Subject: RISKS DIGEST 13.78
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 4 September 1992  Volume 13 : Issue 78

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
Re: TCAS (Nancy Leveson [2], Jim Sims)
The Glitch Telephone Network and Janet Pensig (PGN)
Phone Hackers (David Ashenfelter)
15th National Computer Security Conference, PROGRAM (Jack Holleran)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@cv.vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Wed, 02 Sep 92 17:53:31 -0700
From: Nancy Leveson
Subject: Re: TCAS

According to a report that was just on CNN, the problem was that the pilot went the wrong way, i.e., TCAS told him to go up and he went down.
In the report (which was surprisingly good) they also mentioned that the controllers hate TCAS because they lose control and that the pilots love it because they gain control. The people interviewed on the report that appeared disturbed by the incident were controllers so it is difficult to really know how serious it actually was.

Nancy

------------------------------

Date: Fri, 04 Sep 92 10:35:07 -0700
From: Nancy Leveson
Subject: Re: TCAS

Steve Bellovin writes:

> According to the AP, a ``Traffic Alert and Collision Avoidance System'', designed to prevent mid-air collisions, apparently malfunctioned and nearly caused one. Two planes, a 767 and a DC-9, were separated by 1,000 feet of altitude, in accordance with FAA regulations. But the TCAS system told the pilot of the 767 to descend to the DC-9's altitude. The horizontal separation of the planes was only .5 miles, rather than the 5 miles required.

This message is incorrect. There was a good report on CNN, and I also spoke to a friend at the FAA. The pilot sighted the other plane visually before the TCAS alert and mistakenly thought the plane was at the same altitude. He descended. From everything the FAA can determine, TCAS gave a correct advisory and did not "malfunction." The pilot says that he does not remember what the TCAS advisory was but that his maneuver came before the advisory and was based on his visual sighting.

If you read about TCAS, you need to be aware that it is in the midst of a big political struggle. The pilots love it (there was a representative from ALPA on the CNN report). The controllers hate it. According to my friend in the TCAS office at the FAA, the data released by the controller's union about TCAS problems and printed in some newspaper reports of this recent incident is just not correct. So watch who is speaking when you hear about TCAS and its problems or advantages.

In case there is anyone who doesn't know, my Ph.D. students (Mats Heimdahl, Holly Hildreth, Jon Reese, Ruben Ortega, and Clark Turner) and I are working on a formal system requirements specification of TCAS II. This will serve as the official FAA specification of TCAS and also as a testbed application for their dissertations on safety analysis and risk assessment.

Nancy Leveson

------------------------------

Date: Thu, 3 Sep 1992 14:09:44 GMT
From: sims@drake.mitre.org (Jim Sims)
Subject: TCAS

In the version of the TCAS story I saw locally about the 2 USair jets near-miss, it mentioned that for the period June - June of the previous year, over 60% of the warnings/advisements from TCAS systems nationwide have been erroneous. Many of these have been of the same sort reported -- the system told two planes that were "safe" to maneuver into an "unsafe" flight path....

sims@starbase.mitre.org
The MITRE Corporation, 7525 Colshire Drive, MS Z421, McLean, Va. 22102
DECUS AI SIG Symposium Representative

------------------------------

Date: Fri, 4 Sep 92 10:39:49 PDT
From: "Peter G. Neumann"
Subject: The Glitch Telephone Network

The current issue of The New Yorker (7 Sept 1992) has an item in The Talk of the Town on the Glitch telephone network. Call 212-228-7514 and get a "glaring light each week on some dark alley that science is currently leading us down. In the past several months, Glitch has alerted us to the hazards of computer technology, the vulnerability of telephone privacy, and the folly of the high-speed chase."

I called Janet Pensig, who runs this line. Her message of the week deals with polymorphic viruses. She also notes that The New Yorker fabricated all sorts of quotes and missed the content of what she was saying. She is said by the article to be "deeply pessimistic about the future", which she says on the tape is not at all what she told them!
I left her a message, and when she called me back I discovered that she has been faithfully reading the RISKS section of the ACM Software Engineering Notes, as well as Inside Risks in the CACM. She is very serious about what she is doing. This seems like a wonderful educational opportunity for new yorkers (lower case to distinguish them from the magazine).

The Talk of the Town writer ended the last paragraph of the item like this: "We knew that ... we would never know the true face of doom -- so we just thanked her for her time and told her that we now felt much worse."

