washingtonpost.com

Cybercrime
with Fred Cohen, Ph.D
Friday March 31, 2000 11 a.m. EST

Has YOUR privacy been invaded? Has your personal information including credit card numbers, addresses, and phone numbers fallen into the hands of cyber bandits?


Today's guest, Fred Cohen, Ph.D, will answer these and more questions.

Fred Cohen coined the term 'computer virus,' and is the inventor of computer viruses and virus defense techniques. In the 1970's he designed network protocols for secure digital networks carrying voice, video and data. In the 1980's, he developed integrity mechanisms for secure operating systems. During the 1990's, he developed protection testing and audit techniques and systems, secure Internet servers and systems, and defensive information warfare techniques and systems.

Today, the protection techniques he pioneered are now used in more than three quarters of all the computers in the world.

Cohen is the Director of Fred Cohen and Associates and is a principal member of technical staff at Sandia National Labs. He also writes a monthly column for Network Security magazine on managing network security and has written several books on information protection.

You may submit your questions for Fred Cohen in advance and any time during the Live Online hour.


Fred Cohen: Welcome to this month's forum on cybercrime and punishment.
My name is Fred Cohen, and I am ready to take your questions

FC


washingtonpost.com: Welcome to the washingtonpost.com's Live Online discussion with Fred Cohen. We are ready to get started so please send Fred your questions now.


Chevy Chase, MD: When I return to a Web site that requires me to fill in some blanks, such as when ordering something over the Internet, I've noticed that the information I've previously entered appears automatically in the appropriate box as soon as I key in the first letter or number. This includes names, addresses and credit card numbers. Furthermore, all the different variations of that information also appear if I have previously entered it in more than one way. This is especially scary when a credit card number is involved. Where is this information stored? Is it retained by the Web site and sent back when I start to complete the appropriate box or is it stored in my own computer? How can I delete this data if I am willing to re-key it in myself?

Fred Cohen: The information is usually stored on the remote web server and then downloaded over the Internet insecurely to your browser by way of a java applet or other similar method.

Unfortunately, you are not in control of the vast majority of the data about you. The legal debate is only just beginning over who owns your information and the way it gets settled will have dramatic effects on how we all live in the information age.


GMT -0500: Cyber-Safety section of the Post:
Why don't you ask the post if they will put up some bookmarks-favorites -URL's- for folks looking for good sites on the Net for keeping current on how to protect their data and privacy online. Other discussion boards and List on the Net have areas where Links and files are made easily available for the public. It would be great if the Post would provide "Live Online" with some resources so this kind of service would be available for its users-readers.

Fred Cohen: I normally refer people to:

http://all.net/
http://www.cert.org/
http://www.htcia.org/
http://sans.org/

Many other pointers are available from there.

FC


GMT -0500: Congressional Testimony:
Prior to your last Washington Post Live Online session you testified before Congress's Joint Economic Committee about computer security and the nation's economy. What was the gist of your testimony and where can it be found on the Net?

Fred Cohen: http://all.net/ => My written and verbal congressional testimony


Cyber Civil Defense Corps: Why doesn't Congress fund an ongoing "Cyber Manhattan Project" to develop -or at least test and validate- world class software security tools that could be deployed by the average small or large business or individuals or families? What kind of budget does your "College Cyber Defenders" group at Sandia Labs have to help develop or test such important tools? A 'Manhattan Cyber' group tried to undertake a project like this several years ago but ran out of funding and went away without a bang. -Maybe they were too far ahead of their time-.

Fred Cohen: The government is not really all that good at doing large projects like that in times of peace - at least that's my personal experience. And I don't think that that sort of project is necessarily a good solution to today's problems. We don't need a single amazing new technology to solve the information protection problems of our society. We need a solution that embraces all of the people who use and manage systems.

The CCD program at Sandia is funded at about $250,000 this year - way up from last year. The money goes entirely to paying student-employees for their time. The employee time involved is largely voluntary, with some research funds leveraged into the program for projects that the CCDs can help work on.


