REPORT DOCUMENTATION PAGE (SF 298)

Report date: Summer 2000
Report type and dates covered: Newsletter, Vol. 3, No. 3
Title and subtitle: IAnewsletter: The Newsletter for Information Assurance Technology Professionals
Author: Information Assurance Technology Analysis Center
Performing organization: IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church, VA 22042
Sponsoring/monitoring agency: Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd., Suite 944, Ft. Belvoir, VA 22060
Distribution statement: Approved for public release; distribution is unlimited (Distribution Code A)
Abstract: IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DOD-sponsored Information Analysis Center administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Featured in this issue: Support in a Coalition Environment; JFCOM's Coalition Interoperability Solution; EUCOM's Information Assurance Conference; JTF-CND Intelligence Support; ZENITH STAR 99-1; The Next Generation of Warfare; The Burning Zone:
Containing Contagion in Cyberspace; Computing on the Virtual Border: .mil meets .edu.
Subject terms: Information Security, Information Assurance, Interoperability, Cyberspace
Number of pages: 35
Security classification of report, this page and abstract: Unclassified. Limitation of abstract: None.

On the cover: The Hexagon, a U.S. Joint Forces Command solution to coalition interoperability.

Contents

The Hexagon: A U.S. Joint Forces Command Solution to Coalition Interoperability, Mr. Craig Vroom and Mr. Allan H. McClure
USEUCOM Information Assurance Conference, Mr. Kent Waller

IA Initiatives
JTF-CND Intelligence Support, CDR Robert D. Gourley, USN
ZENITH STAR, MAJ Gerald Burton, USA, and Mr. Richard Phares
Distributed Denial of Service Tools, Brian Dunphy, USAF
Air Force Materiel Command's Information Defense, Col Kevin J. Kirsch, USAF
Information Assurance: The Army Prepares for the Next Generation of Warfare, MAJ Robert Turk, USA, and CPT Shawn, USA
The Burning Zone: Containing Contagion in Cyberspace, COL John C. Deal, USA, MAJ Gerrie A. Gage, USA, and Ms. Robin Schueaemaa
Computing on the Virtual Border: .mil meets .edu, LTC Eugene K. Ressler, USA, and COL Clark K. Ray, USA
In Pursuit of the Trustworthy Enterprise, Mr. Sean P. O'Neil

In each issue: Robert P. Thompson; Products; IATAC Product Order Form; Calendar of Events (back cover)

IAnewsletter, Volume 3, Number 3

Editors: Robert P. Thompson, Robert J. Lamb
Creative Director: Christina P. McNemar
Information Processing: Robert L. Weinhold
Information Collection: Alethia A. Tucker
Inquiry Services: Peggy O'Connor
Contributing Editor: Martha Elim

IAnewsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). IATAC is a DOD-sponsored Information Analysis Center administratively managed by the Defense Technical Information Center (DTIC), Defense Information Systems Agency (DISA). Inquiries about IATAC capabilities, products and services may be addressed to Robert P. Thompson, Director, IATAC, 703-289-5454. We welcome
your input. To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact IATAC, ATTN: Christina P. McNemar, 3190 Fairview Park Drive, Falls Church, VA 22042. Phone: 703-289-5454. Fax: 703-289-5467. STU-III: 703-289-5462. E-mail: iatac@dtic.mil. Cover and newsletter designed by Christina P. McNemar. Distribution Statement A: Approved for public release; distribution is unlimited.

The Hexagon: A U.S. Joint Forces Command Solution to Coalition Interoperability
Mr. Craig Vroom and Mr. Allan H. McClure

"Successful completion of the project will require careful transition from risk avoidance to risk management in the way classified information is managed and safeguarded." Admiral Harold Gehman, Commander in Chief, United States Joint Forces Command

Support to coalition operations in the future is an information assurance challenge today. Since 1994, little has changed in the methods and mechanisms we use to provide information to our allied partners. As each coalition operation (Haiti, Somalia, Bosnia, Kosovo) comes and goes, the lessons-learned statements always cry for improved interoperability within the coalition. The requirements are well documented throughout the Department of Defense (DOD). Even Joint Vision 2010, the DOD road map for the future, states: "It is not enough to be joint when conducting future operations. We must find the most effective methods for integrating and improving interoperability with allied and coalition partners." True interoperability with our allied partners will come only after we have an information exchange system designed from the ground up for use by coalition forces.

Colonel Dennis Treece's article in the Spring 1999 IAnewsletter was right on target in describing the shortcomings and challenges of releasing and disseminating classified military information to our multinational partners in a coalition environment. As Colonel Treece says, the really hard part, the "Achilles heel" of coalition information sharing, is the mechanism by which any
nation transfers information outside its own system. Because of valid security policy restrictions, we are not allowed to connect our Defense networks to multinational networks, thus creating the need for "sneaker nets": literally running the releasable information from the US side across an air gap to the multinational side. Anyone who has experienced the pain of this method knows its difficulties and limitations. In 1994 those of us in US Atlantic Command had our turn when we provided information support to the 29 countries involved in Haiti peace operations.

U.S. Joint Forces Command (USJFCOM), formerly US Atlantic Command, is responsible within DOD for joint task force (JTF) interoperability. At Joint Forces Command we have embarked on building a system for secure information exchange. It is called the Coalition Multilevel Security (MLS) Hexagon Prototype, or CMHP. The CMHP is composed of six functions that will allow us to exchange information with our allies in a secure, flexible manner.

Side 1 of the Hexagon (Figure 1), Marking Standards, uses the classification and control marking standards adopted by the US intelligence community. These standards were coordinated by the Controlled Access Program Coordinating Office (CAPCO) and continue to be fine-tuned by CAPCO as required.

Side 2 of the Hexagon is called Document Marking, which is designed to implement human-readable markings. Basically, this software enables the information originator to mark Microsoft Word, PowerPoint and Excel documents in accordance with the CAPCO and Executive Order 12958 standards. The marking is a simple operation done with the point and click of a mouse and made still easier by pull-down menus that provide choices for basic classification, caveats and release-to options for countries, coalitions, operations, organizations and exercises. Once the document is marked, it is then transformed into a computer-readable label (side 3 of the Hexagon). A digital signature attaches the label to the document, which is then sent to the Coalition Server, an Oracle 8 relational database management system.

Figure 1. Coalition MLS Hexagon Prototype

Hexagon's side 4, Personal Authentication, is the linchpin of the CMHP. A personal token called a Hexcard allows us to identify the user and all of his or her security attributes. Much as an automated teller machine (ATM) card does, the Hexcard will store a user's fingerprint template and a credential set based on his or her clearance levels, citizenship and need-to-know roles. Hexcards will be inserted into workstation smart-card readers to identify the user to the system.

Side 5 of the Hexagon is the hardware, including NT workstations, fingerprint scanners and smart-card readers, required for the CMHP.

Hexagon's side 6 is Security Management. A special security officer must be assigned to coordinate system security requirements, issue Hexcards to CMHP participants, understand the information assurance requirements and monitor the system for improper attempts to access data.

The Hexagon concept provides the flexibility required in coalition-supported joint task force operations by protecting the object rather than the network. This is the key difference between CMHP and other multilevel security (MLS) solutions. Using object protection, we can compare the security attributes of an individual with the labels on the objects that reside in the server. If the individual's attributes satisfy the object's label, the coalition participant can retrieve the document.

The CMHP will be tested and demonstrated at the Joint Battle Center (JBC) in Suffolk, Virginia, in May 2000. The objective of the demonstration will be to bring existing technologies together to allow users with different clearance levels from different countries to use the same local area network and gain access only to information they are authorized to see. After the concept is
demonstrated, the Joint Battle Center will provide an independent assessment of the system's military utility. The ultimate goal of the Hexagon is to provide the joint task force commander a tool that increases the effectiveness of communications with allied or interagency forces.

Mr. Craig Vroom is the International Programs Branch Chief at US Joint Forces Command, located in Norfolk, Virginia. He has an undergraduate degree in Computer Science from San Diego State University and is currently participating in DoD's Defense Leadership and Management Program (DLAMP). You may reach him via e-mail at vroom@jlic.jfcom.mil.

Mr. Allan McClure is a Lead Engineer supporting the US Joint Forces Command Director for Intelligence. During the last seven years he has helped in the implementation of Intelink and developed a collaborative architecture for the Non-Proliferation Center, a Director of Central Intelligence (DCI) controlled activity. He may be reached at amcclure@mitre.org.

Figure 2. CMHP HexCard

USEUCOM Information Assurance Conference
Mr. Kent Waller

Brigadier General Charles E. Croom, a director at United States European Command, hosted USEUCOM's first Information Assurance Conference, 30 November to 2 December 1999, at the Abrams Center in Garmisch-Partenkirchen, Germany. The conference had three purposes:

- To present pressing information assurance (IA) issues and review associated IA products
- To foster teamwork and synergy among key IA players in the theater
- To provide the latest IA informational updates for theater IA personnel

Framework

The conference attracted a total of 162 people representing Headquarters (HQ) USEUCOM, US Army Europe (USAREUR), US Air Forces Europe (USAFE), US Naval Forces Europe (USNAVEUR), Marine Forces Europe (MARFOREUR), Special Operations Command Europe (SOCEUR), the Defense Information Systems Agency (DISA), the National Security Agency (NSA) and other commands such as US Special Operations Command (USSOCOM), US Pacific Command (USPACOM) and US Central Command (USCENTCOM), as well as several other DOD agencies involved in USEUCOM IA.

By design, all levels of IA professionals, from enlisted to general officer grades, participated in the sessions. This arrangement ensured expression of various viewpoints at the forum and enabled individuals with hands-on working experience to interact directly with policy makers at the highest levels.

Each morning's general session started with a senior-level keynote address. The speakers were Brigadier General Gary Salisbury; Mr. Richard Schaeffer, Office of the Secretary of Defense (OSD), Command, Control, Communications and Intelligence (C3I); and Mr. Orville Lewis, DDI Chief of Staff. All addresses were followed by extended question-and-answer sessions that immediately indicated a very high level of interest in the rapidly developing IA field.

Immediately following the keynote addresses were general session presentations from theater-specific IA leaders. A total of six speakers, two per day, from USNAVEUR, HQ USEUCOM, USAREUR, USAFE and the North Atlantic Treaty Organization (NATO) presented issues and fielded questions.

The afternoons were divided into three in-depth breakout tracks in the areas of operations, computer security (COMPUSEC) and communications security (COMSEC). These sessions were smaller in number of participants, more technical and more discussion-oriented than the general sessions. Operations discussions focused primarily on lessons learned from Kosovo operations and plans for future support. COMPUSEC participants dealt with information assurance vulnerability alert (IAVA) issues and discussed the technical details of dealing with theater-specific threats. The COMSEC sessions, which were often filled to capacity, explored the areas of key management infrastructure, Secure Terminal Equipment (STE) migration, Defense Message System (DMS) fielding and Global Broadcast Service (GBS) fielding.
Selected special session presenters were invited to display products and services particularly associated with USEUCOM IA issues.

Theater Action Team

To ensure meaningful conference results, a Theater Action Team (TAT) was formed. Composed of key IA decision makers in the USEUCOM theater and chaired by Brigadier General Croom, the TAT met each evening to review and debate the many issues raised by the breakout tracks. After narrowing the number of issues, the team selected 20 action items, ranked each item's priority as high, medium or low, and assigned each action to an office of primary responsibility (OPR) with a deadline for accomplishment.

The TAT results were extremely well received by all conference participants. As a result of its success, the conference has led to the development of a new European Information Assurance Steering Council, composed of senior IA leaders and aimed at providing continuing, unified guidance to theater IA personnel.

Additional information

All conference materials, including the TAT action items, attendee lists and briefings, are available for download from the HQ USEUCOM SIPRNET Web site. The office with primary responsibility for the conference was the HQ USEUCOM C3I Directorate's Defensive Information Warfare Division, directed by Col LaForrest Williams, US Air Force (USAF). On behalf of Brigadier General Croom, this group extends appreciation to all the speakers who made the conference a success.

Mr. Kent Waller is an Information Assurance Program Manager for HQ United States European Command. He earned his BS in Engineering from the University of Oklahoma in 1986 and his Master of Public Administration from the University of Oklahoma in 1990. He may be reached at

JTF-CND Intelligence Support
CDR Robert D. Gourley, USN

The Joint Task Force for Computer Network Defense (JTF-CND) is a new organization with a new mission: to direct the defense of all Department of Defense (DOD) computers and networks, and the information that moves in them, from any threat, foreign or domestic. Our
intelligence (J2) role on this team resembles any other JTF-level intelligence effort. That mission is to provide the commander, the JTF-CND staff and assigned components with all-source, fused, predictive intelligence on enemy locations, capabilities and intentions. The CND J2 must understand the enemy in cyberspace and must provide decision-makers with the actionable intelligence required to support defensive operations.

That task is easier said than done. Those who choose to attack or exploit our information systems operate with great anonymity in globally interconnected networks. Additionally, our adversaries are armed with software tools that strike at the speed of light and use tactics that are hard to detect in the noise of the net.

Finding the enemy in cyberspace is also complicated by the nature of this new terrain. There are few useful charts by which to orient us and little agreement on what the concept of cyberspace means. Perhaps the most useful definition remains William Gibson's original explanation of the term: "Cyberspace. A consensual hallucination experienced daily by ... unthinkable complexity." Try visualizing enemy locations in that.

The adversary may be a terrorist attempting to attack Department of Defense (DOD) networks to draw attention to a cause or to slow our response to an act of physical terror. Threats also come from espionage agents seeking to acquire sensitive but unclassified information for use by a foreign state or criminal organization. We may soon face nation-state adversaries in cyberspace who seek military advantage, possibly by attacking our combat support infrastructure or, in perhaps the most insidious attack, by attempting to manipulate the perceptions of senior DOD decision makers.

Although the computer network defense intelligence problem is complex and relatively new, developing intelligence tactics, techniques and procedures (TTP) has been simple and straightforward. We have based most of our TTPs on the existing
playbook for JTF intelligence support, the Joint Staff's Joint Doctrine for Intelligence Support to Operations (Joint Pub 2-0). Using intelligence doctrine as the bedrock for JTF-CND intelligence TTPs has already paid off. Following doctrine has increased the intelligence community's focus on and support of the CND mission.

Joint Pub 2-0 also directly assisted in planning for the U.S. Space Command (SPACECOM) assumption of the CND mission, which occurred 1 October 1999. Intelligence staffs at SPACECOM and JTF-CND quickly realized the importance of adhering to joint doctrine wherever possible. Using joint doctrine allowed us to clarify important aspects of the new relationship, including the most efficient means of handling intelligence collection and production requirements and the appropriate division of labor between CINC and JTF intelligence personnel.

The central principle: Know the adversary

Perhaps Joint Pub 2-0's most critical contribution is a clear articulation of the general functions that must be conducted by a JTF J2. It also provides guidance on how these functions should be carried out. The following points show JTF-CND J2 application of these principles.

The fundamental responsibility of the J2 is to provide decision makers with the fullest possible understanding of the cyber threat. This understanding must include knowledge of the adversary's goals, objectives, strategy, intentions, capabilities, methods of operation, vulnerabilities and sense of value and loss. To provide this understanding, the J2 and intelligence staff must develop and continuously refine an ability to think like the cyber threat.

Intelligence support is critical to operational success. JTF J2 staff must understand the adversary in order to support operations. Intelligence must be made actionable by tailoring it into a useful form and then getting it into the hands of the commander, the operations
division (J3) and other JTF decision makers. Operations support also requires J2 assessment of J3 intentions from the adversary's perspective to determine probable adversary responses.

Intelligence support requires the integration of intelligence efforts at strategic, operational and tactical levels. Strategic intelligence is used to formulate defensive strategies and operations at national and theater levels, making both SPACECOM and JTF-CND key consumers of intelligence produced on the cyber threat to our Nation. Operational intelligence is used by SPACECOM and JTF-CND to determine defensive objectives and to support the planning and conduct of CND operations. Tactical intelligence required for CND is a new discipline that is still in an initial stage. When fully developed, tactical intelligence procedures and processes will support rapid reaction to tactical threats by JTF-CND components.

Strategic, operational and tactical intelligence must be employed in a way that reduces our chances of being deceived or surprised. Deception and surprise are inherent factors in cyberspace, however, and will probably always be concerns.

Intelligence sources are the means or systems used to observe, sense and record or convey information. J2 staff must understand the strengths and weaknesses of all intelligence sources relevant to this mission area. The seven primary intelligence sources are imagery intelligence, human intelligence, signals intelligence, measurement and signature intelligence, open source intelligence, technical intelligence and counterintelligence. Unity of effort is maintained by tasking these disciplines in accordance with joint doctrine. All results are fused to provide the best possible assessments. Integration also helps reduce deception and surprise.

Intelligence supports all aspects of JTF-CND operations. The JTF-CND J2 will participate in planning from the outset of any operation. Early involvement in planning will allow the J2 to articulate
intelligence collection and production requirements to the intelligence community and to formulate, at an early stage, intelligence guidance for JTF-CND components. It will also allow the J2 to provide intelligence at every stage of the decision-making process.

Providing understanding of the enemy to support counterintelligence and operational security measures. Concurrent with the planning and operating process, the J2 will provide the commander with an understanding of the adversary's command and control processes and adversary intelligence collection capabilities so that appropriate operational security and counterintelligence operations can be implemented.

Evaluating the effects of defensive operations. The JTF-CND J2 will assist the JTF commander and J3 in evaluating operational results and determining when objectives have been attained so that forces may be reoriented or operations terminated. Some defensive measures that may have to be taken on networks to thwart a sophisticated adversary could affect millions of DOD computer users, making intelligence support for exit strategies of paramount importance.

Intelligence systems will be interoperable, usable, scalable, reliable and user-friendly. Joint Pub 2-0 provides overarching guidance on establishment of a joint intelligence architecture for support to a JTF. Much of this architecture already exists in the military intelligence community infrastructure. CND intelligence architecture is based on the Joint Worldwide Intelligence Communications System (JWICS) and the Joint Deployable Intelligence Support System (JDISS). By tailoring JWICS and JDISS to the JTF-CND mission, JTF-CND joins a network linking the entire intelligence community. New threat databases are being established to support this mission, and many new intelligence fusion, collaboration and visualization tools are being developed to support CND intelligence. As they are developed, strict adherence to joint doctrine and joint standards where they
exist will help ensure interoperability and proper mission focus.

Intelligence TTPs must be understood by all players. A key reason for having joint doctrine is to know how the rest of the team will play. Intelligence TTPs spell these plays out in detail, describing agreed-upon ways that organizations interact. For example, components will follow joint doctrine in stating intelligence collection and production requirements to JTF-CND for further validation, prioritization and tasking. When operations require, JTF-CND will issue statements of intelligence intentions to components, clarifying additional support procedures tailored to the particular mission. Component commanders will also provide feedback to the JTF on Service-related issues affecting the joint command and will plan and develop implementing instructions for wartime intelligence support, including augmentation of joint forces.

Many aspects of this new mission area have yet to be covered by joint doctrine. That is to be expected in any modern military operation. But by starting with a foundation in joint doctrine, areas that have yet to be resolved are being discovered quickly, and dialog is already underway to address them.

A Final Note

Operational units in the field or fleet who have a need for intelligence on cyberthreats can also rely on joint doctrine for intelligence. It is the basis for J2 procedures in every CINC area of responsibility and is worth a good read by all uniformed professionals.

Commander Gourley is the Director of Intelligence, Joint Task Force-Computer Network Defense (JTF-CND). He received a BS in Chemistry from Middle Tennessee State University in 1981, an MS in National Security Affairs from the Naval Postgraduate School in 1985 and an MS in Military Science from the Marine Corps University in 1996. He may be reached at gourleyr

Endnotes

Gibson, William. Neuromancer. Berkley Publishing Group, New York, NY, July 1984.
Joint
Pub 2-0, Joint Doctrine for Intelligence Support to Operations. Pentagon, Washington, DC, 5 May 1995.
Joint Pub 2-0, III-4.
Joint Pub 2-0, vii.
Joint Pub 2-0, xi.
Joint Pub 2-0, x.

ZENITH STAR 99-1
MAJ Gerald Burton, USA, and Mr. Richard Phares

On 13 and 14 October 1999, IATAC conducted an exercise on information operations (IO) for computer network defense (CND) for the Joint Task Force for CND (JTF-CND). This tabletop exercise, Zenith Star 99-1, was designed to look both at a CND scenario similar to that used for Eligible Receiver 97-1 and at the interagency working-level coordination necessary to react to such a scenario. Zenith Star 99-1 also exercised the JTF-CND Tactics, Techniques and Procedures (TTPs) and assessed progress made since the JTF-CND stand-up in December 1998. Although the exercise used the Eligible Receiver 97-1 scenario as a base, it did not replay that exercise completely. Instead, it focused primarily on related events to determine how new DOD organizations and processes built since Eligible Receiver 97-1 affect the CND community's response to a similar crisis.

More than 55 participants attended the exercise, including players from US Space Command (SPACECOM), the National Infrastructure Protection Center (NIPC), the National Security Agency (NSA), the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD C3I), the Joint Staff, and JTF-CND and its component commands. Several observers from US Pacific Command (PACOM), US Special Operations Command (SOCOM), U.S. Joint Forces Command (JFCOM), the National Communications System (NCS) and others also attended. Facilitators included personnel from IATAC and other organizations.

Zenith Star 99-1's goal was to foster understanding of the process and products required in interagency coordination and the resulting impacts on the CND community's ability to perform its mission. The exercise achieved this goal by helping participants accomplish four
specific objectives:

- Understanding the roles of new CND organizations in responding to a contingency similar to Eligible Receiver 97-1 in scope and complexity
- Understanding interagency coordination requirements
- Examining processes and procedures for coordination with other supporting agencies (NIPC, intelligence)
- Understanding needs for improvement highlighted by several communities: intelligence, law enforcement and counterintelligence, and operations

The exercise structure included information briefings and hot washes. Zenith Star 99-1 emphasized team play, so information briefings were kept to the bare minimum required. The exercise clock began while participants received their situation brief; exercise time and real time were one and the same. Participants were divided into functional teams as follows:

- Operations team: SPACECOM, JTF-CND and its components
- Intelligence team: CIA, DIA, NSA
- Law enforcement/counterintelligence team: Defense Criminal Investigative Organizations, NIPC
- Other team: Joint Staff, Office of the Secretary of Defense

Participants within teams were allowed to communicate freely with each other. Communications among teams, however, were strictly regulated. Participants used either real communications (the secure telephone units, third generation, available in each team room, or face-to-face meetings arranged through the facilitators) or simulated communications (fax and e-mail). Additionally, the Control Cell brought participants together in a forum that allowed them to share information and work together on their responses.

Team play was driven by Red Force actions; teams received injects describing specific

Distributed Denial of Service Tools
Brian Dunphy, USAF

It was a dark and stormy night. With nothing else to do, you search for places that don't rain using your favorite Web search engine, only to get an ominous "Error 404." It is quite possible that the search engine's Web site is under attack from hundreds of systems at once, just as Yahoo's page was in mid-February for 3 hours. Could such a coordinated attack
occur in reality? Unfortunately, a single individual could, with relative ease and little chance of repercussion, stage such an attack using a new breed of tools referred to as Distributed Denial of Service (DDOS) tools.

Reality #1

The number of poorly configured systems connected to the Internet is rapidly increasing. This is partially the result of well-connected university dormitories and high-speed connections to the home (cable modems and DSL connections).

Reality #2

Based on the observed rate of network-wide probes and publicly available hacker tools, intruders are more interested in the number of compromised hosts than in specific targets. The reality is that, using publicly available tools, a determined intruder can compromise 100 systems Internet-wide in a matter of days. Sadly, the number of vulnerable systems riding the Internet has outpaced a typical intruder's ability to do something useful with the compromised systems.

Distributed intruder tools have matured in this environment and now enable an intruder to use a large number of compromised systems in a coordinated and collective manner. The first widely used example of distributed intruder tools is denial of service tools, though others are expected to follow shortly. With the current generation of tools and little effort, an intruder can flood a target with a massive amount of traffic from hosts around the world. These tools have names such as Trinoo, Tribe Flood Network (TFN) and Stacheldraht, and are available on UNIX and Windows systems. It is believed that variants of these tools were used to successfully launch large-scale attacks against popular Web sites such as Yahoo, eBay, CNN and others. Many of the victims have been very well connected sites with over a gigabit per second of sustained bandwidth.

The current generation of DDOS tools requires an intruder to install a daemon on each of the compromised systems. At least one master system keeps track of the daemon systems and directs the attack. When prompted by an intruder, the master contacts each of the daemons and specifies the target and method of attack. From the victim's perspective, they appear to be under attack from hundreds of systems from around the world, all at once.

Figure 1. Example network

There are two primary computer network defense goals with relation to the recent distributed attacks.

Don't be a participant in an attack

The Internet community is already struggling with the scale of these attacks. Vulnerable DOD systems can be unwitting participants in a DDOS network, serving only to increase the scale and complexity. The current set of DDOS tools is installed after a system is compromised by an intruder and does not exploit any specific vulnerability. Based on past incidents, most DOD compromises are the direct result of unpatched vulnerabilities that DoD's Information Assurance Vulnerability Alert (IAVA) process has documented. Sites are encouraged to routinely check their systems for IAVA compliance. Sites are also advised to do the following:

- Periodically run scanning tools. Sites are encouraged to use either vendor- or government-developed tools to detect known instances of DDOS tools. The National Infrastructure Protection Center (NIPC) has produced a host-based scanning tool to detect known DDOS tools. The tool only runs on Solaris and Linux at the time of this article. The tool is available for download. The current DOD-contracted antivirus vendors, Symantec and McAfee, have developed signatures to detect the Windows variants of the tools.
- Sites are encouraged to pressure their vendors (antivirus, intrusion detection, etc.) to update their detection signatures if they have not already done so.
- Enable anti-spoofing rules at the enclave perimeter. Sites should configure their perimeter firewall and router to only allow out traffic
with valid source IP addresses. Many of the tools spoof their source IP address to make the attack look like it is originating from somewhere else.
- Disable directed broadcast at the enclave perimeter. Sites should configure their router and firewall to disallow network traffic destined for their broadcast address.

Don't be a victim of a DDOS attack. While it has not happened to date, it is possible that DOD systems will or could be targeted in the future by such attacks. From a potential victim's perspective, the best advice is to be prepared to be a victim. The current denial of service attacks only rely on a site's ability to receive network traffic through a finite network connection. These attacks take advantage of the large number of vulnerable systems connected to the Internet, so there is no simple fix for these attacks. Once a site has been targeted, there are a number of things that can be done to restore service in a timely manner. System owners are advised to be prepared in the following manner: Identify mission-essential systems that must be available to users from the Internet. If a denial of ser… (continued on page 34)

Air Force Materiel Command's Information Defense

Cyberterrorism, Internet attacks, malicious intrusions, and hacker activity are on the rise. Credit card data for thousands of people is offered for sale over the net. Air Force systems and networks are targets. Protection of our systems and data is the new challenge, and Air Force Materiel Command (AFMC) is structuring itself to meet that challenge with a dedicated effort addressing all aspects of information assurance (IA). Efforts to attack, sabotage, and corrupt government and industrial systems and data, sometimes in sport and sometimes as a conspiracy, have become a widespread problem plaguing everyone from the smallest businesses to the biggest government organizations. Network defenses and vigilance have been the two most common responses, but waiting for the next hacker is an insufficient
approach to network protection. In AFMC we have taken a proactive approach to protecting our systems. In an aggressive effort beginning in late 1998, AFMC developed and deployed a team of network security and operational experts under the banner of Operation Palisade. The team's continuing mission is to seek out network security weaknesses before they can be exploited and to remove them through the implementation of security network practices and technologies. The effort is focused on the single goal of protecting the mission-critical information contained on AFMC networks throughout the United States and the world. The challenge is particularly daunting because relationships with various research centers and contractors mean that our networks have a larger-than-expected number of potentially open components.

The primary foundation on which Operation Palisade builds is the full application of the Air Force's Barrier Reef process. This proven methodology is designed to create boundary protection for all AFMC base intranet networks, protect those networks at their entry points to the Internet, provide specific network security training to base network managers, and increase AFMC network monitoring and auditing as soon as security weaknesses are identified. We feel that our Operation Palisade efforts, combined with the mandated actions laid out in applicable Air Force regulations and instructions, have positioned us not only to respond to problems but to prepare our subordinate bases and organizations to position themselves proactively for the threats that surely lie just around the corner.

Col Kevin J. Kirsch, USAF

Are we where we want to be, or need to be, in our defensive posture? The answer is clear: we need to move beyond Barrier Reef and Operation Palisade. We need to address all the capabilities of the Air Force's Defensive Counter-information (DCI) Operations program, including not only information assurance
but also operations security, electronic protection, counterintelligence, and other capabilities, as spelled out in Air Force Policy Directive 10-20. In the process of moving forward, AFMC has put the IA lead in charge of the overall command DCI program and given me the responsibility to coordinate all of the efforts in the realm of Defensive Information Operations. By consolidating IA and Operations leadership, we have put ourselves on a path for continuous improvement and created a self-initiated challenge to succeed. There is much to do. AFMC is a target-rich environment for both the recreational hacker and the industrial spy. On the other hand, our challenges are no different from those faced by industry, other Air Force Major Commands (MAJCOM), or our sister services. We are proud to be part of the large team working hard with the other MAJCOMs, the Services, and industry to stay one step ahead of the next incident. We feel we have a positive story to tell but recognize that others do also. For every good idea we have, we seek multiple opportunities to gather the best practices of others and to explore, in the field or in the lab environment, the best use of current capabilities and information on products under development.

Colonel Kirsch is the Chief, Mission Support, Network Operations Security Division, HQ Air Force Materiel Command, Wright-Patterson AFB, OH. He was commissioned as a 2nd Lieutenant following completion of the ROTC program and graduation from Duquesne University in Pittsburgh, PA. He has held a variety of base-level and tactical positions, to include four command positions ranging from a detachment in Iceland to Installation Commander of RAF Croughton, England. In his current position he is responsible for assessment of the operational effectiveness and efficiency of information security applications and systems for customers throughout Air Force Materiel Command and is the overall lead for the command Defensive Counter Information program.

Zenith Star (continued)

…ic events from the facilitators at predetermined times. The participants were expected to evaluate the events in real time and formulate a response. While this sounds relatively simple, the intent of Zenith Star 99-1 was to examine interagency coordination; thus the teams had to present a coordinated response to the Control Cell for a specific event. If the participants recommended an appropriate action within a reasonable amount of time, long-duration events would be stopped prematurely by the Control Cell. Otherwise, events continued until terminated as determined by the scenario. Coordination between teams was conducted using the communications available to the participants. All coordination activities, such as phone calls, simulated E-mails, and faxes, were recorded on templates provided to the participants. Facilitators were also present at any face-to-face meetings. Using the exercise scenario as ground truth, facilitators were therefore able to assess situational awareness within and across teams and determine the overall state of the exercise at the end of each day. These assessments helped facilitators identify lessons learned and issues for future consideration.

Participants generally found the exercise to be beneficial. Zenith Star 99-1 showed that the CND community is making significant progress toward developing an effective CND process. Specifically, the ongoing efforts to increase CND coordination between operators, intelligence, and law enforcement are paying dividends. Continued planning initiatives and exercises will help to refine processes further and prove valuable to the CND community as a whole. The Zenith Star 99-1 After Action Report (AAR) is available on the SIPRNET Web site. Questions and comments are welcomed and encouraged.

Major Gerald Burton, USA, is a Defensive IO Planner in the 15 7 Section. He is an Information Operations Functional Area
Officer and holds an MS from Central Michigan University. He may be reached at …

Mr. Richard Phares is a member of the IATAC and designs, develops, and executes Information Operations wargames for various clients. He holds an MS from the Naval Postgraduate School, Monterey. He may be reached at iatac@dtic.mil.

Information Assurance: The Army Prepares for the Next Generation of Warfare

As the Army prepares to digitize the force, a new threat is developing, one that is unlike any the Army has seen before. Rather than spending billions of dollars on materiel, our enemies are now investing in information warfare (IW). Future conflicts are expected to be asymmetric, which means that IW forces will inflict substantial damage on large, computer-dependent adversaries. In the Washington Times, the Chinese People's Liberation Army (PLA) publicly announced its plans to conduct Internet warfare against the United States. The PLA is gearing up for wartime computer attacks on networks and the Internet that will affect everything from banking to our military's communications structure.

In the past year, attempts to gain unauthorized access to the Army's networks have greatly increased, from the Melissa virus to computer attacks against the Pentagon by an Israeli hacker and two teenagers from California. The Army is now placing as much attention on protecting communications networks as it spent in preparing for the rollover to the year 2000 (Y2K). The US Army Signal Center, Fort Gordon, Georgia, has responsibility for the combat developments of tactical, strategic, and sustaining base communications systems and the security systems that protect them. The Signal Center represents the warfighter in the development of information assurance (IA) tactics, techniques, and procedures to protect our tactical networks from our enemies. During a recent IA Industry Day Conference, Lieutenant General David Kelley, Director, Defense Information Systems Agency (DISA), stated that an Information Pearl Harbor is imminent. It is not a
matter of whether such an attempt will be made, but when. The Signal Center is taking this new threat into consideration as the Army migrates to the Warfighter Information Network-Tactical (WIN-T). WIN-T, which will replace the Tri-Services Tactical Communications and the Mobile Subscriber Equipment (MSE) switch systems, is the Army's Force XXI command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) tactical communications network, and it will integrate joint, multinational, commercial, and battlefield networks into an intranet that provides mobile, secure, survivable, and multimedia seamless connectivity between all elements within the battlespace, from theater to battalion level. The backbone will support multiple security levels (Special Compartmented Information, SECRET, and Sensitive but Unclassified) and various modes of information, including voice, data, video, and imagery.

MAJ Robert Turk, USA, and CPT Shawn Hollingsworth, USA

Network-based monitoring technology within the Defense Information Infrastructure (DII) is being mandated on a large scale. WIN-T will include IA security features throughout the network that will employ the DoD's defense-in-depth strategy to protect, detect, and respond to attacks on the military's information systems. IA offers authentication (verification of the originator), nonrepudiation (incontestable proof of participation), availability (unimpeded access to authorized users), confidentiality (protection from unauthorized disclosure), and integrity (protection from information damage).

The layering of IA technology solutions is the fundamental principle of the defense-in-depth strategy, which includes three key areas of protection: the external perimeter, the internal network, and local computer hosts. Protected electronic perimeters are needed for local enclaves because many end-user systems have little built-in protection against external access. These systems are difficult to administer well enough to provide an effective
defense. Protected perimeters are like castle walls and gates, which enable professional administrators to control flow in and out. They also enable traffic through the gate to enter and leave at various levels during changing information conditions and allow specific services to be deactivated if they come under successful attack. The external perimeter safeguards include firewalls, intrusion detection, inline encryptors, and, where necessary, physical isolation. Internal network protection consists of a combination of security guards, firewalls, and/or router filtering devices that serve as barriers between echelons and/or functional communities. Host-based monitoring technologies can detect and eradicate malicious software (viruses), detect software changes, check configuration changes, and generate an audit, audit reduction, and audit report.

The defense-in-depth strategy will provide a robust and resilient infrastructure designed to limit, contain, and repair damage that results from attacks. Fundamental criteria of the defense-in-depth strategy are that no single attack can lead to the failure of a critical function and that no critical function or system is protected by a single protection mechanism. This strategy is a key element in the successful implementation of IA in the WIN-T network.

Figure 1. Layered Protection for a Secret High Backbone Supports Multiple Security Levels.

Figure 1 depicts the conceptual security architecture, which follows the layered protection strategy. Each layer will consist of a different configuration of IA tools designed to prevent a would-be intruder from gaining
access to all systems by defeating one layer.

External Layer. The strongest layer of protection in the network is the first line of defense in the defense-in-depth architecture. The primary focus of the perimeter is protecting the inside from the outside, but enclave boundaries also provide some protection against malicious insiders (those who use the enclave to launch attacks). Protection measures include firewalls, filtering routers, replication servers, strong authentication, authentication servers, Internet Protocol (IP) security, virtual private networks (VPN), and measures to defend against back doors that circumvent firewalls, such as internal use of cellular phones or modems sending data through voice public branch exchanges. The external layer and its suite of IA equipment will interface with external connections such as the Secret IP Router Network (SIPRNET), SBU IP Router Network (NIPRNET), and Joint Worldwide Intelligence Communications System (JWICS).

Network Layer. This layer focuses on network-based monitoring (intrusion detection), thereby providing the capability to identify attacks and suspicious network activity. It captures and forwards event data to a predefined IA cell or the Regional Computer Response Team (RCERT).

User Level. Command and control (C2) protect tools will be employed on the individual host workstations. Host-based monitoring will reside on servers and end-user systems and will detect attacks against individual hosts. The detect capability of this type of monitoring is more fine-grained than network-based monitoring and can be the best line of defense in detecting malicious insiders. Local host protection software consists of Transmission Control Protocol (TCP) Wrappers for individual access control, a Security Profile Inspector (SPI), a Simple Watch (SWATCH) for alerting when audit anomalies occur in the profile, and McAfee virus protection. This C2 package is the last line of defense against unauthorized use and entry.

Voice subscribers will be able to place
and receive secure telephone calls to subscribers located on switched networks that incorporate National Security Agency (NSA) Type I-approved devices. The network will provide selected users with a handheld device that will connect via terrestrial and available satellite means to the infrastructure, and via airborne platforms, to communicate within the area of operations, both in and around command posts and tactical operations centers (TOC). It will have a secure, NSA-approved capability that provides voice, data, and video communications.

Another form of IA that will be available to the user is the Public Key Infrastructure (PKI). PKI refers to the framework and services that provide for the generation, production, distribution, control, and accounting of public key certificates. It provides critical support to security applications, providing confidentiality, authentication of network transactions, data integrity, and nonrepudiation.

WIN-T is not designed to counter a specific threat. However, certain security (IA) components are designed to protect WIN-T from the IW threat. As part of this strategy, IA protects the Army's C2 information network from attempts to penetrate the network to obtain, disrupt, or manipulate the resident information. It allows simultaneous access and processing protection for users at different security levels. IA and the security features within the network will continue to change after the network is fielded in 2005. Even as technology evolves and the threat changes, the Army must continue to protect its vital communications networks.

Major Robert Turk, USA, is the acting Branch Chief, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his BS and MS in Computer Science from Alabama A&M University, Huntsville, Alabama, and Towson University, Towson, Maryland. He may be reached at turkr@emh.gordon.army.mil.

Captain Shawn Hollingsworth, USA,
is the IA officer, Switching and Networks Branch, Materiel Requirements Division, Directorate of Combat Developments, United States Army Signal Center. He received his MS in Technology Management from Mercer University, Atlanta, Georgia. He may be reached at hollings@emh.gordon.army.mil.

The Burning Zone: Containing Contagion in Cyberspace

COL John C. Deal, USA; MAJ Gerrie A. Gage, USA; Ms. Robin Schueneman

The recent denial of service attacks against America Online, Yahoo, and other ISPs and content providers suggest that computer networks are vulnerable to widespread attack from a variety of adversaries. Complicating these issues are the global nature of such activities and the disparate nature of the kinds of attacks these services have to guard against. Critical to this discussion is the fact that the dispersal of the toolkits available to hackers makes it all but certain that sniffing out, tracking down, and eliminating these threats will occupy the best network minds for some time to come. As webmasters, systems administrators, and network security managers rethink the problem, they will, out of necessity, focus a large part of their effort on mitigating virus attacks in all their forms.

The similarity between computer network systems and biological systems is uncanny. This comparison is common both within Information Technology publications and among users of computer network systems. Addressing computer networks as living systems from the standpoint of health makes one recognize the plethora of vulnerabilities that exist. One of the greatest threats to the health of an organization's computer networks is computer viral infection, or contagion. Containing these contagions and eradicating them before the health of a network is degraded requires understanding and real-time vigilance on the part of users, network administrators, and software developers.

The Pathology of Computer Viruses

A computer virus is a program or software code designed to replicate and spread,
generally with the victim being oblivious to its existence. The mere mention of a computer virus sends computer novices and experts scrambling to download the latest update of Norton, McAfee, or IBM antivirus software. Their reaction is justified. Every large corporation and organization has experienced a virus infection; most experience them. According to data from High Integrity Computing Laboratory, corporations with 1,000 or more personal computers (PC) now experience a virus attack every 2 to 3 months, and that frequency will likely double in a year.[1] The number of virus attacks may seem unusually high if it is viewed independently. However, when Symantec Corporation, a supplier of antiviral software, defines and categorizes 21,389 known viruses, and McAfee, the other supplier of antiviral software to DOD, categorizes more than 40,000 viruses, the number of virus attacks is put in a new light. These viruses, usually benign or annoying, can slow performance, absorb resources, change screen displays, and in the end disrupt or deny service to such an extent that it affects an organization's bottom line: profit or mission accomplishment.

Computer viruses come from a variety of sources and spread by attaching themselves to other programs (word processors or spreadsheet applications) or to the boot sector of a disk. When the infected file is activated or executed, or when the computer is started from an infected disk, the virus itself is also executed. Viruses can also lurk in computer memory, waiting to infect the next program that is activated or the next disk that is accessed.

Dataquest's 1991 study of major US and Canadian computer users for the National Computer Security Association found that most users blame infected diskettes (87 percent) as the source of a virus. Forty-three percent of the diskettes responsible for introducing a virus into a corporate computing environment were brought from home. Nearly three-quarters (71 percent) of infections occurred in a networked
environment, making rapid spread a serious risk. Seven percent of computer users said they had acquired their virus while downloading software from an electronic bulletin board service or Web site. Other sources of infected diskettes included demo disks, diagnostic disks used by service technicians, and shrink-wrapped software disks; these other sources contributed 6 percent of reported infections.[2] Although no new statistics are currently available, networking, enterprise computing, and inter-organizational communications are growing. Accompanying the growth in telecommuting and networking is an increase in infections.

Viruses are growing in complexity and variety. In 1986 there were just four known PC viruses. In today's virus-rich environment, more than three viruses are created every day, for an average of 110 new viruses created in a typical month. There are several variations of viruses, but there are only three ways that a virus can access a system. Computer Viruses: Past, Present, and Future describes these three methods as follows.

File Viruses. Most of the thousands of viruses known to exist are file viruses, including the Friday the 13th virus. These viruses infect files by attaching themselves to a file, generally an executable file (the EXE and COM files that execute applications and programs). The virus can insert its own code in any part of the file, provided it changes the host's code somewhere along the way, misdirecting proper program execution so that it executes the virus code first rather than the legitimate program. When the file is executed, the virus is executed first.

Boot Sector/Partition Table Viruses. Although there are only about 200 boot sector viruses, they make up 75 percent of all virus infections. Boot sector viruses include Stoned, the most common virus of all time, and Michelangelo, perhaps the most notorious. These viruses are so prevalent because they are difficult to detect. They do not change a file's size or slow PC performance, so they are
fairly invisible until their trigger event occurs. Events such as reformatting a hard disk or scanning a disk serve as a trigger. The boot sector virus infects floppy disks and hard disks by inserting itself into the boot sector of the disk, which contains code that is executed during the system boot-up process. Booting from an infected floppy allows the virus to jump to the computer's hard disk. The virus executes first and gains control of the system boot program code even before the operating system (OS) is loaded. Because the virus executes before the OS is loaded, it is not OS-specific and can infect any PC operating system platform: MS-DOS, Windows, OS/2, or Windows NT. The virus enters the random access memory (RAM) and infects every disk that is accessed until the computer is rebooted and the virus is removed from memory. Partition table viruses attack the hard disk partition table by moving it to a different sector

[Sidebar] Trojan Horse. Like its classical namesake, the Trojan Horse virus typically masquerades as something desirable, e.g., a legitimate software program. The Trojan Horse generally does not replicate, although researchers have discovered replicating Trojan Horses. Rather, it waits until its trigger event and … disks. Alongside the Trojan Horse is the Trojan Mule, which fools authorized users into giving their LOGIN information (passwords and user IDs). Once a user types in the valid user ID and password information, the virus sends that information to the file … implementers and displays a LOGIN error message. As the authorized user retypes the information, the virus has already exited, the real program regains control, and the user never suspects that LOGIN information has been …

[Sidebar] File Overwriters (fragment). … code intact and adding themselves to as many files as possible. Innocuous versions of file overwriters may not be intended to do anything more than replicate, but even then they take up space and slow performance. And because file overwriters, like most other viruses,
are often flawed, they can damage or destroy files inadvertently. The worst file overwriters remain hidden only until their trigger events. Then they can deliberately destroy files and disks.

[Sidebar] Polymorphic Viruses (fragment). … its creators … into poly… ensure that polymorphic … only proliferate over years. Like the human AIDS virus, which mutates frequently to escape detection by the body's defenses, the polymorphic computer virus mutates to escape detection by antivirus software that compares it to an inventory of known viruses. … within the virus includes an …tion routine to … the … to restore the virus to its original state when it executes. Polymorphic boot sector viruses have also been discovered.

[Sidebar] Stealth Viruses (fragment). These viruses are specially engineered to elude detection by … antivirus tools. The … adds itself to a file or … when the host software … appears normal, and the stealth virus performs its … lurking in memory when …ed. There it monitors and … the OS's calls. When the OS seeks to open an infected file, the stealth virus races ahead, disinfects the file, and allows the OS to open … appears normal. When the OS closes the file, the virus reverses these actions, thereby reinfecting the file. Boot sector stealth viruses insert themselves in the system's boot sector and relocate the legitimate boot sector code to another part of the disk. When the system is booted, they retrieve …

… and replacing the original partition table with the virus's own infectious code. These viruses spread from the partition table to the boot sector of floppy disks as floppy disks are accessed.

Multipartite Viruses. These viruses combine the ugliest features of both file and boot sector/partition table viruses. They can infect any of these host software components. And while traditional boot sector viruses spread only from infected floppy boot disks, multipartite viruses can spread with the ease of a file virus, but they still insert an infection into a boot sector or partition table. This tendency makes them
particularly difficult to eradicate. Tequila is an example of a multipartite virus.

Although there are only three ways to infect a system, there are hundreds of variations of viruses. The sidebars (pages 17 through 21) contain descriptions of virus variations taken from Computer Viruses: Past, Present, and Future; Demystifying Computer Viruses; and Computer Security Basics. This list is not all-inclusive, but it describes some of the common variations to date.

Viruses affect computers and networks differently. The purpose of most viruses is to remain undetected, thereby allowing them to spread throughout the organization until they degrade performance or destroy data. Most viruses give no sign of their infection, thus driving the use of antivirus tools. Antivirus tools allow users to identify these quiet killers. However, many viruses are flawed and do provide some tip-offs to their infection. Here are some indications to watch for:[3]

- Changes in the length of programs
- Changes in the file date or time stamp
- Longer program load times
- Slower system operation
- Reduced memory or disk space
- Bad sectors on the floppy
- Unusual error messages
- Unusual screen activity
- Failed program execution
- Failed system boot-ups when booting, or accidentally booting, from the A drive
- Unexpected writes to a drive

This list of virus variations and indications is not all-inclusive. Additional information can be found at the following Web sites:

- http://ciac.llnl.gov/ciac/CIACVirusDatabase (virus information)
- …/avcenter/index.html (virus information)
- (further exploit and virus-information sites whose addresses are not legible in the source)

The viruses discussed above are only the most common variations of computer viruses and their effects. Computer viruses have cost companies worldwide nearly $2 billion since 1990, with those costs accelerating to $1.9 billion in 1994.[4] This cost is directly related to virus cleanup, not loss of profit. Profit loss caused by viruses is impossible to calculate.
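The first two tip-offs in the list above (a change in a program's length, a change in its date or time stamp) and the host-based "detect software changes" function described in the Army article are exactly what a file-integrity baseline catches. The following is an added example, not code from the newsletter or from any product it names: it snapshots a directory, then reports which indicator each later difference corresponds to, adding a content hash so that a file rewritten to the same length with its timestamp restored is still caught. It assumes only the Python standard library; the directory tree and the three simulated changes are constructed for the demonstration.

```python
"""Host-based detection of the infection tip-offs the article lists.

Added example: baseline a directory, compare a later snapshot, and classify
every difference by the indicator it corresponds to. The sample tree and the
"tampering" applied to it are constructed here purely for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash the file contents in chunks so large executables are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Record length, modification time (ns) and SHA-256 of every file under root."""
    record = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        record[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": _sha256(path),
        }
    return record


def compare(baseline: dict, current: dict) -> dict:
    """Classify each difference by the indicator it corresponds to."""
    findings = {
        "length_changed": [],     # "changes in the length of programs"
        "timestamp_changed": [],  # "changes in the file date or time stamp"
        "content_changed": [],    # hash mismatch, even when size and time look intact
        "new_files": [],          # files the baseline never saw
        "missing_files": [],
    }
    for name, now in current.items():
        was = baseline.get(name)
        if was is None:
            findings["new_files"].append(name)
            continue
        if now["size"] != was["size"]:
            findings["length_changed"].append(name)
        if now["mtime_ns"] != was["mtime_ns"]:
            findings["timestamp_changed"].append(name)
        if now["sha256"] != was["sha256"]:
            findings["content_changed"].append(name)
    findings["missing_files"] = [n for n in baseline if n not in current]
    return findings


def demo() -> dict:
    """Build a small tree, baseline it, then simulate three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        prog = root / "bin" / "APP.EXE"
        prog.write_bytes(b"MZ" + b"\x90" * 1024)  # constructed stand-in for a program
        conf = root / "SETTINGS.INI"
        conf.write_bytes(b"[main]\nlevel=1\n")
        (root / "README.TXT").write_bytes(b"unchanged\n")
        before = snapshot(root)

        # Change 1: bytes appended to the executable, the trace a file virus
        # leaves. The program grows and its timestamp moves; the timestamp is
        # advanced explicitly so the result does not depend on the
        # filesystem's timestamp granularity.
        prog.write_bytes(prog.read_bytes() + b"\xcc" * 64)
        later = before["bin/APP.EXE"]["mtime_ns"] + 60 * 10**9
        os.utime(prog, ns=(later, later))

        # Change 2: the config is rewritten to the same length and its
        # original timestamp is put back, so only the hash reveals the change.
        orig = before["SETTINGS.INI"]["mtime_ns"]
        conf.write_bytes(b"[main]\nlevel=9\n")
        os.utime(conf, ns=(orig, orig))

        # Change 3: a file appears that was not in the baseline.
        (root / "DROPPED.COM").write_bytes(b"\x00")
        after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    for indicator, files in demo().items():
        print(f"{indicator:18s} {files}")
```

Run on a real tree, the baseline would be taken from known-clean media and stored off the host being watched, since a virus that can alter the program can also alter a baseline kept beside it.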
Organizations are combating the virus problem with antivirus software. The cost of this software is expected to grow from $700 million in 1997 to $2.6 billion by 2001.[5] So what can an organization do to prevent computer viral infections, and what is the best response in the event of an infection? These questions are best answered by analyzing a real event. This event is current and represents the best possible response to date by the Federal Government, DOD, and industry. As reported by the SANS (System Administration, Networking, and Security) Institute, the response of these organizations was impressive.

Containing Contagion: A Case Study

History will remember several notable landings: the landing of the lunar module on June 20, 1969; the landing of ET the extraterrestrial in movie cinemas in 1982; the landing of Mark McGwire in the record books with his 70th home run in September 1998; and the landing of Melissa in commercial, military, educational, and home PCs on March 26, 1999. One might ask, Who is Melissa? The question is, in fact, What is Melissa? Melissa is a virus, conceivably the fastest spreading virus PCs have seen since the infamous Morris Worm, which infected more than 6,000 computers in a matter of hours (ftp://coast.cs.pur…) in November 1988. By March 30, 1999, Melissa had successfully infected about 70,000 E-mails. It was the first virus to have prompted Federal law enforcement to send out a warning about computer viruses; the Federal Bureau of Investigation (FBI) joined with the National Infrastructure Protection Center (NIPC) to issue a warning in anticipation of the tidal wave of E-mails that Melissa was expected to generate.

Melissa is a macro virus, which means that its infectious code is resident in a macro (a symbol, name, or key that represents a list of commands, actions, or keystrokes) contained in a Microsoft Word document (see the sidebar). In Melissa's case, the macro has instructions to disable macro detection capabilities, read the first 50 names in a
recipient's Microsoft Outlook address book, and forward itself as an attachment to those individuals or groups of individuals. When this forwarded E-mail message is received and opened, the macro begins again its cycle of E-mail generation, thus bogging down and potentially crashing mail servers through its exponential rate of infection. This type of attack is known as a denial of service.

While the shutdown of electronic mail servers is destructive enough, there is at least one other potentially hazardous result of this virus. Melissa is spread through a Microsoft Word document. However, this virus is constructed in such a way that it infects whatever document is open at the time the infected attachment is displayed, and that document is the one that is forwarded with the virus. Imagine this scenario: You are typing a classified document when you receive Melissa. When you open the attachment, the macro virus now places itself on

[Sidebar] Stealth Viruses (continued). … to accomplish the boot. Under examination the boot sector appears normal, but the boot sector is not in its normal location.

[Sidebar] Macro Viruses. Macros are, in essence, miniprograms that take much of the legwork out of repetitive or template documents. For example, to cut the work involved in typing the date in correspondence, a user could create a macro to insert the day, month, and year all at once when the letter … is typed. Macro viruses are carried in the types of data files that business computer users most often exchange: word-processed documents and spreadsheets. Also, because these data files are often exchanged by E-mail, they sometimes bypass the checks that virus-aware organizations already have in place. Experts estimate that 40 percent of virus attacks are made this way. Macro viruses are created with the aid of the macro routines contained in word-processing and spreadsheet software such as Microsoft Word and Excel. They attach themselves to any document file … is macro … code so that … through the software. The whole purpose of macro
languages is to insert tions into documents whichare then executed as the docu ments are opened This is what makes macro viruses easy to write But one of the reasons they have become so prevalent is the success of l licrosoft Office which has 80 percent of the global market for integrated packer ages-ma tempting target for macro virus writers Memory Resident Viruses The memory resident ci iaracteristic is the most common among viruses When viruses load into memory via a host application they remain in mem- ory untii the computer is turned off At continued on the sidebar of page 22 Number 3 Ir Volume 3 the host application is oseci the virus is closed down as well Therefore if applications are opened after a host appiication is closed there is no danger of infecting - the system with that specific virtt that time Companion Viruses To understand this character is i 1e1piul to have 21 bags understand ing of the sequential order of how 53 tem files v1 ork In launching anjex cutahle file either the user manuaily issues a command or the interface ex ecutes a command Mest applications liave a til 0- type FT extension EXE When invoking these l'l'lEii'lClS the user or the comp ters the name of the applica out the extension Th executes other syste same name before execu application's FT 2 creates a name that mat file name but with a diffs 51011 e 0 The cutes however the 3 file launches first and infects th sys tem Most antiviral software packages I can identify this characteristic Bomb A bomb is a type of Trojan Horse that is used to release a virus a worm or some other system attack it is ei ther an independent program or a piece of code that has been planted by a system developer or a progra 1111a - A bomb works by trigger '1g kind of unauthorized ac particular date 1 1m 4- image your already opened Word doc ument and forwards THAT doc- ument to the first 50 addressees in your address book Several aspects of this virus have helped its seemingly glob al proliferation One of 
the most significant aspects is its use of a user s own address book to forward the infectious E mail This means that an or- dinary user who would be sus picious of E-mail from an un- known source receives the virus as if a friend coworker family member etc sent it thereby instilling a false sense of security In addition this virus is spread with the help of Microsoft Word and Microsoft Outlook two programs that are resident in a vast majority of PCs today due to the over- whelming popularity of Mi- crosoft Office 6 The DoD s and Services' In- formation Assurance processes helped ensure that Melissa's im pact on DOD and the Services was minimal The Army began receiving the virus shortly be- fore 5 00 pm on Friday March 26 1999 Half an hour later the Army Computer Emergency Response Team ACERT began receiving notices from its Re- gional CERTS RCERT and by 6 00 the virus had spread throughout systems world wide Once usets began receiving E-mail from known acquain tances but with an outeof char- acter attachment they began contacting their local systems administrators who in turn alerted the ACERT at Ft Belvoir Virginia and the tech nical support staff at Microsoft which created the software the virus was designed to run on and McAfee and Norton two antivirus companies After the 3 Number 3 virus was discovered a restric tion was placed on the size of mail attachments A message was distributed to all E mail users instructing them to not open attachments or enable macros in Microsoft Word docu ments they received via E mail unless they were sure of the document s origin Working in concert with in- dustry Government officials were able to detect and attack the virus and implement fixes that were distributed to systems administrators and users in record time RCERTs went to a heightened level of manage ment and detection and the Army Signal Command direct ed the information manage- ment officials at 18 major facili- ties to scan E-maii servers using an application received 
from Microsoft and delete E mail traffic infected with the virus Throughout the night ACERT coordinated reports orchestrat ed solutions to the virus with McAfee and Norton and assist ed system administrators with installing fixes By Monday March 29 1999 the virus was contained and eradication was well on its way This reaction established a process termed Positive Control and the proactive efforts of all involved made this rapid containment happen along with the close cooperation with the software industry 7 Disinfecting Melissa was ac tually a fairly simple process even if labor intensive Ordinar- ily the fix would have merely involved retrieving the latest virus definitions from a rep utable virus-scanning source such as Norton or McAfee and scanning client and server hard drives The glitch in Melissa s case was that these virus scan- ners were caught relatively off guard with this virus Normally anti-virus software companies know about new viruses long before they are released and therefore are able to release updated virus definitions to their clients before the danger arrives For some reason Melis- sa was kept under close wraps until its release on March 26 In the end the damage caused by Melissa will be measured in the millions of dollars But the lessons learned from this attack are being institutionalized Con- tagion in cyberspace can be contained 8 Colonel Deal is the Commander US Army Information Systems Engineering Command Ft Huachuca Arizona He earned an MS in Electrical Engineering from the Naval Post Graduate School and an MA in National Security Studies from the Naval War College and an MA in International Relations from Salve Regina University Major Gage is the Operations Officer for the News Systems Training Office Directorate of Combat Development 306th MI BN Ft HuachucaBiology from Florida Southern College an MS in Material Acquisition Management from Florida Institute of Technology a MS in Engineering Management from University of Missouri-Roda 
and a MA in Computer Information Resource Management from Webster University Robin Schueneman supports the Army's Information Assurance Directorate of DISC4 She is the DISC4 lead to the Information Assurance Vulnerability Alert IAVA Compliance Verification Team CVT Ms Schueneman earned a BA in Communications from UNC Chapel Hill North Carolina in I 994 End notes 1 Symantec Corporation Computer Viruses Past Present and Future Anti-Virus Research Center March 29 1999 Ibid 3 Lowenthal Overview of Computer Viruses Information Paper SAIS- IAS March 1999 4 Ibid 5 Davy Jo Ann Virus Protection Managing Office Technology 1998 6 Schwartz John New Virus Snarls E-Mail Systems The Washington Post p E1 March 30 1999 7 Singer Jeremy Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS LY IMMUNE TO EMAIL Inside the Army April 5 1999 Bibliography Corbitt Terry Datafiles in Danger Accountancy available online at January 1999 Davy Jo Ann Virus Protection Managing Office Technology avail- able online at http proquest umi com pqweb 1998 Jarvis Kenneth Demystifying Computer Viruses Management Accounting available online at http progquest umi com pqdweb April 1997 Lowenthal Overview of Computer Viruses Information Paper IAS March 1999 Russell Deborah 81 Gangemi G T Ed Viruses and Other Wildlife Computer Security Basics United States of America O'Rilley and Associates Inc 1991 pp 79 88 SANS Newsbites available online at March 1999 and Schwartz John New Virus Snarls Mail Systems The Washington Post p E1 March 30 1999 Singer Jeremy Melissa blunted by response teams QUICK RESPONSE MAKES ARMY SYSTEMS LY IMMUNE TO E-MAIL Inside the Army April 5 1999 Symantec Corporation Computer Viruses Past Present and Future Anti-Virus Research Center avail- able online at html March 29 1999 lAnewsletter a cum There are two types of bombs time and logic A time bomb particular date or after some period of time has elapsed The Friday the 13th 11 us 11 as a time bomb A logic bomb is one that is 
set to go off when a particular event occurs. Software developers have been known to explode logic bombs at key moments after installation if, for example, the customer fails to pay a bill or tries to make an illicit copy.

Spoof

This is a generic name for a program that tricks unsuspecting users into giving away privileges. Often the spoof is perpetrated by a Trojan Horse mechanism, in which an authorized user is tricked into inadvertently running an unauthorized program. The program then takes on the privileges of the user and may run amok.

Bacteria

These are programs that do nothing but make copies of themselves, but by doing so they eventually use up all memory and disk space.

A further category consists of programs that attack the display of data on computer terminal screens.

Salami

Salami slices away, rather than hacking away, tiny pieces of data. For example, salami alters one or two numbers or a decimal point in a file, or it shaves a penny off a customer's bank interest calculations and deposits the pennies in the intruder's account.

Computing on the Virtual Border

LTC Eugene K. Ressler, USA, and COL Clark K. Ray, USA

The US Military Academy (USMA) at West Point confronts a novel information-age challenge: to balance the needs of a dynamic, technology-rich undergraduate experience for 4,000 cadets with the availability, security, and interoperability concerns of an enterprise local area network (LAN) operating within the Department of Defense network infrastructure. Despite resource, technology, and culture challenges, this balancing act has been unusually successful over an evolution spanning the 10 years since the USMA network was created in 1989. Perhaps surprisingly, cadets' education benefits from the moderate discipline imposed by operating the network in accordance with official requirements and professional best practices. Typical university data networks, by contrast, operate as mostly unfettered services in which almost anything goes with regard to hardware, software, protocols, and modes of use. Although this approach affords great individual freedom, its overall effect may be to reduce network usefulness. Recent trends in campus computing seem to be drawing the rest of academe closer to the computing model employed at West Point.

Figure 1. Work at 21 1-248, circa 1988.

West Point occupies a rare crossroads of the edu and mil domains. This is literal in the sense that many network hosts have names in each domain. Browsing one of these names will take a virtual visitor to the same place as the others. The Academy is first and foremost a primary commissioning source for Army officers. It is an Army post, and the post network is an Army information system. Dot-mil naming and conformance to Department of the Army (DA) standards is expected and required. However, West Point is also a tier 1 accredited academic institution with strong ties to the academic community for research and other professional exchanges. Military and civilian faculty members find that in some settings an edu address communicates the seriousness with which the USMA views its role in undergraduate teaching, learning, and research.

Attracting the best qualified of America's high school graduating class each year is an essential aspect of the West Point program. Among bright, knowledgeable high school students, sophisticated technological infrastructure is high on the list of criteria for college choices. After admission, cadet families expect and deserve electronic mail (E-mail) and other electronic contact with their cadets. It follows that a principle of information assurance (IA) at West Point is to support technology programs and systems that meet the expectations of diverse clients outside the gate. Connecting with the American public is essential to fulfilling its institutional mission, so West Point can seldom afford to escape risk by reducing access.

The military-educational duality continues inside the gate. Inquiry is the soul of learning, and inquiry has increasingly come to involve innovative uses of technology. The computing environment at West Point must provide cadet students and faculty members the freedom to experiment with hardware and software and to exchange information worldwide with great convenience, while still providing information assurance. Cadets purchase their own computers and software, much as they do textbooks and other tools of the academic program, so they have a reasonable expectation of control over their computers' configuration. On the other hand, the USMA network is a military facility where official business takes precedence. The Army reasonably expects to enforce usage policies and configuration management of network resources.

To be sure, universities and colleges share many of these challenges. Although few have a dual presence on the Internet, each campus has business to conduct in security and with high reliability while also providing academic freedom of inquiry. Educating students on acceptable use of technology facilities is a shared concern. Students everywhere stay on the leading edge of new information services. Downloadable software of all varieties, music in compressed form, and electronic stock trading illustrate developments that have put college officials in catch-up mode: deciding what students can properly and legally do, determining their own legal and ethical institutional responsibilities, and figuring out how to enforce their policies.

USMA differs from its peer academic institutions in the way it confronts IA challenges. A key example is the USMA approach to student computing. Although cadets do own and pay for their computers, the configuration is standard, chosen through a best-value competitive government solicitation, with software installed in advance. Although some disk space is reserved for cadets to configure however they choose, a precondition for physical connection to the USMA network is use of a government-installed, controlled, managed, and monitored operating environment. For example, all cadet computers must currently run Windows NT as their operating system when connected to the network, and, except for selected individuals, users may not exercise full administrator privileges.

Acceptance of these limitations is a modest sacrifice for the services provided in return: Internet and intranet access, shared files, printers, and public bulletin boards, and standard directory and E-mail facilities. Configuration standards at West Point allow the organized planning and delivery of a wide spectrum of services, a range exceeding that at most schools. A current project will provide each cadet with a high-reliability network home directory that is Web-accessible via Hypertext Transfer Protocol (HTTP). IA measures such as antivirus software updates, operating system patches (often issued in response to Army Computer Emergency Response Team alerts), software upgrades, and necessary configuration changes are dispensed each time cadets log in to their network accounts. Army intrusion detectors alert USMA technicians to Internet attacks on cadet computers. Teams are usually able to clear or repair any damage before the cadet knows what has happened. The latest cadet computers include hardware features for central monitoring that have averted significant maintenance problems.

Figure 2. Typical cadet work space today.

Technical support is another difference. Most American students come to college with a computer of their own choosing. To an uncomfortable degree, they must fend for themselves in solving software, hardware, and configuration problems. Some institutions are currently finding that students on stipend can fill some of this gap in technology support. West Point has made cadet Information Systems Officers (ISOs) part of the Corps of Cadets chain of command for more than a decade. A small team of government technicians mentors ISOs in a range of system administration tasks considered to be second-echelon support: forgotten passwords, installation of hardware drivers, and the like. This structure provides an exceptional developmental experience for the ISOs and an effective zero-dollar (although not zero person-hour) source of support. Government and contract personnel perform more sophisticated repairs. All cadets take a one-semester course in computing fundamentals in their first year. Additionally, each year as many as 20 percent of cadets select academic majors or sequences (minors) in disciplines directly related to information technologies, providing a level of expertise to classmates who share their living areas that is not found at many other institutions.

The ethical and moral aspects of cadet development programs are another essential part of IA at West Point. Inside the West Point firewall, designs to safeguard systems and data are able to assume that malicious intent on the part of users is a rare and readily punishable occurrence. Cadets are instructed to consider technology system abuses to be failings of personal conduct or ethics. In short, students are asked and required to be part of the IA effort. West Point's intranet security intends to keep honest people honest and to detect the occasional outlying bad behavior. On the other hand, most campus network designers frequently have no choice but to assume that many students will intentionally abuse institutional systems. The Athena project at the Massachusetts Institute of Technology (MIT) and the proliferation of virtual LANs and other elaborate security control mechanisms on campuses stand as examples. The upshot of West Point's methods is better education and training for cadets. On any given day, approximately 99.6 percent of cadet computers are available on the USMA network. At other institutions, the popularity of campus-wide student computer purchase programs is growing. These often include limited standard configuration efforts. However, few published data measure overall availability statistics. Whereas most campuses sport an eclectic array of standards, West Point cadet, faculty, and staff computers run identical mail, office suite, mathematics, and multimedia software, allowing faculty members to give instructions and assignments that incorporate configuration details. Technology support and security costs are reduced, so available dollars can be focused on improving capabilities rather than on security and middleware. Although cadets do not have complete freedom to connect devices and run disapproved software in the USMA network environment, cadets with bona fide educational needs to operate nonstandard configurations are able to do so in controlled circumstances under the guidance of a faculty mentor.

The lessons of experience are somewhat counterintuitive. The military and government environment of education at West Point benefits its cadet students rather than detracting from their experience. A comprehensive approach to IA for student computing is part of the solution rather than a problem to be solved.

Lieutenant Colonel Eugene K. Ressler, Jr. is Professor of Computer Science and Associate Dean for Information and Educational Technology at the United States Military Academy at West Point, New York. He has served as an Army engineer and computer scientist in various assignments. He graduated from the USMA in 1978 and received a master's degree in computer science from the University of California at Berkeley in 1984 and a doctoral degree in computer science from Cornell University in 1993. He may be reached at ressler@usma.edu.

Colonel Clark K. Ray is the USMA Computer Science Program Director in the Department of Electrical Engineering and Computer Science and has previously served in Army engineering and automation assignments. He is a 1976 graduate of USMA and received his master's and doctoral degrees in computer and systems engineering from Rensselaer Polytechnic Institute. He may be reached at ray@eecsl.eecs.usma.edu.

In Pursuit of the Trustworthy Enterprise

Mr. Sean P. O'Neil

Editor's Note: Inclusion of this product within the Product slot does not constitute an endorsement by IATAC or DOD.

Today's consumers may be immediately concerned with protecting their Visa card numbers during on-line purchases, and until just a few weeks ago government information technology (IT) managers were primarily obsessed with exterminating the year 2000 (Y2K) bug. However, individuals in both the private and public sectors feel growing apprehension about security threats from the Internet.

Shared Concerns Inside and Outside the Beltway

Citizens and government managers alike recognize not only the potential dangers posed by hackers, computer virus writers, Web saboteurs, and other Internet attackers, but also the need to increase the soundness of the overall Internet security infrastructure. Just as businesses and consumers are beginning to tap the Internet's potential for electronic commerce (e-commerce) purposes, government agencies are leveraging the power of the Web to deliver enhanced services and information. However, with the efficiencies offered by the Internet come opportunities for disaster. As the world rushes into the Internet age, the opportunities for security breaches and cyber terrorism continue to escalate. The Internet opens the e-commerce door to millions of users while simultaneously exposing Web sites and placing at risk invaluable corporate data, mission-critical business applications, and consumers' confidential information. Web-enabling technologies also have the potential to compromise the integrity of government networks and crucial defense resources. The Internet may soon serve, in effect, to launch commercial hijackings and cyber terrorism directed against the U.S. national infrastructures.

A Real and Imminent Danger

According to the FBI, the average American corporation will experience a major electronic intrusion once every 2 years. On the government side, the General Accounting Office has warned that federal government systems such as tax collection, national defense, and air traffic control networks may face serious threats of severe disruption unless adequate defense measures are quickly put in place.

Fortunately, sophisticated tools are now available to protect E-commerce transactions, IT assets, and network resources. The most powerful of these e-commerce security tools are equally effective in sensitive government IT environments, where property and lives are at stake, not just dollars and credit ratings.

Computer Associates International, Inc. (CA) has developed such a tool. Its eTrust security solutions are used at government and commercial sites to safeguard information and maintain the integrity of vital enterprise resources. eTrust protects mission-critical IT resources and offers broad functionality, including risk assessment, attack detection, and consolidated administration of policy and audit trails. eTrust solutions can also be scaled to suit an environment of any size. Government agencies and commercial entities deploy eTrust either as standalone products or as a comprehensive security suite. eTrust was designed to be used with the Unicenter TNG enterprise management solution, thus offering IT managers a consistent approach to building, deploying, and managing security as part of the larger IT administration and control task. By supporting and exploiting security features of the OS/390, UNIX, and Windows NT operating systems and applications, eTrust's open, expandable architecture allows organizations to leverage their existing technology investments. Public key infrastructure (PKI), LDAP, and smart-card products are a few of the standards-based technologies used by Global 2000 customers and government clients in conjunction with enterprise management and security products.

When the Firewalls Come Tumbling Down

Together with network intrusion detection systems, firewalls have traditionally provided first-level defense against external attacks. However, holes must be punched through firewalls to grant legitimate access to Web-enabled applications. Implementing these applications concurrently provides an opportunity for hackers to exploit application or server vulnerabilities and breach security controls. Equally disconcerting is the fact that moving to e-commerce and Internet-enabled environments has done nothing to eliminate traditional security threats. On the contrary, these developments have escalated vulnerabilities by increasing the number of people with access to specific internal services. For these reasons, conventional security devices are no longer effective by themselves. Simultaneously implementing several stand-alone security tools is also ineffective because it results in a patchwork solution that leaves weak spots unprotected.

Protecting Against Security Threats on All Fronts

Using eTrust, CA has partnered with government and commercial customers to provide a complete security solution tailored to specific requirements and organization goals: a solution that supports Internet use and also protects the infrastructure. Tight integration among eTrust offerings gives government agencies and business organizations enterprisewide security and also allows them to adopt incrementally eTrust solutions that seamlessly work with one another. Solutions include:

- eTrust Access Control, which provides policy-based control to determine who can access specific systems, what they can do with them, and when access is allowed.
- eTrust Admin, which simplifies user and resource administration, reducing its complexity, expense, and susceptibility to error.
- eTrust Audit, which collects enterprisewide security and system audit information.
- eTrust Content Inspection, which safeguards systems connected to the Internet from malicious code attacks.
- eTrust Directory, which ensures high performance and reliability of critical directory service applications.
- eTrust …, which seamlessly safeguards information against intrusion as it is transferred across a Transmission Control Protocol/Internet Protocol network.
- eTrust …, which provides a scalable, distributed Online Certificate Status Protocol (OCSP) responder implementation, giving client applications the current status of a digital certificate from a trusted authority in real time.
- eTrust Firewall, which controls Internet, intranet, and extranet access to mission-critical applications, excluding unauthorized users.
- eTrust Intrusion Detection, which delivers advanced network protection and includes an integrated antivirus engine with automatic signature updates.
- eTrust Policy Compliance, which enables organizations to protect against unauthorized usage or attacks by identifying potential weak points in security policies, automatically generating corrections, and constantly monitoring the network.
- eTrust VPN, which delivers secure Internet communications and safeguards all virtual private network (VPN) uses.

CA also offers a Security Integrity Services (SIS) portfolio, which includes a complete range of consulting services for security assessment, policy development, product installation, support, implementation, and outsourcing. For further information on eTrust products and services, see cai.com/solutions/enterprise/etrust.

Sean P. O'Neil is a freelance writer and President of Write Hand Communications, Inc. He holds an M.B.A. from Bowling College as well as a BA in English from the State University of New York at Albany. He may be reached at spoemail@aol.com.

Third International Information Hiding Workshop

Mr. Robert P. Thompson, Director, IATAC

IATAC recently attended the Third International Information Hiding Workshop in Dresden, Germany. This workshop is the primary forum for scientists engaged in the field of Information Hiding techniques, including steganography and digital watermarking. The workshop focused on algorithms and techniques rather than on systems and policy. The information presented at this workshop is intended to provide a comprehensive view of the current state-of-the-art in data embedding research.

Figure 1. Watermarking System (panel labels: Watermark Registration Authority; Search).

Conference sessions were separated into steganography and watermarking tracks. The steganography track was divided into sessions on fundamentals, paradigms and examples, asymmetric steganography, engineering, and attacks. The watermarking track featured sessions on proofs of ownership, detection and decoding, watermarking techniques, protecting private and public watermarking information, new designs, robustness, and software and hardware protection.

The steganography sessions illustrated that steganography research is improving and certain institutions are gaining expertise, along with more operational insight than is usually expected in academia. In general, steganography is designed to make it more difficult to detect embedded data. Researchers and developers are beginning to make more realistic assumptions about host data files; many are stating that initial assumptions about Least Significant Bit (LSB) substitution appear to be false and the security of these techniques is questionable. Algorithm developers are paying more careful attention to where to hide data, focusing on areas (continued on page 30)
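The Melissa countermeasures described in "The Burning Zone" above (an attachment-size restriction, scanning mail servers for infected traffic, and telling users not to enable macros in received Word documents) can be expressed as a mail-gateway triage policy. The Python below is an added example, not code from the newsletter or from any of the response teams it describes; the size cap, the synthetic .doc layout and the OLE macro-name heuristic are assumptions of the example.

```python
"""Mail-gateway triage modelled on the Melissa countermeasures: an attachment-size cap,
plus holding Word attachments that carry a VBA macro project for review."""
import email
from email import policy
from email.message import EmailMessage

# Constructed policy values for this example (not figures from the newsletter).
MAX_ATTACHMENT_BYTES = 256 * 1024
WORD_TYPES = {"application/msword"}
WORD_EXTS = (".doc", ".dot")

# OLE2 compound-file signature used by Word 97-2000 .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names (UTF-16LE, NUL-terminated) that a VBA macro project leaves in a .doc.
MACRO_STORAGE_NAMES = ("Macros\0".encode("utf-16-le"), "VBA\0".encode("utf-16-le"))


def looks_like_macro_document(data: bytes) -> bool:
    """Heuristic macro check. A complete scanner would walk the OLE directory sectors;
    this triage version only checks the signature and searches the raw bytes for the
    macro storage names (assumption: adequate for gateway triage, not a replacement
    for an up-to-date virus scanner)."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(name in data for name in MACRO_STORAGE_NAMES)


def triage_message(raw: bytes) -> dict:
    """Apply the two gateway controls to one RFC 822 message and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if len(data) > MAX_ATTACHMENT_BYTES:
            findings.append(f"oversize attachment {name}: {len(data)} bytes")
        is_word = part.get_content_type() in WORD_TYPES or name.lower().endswith(WORD_EXTS)
        if is_word and looks_like_macro_document(data):
            findings.append(f"Word attachment {name} contains a VBA macro project")
    return {"verdict": "hold" if findings else "deliver",
            "findings": findings, "from": str(msg["From"]), "subject": str(msg["Subject"])}


def build_sample(with_macro: bool, size: int = 4096) -> bytes:
    """Constructed test message: a benign-looking mail from a known address with a
    synthetic .doc attachment (OLE header plus padding, optionally with macro names)."""
    body = OLE_MAGIC + b"\0" * 504
    if with_macro:
        body += b"".join(MACRO_STORAGE_NAMES)
    body += b"\0" * max(0, size - len(body))
    msg = EmailMessage()
    msg["From"] = "coworker@example.mil"
    msg["To"] = "user@example.mil"
    msg["Subject"] = "Document for your review"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(body, maintype="application", subtype="msword", filename="list.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("clean", build_sample(False)),
                       ("macro", build_sample(True)),
                       ("oversize", build_sample(False, MAX_ATTACHMENT_BYTES + 1))):
        print(label, triage_message(raw))
```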
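For the companion-virus entry in the sidebar above, this added example (not from the newsletter) scans a directory tree for the footprint that entry describes: a file with the same base name as an application but an extension the system resolves earlier. The DOS search order .COM, .EXE, .BAT is a documented fact; the constructed directory in demo() is an assumption.

```python
"""Companion-virus footprint check: find same-directory files whose base name matches an
application's but whose extension DOS resolves earlier, so they would launch instead."""
import os
import tempfile
import time
from pathlib import Path

# Order in which DOS resolves a command typed without an extension.
SEARCH_ORDER = (".com", ".exe", ".bat")


def shadowed_executables(root: str) -> list:
    """Walk `root`; for each base name present with more than one SEARCH_ORDER extension,
    report the file that launches, the file it shadows, and whether the launching file is
    newer (a companion planted after the application is installed is the classic sign)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for f in files:
            stem, ext = os.path.splitext(f)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = f
        for _stem, variants in sorted(by_stem.items()):
            present = [ext for ext in SEARCH_ORDER if ext in variants]
            if len(present) < 2:
                continue
            first = Path(dirpath, variants[present[0]])
            for ext in present[1:]:
                shadowed = Path(dirpath, variants[ext])
                findings.append({
                    "directory": dirpath,
                    "launches": first.name,
                    "shadows": shadowed.name,
                    "launcher_is_newer": first.stat().st_mtime > shadowed.stat().st_mtime,
                })
    return findings


def demo() -> list:
    """Constructed directory tree: APP.EXE installed yesterday, an APP.COM that appeared today
    beside it, and an unshadowed TOOL.EXE. Returns the findings from shadowed_executables()."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "DOS")
        bin_dir.mkdir()
        for name in ("APP.EXE", "TOOL.EXE", "APP.COM", "README.TXT"):
            Path(bin_dir, name).write_bytes(b"MZ" if name.endswith(".EXE") else b"\xe9")
        now = time.time()
        os.utime(Path(bin_dir, "APP.EXE"), (now - 86400, now - 86400))  # installed yesterday
        os.utime(Path(bin_dir, "APP.COM"), (now, now))                  # appeared today
        return shadowed_executables(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```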
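For the workshop's point that LSB substitution is not as secure as first assumed, the following added example (not from the workshop report or from any paper presented there) embeds a message by sequential LSB substitution in a constructed 8-bit carrier and then applies the chi-square "pairs of values" test that Westfeld and Pfitzmann presented at that Dresden workshop. The skewed carrier distribution and the chi2/df reading are assumptions of the example.

```python
"""LSB steganography and the chi-square 'pairs of values' steganalysis test, applied to a
constructed 8-bit carrier."""
import random


def embed_lsb(cover, bits):
    """Sequential LSB substitution: bit i of the message replaces the LSB of sample i."""
    if len(bits) > len(cover):
        raise ValueError("message longer than carrier")
    stego = list(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b
    return stego


def extract_lsb(samples, nbits):
    return [s & 1 for s in samples[:nbits]]


def text_to_bits(text):
    return [(byte >> (7 - i)) & 1 for byte in text.encode() for i in range(8)]


def bits_to_text(bits):
    octets = [int("".join(map(str, bits[i:i + 8])), 2)
              for i in range(0, len(bits) - len(bits) % 8, 8)]
    return bytes(octets).decode()


def pairs_of_values_chi2(samples, depth=8):
    """Chi-square attack (Westfeld and Pfitzmann, IH 1999): after sequential LSB embedding of
    a random-looking message the counts of each pair (2k, 2k+1) converge, so the observed
    count of 2k is compared with the pair average. Returns (chi2, degrees of freedom)."""
    counts = [0] * (1 << depth)
    for s in samples:
        counts[s] += 1
    chi2, pairs = 0.0, 0
    for k in range(0, 1 << depth, 2):
        expected = (counts[k] + counts[k + 1]) / 2
        if expected == 0:
            continue
        chi2 += (counts[k] - expected) ** 2 / expected
        pairs += 1
    return chi2, pairs - 1


def make_cover(n=20000, seed=1):
    """Constructed carrier: 8-bit samples in which odd values are much rarer than even ones
    (standing in for the uneven pair histogram of a real cover; an assumption of this example)."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0) for _ in range(n)]


def demo():
    cover = make_cover()
    msg_bits = text_to_bits("meet at the border")
    # Fill the rest of the carrier with random bits, as a compressed or encrypted payload would.
    filler = random.Random(2)
    payload = msg_bits + [filler.randrange(2) for _ in range(len(cover) - len(msg_bits))]
    stego = embed_lsb(cover, payload)
    recovered = bits_to_text(extract_lsb(stego, len(msg_bits)))
    chi_cover, df = pairs_of_values_chi2(cover)
    chi_stego, _ = pairs_of_values_chi2(stego)
    # chi2/df is about 1 once embedding has equalised the pair counts; far larger for the cover.
    return {"recovered": recovered,
            "cover_chi2_per_df": chi_cover / df,
            "stego_chi2_per_df": chi_stego / df}


if __name__ == "__main__":
    print(demo())
```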