Date: Fri, 30 Jul 93 16:29:05 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V3#006

Computer Privacy Digest      Fri, 30 Jul 93      Volume 3 : Issue: 006

Today's Topics:                              Moderator: Dennis G. Rears

        Re: First Person broadcast on privacy
        Re: First Person broadcast on privacy at work
        Final program for 5th Incident Response Workshop

   The Computer Privacy Digest is a forum for discussion on the effect
   of technology on privacy.  The digest is moderated and gatewayed
   into the USENET newsgroup comp.society.privacy (Moderated).
   Submissions should be sent to comp-privacy@pica.army.mil and
   administrative requests to comp-privacy-request@pica.army.mil.

   Back issues are available via anonymous ftp on ftp.pica.army.mil
   [129.139.160.133].

----------------------------------------------------------------------

From: Todd Jonz
Subject: Re: First Person broadcast on privacy
Date: 28 Jul 1993 23:53:58 GMT
Organization: Sun Microsystems, Inc.

Kevin Calmes writes:

> What did you think of last night's Maria Schriver story about privacy
> in the workplace?  I thought the thing about private e-mail was a
> bit of a stretch.  After all it is the employer's computer and it is
> the employer's right to know what is there.  Simply, don't put your
> private information in the company's computer.

I agree with your basic premise that all company resources belong to
the company, may only be used as sanctioned by the company, and may be
monitored, accessed, and controlled as deemed appropriate by the
company.  However I find it difficult to apply a common standard to
seemingly similar situations.  If we assume, for sake of argument, that
it's acceptable for my employer to monitor and access my "private"
e-mail, then:

  o  Is it also acceptable for my employer to monitor my telephone
     calls as well?  It is, after all, their telephone, and they put it
     on my desk for business use.  Does this then give them the right
     to monitor my calls, with or without my knowledge?

  o  How about voice mail?  Isn't voice mail the moral equivalent of
     e-mail that just uses an alternate storage and I/O format?  Should
     different rules apply to voice mail and e-mail?

  o  Let's go to the limit: when the mail robot stops by and I drop a
     bill payment in the "Outbound" box, does my company have the right
     to open it?  (Please, debate the ethics, not the legalities; I'm
     not sure when the mail in this box formally becomes U.S. Mail with
     which it would be illegal to tamper.)

  o  How does the previous example change if the "Outbound" box is, by
     policy, for business related mail only, but I ignore policy and
     use it for personal use?  Have I relinquished any rights?

I'm not as interested in who has what rights as I am in how anyone can
justify applying *different* policies for these various scenarios.  It
seems to me we need a single, consistent policy that covers all these
bases.

-- Todd

------------------------------

From: "Glenn R. Stone"
Subject: Re: First Person broadcast on privacy at work
Date: Wed, 28 Jul 93 22:08:04 PDT

In David Hoffman writes:

>I thought Schriver's piece was a little alarmist and sensational -
>she made every attempt to convey the message that "big brother is
>watching and you can't trust anyone - especially your employer".

I didn't see the show (I don't watch network tv anymore, not even
FOX... I watch TBS, PBS, and the two independent stations here in town.
All broadcast, all free, .... and I digress.) but I think that
viewpoint is right on the nose.  There are those in another department
at my work who, I am told by sources I trust, go snooping where they
don't belong... and seem to do so with relative impunity.

>Not once did she mention anything about encryption, which I think
>would have given the stories a very different slant.  It's quite a
>trip from "your boss can and will scrutinize every word you type
>and there's nothing you can do about it" to "the wires aren't
>bug-proof, but you can still make the message private".  I guess
>it's more dramatic television if you just ignore the fact that
>there are solutions.

True, and true.  However, some folk don't have access to the necessary
compilers, some folk wouldn't know where to begin if they did, some
folks' employers would probably go ballistic if the employees started
sending encrypted mail even between officemates, never mind offsite,
and some folk just need to be alerted that the spooks really are out
there right now and that healthy paranoia is just that.

As for me, I resorted to several approaches.... the most extreme of
which is actually one of the simplest: I'm paying a commercial provider
for this account and keeping my employer totally out of the loop.
Twenty bucks a month is a small price to pay for being able to say what
I want and not have to worry about prying fingers.

Granted that, as much network TV does, it leaves out the solution and
only succeeds in crying about the problem, methinks from what has been
written here that for once, the networks have done us a service by
simply alerting the general public to the problem.  Maybe instead of
taking preventative measures, the masses might generate enough outcry
to eliminate the problem, rather than merely providing a solution.  We
can only hope.

taliesin
taliesin@netcom.com

------------------------------

Date: Thu, 29 Jul 1993 12:10:18 -0500
Subject: Final program for 5th Incident Response Workshop
From: Gene Spafford
Organization: FIRST Steering Committee

This is the final program for the upcoming workshop.  We have a
first-rate agenda of speakers from around the world on incident
response & security.