Richmond, VA: I heard there are free online storage vaults where I can keep backups of important files. Where are they and how do they work?

Fred Cohen: There are lots of places that would be happy to have a copy of all your data. I would not trust them with my data.


South Carolina: A virus infected my "normal" template in Microsoft Word. How do I create a new one?

Fred Cohen: I am not a Microsoft expert, but I think you can simply copy a normal.dot file from another computer. Make sure you are not running Word while you do it...


Washington: I recently placed an order on American Airline with a credit card and I noticed during the transaction there was no indication that the Web site was secure -no pop up warning, no padlock icon, no 'https' and so forth - all the normal indications I usually get-. I don't normally do dumb things like that but I had searched long and hard for the right fare and time and didn't want to lose it so I submitted anyway. Are credit card numbers only available during transmission? Do I need to cancel that credit card? Is there a file now on my computer that I should delete that has saved that number? Please help and I promise NEVER to do this again!

Fred Cohen: It is probably possible to get your credit card numbers while this sort of process is going on, but unless you have a clear indicator that it has been stolen (somebody is using it to make lots of charges), you shouldn't probably do anything harsh. Your liability is only $50 for credit card frauds resulting from this sort of activity. On the other hand, DO NOT use a debit card in this arena - your liability is unlimited.


Chicago, Il: I was on my computer when it just started on its own opening Outlook Express, then Quicken, then Turbotax, then went back to Outlook Express. All of the time I watched this happen I was trying to close the open windows and take control of the computer, to no avail. Unfortunately, I did not think of pulling the phone cord or shutting down the computer while this was happening. The hard drive was working very hard, as I could hear it very clearly. The Internet connection was open at this time. It looked like someone accessed Quicken and Turbotax and sent information somewhere. This all happened extremely quickly, in less than a minute. I checked the computer scheduler and we do not have any automatic updates for either Quicken or Turbotax. We have automatic updates for Norton Utilities -set for other dates and times-, which typically show data being downloaded and is somewhat slow. This was not like that at all. This was a very strange occurrence and I would like to know if you have heard of this happening before. I would like to know if there are any government agencies I should inform, or if there is any kind of central clearinghouse for these types of computer occurrences.

Fred Cohen: Looks like you have been had - so to speak.

First step - unplug it from the net. That should halt the remote control that seems to be happening.

This is fairly common - programs like Back Orifice and similar off-the-Internet attack programs make this easy for the bad guys to do.

There is no clearinghouse, and to be perfectly honest, unless you have lost many thousands of dollars, there is nothing that law enforcement will be able to do to help you. You might report the crime (assuming you can establish that this is what it is) to your local police. It will help them get more statistics and, in some cases, they may be able to help you.


Mexico City: I recently read about a shop in the UK being investigated after it sold an ex-demonstration computer that contained confidential patient files. We're about to upgrade most of our department's Windows 95 computers, which will be transferred to our staff training department. Can you explain which is the best way to ensure that any important client data on the hard drives is deleted and can't be accessed by staff from other departments?

Fred Cohen: For details on how to remove data from systems, refer to the data remnants standard.

http://all.net/ => Protection Standards => DoD Standard: Data Remnants Standard


Alexandria VA: Has government been more advanced in sealing up system vulnerabilities than major corporations?

Fred Cohen: no


Washington, DC: What was one of the worst virus outbreaks?

Fred Cohen: There have been many serious outbreaks. I think that the Influenza outbreak in the early part of the 20th century killed 40 million people.


Freemont, California: Our company has been using e-mail for sometime. To minimize the risk of virus infection, all incoming e-mail is checked by the mail server, and we only have one stand-alone PC that connects to the Internet. However, a lot of time was wasted last month when a well-intentioned employee caused a panic regarding a potential e-mail virus threat that turned out to be bogus. What's your experience of such attacks?

