Other Links
All these portal sites are of high quality. In this list we give pointers to some less well-known sites that we think have
interesting information for instructors or students. We have organized the links by chapter just for readability. When something
new catches our attention we will update this site, so please check back frequently for new links. And if you have a relatively
unknown link that you would like to share, please pass it along.
Chapter 1: Is There a Security Problem in Computing?
The Veterans' Administration data loss described in this chapter is not the final example, although in terms of number
of data items exposed, it still ranks high. The University of California at Los Angeles (UCLA), Boeing, and Providence Health had incidents that resulted in the release of large numbers of records of personal information, such as names and identification
numbers (U.S. Social Security numbers, patient ID numbers). The Privacy Rights Clearing House, a privacy organization that tracks data breaches, reported that the Boeing loss brought the total number of records of personal
data items exposed to 100 million. Of these the UCLA incident was noteworthy because it was the result of a hacker's attack
(over a considerable period of time), not loss (or theft) of a physical device. (Dec 06)
Peter Neumann, a principal scientist at the SRI International Computer Science Laboratory edits the column Inside Risks
for the Communications of the ACM. His column is archived at http://www.csl.sri.com/users/neumann/insiderisks.html. (Dec 06)
Chapter 2: Elementary Cryptography
SSH is a leading developer of Internet-based data security technologies and solutions, especially cryptography products.
Its website provides an introduction to cryptography, algorithms, protocols and standards, references, and additional online
resources. The website also provides a series of white papers on cryptography, such as securing remote connections and enabling
virtual private networks (VPNs). See Cryptography A-Z and white papers from SSH. (Dec 06)
RSA security products are widely respected. Their web site content library has numerous white papers on security technologies. Their research group, RSA Laboratories publishes and posts technical reports on cryptography, including a highly-readable frequently asked questions (FAQ) list
on cryptography. (Dec 06)
Although dated, Matt Curtin's paper on snake oil and cryptography is worth reading. It presents cryptographic concepts and capabilities clearly and accurately. (Dec 06)
Tools for students of cryptography are plentiful on the web. The following sites have useful links on cryptography: (All Dec 06)
Encryption programs:
Letter frequency counters:
Simulators for historical ciphers:
Chapter 3: Program Security
Professor Thomas Huckle, of the Institute for Informatics, provides general links on software bugs (not necessarily security flaws) and links to specific examples (e.g., Ariane 5 explosion; euro conversion
rounding errors). (Dec 06)
In its Vista operating system Microsoft has begun to use code rearrangement to foil malicious code writers. (See http://www.eweek.com/article2/0,1895,2071746,00.asp.) Virus and other malicious code writers exploit a vulnerability of knowing exactly where in memory key programs or parts
of the operating system are located. The widely-used buffer overflow attack depends on executable code that will be executed
soon being located right after the buffer. By scrambling the order of pieces of the program, the defender (Microsoft, in this
case) removes that predictability, which means the attack works only a fraction of the time. Still, there are only finitely
many permutations of code, and an attack that works on only 1% of 100 million machines still affects a large number of users.
But this step by Microsoft, likely to be followed by other commercial code developers, is a good approach.
Virus vendors post lists of current viruses. See, for example (all Dec 06):
Chapter 4: Protection in General-Purpose Operating Systems
The Biometric Consortium http://www.biometrics.org/ is a focal point for research, development, test, evaluation, and application of biometric-based personal identification/verification
technology. The site provides information about government, industry, and academia biometric-related events, articles and
publications. (Dec 06)
Prof Anil Jain of Michigan State University maintains a good web site at http://biometrics.cse.msu.edu/ on research on biometric technology with applicability to authentication. (Dec 06) The Projects page links to descriptions
of research projects, and the Links page links to vendors of biometric products.
TMC Communications publishes The BiometriTech Newsletter which covers the latest news and articles on biometric issues,
implementation obstacles and solutions, and successful installations of biometric components and the results they have yielded.
The site at http://www.biometritech.com/ provides information on finger identification, voice identification/authentication, facial recognition, and smart card technologies.
