General Information About Cybersecurity
If your experience is at all like mine, you will find that
you need to both educate and convince people —
from the "on-the-front-lines" users to management.
Here's some help.
Tell them about telecommunications outages,
cyberwar, COMSEC, and more.
In the following list:
AWST = Aviation Week and Space Technology
WSJ = Wall Street Journal
DOD = U.S. Department of Defense
The 2012 NTP Outage
On November 19, 2012, the two stratum 1 NTP servers tick.usno.navy.mil and tock.usno.navy.mil went back in time by about 12 years. This caused outages in a wide range of PBXs, routers, and Active Directory servers. See NTP Issues Today at the NANOG mailing list, and Did Your Active Directory Domain Time Just Jump To The Year 2000? and Has your Windows Server 2003 Domain Controller time gone back to year 2000 (like Y2K)? at Microsoft's Technet.
Electromagnetic Pulse Myths: EMP and HERF Guns
There are constant dire warnings about electromagnetic
pulse (or EMP) weapons.
Here is an excellent collection of rebuttals and disproofs:
EMP Weapons: Keeping us fearful
This has been over-hyped with fictional stories at least since the mid 1990s. Back then there was a persistent claim that a London banking organization paid millions of pounds to stop a two-year series of attacks mixing logic bombs with electromagnetic pulse weapons. This was supposedly reported in the London Sunday Times, 2 June 1996, pg 1, and 9 June 1996, pg 1, but good luck finding the report. This story is now widely thought to be overly hyped and possibly a complete fabrication, especially the part about the electromagnetic pulse weapons. But self-proclaimed "infowar specialists" still carry on endlessly about "HERF guns" (or high-energy radio frequency weapons) and EMP devices.
Reports of GPS spoofing by Russia became common in 2017. Also see the academic paper "Hostile Control of Ships via False GPS Signals: Demonstration and Detection", Jahshan Bhatti and Todd E. Humphreys, Navigation, doi://10.1002/navi.183.
The Truth About Cars, 30 Jan 2017
Digital watermarking, related to steganography (hiding messages in data), has been around a long time:
- It was used by Demaratus, a Greek, to send a message to the Spartans in the war between the Greeks and the Persians in 480 B.C. [see "The Histories" by Herodotus, "The Code Book" by Simon Singh, and "The Codebreakers" by David Kahn]
- Much later than that (in 1500!), it was described by the Benedictine monk Johannes Trithemius in Steganographia. He described a method of hiding text in a prayer book.
- Playboy used it to watermark imagery sold in electronic form since 1997. See the Digimarc press release or Secure Computing, Aug 1997, pg 15.
It's been discussed in non-specialist
publications since the mid-1990s:
- Nature, 12 Dec 1996, pg 514
- AWST, 20 Oct 1997, pg 13, and 3 Nov 1997, pg 17
- Business Week, 1 Sep 97, pg 35
- New York Times, 17 Feb 1999.
For huge losses most people willingly ignore, see Scientific American, July 1997, pp 82-89, for a great article, "Taking Computers to Task" by W. W. Gibbs. For example, Sun Microsystems prohibited fancy presentations, as they found that people can quickly assemble quality technical information but they will waste lots of time trying to make slides look pretty.
DNS (Domain Name System) Security Issues
DNS should work as follows:
The human user types
www.cromwell-intl.cominto a browser. The browser recognizes that this is not an IP address, and it makes a library call to the resolver. That creates a DNS query packet asking for an A record for the fully-qualified domain name (FQDN). This is a relatively simple UDP datagram.
- That DNS query is sent to the client's nameserver. If you are reading this at home, that means the DNS server specified by your ISP when your system used DHCP to get its IP configuration. If you are at work, then it would be your corporate DNS server. Either way, the DNS server is willing to do some work on behalf of the client and answer its questions because it's a client.
That nameserver (labeled "ISP nameserver" below)
doesn't know and it doesn't know who to ask.
So it asks a server authoritative for the entire
.comdomain, "Where is the nameserver for the cromwell-intl.com domain?", asking for an NS record. The root servers are authoritative for
.comand so its IP address is coded into the DNS server software.
.comserver answers the direct question and also passes along the answer to the obvious next question, "What are their IP addresses?". As it turns out, there are four. One question was asked, there were four answers and four additional pieces of useful information.
Your nameserver now picks one of those servers
and asks the original question,
"What is the IP address for
That nameserver responds that
www.cromwell-intl.comis really an alias. The canonical name is
cromwell-intl.comand its IP address is 188.8.131.52. This information should be good for a while, feel free to cache it for 3,600 seconds.
- Your ISP returns that information to your client, which receives it and passes the information along to the browser application. It makes a connection to TCP port 80 on that IP address, and this page loads.