Fred Cohen: Many false positives exist. When you hear about a possible virus, it is usually prudent to check the web page of your anti-virus vendor. They will have a link to known false alarms.


Bethesda: How do I get rid of my browser's history?

Fred Cohen: Browser history and cache files are stored in files kept with the browser software. If you look through your disk, you will find a directory under netscape called Cache or some such thing and files with names like 'history' and so forth. Shut down your browser, delete the files, and restart.


Fairfax: We're going to develop our own Intranet. Now that the decision has been made, we want to get it up and running as quickly as possible, while enthusiasm is still high. For speed and ease of use, we've decided to employ Microsoft's FrontPage, but I've heard there are security issues with regard to FrontPage extensions. Can you please elaborate?

Fred Cohen: All technology carries risks and benefits. Frontpage has benefits in ease of use and risks as all software. It would take a lot of time to elaborate on risks associated with various products, so I will simply refer you to the CMU CERT

www.cert.org

If you look there, widely published large-scale vulnerabilities are listed for public consumption.

To do a good job of risk management requires a lot of time, effort and knowledge, and this only comes from experienced experts today. You might try to find one to help you if you have enough invested to make it worth your while.


St Petersburg, FL: Hi Fred! -from Barry Jones, Florida Power Corporation-

Given that there are a lot more nasty exploits out there than what's been seen with the recent DDoS attacks, what do you foresee as the greatest challenges for information security personnel for the rest of this year? Next year?

Thanks,
-Barry

Fred Cohen: I don't usually predict the future in this way. But I think it is clear we will see many more large-scale attacks with high impact reported in the media. The real challenge may be improving the way we do our work so that we are efficient and yet reasonably secure.


DC: Our company is considering setting up an office Intranet, and then expanding it to an Extranet. At the moment, we only have a peer-to-peer network. Most books on Internet security assume an expert level of knowledge. Can you briefly explain the basic security risks involved with installing a Web server so we can tackle each individually?

Fred Cohen: In your situation, I would almost certainly purchase access to a server from a major ISP. Have them host your web site and simply upload content as needed. Then, you don't have to be as much of an expert. As your needs expand, consider a good consultant.


Langley: Supposedly, the Web is going to allow us to get rid of the middleman and allow a free flow of goods and information. But aren't we just trading one intermediary for another? And, in the process, have we lulled ourselves into a false sense of security in not realizing that this new intermediary has an unprecedented depth of power on us, the things we are exposed to and ultimately the things we buy?

Fred Cohen: We are indeed just trading one intermediary for another.

I don't think I have a false sense of security, but I am certain that many people do.


Georgia: When Berkeley graduate students broke Netscape Navigator's security through its pseudo-random number generator -PRNG-, it made the front page of the New York Times. What is the role of pseudo-random number generators in encryption, and why are they called pseudo-random number generators anyway?

Fred Cohen: I like this question...

Encryption that is secure requires that something is very hard to guess. A random number selected from a large set of possible numbers is hard to guess because the likelihood of guessing it on each try is a function of the size of the total space of numbers you have to choose from. This is how you get a good key.

Unfortunately, computers are very deterministic - nothing really random happens at all if the designers did a good job. So we need to generate pseudo-random numbers - not really random, but with similar properties. Unfortunately, this is very hard to do well.



New york: I read an article a couple of months ago reporting on the theft of cargo caused by the use of EDI -Electronic Data Interchange- to automate the documentation involved in the movement and transfer of cargo between handlers. Any thoughts on how the security of such transactions can be improved?