(Dec 06)
Wayne Summers of Columbus State University (Georgia) has an unfortunately somewhat dated web page on general operating
system security issues at http://csc.colstate.edu/summers/e-library/OS.html. The general information assurance page at http://csc.colstate.edu/summers/e-library/security.html is loaded with links on security and information assurance. (Dec 06)
Chapter 5: Designing Trusted Operating Systems
The United States, Canada and several European countries joined together to develop a set of common criteria for evaluation
of IT security that are broadly useful within the international community. The Common Criteria are available at the Common Criteria portal, as is guidance for developers and purchasers. (Dec 06)
The National Information Assurance Partnership (NIAP), sponsored jointly by the National Institute of Standards and Technology
and the National Security Agency, represents the United States within the Common Criteria project. The NIAP sites at http://www.nsa.gov/ia/industry/niap.cfm and http://niap.bahialab.com/ provide information on how the common criteria are implemented in the United States. (Dec 06)
Chapter 6: Database Security
Researcher Kun Liu from the University of Maryland
Baltimore County maintains a web site on privacy in data mining. His bibliography is an excellent collection of pointers, organized by issue and approach. (Dec 06)
Chapter 7: Security in Networks
Network security web sites are too numerous to list.
Chapter 8: Administering Security
The Federal Agency Security Practices (FASP) website builds on the success of the Federal CIO Council's Federal Best Security Practices pilot effort to identify,
evaluate, and disseminate best practices for computer security. The FASP site contains agency policies, procedures and practices;
CIO pilot best security practices; and a Frequently-Asked-Questions section. (Dec 06)
Chapter 9: Economics of Cybersecurity
Ross Anderson has an excellent web page of links to the issues and current research in economics and security. (Dec 06)
Alessandro Acquisti, at Carnegie Mellon University, has a web site that focuses primarily on the economics of privacy but also addresses other aspects of the economics of cyber security.
(Dec 06)
L. Jean Camp, at Indiana University, maintains a web site on the economics of security. It has pointers to a list of journals in information security that welcome articles about
economics, plus pointers to conferences and workshops that address the economics of security. (Dec 06)
Chapter 10: Privacy
Interest in electronic voting in the United States seems to increase predictably in late summer of even-numbered years
just prior to national elections in November. Post mortem results appear soon after the election, and the issue typically
goes back under cover for another year and a half. Fortunately, researchers such as Avi Rubin work on the issue between election cycles. (Dec 06)
The National Academies of Science published a report on electronic voting. In addition, the National Academies have had a long-term research project on privacy in the United States. The status of
the project is posted here. (Dec 06)
The Electronic Privacy Information Center is a public interest research center established to focus public attention on emerging civil liberties and to protect privacy.
The site provides links to articles and reports on computer security, cryptography policy, free speech, the Freedom of Information
Act, and privacy. (Dec 06)
Computer Professionals for Social Responsibility (CPSR) is an organization that provides the public and policymakers with realistic assessments of the power, promise, and
problems of information technology. The site provides links to articles and publications to direct public attention to critical
choices concerning the applications of information technology and how those choices affect society. (Dec 06)
Chapter 11: Legal and Ethical Issues in Computer Security
David E. Sorkin maintains a web site that is a comprehensive compilation of laws from around the world related to spam. (Dec 06)
Computer Professionals for Social Responsibility (CPSR) is an international organization that promotes responsible use of computing technology. They sponsor the Their web site links to the major resources in the area. They nurtured the Computers, Freedom and Privacy conference and the Electronic Privacy Information Center (EPIC). (Dec 06)
Chapter 12: Cryptography Explained
See sites in Chapter 2: Elementary Cryptography.
For advanced papers on cryptography and cryptology, the International Association for Cryptologic Research (IACR) maintains the definitive electronic archive of research papers. The site is primarily to help researchers by maintaining an electronic bulletin board of new results,
many of them announcements prior to review and publication of a paper. The archive imposes essentially no outside review,
so results are subject to correction or withdrawal if the author or someone else finds a flaw in the logic. (Dec 06)
Additional Information
If you are a student interested in learning more about computer security programs located at colleges and universities
in the United States, please see the following link. The National Security Agency has designated 36 universities as Centers
of Academic Excellence in Information Assurance Education. The designations were granted following a rigorous review of university
applications against published criteria based on training standards established by the National Security Telecommunications
and Information Systems Security Committee. The list and links to these university centers can be found at http://www.nsa.gov/ia/academia/caeiae.cfm. (Dec 06)
New Sidebars
Below you will find new sidebars that relate events since the 4th edition was published. These sidebars will be updated
from time to time as new events warrant a write-up.
