, pp. 11.1–11.3.

99. “The subject matter of copyright … includes compilations.” 17 U.S.C. § 103.

100. Feist Publications, Inc. v. Rural Telephone Service Co., Inc. 499 U.S. §§ 340, 361 (1991).

101. Id. at 350–351. See 17 U.S.C. §§ 101–103.

102. Id. at 344, 348–349. See Ticketmaster Corp. v. Tickets.com, Inc., 2000 U.S. Dist. LEXIS 12987 (C.D. Cal. Aug. 10, 2000), aff’d, 2001 U.S. App. LEXIS 1454 (9th Cir. Jan. 22, 2001).

103. Feist Pub., Inc. v. Rural Tel., supra note 105, at 352–354, where the court rejected the so-called sweat-of-the-brow doctrine.

104. Matthew Bender & Co., Inc. v. West Publishing Co., 158 F.3d 674, 682 (2d Cir. 1998) (“[t]he creative spark is missing where: (i) industry conventions or other external factors so dictate the selection that any person composing a compilation of the type at issue would necessarily select the same categories of information, or (ii) the author made obvious, garden-variety, or routine selections.”). See also Silverstein v. Penguin Putnam, Inc. 368 F.3d 77, 83 (2d Cir. 2004).


105. 121 S. Ct. 2381; 150 L. Ed. 2d 500; 2001 U.S. LEXIS 4667; 69 U.S.L.W. 4567 (2001). Note: The party appealing to the Supreme Court is named first.

106. The court found interesting the publishers’ decision not to assert a claim of transformative fair use. Id. at 2390. See Section 12.1.2.3.3 (transformative use section), supra.

107. 464 U.S. 417 (1984).

108. Transformative fair use was recently applied to the use of Rio devices, which permit individual users to download purchased MP3 music files to a hard drive and then play them either on the PC or a CD. These devices were analogized to the Betamax time shifting discussed in Sony and were upheld primarily on that basis. See Recording Industry Association of America v. Diamond Multimedia Systems, Inc., 180 F.3d 1072 (9th Cir. 1999).

109. 17 U.S.C. § 512(c).

110. 17 U.S.C. § 512(k).

111. 17 U.S.C. § 512(i).

112. 17 U.S.C. § 512(c)(1). See ALS Scan, Inc. v. RemarQ Communities, Inc., 239 F.3d 619 (4th Cir. 2001), where the court of appeals determined what notice was sufficient to remove the safe harbor protection. See also In re Aimster Copyright Litig., 252 F. Supp. 2d 634 (N.D. Ill. 2002), aff’d 334 F.3d 643 (7th Cir. 2003), for general discussion of this safe harbor provision, where Aimster had actual knowledge of the infringement by its users and therefore could not avoid liability under the safe harbor.

113. 907 F. Supp. 1361 (N.D. Cal. 1995). The Netcom decision predated the DMCA and provided part of the rationale and reasoning used by Congress in drafting and passing Title II of the DMCA. See House Rep. 105-551(I), at 11.

114. The church raised a question of fact about the impact of the ISP’s activity on the church’s potential market by asserting that the posting of the church’s materials on the bulletin board discouraged active participation by existing and potential congregants. Therefore, the court could not find for the ISP as a matter of law.

115. 373 F.3d 544, 555 (4th Cir. 2004). The court went on to state, however, that an ISP “can become liable indirectly upon a showing of additional involvement sufficient to establish a contributory or vicarious violation of the Act. In that case, the ISP could still look to the DMCA for a safe harbor if it fulfilled the conditions therein.”

116. See, e.g., Playboy Enterprises, Inc. v. Frena, 839 F. Supp. 1552 (M.D. Fla. 1993). The Frena decision, insofar as it holds the bulletin board service provider liable for infringement, has been expressly overruled by Title II of the DMCA. See House Rep. 105-551(I), at 11.