Check out Glitch if you wish.

PGN

[The NYer item was called to my attention by John Rushby, who got to his issue before I got to mine...]

------------------------------

Date: 2 Sep 1992 15:47:25 -0800
From: "Peter G. Neumann"
Subject: Phone Hackers

By David Ashenfelter, Detroit Free Press
Knight-Ridder/Tribune Business News

DETROIT--Sept. 1--In the late 1980s, high-tech pranksters got their kicks by breaking into unprotected computer systems. Then, they infected computers with harmful binary viruses. Today, hackers are wreaking havoc on computerized telephone systems.

"It's a big problem and getting worse," said John Haugh, a Portland, Ore., telecommunications expert who estimated that hackers are responsible for about $4 billion a year in toll fraud.

"Once they get inside the system and get a dial tone, they can make phone calls all over the world," Haugh added. "By the time the customer gets his phone bill, the criminals are long gone."

The Detroit Newspaper Agency (DNA), publisher of the Detroit News and Detroit Free Press, recently became a victim of one variation of the telescam.

Three months ago, DNA employees started finding strange messages in the company's computerized voice mail system. The messages were intended for someone else and were left by callers who identified themselves as "Black Lightning," "Phantom," or "Plastic Man."
What initially appeared to be a glitch in the voice mail system turned out to be the work of a hacker who broke into the message system through a dial-in maintenance line, said DNA telecommunications manager Ricardo Vasquez. Once inside, the hacker cracked the system administrator's pass code and set up scores of voice mailboxes for friends and associates who dialed in on the DNA's toll-free number.

Later, officials at Shell Oil Co. in Houston and Shearson Lehman Bros. in St. Louis notified Vasquez that their voice mail systems had been penetrated by hackers who left messages urging their friends to call a mailbox at the DNA.

"We were lucky," Vasquez said. "Our losses amounted to only a few hundred dollars for calls on our toll-free phone line." He said the company's losses would have been far worse had the system been equipped to allow the intruders to make worldwide long-distance calls on DNA phone lines.

Vasquez said the DNA does not plan to request a criminal investigation because losses were small. Officials at Shell Oil and Shearson Lehman declined to comment.

Michigan Bell security employees referred inquiries to the public relations staff, which, in turn, referred inquiries to the Tigon Corp., an Ameritech subsidiary in Dallas which sells and leases voice mail systems.

"It is a growing problem and people need to be aware of it," said Tigon spokesperson Jill Boeschenstein. "In most cases, hackers try to get in to have some fun and fool around with the message system.

"The real expense comes when they're able to make outgoing calls that the company ends up paying for. That can be a considerable sum before company realizes what is going on."

Boeschenstein said companies that buy or lease voice mail systems are responsible for unauthorized usage. She said companies can protect their phone systems relatively easily by using longer pass codes and disconnecting maintenance phone lines which enable system administrators to operate the system from a remote location.
Boeschenstein also said companies should do a more thorough job of monitoring their systems.

Telecommunications expert Haugh, whose company interviewed more than 400 toll-fraud victims or near victims, said the most sinister telephone hackers break into a phone system and set up hidden mailboxes, then sell them to drug, prostitution and child pornography rings that want to make free calls that are hard to trace.

Hackers also market mailboxes to nationwide rings which sell long-distance phone calls for $10-$30 apiece from pay phones on the streets of large U.S. cities. Haugh said many of the customers are immigrants who want to call relatives in their homelands.

A favorite time for hackers to sell phone service is on weekends when companies aren't using or monitoring their phone systems, some of which are capable of handling hundreds of long-distance calls simultaneously.

Haugh said one nationally-known manufacturer which he declined to identify belatedly discovered that it was on the hook for $1.4 million worth of long distance calls made on its phone lines in just one weekend.

And after companies are victimized, they rarely are willing to discuss it publicly.

"They're afraid of bad publicity or liability and in almost all cases their fears are unfounded," Haugh said. "It's a very foolish attitude. Until the problem becomes better understood, other companies aren't going to do enough to protect their systems from abuse."

