Noam H. Arzt: Book Review


              FIVE BOOKS ON COMPUTER SECURITY

          Reviewed by Daniel Updegrove and Noam Arzt.
                   CAUSE/EFFECT, Fall 1991

Denning, Peter J. (ed.), Computers Under Attack: Intruders, Worms, and
  Viruses. NY: ACM Press, 1990, 567 pp., $23.75 (paper).

Garfinkel, Simson and Gene Spafford, Practical UNIX Security.
  Sebastopol, CA: O'Reilly & Associates, Inc., 1991, 481 pp. $29.95 (paper).

Hafner, Katie and John Markoff, Cyberpunk: Outlaws and Hackers on the
  Computer Frontier. NY: Simon and Schuster, 1991, 368 pp. , $22.95.

Hoffman, Lance. J. (ed.), Rogue Programs: Viruses, Worms, and Trojan
  Horses. NY: Van Nostrand Reinhold, 1990, 384 pp., $32.95 (paper).

National Research Council, Computers at Risk: Safe Computing in the
  Information Age. Washington: National Academy Press, 1991, 302 pp.,
  $19.95 (paper).


Clifford Stoll's 1989 better-than-fiction tale, The Cuckoo's Egg, was
read by a remarkably wide range of people in and out of academe:
non-technical administrators, information technology managers, computer
users, and others whose curiosity was aroused by media accounts of the
author's quirky charm -- or of the previous year's sensational Internet
Worm incident. Readers of Cuckoo's Egg  (reviewed in C/E, Summer 1990)
learned how pervasive computer networks are, how many insecure computers
were (still are?) connected to the Internet, how crafty and persistent
some network crackers are, how much cleverness and patience are required
to trap and identify such criminals, and, ultimately, how much our
networked systems and data depend for their integrity on mutual trust.

Predictably, authors and publishers have responded to the heightened
concern about computer security and computer crime with numerous new
titles. Of the five books reviewed here, one is a journalistic
investigation of three hackers (including Robert Morris, author of the
Internet Worm), two are compendia of articles from mostly technical
journals, one is a how-to guide for systems administrators, and one is
the report of a National Research Council committee. All are valuable
contributions to our understanding of the sources of computer insecurity
and our search for appropriate remedies.

Easily the most accessible to the non-technical reader is Cyberpunk:
Outlaws and Hackers on the Computer Frontier, by Katie Hafner, a
technical journalist and John Markoff, the New York Times reporter who
broke the Morris story. Using information from police and court records
plus interviews with principals or associates, the authors chronicle
three cases from "a computer underground that is the real-life version
of cyberpunk, science fiction that blends high technology with outlaw
culture."

The first case describes a Los Angeles-area gang that migrates from
"phone phreaking" (penetrating telephone company codes, computer
systems, procedures, and buildings) to cracking computer networks and
DEC minicomputers at the University of Southern California and
elsewhere. This criminal group mixed technical wizardry with "social
engineering," an alarming ability to dupe unsuspecting office workers
into revealing secret information. The lesson one gang member tells is,
"If you don't have the people trained properly, I'm going to get in if I
want to get in."

The other two cases are more familiar--the network cracking discovered
by Stoll that was found to originate in Germany with backing by the
Soviets, and the Robert Morris story--but from novel perspectives: we
see the German perpetrators' side of the Cuckoo's Egg and the personal
side of Robert Morris. Two forms of high-tech criminal behavior are
portrayed, one deliberate and one, possibly, inadvertent, but with some
similar trappings: computers delivered by vendors with poor default
security, scientists and others "too busy" to carry out appropriate
systems security procedures on computers they connected to networks,
numerous computers compromised thousands of miles from the source of the
intrusion, untold hours spent by systems managers investigating the
break-ins and devising counter-measures, and -- in all three cases --
convictions in court.

Some of these same cases surface in Peter Denning's Computers Under
Attack: Intruders, Worms, and Viruses  and Lance Hoffman's Rogue
Programs: Viruses, Worms, and Trojan horses. Denning, former
Editor-in-Chief of Communications of the ACM assembled ten articles from
the special "Internet Worm" issue of CACM (June 1989), 11 other CACM
articles from 1983 to 1990, 11 other reprints, and eight original
contributions to fashion a broad set of analyses and commentaries.
Although a handful of articles focus on PC viruses, the compendium's
focus is on networks and their security risks. Regular readers of CACM
will find much of this material familiar, yet the compilation and
commentary are first rate.