- Meanwhile your nameserver is caching that information in case some client asks the question within the Time To Live value.
Below you see those numbered steps as ASCII art:
[1,2] client -------> ISP nameserver DNS query: www.cromwell-intl.com A record  ISP nameserver ------------> .com name server DNS query: cromwell-intl.com NS  ISP nameserver <------------ .com name server ;; ANSWER SECTION: cromwell-intl.com. 18418 IN NS ns-cloud-c2.googledomains.com. cromwell-intl.com. 18418 IN NS ns-cloud-c4.googledomains.com. cromwell-intl.com. 18418 IN NS ns-cloud-c1.googledomains.com. cromwell-intl.com. 18418 IN NS ns-cloud-c3.googledomains.com. ;; ADDITIONAL SECTION: ns-cloud-c1.googledomains.com. 18418 IN AAAA 2001:4860:4802:32::6c ns-cloud-c2.googledomains.com. 18418 IN AAAA 2001:4860:4802:34::6c ns-cloud-c3.googledomains.com. 18418 IN AAAA 2001:4860:4802:36::6c ns-cloud-c4.googledomains.com. 18418 IN AAAA 2001:4860:4802:38::6c ns-cloud-c1.googledomains.com. 18418 IN A 184.108.40.206 ns-cloud-c2.googledomains.com. 18418 IN A 220.127.116.11 ns-cloud-c3.googledomains.com. 18418 IN A 18.104.22.168 ns-cloud-c4.googledomains.com. 18418 IN A 22.214.171.124  ISP nameserver ------------------------> ns-cloud-c1.googledomains.com DNS query: www.cromwell-intl.com A  ISP nameserver <------------------------ ns-cloud-c1.googledomains.com ;; ANSWER SECTION: www.cromwell-intl.com. 3600 IN CNAME cromwell-intl.com. cromwell-intl.com. 3600 IN A 126.96.36.199 [7,8] client <------- ISP nameserver <---> cache DNS answer: www.cromwell-intl.com CNAME = cromwell-intl.com Additional resource record: cromwell-intl.com A = 188.8.131.52 TTL = 3600 seconds
What the attacker wants to do:
The attacker wants to fool many people into looking at the wrong web site. They build a bogus web site on some server. It looks like something people would trust, for example, a clone of the
citibank.com web site.
Of course, it is just going to steal information if
anyone visits it and believes it's really Citibank!
They will then try to fool as many DNS servers as possible
into beliving that the IP address for
citibank.com is whatever IP address they have
for their bogus site.
So how do the bad guys fool the world-wide DNS infrastructure?
Problem #1 — Stateless DNS
Early versions of the BIND DNS server did not keep track of which questions they had asked. If they got an answer, they assumed it was relevant and put it in the cache. So the bad guy does this:
Someone should run the reverse service,
providing PTR (or "pointer") records saying,
for example, that
184.108.40.206 corresponds to
cromwell-intl.com.Really this is done as a DNS PTR record:
220.127.116.11.in-addr.arpa IN PTR cromwell-intl.com
The bad guy takes responsibility for providing this service for his small block of IP addresses. Let's say he's at 18.104.22.168. That IP address belongs to a Romanian ISP from which I see a bunch of probes. Our theorized hacker has a DNS server responsible for at least this part of the reverse space under
22.214.171.124.in-addr.arpa IN PTR hackerpc.romtelecom.ro
or something like that....
The bad guy does some surveillance
to find name servers running old and vulnerable
- Find the IP addresses for a bunch of Internet Service providers.
For each of those IP addresses, run this
$ dig @IP version.bind chaos txt
That should just fail, but sloppily configured servers will answer. Some of those will report old versions, effectively announcing, "I am vulnerable!"
- For each vulnerable DNS server, each one of which represents an entire domain or organization about to be misled, the bad guy intentionally attempts a connection that will fail. A good example would be to connect to TCP port 23, the TELNET service, on the nameserver itself.
- That target nameserver may try to resolve the attacker's IP address back to a hostname, meaning that it will send a DNS query for the PTR record to the nameserver under the bad guys contol.
That nameserver responds with the requested answer:
126.96.36.199.in-addr.arpa IN PTR hackerpc.romtelecom.ro TTL=3600
However, it also sends some additional resource records in that DNS reply packet. These are unsolicited responses, answers to questions that were not asked:
www.citibank.com IN A 188.8.131.52 TTL=31536000
citibank.com IN A 184.108.40.206 TTL=31536000
www.bankofamerica.com IN A 220.127.116.11 TTL=31536000
bankofamerica.com IN A 18.104.22.168 TTL=31536000
and so on, trying to inject bogus information about the IP addresses of banking sites with a time to live of one year.
