The IT Security Cookbook - Appendix B: Stuff which I don't know where to put


20.1 Template for component security analysis

The following template is used in this document for component analysis/auditing:

  • Assurance: Documentation, Certification level (ITSEC, TCSEC), Physical security
  • Accountability: Identification / authorisation, Audit Trail, Logging (detail, analysis & alerting tools/automation level)
  • Accuracy: Integrity checking mechanisms.
  • Access Control: Discretionary Access Control, Secure system startup.
  • Object reuse
  • Secure data exchange / communications: Network Peer entity authentication, Network Data integrity, Network Data confidentiality, Non repudiation of origin / receipt, Network Access control.
  • Availability: Backup and restore, Prevention of Resource Abuse, Change/release management, Redundancy / Replication, Disaster Recovery

20.2 National Laws: Legal considerations for risk analysis

USA

In the U.S. the following laws should be considered during a risk analysis/security incident handling. There are probably additional relevant laws (e.g. in different states, or concerning civil liability) not listed here.

  • Abuse of credit cards, account numbers, access codes, passwords (USC 1029, title 18)
  • Accreditation Manual for Hospitals
  • Banking Circular 177 from the Office on the Controller of the Currency
  • Bulletin R-67 from the Federal Home Loan Bank
  • Clinical Laboratory Information Act
  • Computer Fraud and Abuse Act, 1986 (USC 1030)
  • Computer Security Act, 1987 (Public Law 100-235).
  • Copyright Violation (USC 506b, title 17)
  • Electronic Funds Transfer (USC 1693n, title 15)
  • Electronic Privacy Act, 1986 (USC 2701)
  • Emergency Planning and Community Right-to-know Act, 1986 (3USC 300)
  • Fair Credit Reporting Act
  • Federal Procurement Regulations
  • Foreign Corrupt Practices Act, 1977.
  • Letter #161 from the National Credit Union Association
  • Letter A-130 from the Office of Management and Budget (OMB)
  • Privacy Act, 1974 (5USC 552a)
  • Wire Fraud (USC 1341, title 18)

Switzerland

Privacy laws: Personal data is protected by Swiss law. The VDSG (Vollzugsverordnung zum Bundesgesetz über den Datenschutz) of 14.6.1993 specifies the technical and organisational measures necessary to protect personal data, based on the data privacy law (Datenschutzgesetz, Artikel 6, 7, 8, 11, 16, 24 and 36).

Measures for Swiss government bodies are specified in Articles 20-23 and 34; measures for non-government bodies are specified in Articles 8-12.

In addition, Swiss law (Artikel 135, 197 Ziffer 3, 259, 261, 261bis und 305bis des Schweizerischen Strafgesetzbuches) forbids incitement to racism, gambling, money laundering, and the use or distribution of pornographic or violent material. This includes electronic media such as the Internet.

Ireland

More information can be had from the "Office of the Data Protection Commissioner" (mailto:info@dataprivacy.irlgov.ie). A few relevant laws are:

  • Criminal Damage Act (1991)
  • Data Protection Act (1988) (section 22 for illegal access to data, section for the data controller's responsibilities)

General

20.7 ITU & ISO Security standards

What security-relevant ISO standards exist?
The standards are available on-line, for a fee; see http://www.itu.ch/ .

  • X.400: Email standard or "message handling system", two versions: 1984 & 1988. X.400 runs on the Application layer of the OSI model.
    Interoperability is problematic, as the standard is not tight enough. However, many enterprises use X.400 backbones and most proprietary email systems offer gateways to X.400.
  • X.500: Enterprise directory services. The directory is a collection of systems that co-operate to provide a logical database about real-world objects. Users can retrieve/modify the directory, depending on permissions, using a Directory User Agent (DUA). The information in the directory is called the Directory Information Base (DIB). The directory should support a wide range of applications. DSA = Directory Service Agent.
    X.519 specifies DAP, the Directory Access Protocol, for obtaining credentials.
  • X.509: The ISO certificate standard is X.509 v3; a certificate comprises: Subject name, Subject attributes, Subject public key, Validity dates, Issuer name, Certificate serial number and Issuer signature. X.509 names are similar to X.400 mail addresses, but with a field for an Internet email address. The X.509 standard is used in S/MIME, SSL, S-HTTP, PEM and IPsec key management. X.509 defines a two-way peer-to-peer authentication scheme, with certification authorities?
  • FTAM (File Transfer, Access and Management) is the OSI standard for remote file access.
  • EDI (Electronic Data Interchange) is a standard for the exchange of computer-based business information. It is designed to handle specific messages such as bank transactions, invoices & orders etc. Used by very large companies, since the entry-level costs are high.
  • X.736: Security alarm report record.
  • X.740: defines a standard for audit trail information?
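
As an added example (not the cookbook's code), the following Python builds one constructed X.509 v3 certificate in DER form and reads back the fields listed above for X.509, using X.500-style distinguished names for issuer and subject. The organisation and CA names, serial number, dates, key bits and signature bytes are all made-up placeholders; extensions are omitted and no signature is verified, so it shows the structure and the validity-date check only.

```python
"""Added example, not the cookbook's code: encode one constructed X.509 v3 certificate
in DER, then decode the fields listed above.  Key bits and signature are placeholders."""
from datetime import datetime, timezone

def tlv(tag, content):       # DER element: tag byte, length (short or long form), content
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_integer(n):          # INTEGER: two's-complement, minimal number of bytes
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):         # OBJECT IDENTIFIER: first two arcs combined, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_name(attrs):         # X.500 Name: SEQUENCE of SET of SEQUENCE {OID, UTF8String}
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, der_oid(o) + tlv(0x0C, v.encode())))
                              for o, v in attrs))

def build_sample_certificate():   # constructed, self-issued (issuer == subject), serial 4096
    sha256_rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # AlgorithmIdentifier
    rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
    name = der_name([("2.5.4.10", "Example Org"), ("2.5.4.3", "Example Root CA")])
    validity = tlv(0x30, tlv(0x17, b"990101000000Z") + tlv(0x17, b"090101000000Z"))  # UTCTime
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + bytes(16)))            # placeholder key bits
    tbs = tlv(0x30, tlv(0xA0, der_integer(2)) + der_integer(4096)     # [0] version = v3, serial
              + sha256_rsa + name + validity + name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + bytes(32)))  # placeholder signature

def read_tlv(buf, pos=0):    # bounds-checked, so a truncated blob raises instead of misparsing
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def read_children(content):  # split a constructed value into its (tag, body) children
    children, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        children.append((tag, body))
    return children

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O"}
def decode_name(body):
    atvs = [read_children(atv) for _, rdn in read_children(body) for _, atv in read_children(rdn)]
    return ", ".join(f"{ATTR_NAMES.get(decode_oid(o), decode_oid(o))}={v.decode()}"
                     for (_, o), (_, v) in atvs)

def decode_utctime(body):    # note: strptime pivots two-digit years at 69, X.509 at 50
    return datetime.strptime(body.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    (_, tbs), (_, sig_alg), (_, sig_value) = read_children(cert)
    fields, version = read_children(tbs), 1
    if fields[0][0] == 0xA0:                  # [0] EXPLICIT version; absent means v1
        version = int.from_bytes(read_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    (_, serial), (_, tbs_alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    if tbs_alg != sig_alg:                    # RFC 5280: inner and outer algorithm must agree
        raise ValueError("signature algorithm mismatch")
    not_before, not_after = (decode_utctime(b) for _, b in read_children(validity))
    return {"version": version, "serial": int.from_bytes(serial, "big", signed=True),
            "signature_algorithm": decode_oid(read_children(sig_alg)[0][1]),
            "issuer": decode_name(issuer), "subject": decode_name(subject),
            "not_before": not_before, "not_after": not_after,
            "public_key_algorithm": decode_oid(read_children(read_children(spki)[0][1])[0][1]),
            "signature": sig_value[1:]}       # BIT STRING: first byte is the unused-bit count

def is_within_validity(cert, when_utc):
    """when_utc as 'YYYY-MM-DDTHH:MM:SSZ': the date check a verifier applies before trusting."""
    when = datetime.strptime(when_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return cert["not_before"] <= when <= cert["not_after"]

if __name__ == "__main__": print(parse_certificate(build_sample_certificate()))
```

The decoder deliberately refuses a blob whose length fields run past the end of the buffer and a certificate whose inner and outer signature algorithms disagree; both are conditions a real verifier must reject before it ever looks at the signature.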

Since TCP/IP is now the accepted protocol standard, several ISO standards designed for OSI protocols are now being moved to TCP/IP:

  • LDAP is a "lightweight" implementation of the X.500 DAP (see above).

20.8 POSIX Standards

POSIX.1 is the standardised programming API for access to system services.
POSIX.12 is the API for access to the GUI.
POSIX.? is the system administration commands standard.

20.9 IDEA encryption licensing terms

The IDEA encryption algorithm is not in the public domain. The following text comes directly from the patent holders:

Non-commercial use of IDEA is free. The following examples (regarding PGP) should clarify what we mean by commercial and non-commercial use.
Here are some examples of commercial use of PGP:

  1. When PGP is used for signing and/or encrypting e-mail messages exchanged between two corporations.
  2. When a consultant uses PGP for his communications with his client corporations.
  3. When a bank makes PGP available to its clients for telebanking and charges them money for it (directly or indirectly).
  4. When you use the software you receive from a company for commercial purposes (telebanking included).

Some examples of non commercial use:

  1. When an individual uses PGP for his private communications.
  2. When an individual obtains PGP on the Internet and uses it for telebanking (assuming this is approved by the bank).
  3. When you use the software you receive from a company for private purposes (telebanking excluded).

You may use IDEA freely within your software for non-commercial use. If you include IDEA in your software, it must include the following copyright statement:

Copyright and Licensing Statement
IDEA(tm) is a trademark of Ascom Systec AG. There is no license fee required for non-commercial use. Commercial users of IDEA may obtain licensing information from Ascom Systec AG.
e-mail: IDEA@ascom.ch
fax: ++41 64 56 59 54

For selling the software commercially a product license is required:
The PRODUCT LICENSE gives a software developer the right to implement IDEA in a software product and to sell this product world-wide. With the PRODUCT LICENSE we supply a source listing in C and a software manual. We charge an initial fee per company and a percentage of sales of the software product or products (typically between .5 and 4 per cent of the sales price, depending on the price and the importance of IDEA for the product).

For further information please do not hesitate to contact us.

Best regards,
Roland Weinhart, Ascom Systec Ltd, IDEA Licensing, Gewerbepark, CH-5506 Maegenwil, Switzerland.
Phone ++41 64 56 59 54 Fax ++41 64 56 59 98

20.10 Protecting against Snooping via Van Eck Radiation/ TEMPEST

Professional espionage does exist. It has been shown (even on popular television) that the radiation given off by computer monitors can be picked up by sensors hundreds of meters away and used to reconstruct an exact copy of the screen contents. Another method is to place a device inside the screen which monitors the video signals (removing sync signals) and retransmits them externally, to a vehicle (say) on the street.

Since spooks have been at this for years, it is assumed that the necessary equipment is now available to professional spies.

Prevention: low-radiation monitors provide less signal for detection and are better for the user's health. Shield buildings and locate sensitive monitors away from windows.

TEMPEST stands for Transient Electromagnetic Pulse Surveillance Technology and is the US Government's program for evaluation of electronic equipment that is safe from eavesdropping. Tempest equipment is not legal for civilian use. The requirements on electromagnetic radiation for Tempest endorsement are defined in the classified document NACSIM 5100A.

20.11 The Ten Commandments of Computer Ethics

The following is a code of ethics suggested by the Computer Ethics Institute, Washington, D.C, USA.

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people's computer work.
  3. Thou shalt not snoop around in other people's computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people's computer resources without authorisation or proper compensation.
  8. Thou shalt not appropriate other people's intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human being.

20.12 NT Administration problems/limitations (Feb. 26th 1996)

  • The printer manager cannot browse printers in other domains (as guest, for example); however, they can be mounted on the command line (e.g. in a logon script):
    net use lpt3: \\MYCOMPUTER\MYPRINTER /USER:Guest
  • An NT server cannot share Netware client printers.
  • Many GUI options for setting up NT are not available on the command line. For example in Account policy:
    Options only available via the command line: Force logoff.
    Options only available via the graphical interface: Account lockout options, Force disconnect when logon hours expire, Users must logon to change password.
  • NT backup can only back up the local machine and has no on-line indices, primitive logging options and primitive error handling.
  • No NIS+, NIS, NFS or Kerberos clients are delivered with NT.
  • DCE is far from fully implemented (only RPC is available).
  • Using NT as an LPD print server: install a Generic / Text Only printer driver and connect it to the local printer. UNIX clients can then connect to it and send jobs in the format the printer understands. Otherwise NT will try to translate: if the UNIX client sends PostScript, NT will print the PostScript code rather than let the printer interpret it!
  • NT Workstation cannot print to UNIX printer clients.
  • Colorado tape streamers (i.e. IDE interface) are not supported.
  • Any password checking libs available?
  • Get decent 3rd-party quota software.

20.13 Types of systems

  • Clients: Workstations, Laptops, PCs, Character Terminals, X-Terminals.
  • Naming Services Servers: DNS, DHCP, WINS, NIS, NIS+, Kerberos (& DCE), Novell, Lan Manager (NT or OS/2) Logon servers.
  • Resources Servers : File, Printer, Database, WWW, Application servers.
  • Gateways: Emulation / application gateways & Firewalls (filters, proxies and encryption gateways).
  • Network components: Routers, bridges, hubs, switches, repeaters, etc.

20.14 Windows File/Directory synchronisation tools (9.Aug'99)

I use an NT4 laptop a lot and need a reliable way to synchronise files with my main workstation.
Microsoft's "Briefcase", delivered with Win95 and NT4, is pretty good, but would sometimes hang, could not handle certain Excel files, on rare occasions got completely confused, and always did some kind of timeout when opening directories in the Briefcase offline - so offline access could be dog slow.
I have hundreds of Megabytes in the hundred folders to be synchronised, so I had a look at some other products. However, testing some of them caused me to lose a few files due to misunderstandings. I recommend you set up some test directories and use those.

Ease of use is a key requirement: the software must synchronise files as we "expect" (which is not trivial and needs a good GUI).

Summary: I've not found anything that provides the same functionality as Briefcase; most are pure directory-sync or file-sync products (and only for one directory or tree).
Typical search words used on the sites below: "directory compare", "directory sync", "file sync".

  1. http://www.tucows.com/:
    • SynchronX: Couldn't handle several directories, can't select the action per file it thinks should be updated, not enough detail, no drag and drop. Did have an understandable GUI and could add sync items to the Desktop.
    • TreeComp V3.5: Worked for a while, but then gave the constant error "R:\ not found" (R: was the mounted workstation directory) and could no longer change directories. GUI is pretty good.
    • Directory Monitor V4.1: unstable, functionality not enough.
  2. http://www.shareware.com/ (search for "file sync"). This site only lists zip files and offers no summary of the tools to help you decide which to download:
    • FileTiger 1.11: Is more like a File Explorer, not briefcase.
  3. http://www.download.com/ ("directory compare" and "briefcase", got a list of 16 products)
    • Directory Compare V1.4: Not bad, not enough like Briefcase, can only compare one tree/directory.
    • Araxis Merge 99 Professional V5, $149: not enough like Briefcase, can only compare one tree/directory.
    • Briefcase Plus V1.2: Couldn't get it to work.
    • Comparator V2.0, free: simple, but works quite well. GUI in English, French, German.
      Can only compare one tree/directory. I'm going to try this one for a while.
    • MirrorTree, free: Difficult to use.
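
The section above notes that synchronising "as we expect" is not trivial. The following is an added example (my code, not from the cookbook nor from any of the products reviewed) of the decision rule a Briefcase-style tool needs: a three-way comparison of laptop, workstation and the snapshot recorded at the last successful sync, which is what lets a tool tell "deleted here" from "created there". File names, timestamps and sizes are constructed, and mtime/size equality stands in for content equality.

```python
"""Added example, not from the cookbook: a three-way reconciliation plan of the kind a
Briefcase-style tool needs.  Snapshots are constructed in memory as {path: (mtime, size)};
nothing touches the disk, and mtime/size equality stands in for content equality."""

def same(a, b, tolerance=2.0):
    """Entries match when sizes agree and mtimes differ by at most `tolerance` seconds
    (FAT volumes store last-write times at 2-second resolution).  None means absent."""
    if a is None or b is None:
        return a is b
    return a[1] == b[1] and abs(a[0] - b[0]) <= tolerance

def plan_sync(left, right, last):
    """One action per path, from the laptop ('left'), the workstation ('right') and the
    snapshot taken at the last successful sync ('last').  Without 'last', a plain
    left-vs-right compare cannot tell 'deleted here' from 'created there'."""
    plan = {}
    for path in sorted(set(left) | set(right) | set(last)):
        l, r, base = left.get(path), right.get(path), last.get(path)
        l_changed, r_changed = not same(l, base), not same(r, base)   # includes create/delete
        if same(l, r):
            plan[path] = "unchanged" if l is not None else "forget"   # 'forget': gone on both sides
        elif l_changed and r_changed:
            plan[path] = "conflict"             # edited (or deleted) on both sides: ask the user
        elif l_changed:
            plan[path] = "copy_to_right" if l is not None else "delete_right"
        else:
            plan[path] = "copy_to_left" if r is not None else "delete_left"
    return plan

def sample_snapshots():
    """Constructed scenario: one file edited on each side, one edited on both, one created
    on the laptop, one deleted on the laptop, one already deleted on both sides."""
    last = {"notes.txt": (1000, 10), "budget.xls": (1000, 500), "old.doc": (900, 40),
            "shared.txt": (1000, 20), "gone.txt": (800, 3)}
    left = {"notes.txt": (2000, 12), "budget.xls": (1000, 500),      # notes edited, old.doc deleted
            "shared.txt": (3000, 25), "new_on_laptop.txt": (2500, 5)}
    right = {"notes.txt": (1001, 10), "budget.xls": (2100, 520),     # budget edited, old.doc kept
             "old.doc": (900, 40), "shared.txt": (3100, 30)}
    return left, right, last

if __name__ == "__main__":
    for path, action in plan_sync(*sample_snapshots()).items():
        print(f"{path:20} {action}")
```

Run without the third snapshot (pass an empty dict as `last`) and the file deleted on the laptop comes back as "copy_to_left", which is exactly the kind of misunderstanding that loses or resurrects files; the conflict outcome is where a good GUI has to step in, since no rule can decide it for the user.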