------------------------------

Date: Fri, 4 Sep 92 16:40 EDT
From: Jack Holleran
Subject: 15th National Computer Security Conference, PROGRAM

Registration Information: Tammie Grice (301) 975-2775

Tuesday October 13
10:00a.m., Hall E, OPENING PLENARY
  Welcome: Mayor Kurt L. Schmoke, Baltimore City (invited)
  James H. Burrows and Patrick R. Gallagher, Jr.
  Keynote Speaker: Roland Huber, Commission of the European Communities
  Systems Security Award Ceremony
  Best Paper Awards

Wednesday October 14
CONFERENCE BANQUET (7:00p.m.)
  Speaker: Dr. Peter G. Neumann, SRI International
  Computer Security and Human Insecurity

Thursday October 15
Conference Awards Reception (6:00p.m.)

Friday October 16, 11:00a.m., Room 307 - 308 - 309
CLOSING PLENARY
  E. Troy, Chair, NIST
  Panel Discussion
  International Standards: A Path to International Harmonization
  Panelists: D. Herson, United Kingdom; S. Knapskog, ISO/SC27/WG3; U. Van Essen, Germany; R. Verrett, Canada

Technical Program

2:00p.m.

Hall E
Panel - Criteria I: Perspectives and Progress on International Criteria
  E. Troy, Chair, NIST
  "The IT Security Evaluation Manual" Y. Klein, Service Central de la Securite des Systemes d'Information, Paris, France
  Panelists: LTC R. Ross, NSA; D. Ferraiolo, NIST; E. Bacic, Canada; J. Wood, European Communities

Room 309
Covert Channels, Part I: Analysis
  Dr. B. Burnham, Chair, NSA
  "Architectural Implications of Covert Channels" N. Proctor and P.G. Neumann, SRI International
  "A Foundation for Covert Channel Analysis" T. Fine, Secure Computing Corporation
  "A Tool for Covert Storage Channel Analysis of the UNIX Kernel" D. Willcox, Motorola Microcomputer Group

Room 307-308
Panel: The TPEP and Product Innovation
  R. Henning, Chair, Harris Corporation
  Panelists: J. Adams, SecureWare; L. Baron, Sun Microsystems; W. Boebert, Secure Computing Corporation; Dr. M. Branstad, Trusted Information Systems, Inc.; Dr. R. Schell, Gemini Computers

Room 301-303
Threats and Security Overview
  LtCdr. A. Liddle, Royal Navy, National Defense University

Room 319-321
Panel: Virus I: Virus Attacks & Counterattacks - Real-World Experiences
  J. Litchko, Chair, Trusted Information Systems, Inc.
  Panelists: L. Mandeville, Miller, Belis & O'Neil, P.C.; J. Keyes, NASA; G. Wellham, Maryland National Financial, Inc.

Room 305
New Security Paradigms (Part I) 2:00-5:30p.m.
  H. Hosmer, Chair, Data Security, Inc.
  "A New Paradigm for Trusted Systems" Dr. D. Denning, Georgetown University
  Discussion Leader: Dr. L. LaPadula, The Mitre Corporation
  "New Paradigms for High Assurance Software" Dr. J. McLean, Naval Research Laboratory
  Discussion Leader: E. Leighninger, Dynamics Research Corporation
  "Managing Complexity in Secure Networks" Dr. D. Bailey, Galaxy Systems
  Discussion Leader: Dr. M. Abrams, The Mitre Corporation
  "Best Paper of the New Security Paradigms Workshop"
  Discussion Leader: E. Leighninger, Dynamics Research Corporation
  Panel Discussion: Dr. J. Dobson, Newcastle upon Tyne; Dr. D. Bailey, Galaxy Systems; Dr. D. Denning, Georgetown University; H. Hosmer, Data Security, Inc.; Dr. L. LaPadula, The Mitre Corporation; Dr. J. McLean, Naval Research Laboratory

4:00p.m.

Hall E
International Harmonization
  E. Flahavin, Chair, NIST
  "Re-Use of Evaluation Results" J. Smith, CESG
  Panel: TMach as a Symbol of International Harmonization
  Panelists: B. Boesch, DARPA; Dr. M. Branstad, Trusted Information Systems, Inc.; C. Ketley, U.K. Government; K. Keus, German Government

Room 309
Panel - Covert Channels, Part II: Overt Truths Behind Covert Channels
  P. Neumann, Chair, SRI International
  Panelists: R. Morris, NSA; J. Millen, The Mitre Corporation; V. Gligor, University of Maryland

Room 307-308
Evolving Security Requirements
  F. Mayer, Chair, Aerospace Corp.
  "Extending Our Hardware Base: A Worked Example" N. McAuliffe, Trusted Information Systems, Inc.
  "Evolving Criteria for Evaluation: The Challenge for the International Integrator of the 90's" J. Fowler, Grumman Data Systems
  "The Need for a Multilevel Secure (MLS) Trusted User Interface" G. Factor, Digital Equipment Corp.