Now when any client of that vulnerable nameserver
resolves any of those hostnames to an IP
address, they are given the bogus answer
corresponding to the hacker's hostile site.
This was the technology behind the September 1997
"CIA web page hack" and many more attacks
This is called a cache poisoning attack.
Problem #2 — The Kaminsky DNS Vulnerability
Dan Kaminsky discovered a very serious problem in DNS and publicized it in the summer of 2008. Left out of the above explanation was the detail that DNS packets contain a field called the Query ID. This allows a DNS server to match answers to questions, and it allows newer DNS implementations with some sense of state to tell if a given answer corresponds to a question that they had asked.
The problem is that the Query ID is reasonably easy to guess in many DNS server implementations. The bad guy now:
Builds a DNS server claiming to be authoritative
for a sensitive domain like
citibank.com.However, it will always give the bad guy's IP address as the answer to any address queries!
- Surveils Internet DNS servers to find ones probably vulnerable to this attack.
- For each one, make some legitimate queries to estimate the state of the Query ID field.
Ask a question that will require the target
server to send a query to the
citibank.comnameserver. Ask for the IP address of a hostname known not to exist,
"What is the IP address of
Since the nameserver very likely will not answer questions for clients not within its domain, the bad guy simply forges the source IP address on the DNS query datagram. It will get to the server just fine as long as the bad guy's ISP does not do sanity checking, and the bad guy will have selected an ISP that does not do sanity checking in order to support this and many other attacks.
Using a network of compromised PCs under his control,
the bad guy launches a blizzard of bogus DNS
responses with various Query ID values.
His hope is that one of them will be correct.
Depending on the predicability of the Query ID field
and the number of compromised hosts under his control,
this may be very likely indeed.
Each of those packets uses Authority records to
delegate further questions about the
citibank.comdomain to the bad guy's bogus server.
"I don't know the answer, but you can find the answer by asking the nameserver
ns1.citibank.comand its IP address is 22.214.171.124."
However, that is the bad guy's hostile DNS server. Now every question about the
citibank.comdomain will be sent to the bad guy's DNS server — he effectively owns the
citibank.comdomain as far as that victim nameserver's domain is concerned.
This is also a cache poisoning attack, but it is far more powerful.
So, how do you avoid being a victim?
Update your DNS server.
Make sure your server is running up-to-date DNS server software! Patched DNS server software will randomize both the UDP port used for its queries and the Query ID field itself. Unfortunately, six or so months after Kaminsky's discovery was announced to great fanfare, mention in newspapers and so on, over 25% of the DNS servers on the Internet were found to still be running out of date and vulnerable software!
Configure your DNS server correctly.
Use the Team Cymru Secure BIND Template.
Open DNS Resolver Project.
You can query CIDR blocks of IP addresses to see if you have any open DNS resolvers.
The Measurement Factory.
It's similar to the Open DNS Resolver Project.
This is another web-based tool for testing DNS servers.
The djbdns DNS server by Daniel J Bernstein has correctly randomized both the source UDP port and Query ID since the beginning. Many people find his djbdns easier to configure than the much more commonly used BIND software from ISC.
"Security through obscurity"
"Security through obscurity" has known to be ineffectual
for well over a century.
Auguste Kerckhoffs (1835-1903) stated
that the security of a cryptosystem must not depend on
keeping its algorithm secret.
See his article "La cryptographie militaire",
in Journal des sciences militaries,
vol IX, pp 5-38, Jan 1883.
Overview The original paper (PDF)
U.S. Government fear-mongering about electrical power grid hacking
The U.S. Department of Homeland Security released a very contrived video in September 2007 showing catastrophic failure of an electrical power generator. This got notoriety as the "Aurora Generator Test", conducted in March 2007. But it was largely interpreted as little more than an intentional scare story by DHS.
Then "CIA senior analyst Tom Donahue" seems to have gone on a one-man fright crusade:
- "A CIA analyst told attendees at a SANS Institute conference that hackers infiltrated an overseas power grid to knock out power. Senior analyst Tom Donahue did not say which cities were affected, or for how long power was cut. The warning came in the wake of a U.S. Department of Homeland Security video demonstrating a hacker taking over a power grid." SC Magazine, March 2008, pg 14
- "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," Donohue said at the SCADA 2008 Control System Security Summit in New Orleans [16 Jan 2008]. "We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge," he said. "We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." See a description in Government Executive, 18 Jan 2008.