Hoffman, professor of computer science at The George Washington
University, reprints three of the same CACM articles on the Internet
worm, but focuses more on PC viruses in Rogue Programs. Hoffman draws
from a wider range of sources, from Macworld to Rutgers Law
Journal, and even includes three articles on "Emerging Theories of
Computer Viruses." Those concerned with viruses on desktop computers
will find this volume worth owning.

Surprisingly, Practical UNIX Security can be recommended not only to
UNIX systems administrators and users but also to administrators and
users of other computer systems. Although the authors, Simson Garfinkel,
a computer consultant and science writer, and Gene Spafford, a computer
scientist at Purdue University, disclaim any intention to write either a
UNIX tutorial or an introduction to computer security, they have
succeeded largely in doing both. Fully half the book is not about UNIX,
per se, but about a range of key issues such as passwords, backups,
modems, the Internet, Sun's NFS, MIT's Kerberos, discovering a break-in,
and U.S. law. The UNIX sections, too,  are so clearly written that both
UNIX and the underlying principles are clearly conveyed. Moreover, given
trends in campus computing, no computer professional should be ignorant
of UNIX and its security implications in a networked environment.

The broadest volume, but probably the one that will reach the narrowest
audience, is Computers at Risk: Safe Computing in the Information Age
from the Systems Security Study Committee of the Computer Science and
Telecommunications Board, Commission on Physical Sciences, Mathematics,
and Applications of the National Research Council. The committee, formed
in 1988, was charged with developing a national research, engineering,
and policy agenda to help the U.S. achieve a more trustworthy computing
technology base by the end of the century. Its report should be read by
everyone concerned with systems security policy and planning.

The Committee's thesis is that "as computer systems become more
prevalent, sophisticated, embedded in physical processes, and
interconnected, society becomes more vulnerable to poor system design,
accidents that disable systems, and attacks on computer systems." In
response to these threats, the report recommends a broad, national
effort to improve systems design and use, focusing on:

* Promulgation of a comprehensive set of Generally Accepted System
  Security Principles,
* Recommendations for system vendors and users to improve security,
* Establishment of a system-incident repository and public awareness
  programs,
* Clarification of export controls for secure systems and
  implementations of the Data Encryption Standard (DES),
* Funding for a comprehensive research program, and
* Establishment of a new, Information Security Foundation, to nurture
  development, commercialization, and proper use of trust technology.

One's first reaction to reading these books together is paranoia: more
and more VMS and, especially, UNIX computers are being attached to the
Internet by technically naive users and systems administrators; and an
increasing proportion of these computers is used to store and process
sensitive administrative information (to say nothing of critical
research and instructional files); while the power of computers,
networks, and algorithms accessible to crackers is increasing
alarmingly; and most institutional policies and procedures lag years
behind.

Beyond paranoia, do these volumes provide guidance for institutional
policymakers and information technology managers? Yes. They not only
alert us to risks and recommend specific countermeasures, but also
illuminate the inevitable tradeoffs that must be weighed, especially in
an academic environment. Among the tradeoffs:

* Security vs. ease of use and ease of systems administration.
* Ease of access vs. auditability and "security by obscurity."
* Auditability vs. privacy.
* Mainframe "overhead" vs. the real costs of distributed computing.


At the University of Pennsylvania, as at other colleges and
universities, these tradeoffs must be made in an era of declining
revenue growth and rapid technological change. Policies, procedures, and
authority have to be put in place that translate what we have learned
from tightly-secured mainframe environments into our increasingly
workstation-based network infrastructure. A password authentication
scheme to protect Penn's inbound modem pool -- and to protect the
Internet -- is being implemented despite protests about the added burden
to users. Action is being contemplated against those who operate
workstations on the campus network in apparent ignorance of security
guidelines and bug fixes. Both network abusers and those who have
privilege to audit abuse are coming under increasing scrutiny. A
University-wide data and systems risk analysis is underway, with the
assistance of an expert consultant. The ID card system is being
redesigned to increase information security.

Penn is not unique in the amount of resources being directed to
understand and solve information security problems. We are already
making good use of these books, and we can recommend them highly.

-- Daniel Updegrove is Associate Vice Provost for Data Data
Communications and Computing Services at the University of Pennsylvania.

-- Noam Arzt is Director of Special Projects, with responsibility for
information security policy, at the University of Pennsylvania.

Back to home page
3/25/96