Sidebar: Status of Securing U.S. Government Computers
The U.S. House of Representatives Committee on Government Reform requested a report from the Government Accountability
Office (GAO) on security of government computers. Data breaches from organizations such as the Veterans' Administration show
some sensitive data poorly protected. This lack of protection reflects a larger issue of inadequate testing of the security
of government systems.
According to the report summary, the GAO found agencies' security programs lacking in several key areas. In its study of 24 major agencies, GAO found that
many did not address key elements of effective testing, such as determining how thoroughly to test certain elements according
to risk, testing security controls common to multiple systems, defining the duties of those performing the tests, and performing
the tests often enough. The original GAO report is here. (Dec 06)
Sidebar: Weak Passwords Are With Us Still
Guru-columnist Bruce Schneier reports on yet another set of password data. Approximately 100,000 MySpace users were tricked by a scam to reveal their user names
and passwords. The revealed passwords match other analyses of user-chosen passwords: Roughly 65% of users chose a password
of eight or fewer characters, 17% of six or fewer. Only 8% had at least one non-alphanumeric character (that is, something
other than a letter or digit). And the most popular passwords were password1, abc123,
myspace1, and password.
Schneier's blog summarizes the article nicely. Three posted threads of comments are worth noting: First, the relatively weak passwords may
be partly because people recognize the low sensitivity of a MySpace profile and so are less particular in their choice of
a password. Second, some people reported that when creating their MySpace account, they allowed a maximum of eight characters
for a password—which is better than a bank (!) I heard of recently that allowed customers only six alphanumeric characters.
Finally, several people observed that with the ever-growing number of sites requiring registering with a password, we simply
cannot remember dozens of well-chosen passwords. Some sites have simplified (?) selecting a unique user name by requiring
you to use your email address (which has its own obvious vulnerabilities). But retaining numerous distinct and complex passwords
seems to require a hardware or software aid (with more obvious vulnerabilities), a written list (with still more obvious vulnerabilities),
a memorized algorithm (with yet more obvious vulnerabilities) or better memory for weird strings than at least I have.
For a way to avoid registering at some popular sites, see BugMeNot.
Results from the Morris password study of the late 1970s (see the bibliography in Security
in Computing) seem to be revalidated every time someone collects enough data. The password seems to have been stretched
well beyond its limited utility. (Dec 06)
Sidebar: Cyberterrorism: Fact or Fiction
The Washington Monthly published an article in 2002 essentially saying that cyberterrorism is an interesting concept that has not been shown to be real. The article
debunks several supposed attack reports. As the article says, absence of attacks is sometimes used to demonstrate how effective
we are at blocking attacks. Just like the amulet I wear to ward off attacks by elephants: it must be working.
In the five years since the article there seem to have been no cyberterrorism attacks. There have been crimes committed
with or against computers. There have been terrorist plots where the terrorists used computers and electronic gadgets (such
as cell phones) to aid in the attack. And there have been computing systems that have failed for no discernible reason. But
there seem to have been no reported incidents of terrorists attacking major computer systems or networks. (Dec 06)
Sidebar: Malware and the Operating System
According to an article in eWeek (Dec 06) malware writers are getting craftier. New strains of malicious code inspect their target machine to determine
what operating system support and debugging or protection tools are running.
The virtual operating system of this chapter has been useful to malicious code researchers and vendors of protection products.
Researchers set up a computer with what is apparently a vulnerable machine they hope will become infected, much like a honeypot.
The vulnerable machine actually runs in a virtual machine so the researchers can monitor the activity of the malicious code
without being evident and without allowing the infected machine to affect other resources. Smart malware writers now test
for the presence of a virtual machine environment and other debugging or monitoring tools; they stop their malicious code
if they detect any.
And researchers at the University of Michigan developed a tool called SubVirt described in a paper (Dec 06) presented at the 2006 IEEE Computer Society Symposium on Research on Security and Privacy. In this paper they describe
a proof of concept implementation of malicious code that is a rootkit that installs itself under a target operating system
and hosts the (victim) target as a virtual machine.