To answer two common questions:

1) It is still possible to register for the workshop, although it is
   at the higher rate.  The hotel still has rooms available.
   Registration at the door will be possible, but you may not be able
   to get copies of the handouts on-site unless you pre-register.

2) St. Louis is not underwater....at least the workshop hotel and
   airport are not.  A message from the St. Louis convention bureau is
   at the end of this announcement describing conditions.

Please pass this on to anyone interested!

--gene spafford
Workshop Program Co-chair


                              FINAL AGENDA

             5th Computer Security Incident Handling Workshop

   Sponsored by the Forum of Incident Response and Security Teams (FIRST)

                            August 10-13, 1993
                              St. Louis, MO


TUESDAY, August 10, 1993

Full-day Tutorials

1. Creating a Security Policy, presented by Charles Cresson Wood:
   Independent Information Security Consultant, Sausalito, California

   Based on his information security consulting work with over 80
   organizations, Wood will discuss the practical aspects of
   information security policies.  He will draw heavily from his third
   book, entitled "Information Security Policies Made Easy," which
   contains 525 already-written policies.  His presentation will cover
   risk assessments, the role of policies, policy needs analysis,
   policy writing, management approval, policy issuance, user training,
   proper uses of automated and manual controls, and policy
   enforcement.  The intention of the workshop will be to acquaint
   attendees with the need for policies, how they are best used, and
   how to handle policies in-house (avoiding the need to hire a
   consultant).  Wood will also discuss how policies can help move an
   information security effort ahead with velocity while at the same
   time keeping security costs down.  Special attention will be paid to
   the people aspects of information security policies.  The workshop
   will end with critiques of the policy statements brought by
   attendees (so bring your policies).

2. Vulnerabilities of the IBM PC Architecture: Virus, Worms, Trojan
   Horses, and Things That Go Bump In The Night, presented by
   A. Padgett Peterson:

   An intensive look into the architecture of the IBM-PC and MS/PC-DOS
   -- what it is and why it was designed that way.  An understanding of
   assembly language and the interrupt structure of the Intel 80x86
   processor is helpful.  The day will begin with the BIOS and what
   makes the PC a fully functional computer before any higher operating
   system is introduced.  Next will be a discussion of the various
   operating systems, what they add and what is masked.  Finally, the
   role and effects of the PC and various LAN configurations
   (peer-peer and client server) will be examined with emphasis on the
   potential protection afforded by login scripting and RIGHTS.  At
   each step, vulnerabilities will be examined and demonstrations made
   of how malicious software exploits them.  Demonstrations may include
   STONED, MICHELANGELO, AZUSA, FORM, JERUSALEM, SUNDAY, 4096, and
   EXEBUG viruses depending on time and equipment available.  On
   completion attendees will understand the vulnerabilities and how to
   detect attempted exploitation using simple tools included with DOS
   such as DEBUG and MEM.

3. Unix Security, presented by Matt Bishop:

   This tutorial will examine four areas of security critical to the
   functioning of UNIX systems:

   * user authentication, which provides the first line of defense
     against attackers attempting to penetrate the system;

   * management of privileges, and managing access to the superuser
     account as well as programming for security;

   * defending against malicious logic, which will include a discussion
     of the workings of the Internet worm of November 1988, and several
     techniques for detecting malicious logic as well as blocking its
     effects; and

   * networking, covering the security mechanisms available in NIS,
     NFS, privacy-enhanced electronic mail, and Kerberos, as well as
     the Berkeley "trusted hosts" mechanism, Secure RPC, the network
     daemons and calls used by Berkeley's implementation of rlogin,
     rsh, and their kin, and (if time permits) both HoneyDanBer and
     4.3 BSD UUCP.


WEDNESDAY, August 11, 1993

 8:30 -  8:45  Opening Remarks - Rich Pethia - CERT Coordination Center

 8:45 -  9:30  Keynote Speaker - Dr. Vinton Cerf - Corporation for
               Research Initiatives

 9:30 - 10:00  Break

10:00 - 12:00  International Issues - Computer networks and
               communication lines span national borders.  This session
               will focus on how computer incidents may be handled in an
               international context, and on some ways investigators can
               coordinate their efforts.