Fred Cohen: Each system is unique in its security needs. Your specific question relates to integrity of data, and there are a lot of controls for integrity depending on the particulars of the situation. To get an idea of this, try:

http://all.net/ => New Security Database => Integrity

It lists these controls:

[Defense54 - accountability]
[Defense131 - adversary principle (GASSP)]
[Defense135 - alarms]
[Defense62 - analysis of physical characteristics]
[Defense32 - anomaly detection]
[Defense30 - audit analysis]
[Defense29 - auditing]
[Defense45 - augmented authentication devices time or use variant]
[Defense88 - authenticated information]
[Defense61 - authentication of packets]
[Defense47 - authorization limitation]
[Defense8 - automated protection checkers and setters]
[Defense35 - awareness of implications]
[Defense5 - background checks]
[Defense46 - biometrics]
[Defense57 - change management]
[Defense105 - Chinese walls]
[Defense49 - classifying information as to sensitivity]
[Defense120 - clear line of responsibility for protection]
[Defense123 - compliance with laws and regulations]
[Defense58 - configuration management]
[Defense91 - conservative resource allocation]
[Defense96 - content checking]
[Defense99 - deceptions]
[Defense129 - democracy principle (GASSP)]
[Defense72 - detailed audit]
[Defense13 - detection before failure]
[Defense87 - disable unsafe features]
[Defense75 - disconnect maintenance access]
[Defense118 - document and information control procedures]
[Defense60 - drop boxes and processors]
[Defense7 - effective mandatory access control]
[Defense76 - effective protection mind-set]
[Defense139 - environmental controls]
[Defense71 - Faraday boxes]
[Defense21 - fault isolation]
[Defense138 - filtering devices]
[Defense38 - financial situation checking]
[Defense56 - fine-grained access control]
[Defense39 - good hiring practices]
[Defense34 - improved morality]
[Defense65 - increased or enhanced perimeters]
[Defense102 - independent computer and tool use by auditors]
[Defense109 - independent control of audit information]
[Defense119 - individual accountability for all assets and actions]
[Defense74 - information flow controls]
[Defense116 - inspection of incoming and outgoing materials]
[Defense89 - integrity checking]
[Defense55 - integrity shells]
[Defense130 - internal control principle (GASSP)]
[Defense79 - inventory control]
[Defense10 - isolated sub-file-system areas]
[Defense53 - known-attack scanning]
[Defense37 - least privilege]
[Defense124 - legal agreements]
[Defense84 - limited function]
[Defense85 - limited sharing]
[Defense86 - limited transitivity]
[Defense59 - lockouts]
[Defense82 - locks]
[Defense111 - minimize traffic in work areas]
[Defense31 - misuse detection]
[Defense42 - multi-person controls]
[Defense43 - multi-version programming]
[Defense108 - numbering and tracking all sensitive information]
[Defense22 - out-of-range detection]
[Defense69 - path diversity]
[Defense98 - perception management]
[Defense36 - periodic reassessment]
[Defense134 - periods processing and color changes]
[Defense15 - physical security]
[Defense77 - physical switches or shields on equipment and devices]
[Defense112 - place equipment and supplies out of harms way]
[Defense25 - policies]
[Defense28 - procedures]
[Defense121 - program change logs]
[Defense104 - protection of data used in system testing]
[Defense16 - redundancy]
[Defense101 - regular review of protection measures]
[Defense140 - searches and inspections]
[Defense51 - secure design]
[Defense80 - secure distribution]
[Defense81 - secure key management]
[Defense83 - secure or trusted channels]
[Defense40 - separation of duties]
[Defense115 - separation of equipment so as to limit damage from local events]
[Defense41 - separation of function]
[Defense133 - simplicity principle (GASSP)]
[Defense27 - standards]
[Defense1 - strong change control]
[Defense48 - security marking and/or labeling]
[Defense117 - suppression of incomplete, erroneous, or obsolete data]
[Defense64 - tempest protection]
[Defense20 - temporary blindness]
[Defense52 - testing]
[Defense125 - time, location, function, and other similar access limitations]
[Defense9 - trusted applications]
[Defense78 - trusted repair teams]
[Defense97 - trusted system technologies]
[Defense17 - uninterruptable power supplies and motor generators]


Washington, DC: I've heard that you should never fill out and return one of those warranty cards. Whatever you bought is already covered by the warranty as long as you keep the receipt. Some of those cards ask stuff like your age, number of people in the house and how much you earn. Pretty intrusive don't you think?