117. Los Angeles Times v. Free Republic, 2000 U.S. Dist. LEXIS 5669 (C.D. Cal. April 5, 2000). In the Free Republic decision, the court recognized the public benefit of posting articles for commentary and criticism but found that the initial postings contained little or no commentary that might transform the article into a new original work. See also Video Pipeline, Inc., v. Buena Vista Home Entm’t, Inc., 342 F.3d 191, 199 (3d Cir. 2003), rejecting the fair use defense for an online distributor that made its own movie clip previews and used them as movie trailers by copying short segments of plaintiff’s movies in part because the online distributor benefited from the infringement.


118. Storm Impact, Inc. v. Software of the Month Club, 13 F. Supp. 2d 782 (N.D. Ill. 1998).

119. There are various names for the components of the software programs that actually travel through the Web looking for data, including bots, crawlers, spiders, scrapers, and automated data retrieval systems.

120. Kelly v. Arriba Soft Corp., 336 F.3d 811 (9th Cir. 2003).

121. 416 F. Supp. 2d 828, 838–846 (C.D. Calif. 2006).

122. 508 F.3d 1146 (9th Cir. 2007).

123. 239 F.3d 1004 (9th Cir. 2001), aff’d, 284 F.3d 1091 (9th Cir. April 3, 2002).

124. See also UMG Recordings, Inc. v. MP3.com, Inc., 92 F. Supp. 2d 349 (S.D. N.Y. 2000), where the district court held that storing recordings from purchased CDs on MP3.com’s servers for retransmission to other users was infringement and not transformative fair use.

125. Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 125 S. Ct. 125 (2005).

126. Id. at 926.

127. Id. at 936–937.

128. Id. at 937.

129. 100 F. Supp. 2d 1058 (N.D. CA 2000).

130. 30 Cal. 4th 1342; 71 P.3d 296; 1 Cal. Rptr. 3d 32 (2003).

131. 356 F.3d 393 (2d Cir. 2004).

132. 86 F.3d 1447 (7th Cir. 1996).

133. 18 U.S.C. § 1030.

134. Pub. L. 98-474, codified at 18 U.S.C. § 1030.

135. Pub. L. 99-474.

136. National Information Infrastructure Protection Act of 1996, Pub. L. 104–294.

137. 18 U.S.C. § 1030(a)(1).

138. 18 U.S.C. § 1030(a)(2).

139. 18 U.S.C. § 1030(a)(3).

140. 18 U.S.C. § 1030(a)(4).

141. 18 U.S.C. § 1030(a)(5). See Hotmail Corporation v. Van$ Money Pie, Inc., 1998 WL 388389, 47 U.S.P.Q.2d 1020 (N.D. Cal. 1998).

142. 18 U.S.C. § 1030(a)(6).

143. 18 U.S.C. § 1030(a)(7).

144. Senate Rep. 104-357, pp. 7–8.

145. Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D. N.Y. 2000).

146. Id.

147. In Re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (2001). But see U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where the court of appeals found that an IRS employee who accessed private tax information in violation of IRS rules but did not disclose the accessed information could not be prosecuted under 18 U.S.C. § 1030(a)(4) because he lacked an intent to deprive the affected taxpayers of their right to privacy.

148. Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash 2000).


149. America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998).

150. U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000).

151. Council Directive 95/46, 1995 O.J. (L.281) 31–50 (EC).

152. As a result the United States negotiated with the EU the Safe Harbor Arrangement, administered by the Federal Trade Commission, under which a U.S. company can opt in to compliance with the EU Data Directive.

153. For an updated list, go to www.pirg.org/consumer/credit/statelaws.htm.

154. 149 N.H. 148, 816 A.2d 1001 (2003).

155. 18 U.S.C. §§ 2511(1)(a) and 2502(a).

156. Pub. L. No. 99-508, 100 Stat. 1848 (codified throughout scattered sections of 18 U.S.C.).

157. S. Rep. No. 99-541, at 1 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555.

158. 18 U.S.C. § 2510(12).

