August 2000 Meeting Report
by Howard L. Bonar
Secretary, Alaska Computer Society
The August 10, 2000 meeting of the Alaska Computer Society was held at the BP building at Benson Boulevard and New Seward Highway starting at 7:04 pm.
Questions and Answers
President Gene White started the evening off with the question and answer session.
Ed asked if it was normal when logged on to one of the voice chat rooms (at MSN.net) to have cross talk - that is hearing several people talking at the same time. The voice channel is totally separate until it arrives at the chat room server. There it may be mixed in with others. Think of the good old days of CB radio when many of the people now in the chat rooms were on the air good buddy.
Ray asked if anyone has information on a cellular phone service called "any where/any time". No luck, but the name sounds interesting.
Holly asked if anyone knows of a good program for filing pictures from a digital camera. Several offered recommendations for ThumbsPlus from Cerious Software. Check it out at their web site. It can be downloaded and tried for free from www.Cerious.com.
Greg has a problem with his sound system. He turns the volume way down during a session then shuts down. When turned back on the sound comes back on high. Check defaults and profiles for multiple users. Also check settings of MS Media Player.
One member upgraded to Win 98 and was having trouble locating and recovering his Netscape bookmarks. Look in C:\Program Files\Netscape\Users\yourname for the bookmark.htm file. It may be necessary to copy all or part of the users file to the new system.
After having an HP2 printer repaired and loading in new drivers it wouldn't work. Go to Start/Settings/Printers. Delete the HP icon then add a new printer. This should load the new drivers and restore the connection to the printer.
Main Meeting
President Gene White called the regular meeting to order at 7:20 pm. He introduced the board members present and called for any announcements.
What is the URL for ACS? www.ACS-PCUG.org. Visit it for the latest information on meetings and computer-related events in the Anchorage area.
Report on the settlement of the lawsuit involving HP and Philips. If you own or have owned an HP SureStore CD-Writer 4020 or 6020 Compact Disc recorder (CD-R), you may have a claim in a class action suit that is in the process of resolution. Deadline for completion of a claim form is January 17, 2001. If you think you may have a claim, log on to www.HP.com for more information.
Dawn reported on the upcoming meetings. The September meeting will be on the Anchorage Library Databases on-line. Access is free for Alaska citizens whose ISP address identifies them as living in Alaska. Come and learn about these databases, the types of information they contain, and how to access them.
The Clipper SIG is the only SIG (Special Interest Group) still active. Howard reported that while sorting through the early issues of our newsletter, he found the announcement of the formation of the Clipper SIG. It had its first formal meeting in October of 1989 and is still going strong. Focus has changed from just Clipper to include other technology issues. The pizza and beer also help.
The Information & Business Technology EXPO will be October 11 and 12 at the Egan Center. ACS expects to have a booth there and will soon be asking for volunteers to staff it. We are also hoping to sponsor one of the seminars during the conference.
Everyone was a winner of a door prize. Dawn had received boxes of T-shirts from Microsoft in appreciation of our mutual support in various activities. Thank you Microsoft.
The Presentation
Bill Poletti, Chief of Network Security and Cryptographic Applications Architect for MasterCard, was our featured speaker. Bill has been in the forefront in the development of on-line security. He is a co-author of the Secure Electronic Transaction (SET) electronic commerce security standard. He serves as an advisor to the President's Commission on Critical Infrastructure Protection through the Information Security Infrastructure Working Group of the American Bankers Association. He serves on several ANSI standard security working groups and subcommittees. He was the recipient of the Smithsonian 1999 Technology Advancement Award. Bill's parents live here in Anchorage and we were able to get him to come in early from a fishing trip to talk to us.
POINT OF SERVICE (POS) CREDIT CARD TRANSACTIONS
The credit card machine at the grocery store is connected to the central computer via a dedicated direct line. There is no way for the hackers to break into the circuits and so no encryption is required. Those transactions are perfectly safe. The most dangerous activity for consumers is when you hand your credit card to the waiter at the cafe and he walks off with it. You have no idea how many times your number has been copied for future use.
Credit card purchases over the telephone are generally very safe. What may not be safe is the vendor's data base which will contain thousands of credit card numbers and other customer information. Unless it is protected by a secure firewall and the data is encrypted, it can be accessed easily. Recent cases where thousands of numbers were stolen then published on the Internet demonstrate the very real threat to e-commerce.
ATM machines are on a private line and no encryption is necessary. There are no known cases of loss over these lines.
NETWORK SECURITY
If you have any kind of Digital Service Line (DSL) or cable connection to the Internet, you are extremely vulnerable to intrusion. Hackers will have plenty of time to probe the network and find you. If you don't have a firewall installed, they will know all about you in a very short time. If you are lucky they will just be curious and not do any damage. They could, if they wished, do serious harm to your system.
There is no significant difference in vulnerability between DSL and the cable modems. Both are essentially ethernet connections. DSL has a slight edge in that it is a secure line all the way to the ISP but from there it is wide open. The cable modem user can be seen by someone on the same cable loop using Windows Network Neighborhood and with the right kind of sniffer equipment. Sniffers are programs that monitor the data stream and are able to record then read all the traffic. By using filters they can isolate the traffic from a single site. If your messages are encrypted, you are still safe.
FIREWALLS
There are two kinds of firewalls. One is hardware based with a device placed between your modem and your internal network or computer. The second type is a software product that monitors your connection and alerts you to any abnormal activity coming in such as probes. Some systems also monitor your operating system and can correlate incoming activity with what may be happening internally.
One example of a hardware firewall is the Linksys broadband Cable/DSL Router. It can connect multiple PCs to a broadband Internet connection. It acts as a firewall to protect your internal network and can be configured as a DHCP server. It will be the only externally recognized device on your local area network (LAN). For more information, their web site is at www.Linksys.com.
ZoneAlarm is one example of a product which provides protection for Internet users. It combines the safety of a dynamic firewall with control over your applications' Internet use. With Stealth Mode enabled, ZoneAlarm's firewall renders your computer invisible to the Internet and potential intruders. If you can't be seen, you can't be attacked. ZoneAlarm can be found at www.ZoneLabs.com.
There are software tools used by hackers called Spyware that can be used to steal your data and send it elsewhere over the Internet without your knowledge. Trojan horses like Back Orifice and BackDoor-G are two examples. One software vendor was recently caught with a trojan horse feature built into his product. After a predetermined length of time, it would try to log on to the Internet to report how much use had been made of the product without registering it.
ENCRYPTION
The algorithms for developing an encryption system have proven to be very reliable. The federal government has not restricted the development in any way. What they do want to restrict is the number of bits in the code. The fewer the bits, the easier it is for them to break. Their reason, so they say, is to allow them to monitor the activities of the criminal elements. These people are making very efficient use of the communication facilities to further their own interests.
Code with 40 bits, that is 5 bytes key length, can be broken in the time it takes for a coffee break. A code containing 56 bits or 8 bytes is the standard that is permitted for export to foreign countries. This takes a little longer to break but still is doable.
A key 128 bits in length is the domestic standard for a very secure key. It would take a super computer quite a long time to break it. The cost would be far more than what could be gained in decoding someone's credit card number.
Apple super computers, a mother board with multiple processors plugged into daughter boards, can easily duplicate the power of a Cray 2A. With this kind of power available in the garage hack shop, it is possible to break some fairly complex codes.
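An added example (not part of the talk or the original report) of why key length matters: it exhaustively searches a 16-bit key for real, then scales the same search to the 40, 56 and 128 bit lengths mentioned above. The toy cipher and the search rate of one billion keys per second are assumptions made for illustration.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_encrypt(key: int, block: bytes) -> bytes:
    """Constructed stand-in cipher: XOR the block with a SHA-256(key) keystream.
    It exists only so there is something to search; it is not a real cipher."""
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(p ^ s for p, s in zip(block, stream))

def exhaustive_search(key_bits: int, known_plain: bytes, cipher: bytes):
    """Try every key of the given length in order; return (key, keys_tried)."""
    for key in range(2 ** key_bits):
        if toy_encrypt(key, known_plain) == cipher:
            return key, key + 1
    return None, 2 ** key_bits

def average_search_years(key_bits: int, keys_per_second: float) -> float:
    """Expected search time: half the key space at the assumed rate."""
    return 2 ** (key_bits - 1) / keys_per_second / SECONDS_PER_YEAR

def compare(keys_per_second: float, lengths=(40, 56, 128)) -> dict:
    """Average search time in years for each key length."""
    return {bits: average_search_years(bits, keys_per_second) for bits in lengths}

if __name__ == "__main__":
    plain = b"ACS August 2000!"            # constructed known plaintext
    secret = 0xBEEF                        # 16-bit key, small enough to search
    key, tried = exhaustive_search(16, plain, toy_encrypt(secret, plain))
    print(f"16-bit key {key:#06x} found after {tried} trials")
    for bits, years in compare(keys_per_second=1e9).items():  # assumed rate
        print(f"{bits:3d} bits: {years:.3g} years on average")
```

Every added bit doubles the work, so going from 40 to 56 bits multiplies the search by 65,536, and going from 56 to 128 bits multiplies it again by 2 to the 72nd power.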
HOW TO TELL IF YOUR CONNECTION IS SECURE
There is a lock icon displayed in both Netscape and Internet Explorer. If the lock is closed you are secure. If it is open you are vulnerable. Also, the URL of a secure server will start out with https:// rather than just http://. A secure server directs your connection to specific port 80. An occasional problem - some secure servers may have a certificate that is not recognized by your browser.
THE WAY IT WORKS
There are two keys. A public key that you can send to anyone. With that key they can decode the message you send to them using the private key. If you are going to use encryption for your e-mail, you will have to send the public key to everyone you normally do business with. Keys are acquired from key issuing authorities. Netscape and Microsoft can help you get your own key.
RISK MANAGEMENT
Company information that must be protected from intrusion includes payroll, marketing plans, financial data, customer information, engineering data, inventory, and sales information. Personnel records must also be protected. What will be the cost if your information resources are disrupted or stolen?
The first line of defense is a secure back-up system. Back up your data files on a scheduled basis with disks stored in a secure remote site. Failure to back up the data may be far more costly than a simple intrusion. Backing up also makes it much easier to reconstruct if an intruder does get in and disrupts your system.
An analysis must be made of your system to determine where the weaknesses are and what must be done to protect your assets. If you are running a local area network connected to the Internet by any method you are extremely vulnerable. Your firewall protection should be engineered to match the level of security you need.
Physical location of the firewall is critical. Security can be compromised if it is readily accessible to anyone other than authorized staff. It must not be located where an accomplice of an outside hacker could disable or bypass it without your knowledge.
If you telecommute or have employees that telecommute (work from home via dial-up or cable connection) you are vulnerable. The connection at home and the access to your network must be well protected.
If you conduct a lot of your business via e-mail, then your company secrets are vulnerable. When your mail is encrypted, neither your ISP nor anyone else without the key can read your mail. If you have concerns about the safety or privacy of your e-mail then encrypt it.
The encryption keys issued by the central authorities must be well guarded. One good way to keep them safe is to have them on smart cards. This eliminates the data entry errors plus they are easy to protect. If stored on your computer they must be encrypted for safety.
Ports are being constantly probed by hacker programs. For this reason your firewall protection should be able to alert you when such an attack is happening. It is sometimes possible to identify who is doing the probing. The really nasty professional hackers usually work through some innocent relay point. They can gain illegal access and their real IP address never appears. Even under a dial-up connection you are vulnerable. If they catch you on-line and you have services set as shared they may have you.
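An added example (not from the talk or the original report) of the kind of alerting described above: it reads firewall drop records and flags any source that touches several different ports within a short window. The log format, addresses and thresholds are constructed for illustration and do not come from any particular firewall product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not any product's.
SAMPLE_LOG = """\
2000-08-10 19:04:01 DROP TCP 203.0.113.7 -> 192.0.2.10:21
2000-08-10 19:04:02 DROP TCP 203.0.113.7 -> 192.0.2.10:23
2000-08-10 19:04:02 DROP TCP 198.51.100.20 -> 192.0.2.10:80
2000-08-10 19:04:03 DROP TCP 203.0.113.7 -> 192.0.2.10:25
-- firewall restarted --
2000-08-10 19:04:04 DROP TCP 203.0.113.7 -> 192.0.2.10:80
2000-08-10 19:04:09 DROP TCP 198.51.100.20 -> 192.0.2.10:80
2000-08-10 19:10:00 DROP TCP 198.51.100.99 -> 192.0.2.10:21
2000-08-10 19:25:00 DROP TCP 198.51.100.99 -> 192.0.2.10:23
2000-08-10 19:40:00 DROP TCP 198.51.100.99 -> 192.0.2.10:25
2000-08-10 19:55:00 DROP TCP 198.51.100.99 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP (?:TCP|UDP) (\S+) -> \S+:(\d+)$")

def parse(line):
    """Return (timestamp, source, destination port), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))

def find_probes(lines, min_ports=4, window=timedelta(seconds=60)):
    """Map each probing source to the ports it hit when the alert fired."""
    recent = defaultdict(deque)            # source -> (timestamp, port) pairs
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                       # skip lines that are not drop records
        ts, src, port = rec
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()                    # forget hits older than the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG.splitlines()))
```

With the default 60-second window the source that spaces its probes fifteen minutes apart goes unnoticed; widening the window catches it at the cost of more false alarms from ordinary traffic.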
One danger that must be watched for is setting your security levels so high that you cannot communicate. Careful tweaking of your defense systems should give you the right level of usability and security.
IF YOU WANT MORE INFORMATION ABOUT SECURITY
Lots of security information on the Internet.
From: Bill Poletti
Sent: Tuesday, September 05, 2000 5:11 PM
To: Dawn Scott
Subject: Alaska Computer Society Meeting
Greetings Dawn,
I wanted to take this opportunity to express my long-overdue thanks and appreciation for being given a chance to address the Alaska Computer Society.
In my travels I often speak to groups or discuss some of the issues of the day with other professionals. It is a rare occasion that I have nearly as much fun as I had with the group up there. It was not like addressing a group, it was more like kicking around some interesting ideas, exploring the subjects of the day, and just having a great two-way sharing experience.
I found the group lively and very interactive. The questions and subsequent discussions were timely, stimulating and relevant; the collective group expertise good. Most interesting was the spirit of mutual support, often missing elsewhere.
If there are any follow-up questions, or if there's anything I can help with, please let me know. I travel a lot, and though it might seem like I'm not responding, I'll get back on any request (eventually ;-).
(BTW, the fishing was fabulous, too :-)
I hope that the opportunity will open again for a similar get-together.
My best wishes for the future and my deep-felt thanks to the entire group for a fun evening and for their warm hospitality.
Best regards (cheers and prost),
Bill Poletti
| End of August 2000 Meeting Report | Page last updated 2000-09-17 |