
Cyber UL – “Paper discussing the way computer security systems are rated and how out of whack these ratings are from reality. Maybe a system based on the ratings the UL uses for alarm systems and safes makes more sense.”

<PRE>
Cyberspace Underwriters Laboratories
tan@l0pht.com

Cyberspace Underwriters Laboratories - 01/11/1999
Underwriters Laboratory

Underwriters Laboratories was founded in 1894 by an electrical
inspector from Boston, William Henry Merrill. In 1893, Chicago
authorities grew concerned over the public safety due to the
proliferation of untamed DC circuits and the new, even more dangerous
technology of AC circuits. These new and little-understood
technologies threatened our society with frequent fires which caused
critics to question if the technology could ever be harnessed safely.
Merrill was called in and set up a one-room laboratory with $350.00 in
electrical test equipment and published his first report on March 24,
1894.

Back in Boston, insurance underwriters rejected Merrill's plans for a
non-biased testing facility for certification of electrical devices.
Chicago, however, embraced the idea. Merrill took advantage of the
situation in Chicago to get up and running and within months had
support at the national level.

Today, UL has tested over 12,500 products world-wide and is an
internationally recognized authority on safety and technology. The UL
mark of approval has come to provide an earned level of trust between
customers and manufacturers and safely allowed our society to leverage
hundreds of inventions that would have otherwise been unfit for public
use.

While originally targeting inventions which could potentially cause
physical harm to the user, the UL has expanded into the listing of
alarm system products as well as alarm system installers. Individual
products are listed as meeting UL standards and the companies that
install those products are also listed as qualified to install the
product as intended. Insurance companies have leveraged the UL's
scrutiny to properly ascertain their risks.

Cyberspace

Today, technology continues to grow at a rapid pace, perhaps even out
of control. The commercialization of the Internet has led many
businesses to offer services out there in what has been called the
Wild Wild West (WWW). As a result, the public safety is at risk.
Utilities are bridging control systems to Internet attached
back-office systems. Banks are offering 'cyber-banking' and merchants
are collecting information about consumers as they transact their
business over the Web. Individual privacy and the fiduciary trust
banks and merchants have established over hundreds of years are open
to new threats as these activities become more and more prevalent.

As with early electrical inventions, today's computer security
products may introduce more harm than good when implemented by end
users. While some of these products do what they claim, most do not.
The lack of standards and meaningful certification has allowed the
sale of products that are either intentionally or unintentionally
snake-oil. While many of the products may solve old problems and
inadvertently introduce worse ones, some just do not perform as
advertised at all. For instance, some products have been marketed as
utilizing the latest and greatest encryption mechanisms when in fact,
the version they are selling does not utilize any encryption at all.

Just as in the late 1800's, the consumers have little understanding of
the inventions they are purchasing. They are presented with claims by
the product's marketers and have no way of proving those claims to be
true or false. Just as it was back then, this has not stopped the
large-scale application of these inventions, regardless of public
safety. In the late 1900's, nobody has stepped up to the plate to
expand the UL's role into computer security products or to take that
role as their own. To some extent, groups like Nomad Mobile Research
Center and L0pht Heavy Industries have acted as modern day Merrills,
publishing non-biased findings to this effect.

This is not to say that certification of computer security products
has not been attempted in the past. ICSA for instance, operates a
certification program for products. CISSP and other organizations also
offer certification of information security professionals. These
organizations however, have failed drastically at providing what the
UL has provided on a more general 'technology' level. These failures
could be examined in detail but such an exercise is outside the scope
of this article.

The bottom line for ICSA is that it does not have the rigorous
standards that the UL has and its credibility has suffered as a
result. ICSA fails to see the certification process as ongoing or
cyclical allowing for products to inherit their 'certification'. As a
result, it is believed by some that there is a problem in that there
is a lack of non-biased inspection of software and that money buys
more certifications than good product design and implementation.

CISSP certifies individuals in the computer security industry. While
sorting out those who are fluent in the industry jargon and concepts,
the work of CISSP's still lacks accountability in that their
certification is tied to a test rather than what the UL refers to as
a 'field counter-check'. Like most computer certifications however,
this is simply a test of test-taking skills rather than a test of
experience and understanding.

Cyber-UL

Product certification needs to be performed on every version of a
product. Small changes that could ripple through traditional
technologies causing safety problems are at least ten fold when
applied to computer software. Many similarities may be drawn between
the certification of computer security products and the listing of
alarm systems and components that UL performs today.

UL has a stringent set of tests which are performed on physical
security systems which seek UL listing. For instance, safes and vaults
have a number of different labels which indicate their adherence to
different standards. UL utilizes 'young hotshot' safe-crackers wishing
to make a name for themselves, to do the actual testing. This way,
specialists are motivated (by not only fame but by financial
compensation as well) to validate the claims that the vendors'
marketing people want to make. The entire safe and vault business
operates around these ratings to communicate to the customer what it
is that the product was designed to do. Based on value and risk, a
customer may choose to spend more or less on higher or lower rated
labels.

The two major factors which influence the level of rating are time and
tools. The 'hotshot' safe-crackers are given samples of the product
and guidelines for their attempts to defeat its security. For
instance, a TL-30 rating means that the cracker is limited to tools
not including torches or explosives and is given 30 minutes of actual
working time to defeat the security. If X6 is appended to the rating,
the rating applies to not only the door, but the container (the rest
of the safe). This aligns the vendor's claims to the actual
performance of the product. Also, if a new version of the safe comes
out, it does not inherit the old version's listing, it must be
re-listed.

This addresses a big problem that was sure to arise with safe vendors
and has definitely risen in the computer security arena. Customers,
due to human nature, want products to be certified as 'secure'. Just
as customers like to hear promises of security, vendors love to make
them. In 1913, UL tested the first 'security devices'. With this
expansion into security devices, they recognized the need to replace
the word 'Approved' with the words 'Inspected' or 'Listed'. Due to
what UL has established with security devices, customers are not
lulled into a false sense of security and vendors do not make
outrageous claims. Customers are presented with 'product x is rated at
rating y' rather than 'it's ICSA certified'. Vendors claim to be
resistant to certain toolsets for certain amounts of time. This is not
what the computer security field looks like today, but is where it
needs to go. The manufacturer and consumer must realize that testing
'security' is not the same as testing 'functionality' and because of
that, claims need to be adjusted to fit reality. If a door-knob opens
a door, the door works. If a safe-lock opens when you dial the
combination, it does not mean the safe works. You can however, perform
tests on the safe to assure that it operates as advertised within
certain heat and force constraints.

While listing individual devices as meeting UL standards is useful to
a security professional or consumer, it is only a small part of the
picture. Installation and configuration of components is critical to
the actual effectiveness of the security solution. For this reason,
installation of alarm systems is another area of influence for the UL.
This may seem like a daunting task since the number of implementations
is exponential to the number of products. UL has, with only about
4,000 employees, listed more than 12,500 products in over 40 countries
and developed over 600 standards for product safety. The tack taken to
assure the correct installation of alarm systems has been to list
alarm installation companies. Systems installed by UL listed companies
may qualify for a UL issued certificate. Once the certificate registers
the customer's alarm system, it becomes an eligible candidate for 'field
counter-checks' (spot-audits) which are performed to assure that
listed installers are not cutting corners. If a system which has
received a certificate fails the field counter-check, the installer
could potentially lose their UL listing. The UL has maintained a
quality program by scaling the number of field counter-checks as
needed.

Problems with the model

While the UL model for security devices seems to address many of the
same issues that surround Cyberspace, there are a number of problems
with deploying the model for computer security devices as it stands.

The first problem is that if a security system is defeated in the
physical world, it is typically very obvious to those who come into
work on Monday and see that the money is gone and the safe is in
pieces. Detection of a cyber intrusion is typically NOT very obvious
to those who come into work on Monday. Because of this fact,
safe-crackers have very limited time to crack a vault. Hackers on the
other hand, have unlimited time to crack a system. Once they get in,
safe crackers typically REMOVE items which then become 'missing'.
Hackers typically COPY items unless their motives are political rather
than financial, leaving the originals and the system intact. For cyber
intrusions to become less surreptitious, intrusion detection needs to
mature and become more widely deployed if 'time' is to be a meaningful
factor in the process.

The commercial model is based around the storage of valuables,
particularly jewelry and cash. In addition to the (American) UL
standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60),
there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a
Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160,
160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are
based on time and tools. Time and tools is an excellent set of
criteria for rating computer security components in areas such as
encryption. In America, the various insurance agencies determine what
rating is required for them to insure a given amount to be stored in
the safe or vault. In Europe, the Dutch Safe Rating Committee
publishes a similar standard assigning a range of financial value to
each rating in each of the three systems.
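The label format described above (tool class, working time in minutes, and an X6 or /6 suffix when the whole container rather than just the door is covered) and the underwriters' practice of tying a required rating to a stored amount can be made concrete in code. The following Python is an added example, not code from the article or from UL; it assumes the general reading that TRTL adds torch resistance and TXTL adds explosive resistance, and the coverage schedule it uses is constructed for illustration, not any insurer's real figures.

```python
import re
from dataclasses import dataclass

# Tool classes in increasing order of resistance. That TRTL adds torch
# resistance and TXTL adds explosive resistance is general UL usage and an
# assumption here; the article only says TL excludes torches and explosives.
TOOL_CLASSES = {"TL": 1, "TRTL": 2, "TXTL": 3}

# Label grammar as the article describes it: <class>-<minutes>, optionally
# followed by X6 (or the /6 form) meaning all six sides are covered.
LABEL_RE = re.compile(r"^(TL|TRTL|TXTL)-(\d+)(X6|/6)?$")


@dataclass(frozen=True)
class SafeRating:
    tool_class: str   # TL, TRTL or TXTL
    minutes: int      # net working time allowed to the cracker
    six_sides: bool   # True if the rating covers the container, not just the door


def parse_rating(label: str) -> SafeRating:
    """Parse a label such as 'TL-30', 'TRTL-30X6' or 'TRTL-15/6'."""
    m = LABEL_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"unrecognized safe rating label: {label!r}")
    tool_class, minutes, suffix = m.groups()
    return SafeRating(tool_class, int(minutes), suffix is not None)


def meets_requirement(actual: str, required: str) -> bool:
    """True if a safe rated `actual` satisfies an underwriter's `required` rating.

    A higher tool class implies resistance to the lower classes' tools, more
    working time is stronger, and a six-side requirement is only met by a
    six-side rating.
    """
    a, r = parse_rating(actual), parse_rating(required)
    return (
        TOOL_CLASSES[a.tool_class] >= TOOL_CLASSES[r.tool_class]
        and a.minutes >= r.minutes
        and (a.six_sides or not r.six_sides)
    )


# Constructed illustration of an underwriter's schedule: (coverage ceiling,
# minimum rating). The amounts are invented for this example and are not
# taken from the Dutch Safe Rating Committee or any real insurer.
EXAMPLE_SCHEDULE = [
    (10_000, "TL-15"),
    (50_000, "TL-30"),
    (150_000, "TRTL-30"),
    (500_000, "TRTL-30X6"),
    (1_000_000, "TXTL-60"),
]


def required_rating_for(amount: int, schedule=EXAMPLE_SCHEDULE) -> str:
    """Lowest scheduled rating whose coverage ceiling is at least `amount`."""
    for ceiling, label in schedule:
        if amount <= ceiling:
            return label
    raise ValueError(f"no scheduled rating covers {amount}")


def safe_is_insurable(label: str, amount: int) -> bool:
    """Does this safe's label satisfy the rating required for this amount?"""
    return meets_requirement(label, required_rating_for(amount))


if __name__ == "__main__":
    for label, amount in [("TL-30", 40_000), ("TL-60", 120_000), ("TRTL-30X6", 400_000)]:
        print(f"{label:10} for {amount:>9,}: needs {required_rating_for(amount)}, "
              f"insurable={safe_is_insurable(label, amount)}")
```

Note that a longer working time never compensates for a missing tool class: TL-60 does not satisfy a TRTL-30 requirement, which is exactly the "claims adjusted to fit reality" point the article makes about a rating meaning one specific toolset for one specific time.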

This does not, however, address liability for storage of information
such as credit ratings, social security numbers, bank balances, web
surfing preferences, political affiliations, which is subject not only
to theft but to alteration or even just surreptitious access. When
storing sensitive information, a more appropriate place to look for
examples is to the government. Classified information presents many of
the same storage requirements that sensitive information on the public,
or even on commercial interests, does.

To meet the U.S. Government's needs in this area, General Services
Administration (GSA) has published standards (classes 1-8, black, red,
green and blue labels) which rate storage containers for everything
from weapons to information processing systems to filing cabinets.
They additionally publish information on storage of confidential,
secret, and top-secret materials in GSA Approved (or Non-GSA Approved)
containers. This information includes additional requirements for
alarm systems, restricted building access, guard check points, etc...
Specifics on GSA classes and labels are seemingly difficult to come
by. Based on the information I have found in the document library of
locks.nfsec.navy.mil/document_library/guides however, much of what has
been worked out by the GSA could potentially serve as a foundation for
developing similar standards for the storage of information on the
public.

The U.S. Department of Commerce has commissioned the National
Institute of Standards and Technology (NIST) to maintain FIPS PUB
140-1, Security Requirements For Cryptographic Modules. The document
sets forth a standard for specification of cryptographic-based
security systems protecting unclassified information. It provides for
product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This
range is designed to cover a wide range of data sensitivity, from 'low
value administrative data' to 'million dollar funds transfers' to
'life protecting data'. The standard is typically utilized for devices
which protect tokens or encrypt data such as crypto boxes.

While this system may or may not be successful in real life, it
certainly deserves closer examination in that it represents what may
be the closest thing that the U.S. Government has to UL for computer
security products. Under the FIPS 140-1 Testing and Validation model,
vendors select an accredited FIPS 140-1 testing lab, submit their
'module' for testing and pay the testing fee. The lab then tests the
product for conformance to FIPS 140-1 and passes a report on the
'module' to NIST/CSE for validation. Throughout this process, the lab
may submit questions for guidance and clarification to NIST/CSE. If
the report is favorable, a validation certificate is issued by
NIST/CSE for the 'module'. The certificate is presented to the vendor
through the lab and the 'module' is added to the published list of
Validated FIPS 140-1 Modules.

The problem may stem from the difference between UL's roots and those
of ICSA and CISSP. It certainly manifested itself in the fact that the
UL is the only one providing non-biased product inspections as well as
accountability for the quality of the installations out there in the
field. Requirements for the use of 'listed' intrusion detection
systems, encryption mechanisms, and companies could on their own make an
impact if that listing actually meant something. The use of strict
procedures and specific levels of physical security could be required
as in the GSA model and this too could help the private sector. This
has not been the tack taken to date, however.

The second problem is that manufacturers of physical security devices
are pressured by customers to have a UL listing. This is because
customers are pressured by insurance underwriters to use products that
meet UL specifications. In Cyberspace, businesses currently feel that
the embarrassment and loss of public trust are more costly than the
actual damage caused by hackers. Citibank has become the most
well-known example of what happens when computer intrusions are made
public knowledge. By taking commendable actions and not covering up
the intrusion, Citibank is now known as the bank that got hacked
instead of the bank that handled the situation appropriately. Since
silence seems to be the best policy, cyber merchants choose to 'eat'
their losses rather than risk the negative publicity. Until these
losses become intolerable and insurance is necessary, there may be no
motivation to drive the certification, approval or listing of products
by UL or any similar organization.

It took UL about 30 years from being subsidized by the insurance
agencies to being self-supporting on fees paid by manufacturers for
testing. Merrill was the first full-time employee as a result of this
change. Insurance underwriters and the Consumer Product Safety Commission
were instrumental in gaining public acceptance of UL work. It was the
public's safety that was of concern and liability drove companies to
insure. Insurance underwriters found they were then saddled with the
problem and addressed it effectively with the UL. Perhaps at some
point the collection and storage of information on the public will
carry some sort of liability with it.

A Call for Action

Without a call for action, I would simply be a whiner. At this point,
you the reader can assist with very little effort. Whether you are a
vendor, insurance company, end user, or hacker, let me know your
thoughts on the state of the industry, the state of the UL and/or this
article's conclusions. As a hacker, is the relationship between the
hot-shot safe crackers and the UL an attractive one you would be
interested in? Is the UL listing process for installations sufficient?
Will it encounter problems unforeseen by this article? As an insurer,
am I missing part of the picture; are companies actually insuring
their computer systems and data to mitigate loss or liability? As a
manufacturer do you foresee problems with the UL model being imposed
on computer security products? As an end user do you feel that
computer security is important? Do you feel that the current system
actually is sufficient? Have you been wanting something better or do
you feel that you are being slighted by my insinuation that you do not
fully understand the products you purchase? Any and all feedback on
this article would be appreciated no matter where it comes from
(although manufacturer comments will be taken with a grain of salt).
Forward those comments to tan@l0pht.com. If there is enough feedback,
I may write a follow up article on this topic. I am considering going
into detail on each rating system (UL, German, Scandinavian, GSA and
FIPS 140-1), highlighting overlaps with the computer security
discipline.

Thanks to the UL for providing documentation on the history of the UL
and directing me to Peter Tallman of the Melville, N.Y. office. Thanks
to Peter Tallman for clarifying some of the issues surrounding the
listing of safes and alarm systems and directing me to Beverly
Borowski whom I hope can assist me in my future research. Also of use
to date was FED-STD-809, the federal standard for neutralization and
repair of GSA approved containers as well as a yearly publication by
the Dutch Safe Rating Committee called 'Recommendations for Insuring
Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides
a searchable index of federal standards including FED-STD-809. The
Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling
Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands
- Tel. 070-3912008. Additional thanks to the researchers at the L0pht
for their assistance, particularly to Brian Oblivion for providing
extensive documentation on FIPS 140-1.

</PRE>