Sidebar: SPIT (Spam over Internet Telephony)
We knew it was bound to happen: The convergence of Spam and internet telephony
(VoIP) has been as predictable as day following night.
According to an editorial/story in eWeek (Dec 06), some VoIP users have received unsolicited marketing calls in Japan. Author Larry Seltzer goes from the
current attacks to potential. Directories of VoIP users are readily available online. Combine that with a little data mining
and you can construct targeted attacks involving shopping patterns, hobbies, residence, medical conditions, schools, etc.
Fraud, harassment, and denial of service are even more serious possibilities.
In the 2006 U.S. election cycle candidates used prerecorded messages to encourage
people to vote for them (or perhaps annoy voters and make them want to vote for the opponent). It is easy and inexpensive
to use computers to dial through a list of numbers of potential supporters and play the prerecorded message when someone answered
the phone. (My answering machine had interesting conversations with a lot of prerecorded message machines.) Clearly the same
approach could be used for any cause. In the U.S. unsolicited commercial marketing calls are controlled.
But all those controls disappear with VoIP because it is currently not subject
to the same regulation as is regular telephony, either land-based or wireless. Author Seltzer recommends VoIP providers and
law enforcement agencies crack down on SPIT before it becomes a real issue. Although VoIP providers have the authority to
limit use, they may not have the interest in doing so because it costs them money and false positives would cause customer
relations problems. Law enforcement agencies might take an interest but only if something illegal were going on. So far non-fraudulent
use of VoIP is not illegal. And law enforcement becomes difficult if it involves two or more jurisdictions. The crux of the
problem is that the technology is new enough that it is scarcely regulated if at all, either by providers or governments.
Governments need to study the problem to identify what citizens want by way of allowed and prohibited behavior. Then governments
or private bodies (such as VoIP providers) need to develop rules of behavior, regulations, and laws that meet those needs.
Sidebar: Spam and Phishing on the Rise
Message Labs, the commercial managed email and web security solutions vendor, produces an annual report on security trends
and predictions. According to the 2006 report an astounding 86.2% of all email is spam, and 1 in 272 email messages is a phishing attack. In an interesting form of triangle
trade, Message Labs shows that spam, viruses, and spyware are related, with spyware used to derive the mailing lists for spam,
and viruses used to compromise systems that are then used for delivery of spam. (Dec 06)
Many users do not see this volume of spam because mail handlers and ISPs prefilter email by refusing connections from a
so-called blacklist of known spam senders.
Message Labs predicts that spam will continue to increase through 2007 from 86% to 92% of all email. More significant is
targeted spam, which uses some data mining approaches to produce spam more specific to the recipient. There is already "geek
spam," loaded with terms from technology to increase the likelihood the recipient will think the spam is a legitimate
message. Other targets include the legal and medical professions. Message Labs expects that the average number of targeted
spam messages received per person per day will increase from the current 2 to 20 by the end of 2007.
Sidebar: Spam Doesn't Pay
$1 million U.S. is a lot of money to most of us.
That is the amount spammer Mike Pitylak agreed to pay in the May 2006 settlement
of a lawsuit brought by the State of Texas and Microsoft. The plaintiffs had asked $500 million. To raise the $1 million Pitylak
will have to sell his house valued at $500,000 and a 2005 BMW. Perhaps more significantly, Pitylak agreed to discontinue all
his spam activities, according to a story in the Dallas Morning News.
Pitylak admitted to having sent as many as 25 million spam email messages per day at the height of his career in 2004. The group spamhaus.org that tracks spam activity says that Pitylak was one of the top four spammers in the world. His spam was the ordinary kind:
mortgage refinancing, car loans, and debt counseling. Pitylak created over 200 front companies to take details from anyone
who clicked a link in the spam email and then sell these leads to real companies. He received $3 to $7 for each referral.
The activity violated both the Federal CAN-SPAM act and a Texas anti-spam law.
Uncovered in 2004 by an investigative journalist with The Chicago Tribune, this
activity attracted the attention of the Texas Attorney General, as reported in an article in the Austin Chronicle. Pitylak had begun his career of spam as a teenager, and
was a 24-year old recent university graduate at the time he agreed to the settlement of the lawsuit. (Dec 06)