Fred Cohen: When I fill out things like this, I usually only put in information I am willing to have published to the world.

You are not required to fill out anything like your age in order to get warranty service.


Prague, Czech Republic: Do you feel that Central & East European countries that are first round candidates for EU and NATO membership could be good potential partners in the fight against high-tech-aided crime and infowar originating from other regions? If so, why does it seem that so many US, and other foreign, IT vendors employ local managers that know so very little about these topics or show no real interest in such future-oriented topics -they don't tune into many known channels-? Can efforts to educate be stronger? And do managers in IT companies back in the US really care to become more informed of the threats and opportunities, in terms of high-tech-aided crime and infowar, emanating from Central & Eastern Europe?

Fred Cohen: I don't understand the politics of NATO membership, so I cannot really make intelligent commentary on this issue.

The Central and Eastern European nations are already partners with the rest of the world in fighting cybercrime - at least at the level of the police. Police from all over the world work together on criminal issues whenever they can help each other.

The reason so many know so little about this field is because the information age is just dawning. How many people knew about car engines and gas mileage impacts of different engines and fuels at the start of the automotive era?

I am trying hard to educate the educators so they can educate their students, but today we simply don't have enough expertise to go around.

You might like to look at:

www.cybercrime.org
www.newhaven.edu/california
www.search.org

and other sites where security education is done on a regular basis


Carlsbad, CA: How long have viruses existed?

Fred Cohen: Viruses have existed for billions of years.

Computer viruses were 'invented/discovered/named' in 1983.

For details:
http://all.net/ => Technical Safeguards => 1984: Computer Viruses - Theory and Experiments


Cyber Civil Defense Corps: The government tested many technology tools for law enforcement during the LEAA era and one of the greatest legacies of the Law Enforcement Assistance Administration was the professionalization of law enforcement through support of education for law enforcement. We are in "Internet time" in the battle against cybercrime. Is the government going to deploy lumbering bureaucratic Battleships in the war against cybercrime or Fast Frigates -swiftly tasked virtual teams- in the spirit of the legendary Admiral Grace Hopper?

Fred Cohen: I don't think that the real innovators will end up on top, but they will change the world and have satisfaction in this.


Washington, DC: Where do you think the greatest threat to privacy comes from--government or the private sector?

Fred Cohen: In my view, the private sector is a far greater threat to personal privacy today than the government - at least in the United States.


GMT -0500: Supercomputers for Public Safety:
You work around Supercomputers all the time at Sandia National Labs. Sandia's motto is "Exceptional Service in the National Interest". Why can't some of the power of these supercomputers be made available to help Cybercops in their battle against cybercriminals?

Fred Cohen: I am working hard to use parallel processing to help LE do its job. There are lots of political and financial limitations to the ability of LE to use high technology, but the primary issue I see as limiting is the lack of adequate trust in the local-level people to work the issues and collaborate to solve the big problems.


Dayton, Ohio: Why isn't the FBI hiring more qualified computer security experts who do not have their degree? I have been in the field for some time and started in Satellite and Digital Phone systems in the Army, then reclassified to Military Police. Yet can't even get an application looked at because I went into the Army at 17 and haven't had time to complete my degree. I have over 10 years communications experience and over 3 in computer security.

The entire DOD and numerous other top-level departments are not taking note. The only major Government agency that I have seen post a job description that didn't require a degree was the Department of Energy last November. Will we have to wait until our national security is compromised again before the other agencies wise up and hire the people who know their stuff? Isn't it still cheaper to the tax payers to hire someone rather than hire a consultant?

Thanks for your time...

Randy Hinders
MCT, MCSE, MCP+I & A+
Randyh-donet.com

Fred Cohen: The FBI cannot pay enough to get these people to work for them. They offer - in some cases - salaries in the $100,000 range - but an expert in this field can get $200,000 a year from companies and not have the serious difficulties associated with working for the government or the risks of being shot at.