159. Id. § 2510(4).

160. 18 U.S.C. § 2511(1)(a) (emphasis added); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 875 (9th Cir. 2002) (Konop) (noting the legislative history of the ECPA indicates that Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards).

161. 18 U.S.C.A. § 511(2)(d). One should note, however, that as a result of the Patriot Act, an order from a U.S. or state attorney general is sufficient to permit the government to install a device to record electronic transmissions for up to 60 days where related to an ongoing criminal investigation. The FBI has in its arsenal a program known as Carnivore that essentially tracks a target’s online activity. Recently, Freedom of Information inquiries by the Electronic Privacy Information Center (EPIC, www.epic.org) suggests that the FBI has discontinued use of Carnivore because ISPs, in light of the PATRIOT Act, may be providing information regarding a user’s internet traffic directly to the government.

162. Griggs-Ryan v. Smith, 904 F.2d 112, 117 (1st Cir. 1990) (holding consent may be implied where the individual is on notice of monitoring of all telephone calls).

163. Federal law allows states to enact their own wiretapping statutes provided that the state statutes are at least as strict as the federal counterpart. Lynn Bernabei, Ethical and Legal Issues of Workplace Monitoring of Employee Communications, 2003 WL 22002093, ∗2 (April 2003) (hereinafter “Bernabei at ”). Bernabei notes that most states have adopted statutes that mirror the federal statutes and that at least 10 states, including Massachusetts, require the consent of both parties before the employer can record a conversation. Id.

164. 18 U.S.C. § 2511(2)(a)(i) (Supp. 2003).

165. Briggs v. Am. Air Filter Co., 630 F.2d 414 (5th Cir. 1980) (holding employer could monitor employee’s communication “when [the] employee’s supervisor [had] particular suspicions about confidential information being disclosed to a business competitor, [had] warned the employee not to disclose such information, [had] reason to believe that the employee is continuing to disclose the information, and [knew] that a particular phone call is with an agent of the competitor.”).

166. 18 U.S.C. § 2511(1)(a).

167. Konop, 302 F.3d at 876 (emphasis added).

168. Id.


169. E.g., Wesley Coll. v. Pitts, 974 F. Supp. 375, 386 (D. Del. 1997) (holding that the act criminalizes only the interception of electronic communications contemporaneously with their transmission, not once they have been stored); Payne v. Norwest Corp., 911 F. Supp. 1299, 1303 (D. Mont. 1995) (holding the appropriation of voicemail or similar stored electronic message does not constitute an “interception” under the act); Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461–462 (5th Cir. 1994) (holding that the government’s acquisition of email messages stored on an electronic bulletin board system, but not yet retrieved by the intended recipients, was not an “interception” under the Wiretap Act).

170. See United States v. Councilman, 418 F.3d 67, 69–70 (1st Cir. 2005) (en banc).

171. In re Pharmatrak, Inc., 329 F.3d 9, 21 (1st Cir. 2003).

172. Id.

173. United States v. Councilman, 245 F. Supp. 2d 319 (D. Mass. 2003) (Wiretap Act count dismissed against email service provider who was charged with attempting to use electronic communications passing through his service for commercial gain).

174. Eagle Investment Systems, Corp. v. Tamm, 146 F. Supp. 2d 105, 112–113 (D. Mass. 2001).

175. USA PATRIOT Act § 209, 115 Stat. at 283; Konop, 302 F.3d at 876–878 (“The purpose of the recent amendment was to reduce the protection of voice mail messages to the lower level of protection provided other electronically stored communications.”).

176. 302 F.3d at 876.

177. Id. at 879.

178. 18 U.S.C. § 2701 et seq.

179. Bernabei at ∗2.

180. 18 U.S.C. §§ 2701(a)(1), 2707(a) (emphasis added).