Room 317
Information Technology Security Requirements Panel
  D. Gilbert, Chair, NIST
  Panelists: N. Lynch, NIST; S. Pitcher, Department of Commerce; M. Swanson, NIST; Dr. W. Maconachy, NSA

Room 301-303
Physical, Personnel, and Administrative Security
  H. Looney, National Defense University

Room 319-321
Viruses II: VIRUS Proposed Approaches
  J. Anderson, Chair, J. P. Anderson Company
  "Software Forensics: Can We Track Code to its Authors?" Dr. E. Spafford, Purdue University
  "Precise Identification of Computer Viruses" T. Polk, NIST
  "Data Security for Personal Computers" P. Bicknell, The MITRE Corporation

October 14

9:00a.m.

ROOM 309
DBMS I: Security in Database Management Systems
  C. Meadows, Chair, Naval Research Lab
  "Enforcing Entity and Referential Integrity in Multilevel Secure Databases" V. Doshi, The MITRE Corporation
  "A Multilevel Secure Database Management System Benchmark" L. Schlipper, The MITRE Corporation
  "Protected Groups: An Approach to Integrity and Secrecy in an Object-Oriented Database" J. Slack, Kansas State University
  "Implications of Monoinstantiation in a Normally Polyinstantiated Multilevel Secure Database" F. Kramer, Digital Equipment Corporation

Room 307-308
Perspectives on MLS System Solution Acquisition - A Debate by the Critical Players Involved
  J. Sachs, Chair, ARCA Systems Inc.
  "An Approach for Multilevel Security (MLS) Acquisition" W. Neugent, The Mitre Corporation
  Panelists: T. Clarke, Defense Information Systems Agency; A. Cuomo, NSA; G. Evans, Loral Western Development Labs; Col. J. Hackman, USAF, Joint Chiefs of Staff; B. Loiter, Digital Equipment Corporation; H.O. Lubbes, Naval Research Lab; Dr. W. Wilson, Arca Systems Inc.

Room 317
Network Security
  W. H. Murray, Chair, Consultant
  "Toward a Model of Security for a Network of Computers" P. Farrell, George Mason University
  "Risk Management of Complex Networks" R. Cox, CTA
  "A Local Area Network Security Architecture" L. Carnahan, NIST
  "Priorities for LAN Security: A Case Study of a Federal Agency's LAN Security" S. Chang, NIST

Room 301-303
Trusted Systems Concepts
  Dr. C. Abzug, National Defense University

Room 319-321
Panel - Information Systems Security Organization: Retooling for the Future
  Dr. W. Maconachy, Chair, NSA
  Panelists: S. Barnett, NSA; R. Quane, National Cryptologic School; A. Whieldon, NSA

Room 305
New Security Paradigms (Part II) 9:00-12:00a.m.
  Dr. J. Dobson, Chair, Newcastle upon Tyne
  "The Multipolicy Paradigm" H. Hosmer, Data Security, Inc.
  Discussion Leader: Dr. T. Haigh, Secure Computing Corporation
  "Metapolicies II" H. Hosmer, Data Security, Inc.
  Discussion Leader: Dr. L. LaPadula, The Mitre Corporation
  "Separation Machines" Dr. J. Graff, Amdahl
  Discussion Leader: M. Smith, AT&T
  "Mediation and Separation in Contemporary Information Technology Systems" J. Heaney, The Mitre Corporation
  Discussion Leader: E. Leighninger, Dynamics Research Corporation

11:00a.m.

Room 309
Panel - DBMS II: New Initiatives in Data Base Management Systems
  C. McBride, Chair, NSA
  Panelists: L. Vetter, Oracle; R. Varadarajan, Informix; M. Tinto, NSA; Dr. D. Downs, The Aerospace Corporation

Room 307-308
Issues in Trust & Specification
  M. Woodcock, Chair, U.S. Naval Academy
  "Issues in the Specification of Secure Composite Systems" J. Hemenway, Grumman Data Systems
  "A Note on Compartmented Mode: To B2 or Not B2?" Dr. T.M.P. Lee, Trusted Information Systems, Inc.