Education is a requirement for much high-tech work today. Perhaps you could take a test and get an equivalency degree, then get a Masters at a University - although it seems like a lot of effort for a job that pays half as much as you might be able to get from industry already.

The US government is not very good at this sort of thing. And frankly, if our government were very aggressive in this way, I think there would be a lot of criticism to go along with the inevitable mistakes you make when you go as fast as you can like commercial companies do.



Wheaton, Md: Isn't the battle for privacy over by now? With social security numbers floating all the hell over the place, supermarket cards that tell marketers what we buy and personal data being sold left and right--well, this is one cat you can't shove back into the bag. Or do you disagree?

Fred Cohen: The battle has just begun. You would be surprised what can be shoved back with the threat of jail.


Springfield, Virginia: Who are the five most influential people in cybercrime technology? Why do you name them?

Fred Cohen: I don't know who is most influential in terms of creating technology for criminal use. I think that some of the emerging bad-guys supposedly turned good-guys are influential in terms of leading the criminal element, but you would have to ask the bad guys to get their view on it.


Tucson, AZ: How does the U.S. compare to other nations in developing comprehensive -electronic- privacy legislation? What efforts are being made in the US in this regard?

Fred Cohen: The EU is way ahead of the US in this arena. The US is still holding back on it as far as I can tell. Something about free trade vs. controlling the economy...


Scared to Death: I heard that Microsoft is planning to make the new Pentium with a special transmitter that will let them track you whenever you log on to the Internet.

Fred Cohen: Microsoft and products that run on their platforms already pass lots of information to their Internet sites. For example, one antivirus program sends detailed reports of every file it looks at to a web site - while Microsoft's audio/visual telecommunication product (I forget the name right now) sends registration information back to Microsoft.

Companies today assume that the web is a path from your computer to theirs and run information back and forth freely. So much for most firewalls.


Seattle, WA: What is the advantage of anonymous Web surfing? How is it done?

Fred Cohen: There are very few real advantages. Try:

www.anonymizer.com

You might try:

http://all.net/ => Press here to see if your DNS works.

It will tell you what your browser is giving away to the world and discuss some of the related issues.

Then, do the same thing through an anonymizer and see the difference.


Wash, DC: I've been getting more and more junk E-mail lately. Can you tell me where these spammers are getting my address, and is there anything I can do to protect my privacy?

Fred Cohen: They use lots of methods - including looking at postings to email lists, getting records from the InterNIC and so forth.
It is a big market.

Today there is little you can do to protect your privacy unless you are able to do some programming or run a system like Linux. You might try looking up 'spam filter' on your favorite search engine.

Of course the real change will come when we get the political will to outlaw SPAM... (the name for junk email)


Washington, DC: How is the sharing of demographic information gathered over the Internet different than information shared among marketing companies based on other kinds of purchases? My mailbox is full of catalogues from companies whose mailing lists I know I ended up on without my consent.

Fred Cohen: It is not fundamentally different, but because of the high volume and automation involved in information systems, far more information can be collected and analyzed far more quickly and used in real-time to put the right ad in front of the right face.


Doha, State of Qatar: I would like your views on the US Government's export restrictions on encryption code. It seems to me a short sighted view harmful to US based software developers. The technology will be developed by someone, why not by someone in the US?

Fred Cohen: I am opposed to this particular control because the technology is out there and we may as well profit from it. It is senseless that we cannot export something that we can import. It just sends money out of the nation and makes us fall behind the rest of the world in this area.

The other side has valid points, and I don't have time to debate them here, but this is my view on it.


NW DC: Do you foresee threats to privacy in employment and health insurance?

Fred Cohen: I think that the medical information bureau is one of the biggest threats to personal privacy that there is. It was here 20 years ago - and we still haven't addressed the issue very well.