               SPEAKERS:  Harry Onderwater - Dutch Federal Police
                          John Austen - New Scotland Yard
                          John Neily - Royal Canadian Mounted Police

12:00 -  1:30  Lunch with Presentations by various Response Teams

 1:30 -  3:00  Professional Certification & Qualification - How do you
               know if the people you hire for security work are
               qualified for the job?  How can we even know what the
               appropriate qualifications are?  The speakers in this
               session will discuss some approaches to the problem for
               some segments of industry and government.
               SPEAKERS:  Sally Meglathery - ISC2
                          Lynn McNulty - NIST
                          Genevieve Burns - ISSA

 3:00 -  3:30  Break

 3:30 -  6:00  Incident Aftermath and Press Relations - What happens
               after an incident has been discovered?  What are some of
               the consequences of dealing with law enforcement and the
               press?  This session will feature presentations on these
               issues, and include a panel to answer audience questions.

               SPEAKERS:  Laurie Sefton - Apple Computer
                          Jeffrey Sebring - MITRE
                          Terry McGillen - Software Engineering Institute
                          John Markoff - NY Times
                          Mike Alexander - InfoSecurity News

 7:00 -  9:00  Reception


THURSDAY, August 12

 8:30 - 10:00  Preserving Rights During an Investigation - During an
               investigation, sometimes more damage is done by the
               investigators than from the original incident.  This
               session reinforces the importance of respecting the
               rights of victims, bystanders, and suspects while also
               gathering evidence that may be used in legal or
               administrative actions.

               SPEAKERS:  Mike Godwin - Electronic Frontier Foundation
                          Scott Charney - Department of Justice
                          Frank Dudley Berry Jr. - Deputy District
                            Attorney, Santa Clara County

10:00 - 10:30  Break

10:30 - 12:00  Coordinating an Investigation - What are the steps in an
               investigation?  When should law enforcement be called in?
               How should evidence be preserved?  Veteran investigators
               discuss these questions.  A panel will answer questions,
               time permitting.

               SPEAKERS:  Jim Settle - FBI
                          Jack Lewis - US Secret Service
                          John Smith - Santa Clara DA's office

12:00 -  1:30  Special Interest Lunch

 1:30 -  3:00  Liabilities and Insurance - You organize security
               measures but a loss occurs.  Can you somehow recover the
               cost of damages?  You investigate an incident, only to
               cause some incidental damage.  Can you be sued?  This
               session examines these and related questions.

               SPEAKERS:  Mark Rasch - Arent Fox
                          Bill Cook - Willian, Brinks, Olds, Hoffer, &
                            Gibson
                          Marr Haack - USF&G Insurance Companies

 3:00 -  3:15  Break

 3:15 -  5:30  Incident Role Playing -- An exercise by the attendees to
               develop new insights into the process of investigating a
               computer security incident.  Organized by Dr. Tom
               Longstaff of the CERT Coordination Center.

 7:30 -  ?     Birds of a Feather and Poster Sessions


FRIDAY, August 13

 8:30 - 10:00  Virus Incidents - How do you organize a successful virus
               analysis and response group?  The speakers in this
               session have considerable experience and success in doing
               exactly this.  In their talks, and subsequent panel, they
               will explain how to organize computer virus response.

               SPEAKERS:  Werner Uhrig - University of Texas, Austin
                          David Grisham - University of New Mexico
                          Christoph Fischer - CARO
                          Karen Pichnarczyk - LLNL/DoE CIAC

10:00 - 10:15  Break

10:15 - 11:15  Databases - How do you store incident, suspect, and
               vulnerability information safely, but still allow the
               information to be used effectively?  The speakers in this
               session will share some of their insights and methods on
               this topic.

               SPEAKERS:  John Carr - CCTA
                          Michael Higgins - DISA/CISS

11:15 -  1:00  Threats - Part of incident response is to anticipate
               risks and threats.  This session will focus on some
               likely trends and possible new problems to be faced in
               computer security.

               SPEAKERS:  Karl A. Seger - Associate Corporate
                            Consultants, Inc.
                          Craig Worstel - Boeing
                          Genevieve Burns - Monsanto

 1:00 -  1:10  Closing Remarks - Dennis Steinauer (NIST/FIRST)

 1:10 -  2:00  Lunch

 2:00 -  3:00  FIRST General Meeting and the Steering Committee Elections

 3:00 -  4:00  FIRST Steering Committee Meeting


^^^^^^^^^^^^^^^^^^^^Registration Information/Form Follows^^^^^^^^^^^^^^^^^^^^

INQUIRIES:

Direct questions concerning registration and payment to:
    Events at 412-268-6531

Direct general questions concerning the workshop to:
    Mary Alice "Sam" Toocheck at 214-268-6933
    st@cert.org

Return to:  Helen E.
            Joyce
            Software Engineering Institute
            Carnegie Mellon University
            Pittsburgh, PA 15213-3890
            Facsimile: 412-268-7401

TERMS:

Please make checks or purchase orders payable to SEI/CMU.  Credit cards
are not accepted.  No refunds will be issued; substitutions are
encouraged.  The registration fee includes materials, continental
breakfast, lunches (not included on August 13), morning and afternoon
breaks and an evening reception on August 11.