Room 317
Panel - Addressing U.S. Government Security Requirements for OSI
  N. Nazario, Chair, NIST
  Panelists: T. Humphreys, XISEC Consultants, U.K.; T. Bartee, IDA; D. Walters, NIST

Room 301-303
Trusted Networks
  R. Kenneth Bauer, Arca Systems, Inc.

Room 319-321
Panel - ISSA Initiatives
  D. Gary, Chair, Carnegie Mellon University

2:00p.m.

Room 309
Panel: The Electronic Certification: The Time has Come, Part I
  M. Smid, Chair, NIST
  Panelists: C. Martin, Government Accounting Office; B. Johnson, Army Corps of Engineers; K. Rose, NSA

Room 307-308
"The New TPEP Process"
  S. Nardone, Chair, NSA
  "Concept Paper - An Overview of the Proposed Trust Technology Assessment Program", P. Toth, NIST

Room 317
Panel: Forming A Computer Security Incident Response Capability (CSIRC)
  D. Steinauer, Chair, NIST
  Panelists: R. Pethia, Carnegie Mellon University; Dr. E. Schultz, Eugene Schultz and Associates; J. Wack, NIST

Room 301-303
Trusted Database Systems
  Dr. G. Smith, Arca Systems, Inc.

Room 319-321
Panel: Publications, Services, and Bulletin Boards
  R. Lau, Chair, NSA
  Panelists: C. Hash, NSA; S. Radack, NIST; M. Schanken, NSA; M. Swanson, NIST

Room 305 2:00p.m. - 5:30 p.m.
Group Decision Support for Developing a Curriculum DACUM
  Dr. Corey Schou, Idaho State University

4:00p.m.

Room 309
Panel: The Electronic Certification: The Time has Come, Part II
  D. Dodson, Chair, NIST
  Panelists: G. Ostrem, Datakey; W. Bialick, NSA; L. Shomo, NASA; L. McNulty, NIST

Room 307-308
Panel and Paper
Current Information Security Initiatives within the U.S. Armed Forces
  LTC R. Ross, Chair, USA
  "Standard Certification - Progression" Captain C. Pierce, USAF, AFCSC
  Panel Discussion: Challenges Facing Certification and Accreditation Efforts of the Military Services
  Panelists: B. Zomback, U.S. Army; L. Merritt, U.S. Air Force; J. Mildner, U.S. Navy

Room 317
Panel: Health Care
  G. Lang, Chair, The Harrison Avenue Corp.
  "Application Layer Security Requirements of a Medical Information System" D. Hamilton, Hewlett Packard
  Panelists: B. Bahramian, Beta Management Systems, Inc.; P. Fallon, Toshiba America Information Systems; S. Price-Francis, Canon Canada, Inc.; M. Schwartz, Summit Medical Systems, Inc.

Room 301-303
Trusted Integration & System Certification
  J. Sachs, Arca Systems, Inc.

Room 319-321
Student Papers
  Dr. H. Highland, Chair, Compulit
  "PM: A Unified Automated Deduction Tool for Verification" G. Fink, UC Davis
  "Finding Security Flaws in Concurrent and Sequential Designs Using Planning Techniques" D. Frincke, UC Davis
  "Electronic Measurement of Software Sharing for Computer Virus Epidemiology" L. de La Beaujardiere, UC Santa Barbara

October 15

9:00a.m.

Room 309
Panel - Intrusion Detection: Can we Build Models of Intrusions
  T. Lunt, Chair, SRI International
  Panelists: T. Garvey, SRI International; S. Snapp, Haystack Laboratories, Inc.; D. Icove, FBI; Dr. K. Levitt, UC Davis

Room 307-308
Certification & Accreditation Experiences in Civil Agencies
  A. Friedman, Chair, The MITRE Corporation
  "Accreditation: Is It a Security Requirement or a Good Management Practice?" T. Anderson, USATREX International Inc.
  Panelists: S. Smith, FAA; P. Camero, DEA; F. Brant, DoS; W. Donovan, FEMA