181. Id. § 2510(17), incorporated by 18 U.S.C. § 2711(1).

182. 18 U.S.C. § 2701(c)(1).

183. 18 U.S.C. § 2701(c)(2).

184. Theofel v. Farey-Jones, 359 F.3d 1006 (9th Cir. 2004).

185. In re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (Doubleclick); In re Toys R US, Inc. Privacy Litigation, 2001 U.S. Dist. LEXIS 16947 (N.D. Ca. 2001).

186. 154 F. Supp. 2d at 511–512.

187. Fraser v. Nationwide Mut. Ins. Co., 2003 U.S. App. LEXIS 24856, ∗19 (3rd Cir. 2003).

188. Jeanie Duncan Fallon, Open Source Licenses: Understanding the General Public License, Technology Licensing Primer, p. 248 (2d ed. 2001).

189. Richard Stallman, The GNU Project, available at www.gnu.org/gnu/thegnuproject.html. Stallman also started the Free Software Foundation (FSF) in 1985.

190. John C. Yates and Paul H. Arne, Open Source Software Licenses: Perspectives of the End User and the Software Developer, 25th Annual Institute on Computer & Internet Law, vol. 2, p. 104 (2005). It is estimated that thousands of programmers have contributed to Linux.


191. It is considered less extreme than the FSF, which basically advocates for an end to proprietary rights as applied to software.

192. See www.opensource.org/licenses/

193. This makes sense especially considering the FSF’s vision of free software and its insistence on setting forth those views in the preamble of the GPL.

194. Section 2 of the GPL states: “You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.”

195. Fallon, at 250.

196. GPL Version 2.

197. Id. at 2(c).

198. Lori E. Lesser, Open Source Software: Risks, Benefits, & Practical Realities in the Corporate Environment, Open Source Software: Risks, Benefits, & Practical Realities in the Corporate Environment, p. 41 (2004).

199. See id.

200. Progress Software Corp. v. MySQL AB, 195 F. Supp. 328, 329 (D. Mass. 2002).

201. Id. The court also noted that MySQL did not demonstrate the likelihood of irreparable harm during the pendency of the case.

202. See Stuart D. Levi and Andrew Woodard, “Open Source Software: How to Use It and Control It in the Corporate Environment,” The Computer Lawyer, vol. 21 (Aug. 8, 2004). “[A] policy needs to balance the benefits and competitive advantages of open source with the risks of using source code developed by parties with whom the company may not have a formal relationship.”

203. See Yates and Arne, supra n. 195, p. 107.

204. See Levi and Woodard, supra n. 207.

205. Also consider the fact that discovery in the course of litigation would also involve releasing proprietary codes, as IBM was forced to do for some of its products involved in the SCO litigation. Although discovery is obviously a different publication from that required under the GPL, it is an important issue to consider.

206. Id.

207. The Paris Convention was initially concluded in 1883 and updated in 1967. It is administered by the World Intellectual Property Organization, an agency of the United Nations. The Paris Convention has provisions that apply to patents, trademarks, service marks, industrial designs (similar to design patents), and unfair competition. Approximately 174 nations are now signatories to the Paris Convention.

208. Until the adoption of TRIPS, the Berne Convention was the other major international agreement. Like the Paris Convention, it is administered by the World Intellectual Property Organization. The Berne Convention, first adopted in 1886, has undergone a series of revisions. The Convention includes “every production in the literary, scientific and artistic domain whatever may be the mode or form of its expression.” Berne Convention, Art. 2, ¶ 1. Essentially, it assures that a work protected within a member state will also be protected outside of the member state without being subject to discriminating formalities. The number of signatories to the Berne Convention is presently 165 nations.


