NETSURFER FOCUS
ON COMPUTER AND NETWORK SECURITY
Volume 02, Issue 02 | July 15, 1996
God is in the details
TABLE OF CONTENTS
- The Network is a Dog
- Where Angels Fear to Click
- Fire Burn, Cauldron Bubble
- Attack of the Killer Data
- Oh, What a Tangled Web We Weave
- All Creatures Great and Small
- Snow White, Archimedes, and Tylenol
- Private Parties on the Party Line
- Shootout at the E-COM Corral
- Famous Last Words
- Family Jewels
- Digital Flotsam
- Recent Footage
CONTACT INFORMATION
CREDITS
THE NETWORK IS A DOG
Canine redux
What a difference a year makes, and certainly a year on the Internet.
It's been said that an Internet year is like a dog year, packing in the
development of seven normal human years. When we published our first issue on
computer and network security, the Internet was an interesting frontier and
the splashy IPOs of Internet companies had not yet begun. Now, midway
through 1996, it has become a ubiquitous communication channel. In the US, for
example, a URL is as essential for many businesses as a toll-free 800 phone
number. In the last twelve months, the first wave of businesses, entrepreneurs,
professionals, and consumers has adopted the networked desktop computer as an
information appliance. Computer and network security used to be a problem for
large or specialized organizations and the province of technical professionals
steeped in lore and arcana. Now there are many network users who do not have the
advantage of these resources and must practise safe networking and know how to
protect themselves. Likewise, our first issue of Netsurfer Focus on
computer and network security largely addressed the concerns of system
administrators. In this issue, we will continue to bring you new developments
in these areas. In addition, we will touch upon problems of concern to small
business and home users alike. For new readers who are interested in the topic,
we highly recommend you also visit the revised edition of our first annual issue
on Computer and Network Security.
- Netsurfer Focus on Computer and Network Security
- http://www.netsurf.com/nsf/v01/01/nsf.01.01.html
- The original network and the dog
- http://www.netsurf.com/nsf/v01/02/nsf.01.02a.html#s14
WHERE ANGELS FEAR TO CLICK
Coming full circle
You are connected to a network. Every click of your mouse can take you
into the unknown. Do you know where you are going? Do you know what
will happen there?
The original application of the World Wide Web was, as far as active content
goes, safe. You download text and graphics, the browser interprets and displays them,
and you can always view the source the browser interpreted. There is no
hiding behind secret files or obscure binary code that only a trained programmer
or a computer can read. Although you may not know much about the web site you
are visiting and whether you can trust it or not, the content you get does not
do anything to your computer system. But along came the downloadable
plug-ins, Java applets, JavaScript scripts, and ActiveX controls. Each is a
piece of software that runs on your system and has varying capabilities to
modify the local software and hardware. Clicking on a hotlink to a file of a
special MIME type can cause a plug-in to run, but at least you have to have the
plug-in installed and to click on the link. Java and JavaScript are more insidious because
support comes built into popular browsers, and applets and scripts run immediately
when the page has been downloaded. Although the language designers have taken
pains to make Java and JavaScript safe, problems are still being identified.
ActiveX controls, on the other hand, run as native code with the same access to your PC
that any installed program has, and being newer to the Net, have had less time for their
potential flaws to be discovered. The trick is to not let any unknown code, no matter where it is
from, run on your computer without strong precautions. If you have not disabled
these features in your browser, every time you click on the URL of a web page,
you are potentially allowing code that you might not even know is on the page
to run on your computer. Unlike a BBS download or even an e-mail attachment, there
is no separate and conscious step to run an executable. The first click of your
mouse is the crucial one. When the Web first started, those who had heard
about viruses were wary, and we were able to reassure them that it was perfectly
safe to point and click. Now that we have trained the world to think that it is
safe to point and click and surf the Net, we need to bring the precautions back.
FIRE BURN, CAULDRON BUBBLE
Caffeine jitters
Judging by the industry response, Java is proving to be a potent brew.
Its strength comes from being a programming language that does most of
the "right" things by modern programming standards; or as Sun Microsystems
itself describes it, Java is fully buzzword-compliant.
The security challenge comes when we rely on it to run, sight unseen,
applets from the four corners of the earth.
To keep applets from running amok in the system, a browser that
supports Java constrains them to a "sandbox".
By design, this sandbox includes only access to the screen and computing
power of the client computer, and network connections back to the host from which the
applet came. An applet usually cannot get at your local file system, and it cannot connect
to other computers on the network. But as we gain experience with Java, we
are finding sins of both commission and omission. A number of design and
implementation bugs have been reported and quickly fixed. Among other things,
these allowed attacks on computers behind firewalls, and also attacks that seem
to come from an unwary and innocuous third party. More bugs will doubtless be
discovered and remedied with new releases and continued scrutiny. Other
problems that come up are part of the nature of the beast. For example, while
applets may stay in the sandbox, they can raise quite a ruckus and do each other
harm in the process. These "hostile applets" are able to lock up your screen,
crash the browser, sabotage or kill other applets, try to steal your password
by putting up a fake login screen and asking you to enter it, or simply
siphon off system resources to work on computational problems and report the
results to the originating server. There is currently no way to control these
types of applets except to restart the browser or the computer. The Internet
is not always a safe place, but there is no point in throwing out the Java with
the grounds. Turn off Java support in your browser while visiting sites you do
not trust, and use up-to-date versions of browsers and Java development kits to
get the latest fixes. With the prevalence of applet-sharing on the Net, the
possibility of popular applets (such as the ticker tape) being turned into
Trojan horses is also very real. So it is equally important not to use or post
any applet on your web site unless you know exactly what it does.
- Two easy pieces
-
http://developer.netscape.com/standards/java-security2.html
-
http://www.cs.princeton.edu/sip/java-faq.html
- The Princeton paper on
Java security
-
http://www.cs.princeton.edu/sip/pub/secure96.html
- History of Java
Security Bugs
- http://java.sun.com/sfaq/
- On hostile
java applets
-
http://www.math.gatech.edu/~mladue/OBCArticle/Article.html
- Netscape
Navigator update
-
http://home.netscape.com/newsref/std/java_security_faq.html
JavaScript, not to be confused with Java, is a scripting language supported by
the Netscape browsers to improve the interactivity of HTML pages. While Java
applets can get at each other, JavaScript code has access to what you do within
the browser, and browser bugs have given it access to your computer as well.
Instead of stealing resources a la applets, the
bugs that have been found tend to violate the privacy of your system. Malicious
JavaScript code can track the history of your web surfing, read your files and
file directory listings, and send all the information back to the server from
which it originated. Most of these problems have been fixed as of this writing
but continued scrutiny may reveal new ones. So the same precautions that are
used for Java apply to JavaScript also.
- JavaScript problems
- http://www.osf.org/~loverso/javascript/
ATTACK OF THE KILLER DATA
New tricks for old bugs
Programs such as Microsoft Word have a macro language that can modify
program behaviour and enable greater functionality. If macros are
carried along in the same file as the data, then the program is
susceptible to macro viruses. Whether you are downloading the file
through FTP or the Web, the data file is not as innocuous as it seems.
And actually, you don't even have to go to the trouble of downloading
the file containing a macro gone bad. E-mail will take care of it for you just fine.
Safely ensconced in the protective sheath of a MIME attachment, the lethal payload is
carried through the firewall and only released when you open the file.
Likewise, someone can also send you an infected program as an e-mail
attachment.
The old sneakernet viruses have turned into netsurfing jetsetters, and their
geographic spread has escalated through use of the Internet. In each case,
the culprit comes through intervening firewalls unscathed, because a packet
filter sees nothing but legitimate mail and file transfers. But of course nothing
stands still in the spy-versus-spy world of computer security. In the last few
months, a number of firewall-based virus scanners have been announced. These
will usually check e-mail attachments and Web and FTP downloads into your
organization for potential invaders.
- Anti-viral products for e-mail, Web, and FTP access
-
http://netra2.mcafee.com/corp/press/051496.html
- http://www.trendmicro.com
- List of
common viruses on the Internet
-
http://www.mcafee.com/support/techdocs/vinfo/t_1111.html
- Microsoft Word
Macro Viruses
-
http://www.research.ibm.com/xw-D953-wconc
- Some viruses aren't
-
http://netra2.mcafee.com/new/notvirus.html
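To make the gateway scanning described above concrete, here is a small added example (ours, not code from the article or from any product named above): a toy mail-gateway filter in Python that walks a MIME message and quarantines attachments by file-type magic rather than by filename or declared Content-Type, both of which the sender controls. The sample message, its attachment names and the example.invalid addresses are constructed for this illustration; a real scanner would of course also match signatures of known viruses.

```python
"""Toy mail-gateway attachment filter.

Added example, not from the article or from any product it names. It walks a
MIME message and quarantines the payloads the article warns about: Word
documents that can carry auto-running macros, and executables. Detection uses
the first bytes of the decoded attachment (file-type magic), not the filename
or the declared Content-Type, since the sender controls both of those.
"""
import email
from email import policy
from email.message import EmailMessage

# Header of an OLE2 compound file, the container format of Word 6/95 documents
# (and hence of their macros). DOS/Windows executables begin with "MZ".
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MZ_MAGIC = b"MZ"
QUARANTINE_TYPES = {"ole2-document", "executable"}


def classify(data: bytes) -> str:
    """Coarse file type from leading bytes only."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(MZ_MAGIC):
        return "executable"
    return "other"


def scan_message(raw: str) -> list:
    """Return (filename, declared type, detected type, verdict) per attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            continue                      # message body, not an attachment
        payload = part.get_payload(decode=True) or b""   # undo base64 etc.
        detected = classify(payload)
        verdict = "quarantine" if detected in QUARANTINE_TYPES else "pass"
        findings.append((filename, part.get_content_type(), detected, verdict))
    return findings


def build_sample_message() -> str:
    """Constructed test message: a note plus three attachments. The first is
    an OLE2 header disguised with a .txt name and text/plain type, the second
    an executable stub, the third harmless data. Addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached, please open.")
    fake_doc = OLE2_MAGIC + b"\x00" * 24          # header only, not a real .doc
    msg.add_attachment(fake_doc, maintype="text", subtype="plain",
                       filename="report.txt")
    stub_exe = MZ_MAGIC + b"\x90" * 30            # header only, not a real .exe
    msg.add_attachment(stub_exe, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"meeting notes", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(*finding)
```

The disguised document is the instructive case: its name says .txt and its header says text/plain, yet the decoded bytes are an OLE2 container, which is what Word would open and whose macros would run. Checking content rather than labels is the whole point of scanning at the gateway.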
OH, WHAT A TANGLED WEB WE WEAVE
The fly in the parlor ... with the chainsaw
As computers reach across the ether and interconnect to one another,
regardless of whether they are browser clients or servers,
they take on a certain amount of risk. In addition to the basic dangers
of being a computer on the Net and being hacked, the World Wide Web
brings them new and wonderful hazards.
Java and JavaScript abuse at malicious web sites
and virus-infected content can cause problems. But they are not the
sole villains in the drama. As part of the HTTP protocol,
the browser gives out a great deal of information about you to the
server (its own make and version, your operating system, and the page you
came from, among other things). The "cookie" mechanism can be used to closely track and
record your activities on any given site - just like going into a store
and having every movement you make filmed for use and analysis.
But the web server is not always the evil spider inviting the fly to step into
its parlor. Sometimes the fly comes in armed with a chainsaw, and not always by
the front door. The web server equally faces all the hazards of connection,
without many of the protections of the underlying operating system. For
example, you may restrict access to members only, and use the web server's user
ID and password mechanism (HTTP Basic authentication). First of all, an attacker can make repeated attempts
to guess the password - the server does not shut him down after the third try as
do many operating systems. In addition, the password is not encrypted at all
as it traverses the Net, merely base64-encoded, which anyone who captures it can
reverse in an instant; and traverse the Net it does. To increase the odds of
capture and discovery, user name and password are sent not once but each time
any protected document is accessed. CGI scripts, those solid workhorses of
interactive web pages, are programs running on your server computer, and
therefore potentially large security holes. How, you might ask; well, myriad are
the ways. Suffice it to say that the first law is never to trust user input.
An innocent but unexpectedly large input that overwrites part of the program's memory
has been the downfall of many a program. And given the fact that these scripts
frequently hand their input to system commands (so a form field that smuggles in
the equivalent of 'remove all files' may well be obeyed), they are
attractive targets that can cause disproportionate damage. And last but not
least, the friendly, helpful robots that scuttle across the Web indexing all
pages in their path do not discriminate against files you did not plan for the
world to see. Carelessly managed sites have had their password and system
configuration files scooped into massive Web index databases, waving the red
flag of a vulnerable site under the nose of potential hackers. Exposure of other
files is a lesser risk, but do you really want to share all your organization's
secrets with all of cyberspace?
- A good summary
-
http://www.swcp.com/~mccurley/danger/infect.html
- What malicious web
sites can do
-
http://netlib.att.com/netlib/att/cs/home/ches/secure/sec.html
- http://www.digicrime.com
- What the
server got out of the browser
-
http://www.popco.com/cgi-bin/env-testers
- Cookies
-
http://home.netscape.com/newsref/std/cookie_spec.html
- WWW Security FAQ
-
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
- Writing secure CGI scripts
-
http://www.primus.com/staff/paulp/cgi-security/
-
http://hoohoo.ncsa.uiuc.edu/cgi/security.html
- Search engines and web server security
-
http://ciac.llnl.gov/ciac/notes/notes96-01.shtml#SEARCH
- Securing Internet information servers
-
http://ciac.llnl.gov//ciac/documents/ciac2308.html
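What the web server's "user ID and password mechanism" (HTTP Basic authentication) actually puts on the wire, together with the lockout that the article notes web servers of the day lacked, as an added example that is not taken from the issue or from any server it names. The captured header, the user name alice with password s3cr3t, and the three-strikes limit are constructed for this illustration.

```python
"""HTTP Basic authentication on the wire, plus an account lockout.

Added example, not from the article or any server it mentions. The captured
header, the user 'alice' with password 's3cr3t', and the three-strikes limit
are constructed for this illustration.
"""
import base64
import hmac
from collections import defaultdict

# What a packet sniffer on the path would see on every request for a
# protected document (constructed).
CAPTURED_HEADER = "Authorization: Basic YWxpY2U6czNjcjN0"


def decode_basic(header_line: str) -> tuple:
    """Recover user name and password from a Basic Authorization header.
    Basic auth only base64-encodes 'user:password'; there is no key and no
    secret, so decoding is one library call."""
    value = header_line.partition(":")[2].strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def make_header(user: str, password: str) -> str:
    """Build the header a browser sends (an attacker's guesses look the same)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Authorization: Basic {token}"


class LockingAuthenticator:
    """Password check with the lockout the article says operating systems had
    and web servers lacked. Counting is per user name here; note that this
    lets an attacker lock a legitimate user out on purpose, so real
    deployments also rate-limit per client address and expire the lock."""

    def __init__(self, users: dict, max_failures: int = 3):
        self.users = dict(users)          # user -> password (plaintext for the demo)
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def authenticate(self, header_line: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        user, password = decode_basic(header_line)
        if self.failures[user] >= self.max_failures:
            return "locked"
        stored = self.users.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= self.max_failures else "denied"


def guessing_attack(auth: LockingAuthenticator, user: str, guesses) -> list:
    """Simulate the repeated guessing the article describes; one result per guess."""
    return [auth.authenticate(make_header(user, g)) for g in guesses]


if __name__ == "__main__":
    print("sniffed credentials:", decode_basic(CAPTURED_HEADER))
    auth = LockingAuthenticator({"alice": "s3cr3t"})
    print(guessing_attack(auth, "alice", ["password", "letmein", "123456", "s3cr3t"]))
```

Two things to take from this: decode_basic needs no cryptanalysis, only base64, which is why the header must travel over an encrypted channel (SSL) if the password matters; and because the browser repeats the header on every protected request, a sniffer gets as many chances as there are clicks.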
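The "never trust user input" rule for CGI scripts, as an added Python example that is not from the article. The vulnerable function pastes a form field into a shell command line the way many scripts of the period did; the hardened one caps the length, allow-lists the characters, and hands the value to the program as a single argument with no shell in between. Here 'echo' stands in for the real system command so the example is harmless to run, and the hostile form value is constructed.

```python
"""CGI input handling: a command built from a form field, vulnerable and hardened.

Added example, not code from the article. 'echo' stands in for whatever
system command the script really needs, so running this is harmless; the
point is what the shell does with the metacharacters in the field. The
hostile form value below is constructed.
"""
import re
import subprocess

MAX_FIELD = 64                    # cap on input length (an unbounded field is
                                  # how the memory-overwriting inputs the
                                  # article mentions arise in C programs)
FIELD_PATTERN = re.compile(r"[A-Za-z0-9_.-]+")   # allow-list, no shell metacharacters
HOSTILE_FIELD = "bob; echo INJECTED"             # constructed hostile form value


def lookup_vulnerable(form_value: str) -> str:
    """Pastes the form field into a shell command line, as many scripts of the
    period did. The shell treats ';' as a command separator, so the second
    half of HOSTILE_FIELD runs as its own command."""
    command = f"echo {form_value}"
    return subprocess.run(["sh", "-c", command], capture_output=True, text=True).stdout


def run_without_shell(form_value: str) -> str:
    """Pass the value as one argv element; no shell ever parses it, so
    metacharacters are just characters."""
    return subprocess.run(["echo", form_value], capture_output=True, text=True).stdout


def lookup_hardened(form_value: str) -> str:
    """Reject anything outside the allow-list or over the length cap, then
    invoke the command without a shell."""
    if len(form_value) > MAX_FIELD:
        raise ValueError("form input too long")
    if not FIELD_PATTERN.fullmatch(form_value):
        raise ValueError("form input contains disallowed characters")
    return run_without_shell(form_value)


def is_rejected(form_value: str) -> bool:
    """True if the hardened path refuses the value."""
    try:
        lookup_hardened(form_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(HOSTILE_FIELD)))
    print("no shell:  ", repr(run_without_shell(HOSTILE_FIELD)))
    print("hardened rejects hostile input:", is_rejected(HOSTILE_FIELD))
```

Swap 'echo' for a file-removal or mail command and the vulnerable version is the 'remove all files' scenario from the text. Note that the allow-list and the no-shell call are independent defences: the argv form alone already defeats the injection, and the allow-list alone would still be undone by a later programmer who reintroduces a shell.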
ALL CREATURES GREAT AND SMALL
Cybercritters in the night
In addition to the web page traps and viruses that snare unwary netsurfers, the
Net ecosystem is also home to a growing host of robots, agents, spiders, worms,
ants, and other creatures. Speaking the language of HTTP and other network
protocols, these are basically small programs that traverse the Net for a
variety of purposes. The best known are the spiders that index Net resources
for public and private use. Alta Vista, Infoseek, and Lycos are a few that come
to mind. Others help webmasters manage their sites, checking for and pruning
away defunct hotlinks. Newer programs can help you harvest Net resources, look
for updated pages, download entire sites while you sleep, or even shop for
bargains. In the brave new world, intelligent agents will not just bring you
information, but become active in coordinating schedules, executing
transactions, and performing other tasks at your behest. These programs or
robots can have intended and unintended effects on the network and web sites
they traverse. Overeager spiders have overwhelmed web sites by requesting too
many documents too rapidly. As described elsewhere, they can also ferret out
information that a careless system administrator leaves accessible on his disk.
Efforts are under way to create formal Internet standards of behaviour for web
robots. The current version, the Robot Exclusion Standard, allows site
administrators to place a 'robots.txt' file at the top of their web server indicating where robots
should not go. For example, a large archive of bitmap images would be useless
to a robot that is trying to index HTML pages. Serving these files to the robot
is a needless use of net resources; however, they need to remain accessible to a
human with a browser or FTP. The standard is a voluntary one for the moment, and
an etiquette is evolving for robot developers as experience is gained with their
deployment. Bear in mind that robots.txt is a request, not a lock: it keeps polite
robots out, but it also tells anyone who reads it exactly which directories you
consider sensitive.
- Web robots, wanderers, and spider information
-
http://info.webcrawler.com/mak/projects/robots/robots.html (detailed
resources)
-
http://apt.usa.globalnews.com/d3/agents.htm (overview article)
- Harvesting web pages
-
http://www.ffg.com/internet.html
-
http://www.freeloader.com/
-
http://www.documagix.com/documagx/products/dhotpage.htm
- Bargain Finder
- http://bf.cstar.ac.com/bf/
- General Magic's white paper on a common agent platform
-
http://www.genmagic.com/internet/cap/
- Robot Exclusion Standard
-
http://info.webcrawler.com/mak/projects/robots/norobots.html
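A robots.txt file in the Robot Exclusion Standard format, and a check of what a compliant robot may fetch, as an added example rather than text from the article. The file contents, the www.example.invalid host and the robot names are made up for the illustration; the parser is Python's standard-library urllib.robotparser, which implements the standard.

```python
"""Robot Exclusion Standard: a robots.txt and what a polite robot may fetch.

Added example, not from the article. The file contents, the host
www.example.invalid and the robot names are made up; the parser is Python's
standard-library urllib.robotparser.
"""
from urllib import robotparser

ROBOTS_TXT = """\
# Constructed robots.txt for www.example.invalid
User-agent: *
Disallow: /images/     # large bitmap archive, useless to an HTML indexer
Disallow: /cgi-bin/    # scripts, not pages
Disallow: /private/    # note: this line also advertises where the goods are

User-agent: BadBot
Disallow: /
"""

SITE = "http://www.example.invalid"


def allowed_paths(robots_txt: str, agent: str, paths) -> dict:
    """Map each path to True if 'agent' may fetch it under this robots.txt.
    Remember this is etiquette: the robot, not the server, enforces it."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return {path: rp.can_fetch(agent, SITE + path) for path in paths}


if __name__ == "__main__":
    sample = ["/index.html", "/images/logo.gif", "/cgi-bin/env", "/private/passwd"]
    print("GoodBot:", allowed_paths(ROBOTS_TXT, "GoodBot", sample))
    print("BadBot: ", allowed_paths(ROBOTS_TXT, "BadBot", sample))
```

The /private/ line illustrates the caveat above: a well-behaved indexer will skip it, but a human reading robots.txt now knows the directory exists. Files that must not be seen belong behind the server's access controls (or off the server), not merely in an exclusion list.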
SNOW WHITE, ARCHIMEDES, AND TYLENOL
The issue of trust
Things are not always what they seem.
Consider the case of cyanide-laced Tylenol tablets, Snow White eating the beautiful
apple from the Evil Queen,
or Archimedes's encounter with gold that had been adulterated with base metals.
How do you trust what you get? It's no different in cyberspace. The applet that
screams "download me" at your favourite game site. The robot knocking at the
door to your web server. It's just often harder to verify the reliability of 1's
and 0's. We have few qualms about installing shrink-wrapped software
packages because we get them from a retailer we know, or because they carry a
brand name we trust. These days we extend trust to Net sites that we visit.
The momentum behind using digital signatures to show that a message or a piece
of software actually came from the person or organization that we trust is
growing. The Java API including signed applets will be available in Q3 of 96,
and Microsoft is spearheading a code signing proposal. So in the
not-too-distant future, we should be able to enforce greater security and
functionality by verifying content, robots, applets, and transactions through
the signature on the digital ID card. ID card providers (certificate
authorities) are appearing, and even the US Postal Service is getting into the
act. Keep in mind that a signature tells you who signed the code, not whether
the code is safe; the decision to trust the signer is still yours.
- Signing and security in Java applets
http://www.javasoft.com/products/apiOverview.html#security
- Microsoft
proposal on code signing
-
http://www.microsoft.com/intdev/signcode/authcode.htm
- Getting into the
card issuing business
- Verisign - http://digitalid.verisign.com/
- The
US Post Office -
http://nic.nasa.gov/ana/projects/usps.html
- Phone Companies -
http://www.cybertrust.gte.com/Caservic/caservic.html
PRIVATE PARTIES ON THE PARTY LINE
Virtual Private Networks
The Internet is one big party line where packets of information bounce
hither and thither from source to destination, free to spend a night or a lifetime
with some random computer somewhere along the way. But as a public
thoroughfare, it has great cost advantages compared to stringing your own wire
for a private network. So how do you have the best of both worlds of low cost
and privacy? Although some large scale network providers such as MCI can provide
a facsimile of private lines by routing your traffic entirely over network
segments that they manage, the trend has been to more control over your own
destiny through virtual private networks (VPNs).
And the party line on privatizing the party line? IP level encryption.
Sender to recipient, end-to-end encryption of information being
transmitted across the Internet means that
stray packets are unintelligible to anyone but the intended recipient.
Encryption at the IP level of the Internet protocol stack also allows easy
support of different application protocols such as HTTP, FTP, and Telnet, on a
variety of underlying network technology such as Ethernet, Frame Relay, or ATM.
Products that secure the communications between designated sites in your
private network on the Internet are springing up like mushrooms after a rain.
They can be software-only, such as Digital Equipment's Internet Tunnel, or
hardware-based, as NetFortress from Digital Secure Networks Technology. The
SunScreen solution from Sun Microsystems provides firewall and cryptographic key
clearinghouse services as well as the basic site-to-site encryption. These
solutions work well for organizations that must secure communications between
different facilities. Note that with site-to-site products the encryption runs
between the two gateways, not between the two end machines; traffic on the
inside of either gateway travels in the clear. The Security Middleware products from Virtual Online
Network Environments use smartcard authentication to verify individual users
rather than host computers. This product, if deployed by Internet Service
Providers, would allow even small Mom-and-Pop outfits to have affordable private
networks. And on the large enterprise side of the story, an industry coalition
is forming to enable secure wide area networks (S/WAN) through encryption and
key management standards.
- Encryption and Cryptographic Keys
-
http://www.netsurf.com/nsf/v01/03/nsf.01.03.html
- Internet Tunnel
-
http://www.digital.com/info/SP5613/SP5613PF.PDF
- NetFortress
- http://www.dsnt.com/nf1.html
- SunScreen
-
http://www.sun.com/950701/SunScreen3FINAL.html
- Security Middleware
-
http://www.v-one.com/newpages/sgate.htm
- S/WAN
- http://www.rsa.com/rsa/SWAN/home.html
SHOOTOUT AT THE E-COM CORRAL
Where's the beef?
Glorious sunrise on the range. The entrance to the E-COM corral, Marlboro
Man look-alikes hoist the corral's new brand over the gates.
Bold, wrought iron letters, SET. The crowds cheer and applaud.
Suddenly, a lone cowboy in black with a gold belt buckle
rides up with six shooters blazing. The natives
shoot back and give chase. Exit, stage left. The scene continues
undisturbed.
By late 1995, Netscape's SSL (Secure Sockets Layer) had won the standards race
for secured transmission of content (read: credit card numbers) across the Net.
Commerce on the Internet received a crucial boost in early 1996 when leading
credit card associations Visa and Mastercard finally set aside their differences
and competing standards (STT and SEPP) in favour of a common specification, SET
(Secure Electronic Transaction). This specification enables the other aspects
of a credit card transaction, e.g., authorization of the charges, to occur
online, not just the transmission of card number information. Then First
Virtual Holdings announced the identification of a major flaw in the use of
software-based encryption of credit card numbers: keystroke capture at the
client desktop. Their point is that if someone has managed to gain control of
your computer to monitor your keystrokes, he can capture your credit card number
before it is ever encrypted, and no amount of encryption for transmission will help protect you. With the
interconnectivity of the Net and the ease of downloading a hostile applet, the
vulnerability of the desktop computer cannot be overemphasized, particularly for
those new to computer and network security issues. However, the hyperbolic press
releases on a topic well known to security experts, combined with the fact that
First Virtual offers electronic commerce through a mechanism without the use of
encryption, have led to a flurry of responses ranging from supportive to outraged.
As of this writing, the tempest has subsided to the bottom of the virtual
teacup and electronic commerce marches on.
- The Original SSL vs. SHTTP race
-
http://www.netsurf.com/nsf/v01/01/nsf.01.01.html#s12
- The SET
specification
-
http://www.visa.com/cgi-bin/vee/sf/standard.html?2+0
- RSA's SET Central
- http://www.rsa.com/set/
- The First
Virtual press release
-
http://www.fv.com/gabletxt/release2_7_96.html
- Select e-mail responses
-
http://www.netsurf.com/nsf/v02/02/local/cy_email.html
- Backlash
- http://www.c2.org/nofv/
FAMOUS LAST WORDS
Chiselled in stone, many many copies
Large scale search sites are invaluable to many netizens.
For example, with the growth of the Net in the past year,
publishing Netsurfer Focus would be too painful
to contemplate without access to sites such as Alta Vista*.
The corollary is that with these high powered spiders,
every utterance on the Net, be it on a web page or a newsgroup,
may be a matter of public record that above all else
can be readily found.
The story of your online life,
whether you are a frequent poster to 'alt.sex.binaries' or
'sci.crypt' (hello, potential employer!),
or your personal web page showing three beautiful children,
a dog named Jimmy, and a house far beyond your $20K a year salary
(hello, IRS!) can be there for all who care to see.
And then there are the large online directories. Coming
hard on the heels of the info-preneurs that have set up directory
sites, the phone companies are rushing online with their
multi-million listing offerings.
Privacy issues become intertwined with physical security because it
has become so easy to identify and physically locate you,
your beliefs and habits, and your computer.
- Resources behind Alta Vista
-
http://altavista.digital.com/cgi-bin/query?pg=about
- The Internet Archive Project
-
http://quake.think.com
- The Smithsonian's 1996 US presidential election web archive
-
http://www.si.edu/organiza/museums/nmah/homepage/pressrel/web.htm
- Internet e-mail and white pages
-
http://www.bigfoot.com
-
http://www.four11.com
- NYNEX Interactive Yellow Pages (Big Yellow)
- http://s9.bigyellow.com/
* How quickly those of us who are old enough to have done
research in the library with index cards and books of abstracts
forget! -Ed.
FAMILY JEWELS
Safeguarding the homestead
As computers move into the home, security takes on new dimensions.
Beyond the hard assets of your computer, and the soft assets of your data,
you need to think about protecting your family and especially children.
Bringing access to the cyberworld to your desktop means exactly that, and we all
know there are parts of the world, real or cyber, that you don't want to take
the kids. A number of companies have sprung up to help you avoid the back
alleys and red-light districts of the Net. Software such as SurfWatch or
NetNanny blocks access to known sites where offensive material is available, or
to any site that you deem inappropriate. The sites that are blocked vary from
package to package. Some include on their verboten list not just pornography
but web resources about homosexuality, or feminism, or anything that does not
promote "family values". Still other packages can log all surfing activity,
enabling Orwellian possibilities right in your own home. In sum, they are tools
that do not excuse us from our responsibilities to decide what is appropriate in
our households. In addition to the reviewer-based systems, another
development that will facilitate appropriate surfing is some widespread form of
labelling or self-labelling. Just like the "PG", "R", and "X" movie ratings in
the US, labelling provides a more standardized way to assess the content of a
web site. The PICS (Platform for Internet Content Selection) standard is a
technical specification for how to label Net content. It is developed by the
World Wide Web consortium and can be used to implement any rating system.
Currently, there is much industry momentum behind RSACi, the Recreational
Software Advisory Council Internet rating system. This is an extension of the
rating system for computer games, and has been endorsed by major online
services. Most of the leading blocking products do or will support RSACi.
- PICS definition
- http://www.w3.org/pub/WWW/PICS/
- Recreational Software Advisory Council System
- http://www.rsac.org/labels.html
- Comparison of blocking products
-
http://www.neosoft.com/parental-control/ntable.html
- Surfwatch screening product
- http://www.surfwatch.com
- SafeSurf
self-rating system
-
http://www.safesurf.com/classify/index.html
DIGITAL FLOTSAM
Short takes and follow-ups
Reach out and hack someone
A year ago, an enterprising cryptographer named Hal Finney issued a challenge to
his colleagues to crack the encryption on an SSL (Netscape's Secure Sockets
Layer) transmission. Appropriately for Internet time, not one, but two
independent successes turned up within a month (the export version's 40-bit
key simply fell to brute force). This was the start of a series
of adversarial testing of Net software by cryptography and security aficionados
across the Internet community. Rooted in the belief that the strength of security
solutions comes from careful scrutiny and not obscurity, expert volunteers
continue to probe and pummel away. Ongoing efforts include a series of
challenges issued by Internet service provider Community ConneXion. The reward?
The archetypal programmer's trophy - a t-shirt.
- The Crack SSL challenge
-
http://www.netsurf.com/nsf/v01/03/local/nscpchal.html
- The Netscape
random number generator problem
-
http://hplyot.obspm.fr/~dl/netscapesec/cypherp1.txt
- The Community
ConneXion challenge series
- Netscape - http://www.c2.org/hacknetscape/
- Microsoft - http://www.c2.org/hackmsoft/
- Java -
http://www.c2.org/hackjava/
- Digicash - http://www.c2.org/hackecash
The Tracker Industry
Hacker Shimomura turned tracker
when cracker Mitnick reputedly broke into Shimomura's computer around Christmas,
1994. Since then, the event has turned into a mini-industry of its own with not
one or two, but three books written about the incident. A web site was also
created to promote "Takedown", Shimomura's book. This time, however, crackers
had the last laugh when they hijacked the URL for the Takedown site by forging
a change-of-address e-mail message to the address keepers at the Internet Network
Information Center. We can be assured of future pranks and publicity stunts as
the movie rights are sold and the cameras begin to roll.
- The First Two Books, Reviewed
-
http://cgi.sjmercury.com/business/hackr114.htm
- The Other Book
- The
Cyberthief and the Samurai. Jeff Goodell, 1996. Dell Publishing.
- The
"Takedown" Site
- http://www.takedown.com
- The Prank
-
http://cgi.sjmercury.com/business/hijac212.htm
International Arms Trafficking
In February, the US State Department announced
an amendment to the International Traffic in Arms Regulations (ITAR) allowing
U.S. persons to temporarily export cryptographic products for personal use
without the need for an export license (aka the 'Matt Blaze exemption').
However, US cryptographers and their allies continue their campaign for the
availability and export of strong (more than 40-bit key) cryptography. The software
industry is clearly concerned about its inability to compete in
international markets under the current export controls. IBM-Lotus struck a
compromise with the government by giving it exclusive access to 24 bits of the
64-bit key used in Lotus Notes Release 4. RSA went the other way and located a
development center in Japan. This allows RSA to provide identical encryption
technologies outside of the US without tripping over ITAR. On the heels of the
successful challenge to the Communications Decency Act, an industry coalition to
lobby Washington is also forming.
- The original arms smuggler
-
http://www.netsurf.com/nsf/v01/01/local/courier.html
- Arms smuggler gets a reprieve
-
http://www.atria.com/People/dawson/tbtf/archive/0068.html
- A way to circumvent ITAR
-
http://www.digicrime.com/itar.html
- The Notes compromise and more offers of the same
-
http://www.lotus.com/corpcomm/2266.htm
-
http://www.sjmercury.com/news/nation/crypt713.htm
- Industry and citizens unite
- http://www.crypto.com
- 6TH USENIX Security Symposium: Focusing on Applications of Cryptography
-
http://www.usenix.org/sec96.html
The Lighter Elements
- DigiCrime: Where do you want to break in today?
-
http://www.digicrime.com/
- Microsoft Bob helps you with your passwords
-
http://catless.ncl.ac.uk/Risks/17.12.html#subj5
- Storming the castle
- ftp://ftp.research.att.com/dist/internet_security/firewall.book/cover.gif
- A portrait of J. Random Hacker
-
http://www-sc.ucssc.indiana.edu/cgi-bin/jargon/000007c8.html
RECENT FOOTAGE
$426.43
A yardstick of the success of a technology is the linear footage
of books written about it. A recent purchase of 7 books about the
Internet stacked up to 9 inches in height and a price of $426.43 per foot.
Computer security has certainly come into its own on this front.
When we published the first Netsurfer Focus on Network and Computer Security,
there simply weren't that many books out there. Since then, things have changed
for the better. So here is an updated selection for your consideration.
- Firewalls and Internet Security: Repelling the Wily Hacker. William R.
Cheswick and Steven M. Bellovin, 1994. Addison-Wesley.
A practical guide and a classic.
- Fundamentals of Computer Security. Edward Amoroso, 1994. Prentice-Hall.
The more theoretical approach.
- Information Security: An Integrated Collection of Essays.
Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, 1995. IEEE Computer
Society Press, Los Alamitos, CA.
Papers on a variety of topics including formal methods and network and database issues.
- Internet Firewalls and Network Security. Karanjit Siyan and Chris Hare, 1995.
New Riders Publishing.
Another useful, practical guide.
- The Underground Guide to Computer Security. Michael Alexander, 1996.
Addison-Wesley.
Entertaining and PC-oriented.
- Network and Internetwork Security: Principles and Practice. William
Stallings, 1995. Prentice-Hall.
Broad coverage from secure network and email management to intrusion detection
to cryptography and authentication.
- Network Security: How to Plan For It and Achieve It.
Richard H. Baker, 1995. McGraw-Hill.
Strong organizational and MIS focus.
- Original selections from our first edition
- http://www.netsurf.com/nsf/v01/01/nsf.01.01.html#s17
CONTACT INFORMATION
Netsurfer Focus Home Page:
http://www.netsurf.com/nsf/index.html
Flames, flowers, and flip remarks to: focus@netsurf.com
We appreciate hearing from you even if we do not manage to respond to every message
that is sent to us. We reserve the right to quote you in future issues of
Netsurfer publications or on our website, so don't say anything you'd regret,
OK?
To subscribe to Netsurfer publications:
By WWW form: http://www.netsurf.com/subscribe.html
By e-mail: nsdigest-request@netsurf.com
Body:
subscribe nsdigest-text
subscribe nsdigest-html
CREDITS
Netsurfer Focus
Publisher: S. M. Lieu
Production Manager: Bill Woodcock
Netsurfer Communications, Inc.
President: Arthur Bebak
Vice President: S. M. Lieu
(c) S. M. Lieu. This document may be distributed freely
in electronic form in its entirety and without
modification. All other rights reserved.
NETSURFER DIGEST is a trademark of Netsurfer Communications,
Inc. Other publication, product, and company names may be trademarks
of their companies.
"God is in the details" is a quote from Mies van der Rohe.
"Fire burn, cauldron bubble" from William Shakespeare, Macbeth Act 4 Scene 1.