Security peripherals: Clamp down on hackers with one of these 15 devices
When passwords aren't enough, smart cards and biometric devices help lock down networks
By Mark A. Kellner
Special to GCN
Computer attacks, from denial-of-service assaults on big commercial sites to the 'ILOVEYOU' virus and its more virulent strains, are causing information technology managers to worry about other threats. A top concern is controlling who can gain access to individual PCs, networks or even an entire enterprise installation.
Add to that list the confusion and chaos that can be created by mischievous or malicious users working on a network, and it's enough to convince you that a career in taxidermy might not be so bad, after all.
And in addition to all the ways hackers can break into a network, there also is the potential loss or theft of portable PCs and the information they hold. In recent months, the State Department has reported two notebook PC thefts, including the loss of a system said to contain classified information.
At a recent press briefing, State spokesman James P. Rubin said of the loss, 'The computer was a computer that belonged to the Bureau of Intelligence and Research, and I don't want to speculate as to what happened to it and who was responsible other than to say that it's a very serious matter.'
The seriousness was underscored when another department portable was reported missing. A few weeks earlier, two portable computers belonging to the British Government's MI5 branch had been lost as well.
There's little doubt that IT crime and security breaches are on the rise. A survey conducted by the Computer Security Institute of San Francisco, in which the FBI's Computer Intrusion Squad participated, showed that 273 large businesses and government agencies reported $265.6 million in damages. In addition:
- Ninety percent of respondents, primarily in large corporations and government agencies, detected computer security breaches within the past 12 months.
- Seventy percent reported serious computer security breaches other than common computer viruses, notebook PC theft or employee abuse of the Internet: theft of proprietary information, financial fraud, system penetration by outsiders, denial-of-service attacks, and sabotage of data or networks.
- Seventy-four percent acknowledged financial losses resulting from computer breaches.
- Forty-two percent measured their financial losses; the total, $265.6 million, was a dramatic increase from the $120.2 million average annual total the group reported for the past three years.
The survey results were enough to galvanize FBI special agent Bruce J. Gebhardt, who is in charge of the agency's Northern California office. 'If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen,' he said.
'The results of the survey provide us with valuable data. This information not only has been shared with Congress to underscore the need for additional investigative resources on a national level but also identifies emerging crime trends and helps me decide how best to proactively and aggressively assign resources, before those trends become crises,' Gebhardt said.
The heightened concerns about computer security come at just the time when new forms of enterprise computing are coming into play. Thin-client computers and boxes running Linux, Microsoft Windows CE devices and wireless devices, as well as data-enabled cell phones, all have the potential for greater convenience and greater skullduggery.
Web sites also tempt those seeking to wreak havoc on an agency's systems. Some federal sites, after all, are among the most popular in cyberspace; the IRS' site ranked No. 1 for hits in the days leading up to the tax filing deadline this year. As a result, one market watcher said, the potential for disruption is growing.
'Dealing with security in a reactionary manner is no longer adequate,' said Abner Germanow, research manager for the Internet Security research program at International Data Corp. of Framingham, Mass. 'Security is now a core business requirement.'
So what's an IT manager to do? Passwords, the traditional bulwark of computer security, can be compromised in many ways: Stories of users writing down passwords in places where they can be found are legion.
Convicted serial hacker Kevin David Mitnick, who broke into the systems of firms ranging from Pacific Bell Telephone of San Francisco to Novell Inc. in a global crime spree, said he often relied on social engineering: he got access codes and other information simply by being persuasive on the telephone.
Hardware and software protection schemes, smart cards and biometric devices can enhance security. Smart cards and tokens add a second factor beyond passwords: something the user holds, in addition to something the user knows. Fingerprint and retina scanners, along with facial and speech recognition devices, tie access directly to the user's physical characteristics and, while not impregnable, give a high level of access security.
Among biometric methods, fingerprint scanning is still generally the most reliable and often the least expensive. Some fingerprint identification systems are designed for use with desktop PCs and cost less than $100. At the other end of the scale is NEC's TouchPass (see story, Page 53), which is a network system.
Smart card readers also are becoming more common. Key Tronic Corp.'s Smart Card Integrated Keyboard, for example, incorporates a reader into the top of the keyboard.
No matter what security steps you take, it's important that they be implemented with common sense, said Patrice Rapalus, director of the Computer Security Institute.
'The most commonly used forms of access that hackers use currently don't have anything to do with bypassing passwords, simple social engineering or going through the trash,' Rapalus said. 'Until employers and end users become aware of this, you can have every technical fix there is, [but even] if there's a firewall in place and you've got biometric scanners, there's [still] a weak link.'
She added, 'It really has to be a marriage of technology and psychology. And technology is only one factor in the equation.'
But that technology factor can be more and more important as time goes by.
George Brostoff, president of Ensure Technologies Inc. of Ann Arbor, Mich., said that although passwords are good up to a point, relying on any single security feature can lead to trouble at a crucial point for any network: the unattended PC or workstation.
'You wouldn't leave a cash register open, you wouldn't leave your house unlocked, yet we step away from our computers all the time,' Brostoff said.
Ensure's XyLoc system, which operates as a wireless key over the 900-MHz band, can be programmed to lock out others after the authorized user steps away from a workstation, he said.
Brostoff said the idea for XyLoc came to his partner, Thomas Xydis, co-inventor of the keyless entry system for automobiles, after an incident at the inventor's former workplace.
One day, Xydis came in to find the salaries of the company's executives posted on a whiteboard for all the workers to see.
The files were password-protected on an accounting manager's computer, but when the accountant stepped away from the machine with the files open, a disgruntled office worker simply copied the information to his own computer and printed it.
Tips for buyers
Biometrics: Automated methods of recognizing a person based on a physiological or behavioral characteristic. Examples include fingerprints, speech, face, retina, iris, handwritten signature, hand geometry and wrist veins.
Enrollment: Setup step in which a sample of the biometric trait is captured, processed by a computer into a template and stored for later comparison.
Identification: A recognition mode in which the system determines who a person is by searching the entire enrolled population for a match (a one-to-many comparison).
Verification: A recognition mode in which the system checks a user's claimed identity against that user's previously enrolled template (a one-to-one comparison).
Public-key infrastructure: Establishes the basis for managing the public keys used to provide network security through encryption and digital signatures.
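The distinction between verification and identification matters for security, not just for convenience: a one-to-many search gives an impostor N chances to match instead of one. The following Python is an added illustration written for this page, not code from any product named in the article. The 256-bit templates, the normalized Hamming-distance comparison, the 0.30 threshold and the seeded sample data are all constructed assumptions standing in for a real feature extractor.

```python
"""Biometric enrollment, verification (1:1) and identification (1:N).

Added example for the glossary above; not the code of any product in the
article. Templates are constructed synthetic 256-bit codes (a stand-in for
a real feature extractor); matching uses normalized Hamming distance.
"""
import random
from typing import Dict, Optional, Tuple

TEMPLATE_BITS = 256
# Decision threshold: normalized Hamming distance at or below this is a match.
# Fresh captures of the same stable trait differ in a small fraction of bits;
# unrelated codes differ in about half. (Constructed value for this example.)
MATCH_THRESHOLD = 0.30


def enroll(db: Dict[str, int], user: str, sample: int) -> None:
    """Enrollment: store the processed trait sample under an identity."""
    db[user] = sample


def hamming_distance(a: int, b: int) -> float:
    """Fraction of bit positions in which two codes differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(db: Dict[str, int], claimed_user: str, probe: int) -> bool:
    """Verification (1:1): does the probe match the template of the *claimed* identity?"""
    template = db.get(claimed_user)
    if template is None:
        return False  # a claim for an unenrolled identity is always rejected
    return hamming_distance(probe, template) <= MATCH_THRESHOLD


def identify(db: Dict[str, int], probe: int) -> Optional[str]:
    """Identification (1:N): who, if anyone, in the enrolled population matches the probe?

    Returns the closest enrolled identity within the threshold, or None.
    """
    best: Optional[str] = None
    best_distance = 1.0
    for user, template in db.items():
        distance = hamming_distance(probe, template)
        if distance < best_distance:
            best, best_distance = user, distance
    return best if best is not None and best_distance <= MATCH_THRESHOLD else None


def system_false_match_rate(per_comparison_fmr: float, enrolled: int) -> float:
    """False-match probability of a 1:N search given a per-comparison false-match rate.

    An impostor probe is falsely accepted if *any* of the N comparisons matches,
    so the system-level rate is 1 - (1 - fmr)^N, roughly N * fmr for small fmr.
    Verification mode stays at the per-comparison rate regardless of population.
    """
    return 1.0 - (1.0 - per_comparison_fmr) ** enrolled


def make_sample(rng: random.Random) -> int:
    """Constructed stand-in for capturing a new person's trait."""
    return rng.getrandbits(TEMPLATE_BITS)


def degrade(code: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh capture of the same trait by flipping `flips` random bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        code ^= 1 << pos
    return code


def demo() -> Tuple[bool, bool, Optional[str], Optional[str]]:
    """Enroll three constructed users, then run both modes on a genuine and an impostor probe."""
    rng = random.Random(7)  # fixed seed so the constructed data is reproducible
    db: Dict[str, int] = {}
    originals: Dict[str, int] = {}
    for user in ("alice", "bob", "carol"):
        originals[user] = make_sample(rng)
        enroll(db, user, originals[user])
    genuine_probe = degrade(originals["alice"], flips=20, rng=rng)  # ~8% of bits differ
    impostor_probe = make_sample(rng)                                # unrelated person
    return (
        verify(db, "alice", genuine_probe),
        verify(db, "alice", impostor_probe),
        identify(db, genuine_probe),
        identify(db, impostor_probe),
    )


if __name__ == "__main__":
    print(demo())
    for n in (1, 100, 10_000):
        print(f"enrolled={n:6d}  1:N false-match rate at fmr=1e-4: "
              f"{system_false_match_rate(1e-4, n):.4f}")
```

The last loop is the practitioner's caveat: at a per-comparison false-match rate of one in ten thousand, an identification search over ten thousand enrolled users falsely accepts an impostor about 63 percent of the time, so an identification-mode threshold must be tightened as the enrolled population grows, whereas a verification-mode check against a claimed identity keeps the per-comparison rate.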
The XyLoc system knows when a user leaves a PC or workstation, 'which is very important when it comes to security,' Brostoff said. 'We want to make sure the person who uses the system is who they say they are'not just at login, but 20 minutes into the session.'
Although it is starting out in the 900-MHz band, Brostoff said, the company's devices will be compatible with the emerging 2.4-GHz Bluetooth standard being developed by Intel Corp. and other manufacturers.
When that standard is released, XyLoc will not only be compatible, but could also be used to load individual user profiles on a workstation, wireless phone or personal digital assistant.
Already, Brostoff said, the product has made inroads into the federal market. 'We've worked with people at many of the different military organizations, and made great progress with Veterans Affairs Department hospitals, to work with their portables as well as desktops,' he said.
Another supplier that has fared well in government circles is Litronic Inc. of Irvine, Calif., which makes products that work with the public-key infrastructure specification. The company touts its smart cards as a way to avoid the kind of password theft that resulted from the ILOVEYOU worm, an executive said.
'Using smart cards with PKI, passwords are not an issue, causing a worm's efforts to locate user information to simply come up empty,' said Bob Gray, vice president of product development at Litronic. 'PKI securely enables people to log on, access files and transact online without worrying about identities being stolen.'
Gray added, 'We've had some installations in most of the federal government agencies; some on a large scale, some on a pilot scale.'
NetSign, Litronic's smart card authentication product, can also help protect an agency's Web site and its users against impersonation by providing bidirectional authentication, Gray said.
'Not only does the Web site authenticate who you are, but you authenticate this is the Web site you want to interact with. There's no masquerading,' he said.
Such smart-card authentication has caught on with other makers, most notably Sun Microsystems Inc., whose SunRay workstations offer a similar security scheme.
As with products such as NetSign and XyLoc, the SunRay product lets a user's desktop profile be loaded at a workstation once the user's identity has been authenticated.
But no matter how agencies and enterprises plan to make and keep their systems secure from attack and abuse, one thing is clear: Computer crime attempts will rise as the brick-and-mortar form of government service gives way to click-and-mortar and beyond.
The Computer Security Institute's Rapalus was blunt: 'As organizations go into electronic business, crime will follow the money.'
Mark A. Kellner is a free-lance technology writer in Marina Del Rey, Calif. He can be reached via e-mail at [email protected].
| Vendor | Product | Main functions | Platform compatibility | Features | Price |
|---|---|---|---|---|---|
| Biometric Identification Inc., Sherman Oaks, Calif. | MV 1100 | Fingerprint scanning, identification | Win95, NT | Standalone; custom integration into PC keyboards and notebook PCs | $495 |
| Biometric Identification Inc. | Veriprint 1000 | Fingerprint image capture | Win95, NT | Standalone or networked verification of access, time and attendance | $150 |
| (vendor not given) | Luna Cryptographic Acceleration Board | Speeds up encryption over VPNs | NT 4.0, Solaris, HP-UX 10.20, FreeBSD 2.2.7 | Supports PKCS #11, IKE and IPSec; usually sold through software companies with VPN software | $2,995 |
| (vendor not given) | Luna CA3 | Root key management system | NT 4.0, Solaris 2.5, 2.6.1, HP-UX 10.20 | FIPS 140-1 Level 3 validation; open API for interoperability with compatible systems | $18,995 |
| Compaq Computer Corp. | Fingerprint Identification Technology | Fingerprint scanning, identification | Win95, NT | Works with desktop PCs, workstations, notebook PCs and servers; based on the Identicator DFR 200 | $94 |
| (vendor not given), Redwood City, Calif. | U.are.U Fingerprint Security System | Biometric security system | Win9x, NT, Win 2000 | USB connector, with drivers for NT 4.0; centralized management software for configuration | $199 |
| Ensure Technologies Inc., Ann Arbor, Mich. | XyLoc Solo | Wireless key access control | Win9x, NT, Win 2000, Novell NetWare | Full-time access control: monitors for the presence or absence of the user, secures the machine when the user leaves and unlocks it when the user returns | $179 |
| Internet Security Systems | RealSecure | Network protection engine and agents | NT, Solaris | Monitors networks for attacks, including denial of service, FTP exploits and unauthorized traffic | $8,995 per engine, $750 per system agent |
| Key Tronic Corp. | Secure Finger Scanner Keyboard | Fingerprint scanning, identification | Win95, NT | Fingerprint scanner integrated into the keyboard | $149 |
| Key Tronic Corp. | Smart Card Integrated Keyboard | Smart card authentication | Win95, NT | Smart card reader in the keyboard verifies users' identities; supports a variety of smart card standards | $199 |
| LCI Technology Group | Smartpen BiAS | Biometric authentication system | OS-independent | Uses writing speed, pressure and angles to verify the user; applications include electronic documents | Not yet released |
| Litronic Inc., Irvine, Calif. | NetSign | Smart card authentication for Web browser and e-mail | Internet Explorer, Outlook 98/2000, Outlook Express 4, Netscape Communicator | Digitally signed and encrypted e-mail using S/MIME; authenticated Web page access with SSL | $99 per unit with software, $89 per reader |
| NEC Technologies Inc. | TouchPass | Biometric fingerprint identification | NT | Scanner-independent; supports any standard finger scanner | $1,000 per server, $200 per client |
| Pilot Network Services | Pilot Secure Internet Access | Secure Web access service | OS-independent | Fortified e-mail, secure Web, secure FTP/Telnet gateways | $5,000 to $6,000 per month; $12,000 to $13,000 setup fee |
| Ramp Networks Inc., Santa Clara, Calif. | WebRamp 700s | Small-office Internet security solution | Win 3.1, 9x, NT, Mac OS 7.5.5 and later | Ethernet WAN connection for DSL, cable modem, ISDN or frame relay; four LAN ports for local devices; 56-bit ARC4 and 56-bit DES with Internet key exchange | $479 |