Las Vegas: A lot of Web businesses are offering "personalized" service, which requires that they gather information about each customer. Do you see a conflict between personalization and privacy?

Fred Cohen: Yes - they are in direct conflict. Anything 'personalized' is - by definition - impinging on 'privacy'. The question is - where do we set the threshold?


Mexico, Mexico D.F.: When you download an update for an antivirus pattern, this file could be infected? Thanks.

Fred Cohen: When you use a product from a vendor, you are trusting the vendor. Every download you are trusting them again - as well as the infrastructure between you and them. The pattern files don't normally contain information that can be interpreted so as to cause harm, but I wouldn't say it is universally impossible. Updating software remotely is a big hazard - and a great feature.


Iowa City Iowa: Is there software that will thwart someone from hacking in on my cable modem, which I always leave on?

Fred Cohen: There is hardware - disconnect it.

There are personal firewalls - search the web for 'personal firewalls' and you should get lists of them.


Dulles: Recently, I saw an advertisement for data loss insurance. Our company doesn't have the resources to hire our own security specialist, and I wondered if you thought some form of insurance against a network break in is a good idea?

Fred Cohen: Insurance companies make money by taking risks you cannot afford to take. Decide whether you can afford to take the risks yourself and if you think the insurance is worth the price, go for it.


DC: Rumor has it that in my government office all of the work we do on our computers is observed-recorded by software managed by our technical department. While I never do anything that would be considered embarrassing, I work with very confidential material which could prove uncomfortable for others. Without reformatting my HD how can I locate and disable this access? I figure if my tech guys can observe me -not just PC Anywhere- then someone else and unwanted most certainly could.

Fred Cohen: That is a hard task indeed. You need to get an expert to figure out a viable solution for your entire organization. In my case, I have a 'company' computer where they do their thing - and an isolated computer where I keep confidential information - not connected to the network at all.


Alexandria: Our company has grown very quickly in the last 18 months, thanks to our e-commerce site. Unfortunately, our LAN security has been badly neglected during this time as we rushed to meet the demands of increased sales. We're now in the process of preparing a security plan. Any pointers on how to go about this would be gratefully received.

Fred Cohen: You might start reading the information at:
http://all.net/

=>Managing Network Security
=> Protection Standards
=> Documentation
=> Technical Safeguards

These have lots of useful information that will help you get started.


Sunnyvale, CA: Which features define a good firewall, especially for small-medium businesses?

Fred Cohen: Features do not define a good firewall. The thing that makes a firewall good is the people who operate it.


NY, NY: Our company has five offices spread over New York state. Up until now, we've used couriers and, more recently, PGP e-mail to send documents back and forth. We're currently considering networking the offices to make a wide area network -WAN- and would appreciate your views on the security of the protocols used in a Virtual Private Network.

Fred Cohen: This question is too complex to answer without a lot of detailed information about the threat, vulnerabilities, and consequences that are specific to your situation.

Risk management is the issue here.


Largo, MD: Being concerned about security, I purchased InternetAlert'99 from Bonzi.com software. This alerts and logs attacks on my computer. Well, I was more than surprised at the number of attacks and went to the site recommended to find out the identity of the intruder's ISP. Each time, no such address could be found. I am presently on a phone line with modem, but plan to go to a cable connection when available in my area. Should I disconnect from the cable access after each use? The number of attacks is disturbing, as well as the fact that they cannot be identified. The attacks are coming through my Internet service provider's server, I presume. Can they prevent these attacks? This seems to be a more serious problem than many people realize, and serious harm could be caused if the attackers got into the computer.

Fred Cohen: Unless you know what you are doing in terms of system security, you should disconnect the cable modem from your computer when you are not using the Internet.

Your ISP is unlikely to be able to prevent these attacks because the very features that make the Internet worth using make it insecure.


Rosslyn, VA: What is P3P?

Fred Cohen: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification


washingtonpost.com: Much thanks to Fred for taking time to be with us today.




© Copyright 2000 The Washington Post Company

   