209. The WTO effectively began operating on July 1, 1995, as a result of the 1994 Uruguay Round Agreements. The WTO replaces GATT (General Agreement on Tariffs and Trade), which had been in operation since 1950. Congress ratified the Uruguay Round Agreements in December 1994. The WTO has approximately 132 member nations. In 1995, the WTO and the World Intellectual Property Organization (WIPO) signed a joint agreement that provides, among other things, for cooperation in providing legal technical assistance and technical cooperation related to the TRIPS Agreement for developing country members of either of the two organizations. The WIPO has approximately 171 members and is responsible for international cooperation in promoting intellectual property protection around the world. In particular, it looks after various international conventions, such as the Paris Convention and the Berne Convention.

210. Geographical indications are marks or other expressions that state the country, region, or place in which a product or service originates.

211. Industrial designs protect the aesthetic look of the product and are similar but not identical to the United States notion of trade dress. Products may be afforded protection based on novelty or originality of design, depending on national law.

212. Breeder’s rights confer protection on new and different plant varieties.

213. Utility models protect the manner in which a product works or functions and as such are different from industrial design, which protects only the aesthetics of the product. Generally, utility models address mechanical functioning, which in the United States is not protectable unless patentable. Thus, the innovation in the United States must be significant to warrant protection.

214. Until 1989, the developing countries largely refused to negotiate standards. Threats by the United States of trade sanctions under the United States Trade Act played a significant role in altering the positions of economically weaker developing countries. In particular, China, India, Taiwan, and Thailand were all investigated.

215. Feist Publications v. Rural Telephone System, 499 U.S. 340 (1991).

216. TRIPS, Article 41.

217. TRIPS, Article 61.

218. This section was written by M. E. Kabay.

219. Leahy-Smith America Invents Act of 2011, H.R. 1249, www.govtrack.us/congress/bills/112/hr1249

220. Peter E. Heuser, “Recent Developments in IP Law of Interest to Business Attorneys,” Web site of Schwabe, Williamson & Wyatt, February 26, 2013, www.schwabe.com/showarticle.aspx?Show=12770

221. Library of Congress, 2011.

222. Library of Congress, 2012.

223. Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011, S. 968, www.govtrack.us/congress/bills/112/s968/text

224. Jonathan Weisman, “After an Online Firestorm, Congress Shelves Antipiracy Bills,” New York Times, January 20, 2012, www.nytimes.com/2012/01/21/technology/senate-postpones-piracy-vote.html?_r=0

225. Trevor Timm, “After Historic Protest, Members of Congress Abandon PIPA and SOPA in Droves,” Electronic Frontier Foundation | Deeplinks (blog), January 19, 2012, https://www.eff.org/deeplinks/2012/01/after-historic-protest-members-congress-abandon-pipa-and-sopa-droves

226. Library of Congress, 2011.

227. Electronic Frontier Foundation, Collection of documents about SOPA. Electronic Frontier Foundation Web site. December 12, 2011, https://www.eff.org/search/site/sopa

228. Mark Hachman, “Inside The Mind of A Patent Troll: If It’s Legal, It Must Be OK,” readwrite.com, May 13, 2013, http://readwrite.com/2013/05/03/inside-the-mind-of-a-patent-troll-if-its-legal-it-must-be-ok

229. M. E. Kabay, “PanIP has rights: PanIP has patents on e-commerce-related systems,” NetworkWorld, April 15, 2003, www.networkworld.com/newsletters/sec/2003/0414sec1.html

230. James E. Bessen and Michael J. Meurer, “The Direct Costs from NPE Disputes: Abstract,” Social Science Research Network Web site, June 28, 2012, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2091210

231. Loek Essers, “‘Patent Trolls’ Cost Tech Companies $29 Billion Last Year, Study Says,” PCWorld, June 27, 2012, www.pcworld.com/article/258395/patent_trolls_cost_tech_companies_29_billion_last_year_study_says.html

232. Library of Congress, 2012.

233. Grant Gross, “Senator introduces legislation targeting patent trolls,” PCWorld, May 01, 2013, www.pcworld.com/article/2037005/senator-introduces-legislation-targeting-patent-trolls.html

234. Library of Congress, 2013.