GOVERNMENT TERMS:

If your organization has not made prior arrangements for reimbursement
of workshop expenses, please provide authorization (1556) from your
agency at the time of registration.

GENERAL REGISTRATION INFORMATION:

Workshop................................................$300.00
All registrations received after July 10, 1993..........$350.00
Tutorial................................................$190.00

NAME:
TITLE:
COMPANY:
DIVISION:
ADDRESS:
ZIP:
BUSINESS PHONE:
EMERGENCY PHONE:
FACSIMILE NUMBER:
E-MAIL ADDRESS:
DIETARY/ACCESS REQUIREMENTS:

CITIZENSHIP:

Are you a U.S. Citizen?  YES/NO
Identify country where citizenship is held if not the U.S.:

(Note: there will be no classified information disclosed at this
workshop.  There is no attendance restriction based on citizenship or
other criteria.)

GENERAL HOTEL INFORMATION:

RATES: A block of rooms has been reserved at the Hyatt Regency at Union
Station, One St. Louis Union Station, St. Louis, Missouri 63103.  The
hotel will hold these rooms until July 10, 1993.  Hotel arrangements
should be made directly with the Hyatt, 314-231-1234.  To receive the
special rate of $65.00 per night, please mention the Fifth Computer
Security Incident Handling Workshop when making your hotel
arrangements.

ACCOMMODATIONS: Six-story hotel featuring 540 guest rooms, including 20
suites.  All rooms have individual climate control, direct-dial
telephone with message alert, color TV with cable and optional pay
movies.  Suites available with wet bar.  Hotel offers three floors of
Regency accommodations, along with a Hyatt Good Passport floor, and a
special floor for women travelers.

LOCATION/TRANSPORTATION FACTS: Downtown hotel located in historic Union
Station one mile from Cervantes Convention Center and St. Louis
Convention Center and St. Louis Arch.  Fifteen miles (30 minutes) from
St. Louis Zoo.

DINING/ENTERTAINMENT: Italian cuisine is featured at Aldo's, the
hotel's full-service restaurant.  Enjoy afternoon cocktails in the
Grand Hall, an open-air, six-story area featuring filigree work, fresco
and stained glass windows.  The Station Grille offers a chop house and
seafood menu.

RECREATIONAL/AMUSEMENT FACILITIES: Seasonal outdoor swimming pool.
Full health club; sauna in both men's and women's locker rooms.
Jogging maps are available at the hotel front desk.

SERVICES/FACILITIES/SHOPS: Over 100 specialty shops throughout the
hotel, including men's and women's boutiques, children's toy shops and
train stores.

==================================================

July 19, 1993

TO:    Meeting Planner
FROM:  St. Louis Convention & Visitors Commission
RE:    Flooding

The ongoing Midwest flooding along the Mississippi River obviously is a
great and unfortunate drama--and we in no way seek to minimize the
tragedy of loss of lives, homes and businesses.  However, in the midst
of national media coverage of flooding above and below St. Louis,
people are being left with the impression that St. Louis itself is
under water.

The St. Louis Convention & Visitors Commission's telephone lines are
constantly busy as our information specialists answer calls from
anxious travelers who have made plans to visit St. Louis this summer.
They wonder if the Arch is "OK," if Union Station is "submerged" as
they have heard, and where the Cardinals will be playing baseball if
Busch Stadium is under water!  We're doing our best to battle these and
other misperceptions, but your help would be greatly appreciated in
getting the word to your readers.

Here's the truth: A visitor to St. Louis will be able to do everything
he could have done before the floods (see baseball games, ride to the
top of the Arch, enjoy dockside riverboat gaming, visit the brewery,
zoo, art museum, etc...) with the exception of taking Mississippi River
sightseeing cruises.  And all highway access to St. Louis is clear and
open.  The flood crested today, and the waters are beginning to recede.

So, as you can see, it is a battle of perception versus reality in
St. Louis' hospitality industry.  If you're interested in talking about
this aspect of the flood, please contact the Convention Services
Department at 1-800-325-7962.

Thanks very much for the consideration.

ST LOUIS CONVENTION & VISITORS COMMISSION
10 SOUTH BROADWAY, SUITE 1000
ST. LOUIS, MISSOURI 63102
(314) 421-1023
(800) 325-7962
FAX (314) 421-0039

------------------------------

End of Computer Privacy Digest V3 #006
******************************