Room 317
Operational Policies
  R. Shilinski, Chair, NCSC
  "Some More Thoughts on the Buzzword "Security Policy"" D. Chizmadia, NSA
  "Operational Support of Downgrading in a Multi-Level Secure System" D. Nelson, Digital Equipment Corporation
  "Security Within the DODIIS Reference Model" B. McKenney, The MITRE Corporation

Room 301-303
Trusted Systems Concepts
  Dr. C. Abzug, National Defense University

Room 319-321
Panel: The National Research Educational Network (NREN): A Proposed Security Policy & Status Report
  S. Wolff, Chair, National Science Foundation
  Panelists: Dr. D. Branstad, NIST; Dr. S. Kent, BBN; Dr. S. Crocker, Trusted Information Systems, Inc.; V. Cerf, CNRI

Cryptography
  Dr. H. Highland, Chair, Compulit
  "New Dimensions In Data Security" K. Mundt, CE Infosys
  "The Kinetic Protection Device" M. Bianco, Hughes Aircraft Company
  "Provably Weak Cryptographic Systems" Dr. J. Higgins, Brigham Young University

9:00-11:00a.m.
Forming an Incident Response Capability
  Dr. Gene Schultz, Eugene Schultz and Associates

11:00a.m.

Room 309
Panel: Security Protocols for Open Systems
  P. Lambert, Chair, Motorola
  Panelists: R. Housley, XEROX; D. Maughan, NSA; D. Solo, BBN; D. Walters, NIST; M. White, Booz-Allen & Hamilton

Room 307-308
INFOSEC Design and Certification Initiatives
  D. Arnold, Chair, NSA
  "General Issues to be Resolved in Achieving Multilevel Security" W. Neugent, The Mitre Corporation
  Panelists: CDR. D. Campbell, USN, NSA; R. Flowers, NSA; S. Westendorf, NSA

Room 317
Panel - What Senior Federal Managers Think About Security
  C. Bythewood, Chair, NCSC
  E. Springer, Office of Management and Budget
  I. Gilbert Perry, NIST

Room 301-303
Trusted Networks
  J. Sachs, Arca Systems Inc.

Room 319-321
Panel: Federal Information Systems Security Educators' Association (FISSEA)
  Dr. W. Maconachy, Chair, NSA
  Dr. C. Schou, Idaho State University; J. Pohly, U.S.A.F.; D. de Zafra, Public Health Service; V. Marshall, Booz-Allen & Hamilton; B. Guffie, Social Security Administration

Room 323
Intrusion Detection
  T. Lunt, Chair, SRI International
  "Intrusion and Anomaly Detection: ISOA Update" J. Winkler, PRC, Inc.
  "Internetwork Security Monitor: An Intrusion Detection System for Large Scale Networks" T. Heberlein, University of California - Davis

2:00p.m.

Room 309
ACCESS CONTROL
  D. Dodson, Chair, NIST
  "Role Based Access Control" R. Kuhn, NIST
  "Knowledge-Based Inference Control in a Multilevel Secure Database Management System" Dr. B. Thuraisingham, The MITRE Corporation
  "A TCB Subset For Integrity and Role-Based Access Control" D. Sterne, Trusted Information Systems, Inc.

Room 307-308
Multilevel Security (MLS) Prototyping and Integration: Lessons Learned and DoD Directions
  C. West, Chair, Defense Information Systems Agency
  Panelists: R. Hale, NRL; Major R. LeSieur, USAF, ESC; E. Schwartz, NSA; C. Cross-Davison, DIA

Room 317
PANEL - Privacy I - Domestic Privacy: Roll of Honor and Hall of Shame
  W. Madsen, Chair
  "E-Mail Privacy and the Law" C. Axsmith, Esq., ManTech Strategic Associates, Ltd.
  Panelists: L. Schaefer, The MITRE Corporation; J. Abernathy, The Houston Chronicle

Room 301-303
Trusted Database Systems
  Dr. G. Smith, ARCA Systems, Inc.

Room 319-321
Considerations for Assurance
  T. Malarkey, Chair, NSA
  "A Model of Risk Management in the Development Life Cycle" Capt C. Pierce, USAF, AFCSC
  "Concept for a Smart Card Kerberos" M. Krajewski, Jr., The MITRE Corporation
  "Operating System Support for Trusted Applications" R. Graubart, The MITRE Corporation
  "Potential Benefits from Implementing the Clark-Wilson Integrity Model Using an Object-Oriented Approach" C. Schiller, Science Applications International Corporation

Room 323
Defense Against Computer Aids
  H. Peele, Air Force Intelligence Command

Room 305 2:00-5:30 p.m.
Making it Work: Applying INFOSEC to the Real World
  C. Barker, T. Parenty-Winkler, Trusted Information Systems, Inc.

