A Few Specific Recent Problems of Note
Here are just a few specific recent problems of note:
- The U.S. Government has had a new rash of large-system fiascos, including the Federal Aviation Administration's efforts to modernize the Air Traffic Control system, the IRS attempt at tax systems modernization, and the FBI's upgrading of the National Crime Information System (NCIC). California has had major difficulties with its new Deadbeat Dads database.
- Widespread West-Coast power outages during the summer of 1996 remind us of the propagation effects of the ARPANET collapse of 1980 and the AT&T collapse of 1990.
- In the U.S., Websites of the Central Intelligence Agency, Department of Justice, NASA, and the Air Force have been penetrated and altered by intruders. Numerous security flaws have been found in Web browsers and Web software.
- Some remarkable theoretical attacks have been described on cryptographic systems, including timing attacks that can derive private keys from observed behavior (Paul Kocher), demonstration of smart-card vulnerabilities (Ross Anderson), and introduction of electromagnetic interference to derive private keys in public-key crypto (Boneh, DeMillo and Lipton) and to derive secret keys in DES and other shared-key crypto systems (Biham and Shamir).
In addition, a class of rather efficient potential man-in-the-middle attacks on a variety of authentication protocols has been described (Sarvar Patel, IEEE Symposium on Security and Privacy, 1997).
- A National Research Council study report appeared that is worth citing, representing a comprehensive review of U.S. cryptographic policy and an analysis of the risks associated with bad crypto and good crypto. See Cryptography's Role In Securing the Information Society (a.k.a. the CRISIS report), Final Report of the National Research Council Cryptographic Policy Study Committee, National Academy Press, 2101 Constitution Ave., Washington, D.C. 20418, 1996.
References to some of these problems can be found at http://www.csl.sri.com/neumann.html on my Website, in ftp://ftp.csl.sri.com/illustrative.PS, and in back issues of RISKS.
If you wish to catch up with recent events and you are able to browse the Internet, you are encouraged to peruse the RISKS archives -- at ftp.sri.com/~risks or via ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks (the volume-summary issues are in risks-*.00; back volumes have their own subdirectories, e.g., "cd 18" for volume 18), or http://catless.ncl.ac.uk/Risks/VL.IS.html (where VL is the VoLume number and IS the ISsue number). The ftp.sri.com site directory ``risks'' and ftp.csl.sri.com both contain the most recent PostScript copy of my comprehensive historical summary of mostly one-line descriptions of the RISKS cases in the file get illustrative.PS .