4:00p.m.

Room 309
Data Assurances
  Professor S. Jajodia, Chair, George Mason University
  "Integrity and Assurance of Service Protection in a Large, Multipurpose, Critical System" H. Johnson, Information Intelligence Sciences, Inc.
  "An Example Complex Application for High Assurance Systems" S. Padilla, SPARTA
  "Mandatory Policy Issues of High Assurance Composite Systems" J. Fellows, Grumman Data Systems

Room 307-308
Trusted Network Products
  P. Woodie, Chair, NSA
  "Towards a Policy-Free Protocol Supporting a Secure X Window System" M. Smith, AT&T Bell Laboratories
  "An SDNS Platform for Trusted Products" E. Borgoyne, Motorola
  "SDNS Security Management" W. Jansen, NIST

Room 317
Panel: Privacy II - International Data Privacy: Roll of Honor and Hall of Shame
  W. Madsen, Chair, CSC
  Panelists: G. Montigny, Privacy Commission of Canada; E. Hendricks, Privacy Times

Room 301-303
Trusted Integration & System Integration
  Dr. W. Wilson, Arca Systems Inc.

Room 319-321
Trust Documentation
  W. Geer, Chair, AFCSC
  "Current Endorsed Tools List (ETL) Examples: Lessons Learned" C. Garvey, TRW Systems Integration Group
  "Companion Document Series to the Trusted Database Management System Interpretation" L. Notargiacomo, The MITRE Corporation
  "Assessing Modularity in Trusted Computing Bases" Dr. D. Baker, The Aerospace Corporation

Room 323
Panel: Electronic Crime: An Investigative Perspective
  Jack Holleran, Chair, National Computer Security Center
  Speakers: Special Agent Jack Lewis, Electronic Crimes Branch, Secret Service
  Special Agent Mark Pollett, Federal Bureau of Investigation

October 16

9:00a.m.

Room 309
Panel: R&D Future Needs
  B. Snow, Chair, NSA
  Panelists: Dr. S. Kent, BBN; W. Boebert, Secure Computing Corporation

Room 307-308
Information Security Engineering
  ENS S. Mitchell, USN, Chair, NSA
  "Information System Security Engineering: Cornerstone to the Future" Dr. D. Howe, NSA
  "Network Security via DNSIX, Integration of DNSIX and CMW Technology" H. Heller, Harris Corporation
  "Issues to Consider When Using Evaluated Products to Implement Secure Mission Systems" Lt Col W. Price, USAF, Air Force Space Command

Room 317
Panel: Privacy III - Government Surveillance Policy and Capabilities as the Telephone Network Goes Digital --- The FBI's Digital Telephony Initiative
  Dr. L. Hoffman, Chair, George Washington University
  Panelists: A. Bayse, FBI; J. Edwards, NORTEL Federal Systems, Inc.; J. Podesta, Podesta Associates

Room 301-303
Access Policies Mechanisms
  M. Schaefer, Chair, CTA, Inc.
  "Implementation Considerations for the Typed Access Matrix Model in a Distributed Environment" G. Suri, George Mason University
  "A Lattice Interpretation of the Chinese Wall Policy" Professor R. Sandhu, George Mason University
  "Experience with a Penetration Analysis Method and Tool" Dr. S. Gupta, University of Maryland

Room 319-321
Data Distribution
  K. Rowe, Chair, NSA
  "A Tamper-Resistant Seal for Trusted Distribution and Life-Cycle Integrity Assurance" M. Bianco, Hughes Aircraft Company
  "Use of a Case Tool to Define the Specifications of a Trusted Guard" R. Lazar, The MITRE Corporation
  "A Security Reference Model for a Distributed Object System and its Application" V. Varadharajan, Hewlett-Packard Labs., U.K.

Room 305 9:00a.m. - 5:30p.m.
Intrusion Detection Workshop
  Teresa Lunt, SRI International

------------------------------

End of RISKS-FORUM Digest 13.78
************************