June 2008 — "Last month the National Journal cited two computer security professionals, who in turn cited unnamed U.S. intelligence officials, in reporting that China's People's Liberation Army may have cracked the computers controlling the U.S. power grid to trigger the cascading blackout that cut off electricity to 50 million people in eight states and a Canadian province [in August, 2003]" But cyber security consultant Paul Kurtz, who worked at the White House at the time of the blackout, said they're no truth to the claim and many others have backed him up.
April 2009 — This same story appeared, again, in the Wall Street Journal this time (4 April 2009, article by Siobhan Gorman). The article is based on anonymous sources and "former national-security officials". It goes on to re-hash "CIA senior analyst Tom Donahue", making this just yet another cycle of the same old scare story.
April 15, 2009 — Time magazine observes that there have been no instances of cyberattacks taking down national power grids.
It has been observed in a Wired article that these scary stories are suspiciously correlated with US Government announcements of the need for increased surveillance.
A more prominent threat is physical attacks. Some have taken place, see stories at the Los Angeles Times, Reuters, and the Wall Street Journal for reports on an April 2013 attack on the PG&E Metcalf substation near San Jose, California, when rifle shots damaged 17 transformers.
See the following section about attacks on infrastructure for things that really did happen.
Russian Business Network (RBN) cyber-crime organization
A 13 Oct 2007 Washington Post article "Shadowy Russian Firm Seen as Conduit for Cybercrime" reported, "An Internet business based in Saint Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company. The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" VeriSign said that the Rock Group phishers used RBN to steal about US$ 150 million over the preceding year. Symantec said that RBN was "responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering." RBN does not have its own web site, you must contact its operators via instant-messaging or obscure Russian-language online forums. You must also prove that you are not a law enforcement investigator by demonstrating active involvement in theft of consumers' financial and personal data.
Russky Newsweek described "the world of Russian hackers" in December 2009. It mentions the apparently connections between international conflict on the Internet between Russia and Estonia and Georgia, attacks against Citigroup, and massive identity theft and spamming. But it's still uncertain if RBN was really one criminal vast organization or if it was a host to multiple Internet based gangs. Interesting anecdotes in that article include:
- "Aleksandr Gostev, director of Kaspersky Labs, a global research and threat analysis center, believes that RBN's servers are located in Panama."
- "According to one study, the network comprised 406 addresses and 2090 domain names by the end of 2007."
- "The original RBN was behind the cyberattack on Estonia, Paget says, and, according to a study by the U.S. Cyber Consequences Unit (US-CCU), one of its successors was behind the virtual assault on Georgia."
- "One of RBN's most prosperous businesses is Internet pharmacies, with the international organization Spamhaus naming Canadian Pharmacy as the main propagator of criminal cyberschemes." The bootleg medications are produced in India, and several dozen virtual pharmacies makes sales mostly to the U.S.
- "According to Dmitry Golubov, who describes himself as the leader of the Internet Party of Ukraine, a group of 20 to 25 people account for 70 percent of the world's spam. 'A database of active e-mails costs money,' says Golubov. 'For example, a million addresses of purchasers of access to porn resources costs $25,000 to $30,000.'"
U.S. military use of commercial telecommunication links
Early 1990s — "About 20% of satcom support for Operation Desert Storm came from commercial [satellite] fleets." AWST 19 Nov 2007 pp 52-53.
1995-1996 — 95% of military communication at least touches the public switched networks. DOD is primarily reactive with no uniform policy for assessing risks, protecting systems, responding to incidents, or assessing damage. Military and Aerospace Electronics, January 1997, pg 17; AWST, 13 Jul 1998, pp 67-70 (quoting Maj. Gen. John Casciano, USAF director of intelligence); Lt Gen Kenneth A Minihan, "Intelligence and Information System Security", Defense Intelligence Journal, vol 5 n 1 (Spring 1996), pg 20.
2007 — "Now about 80% of all satellite communications in Iraq and Afghanistan come from commercial spacecraft, which may in some cases simultaneously provide services to friendly forces, as well as adverseries. AWST 19 Nov 2007 pp 52-53.
2008 — "Roughly 85% of [U.S.] military satellite communications are processed by commercial entities, but those services are purchased in an ad hoc fashion." AWST Oct 13, 2008, pg 34.
A 19 Nov 2007 AWST article (pp 52-53) described the USAF 16th Space Control Squadron (SPCS), dedicated to "defensive counterspace" and detecting and locating jamming to satellite links. It says that the 16th SPCS, based at Peterson AFB in Colorado, operates the new Rapid Attack Identification Reporting System (Raidrs), alerting its operators of interference to satellite communications links at UHF and the microwave C, Ku and X bands. It's designed and manufactured by Integral Systems of Lanham, Maryland. Each Raidrs site includes up to six 2.4-meter dish antennas to monitor signals, and a 3.7-meter antenna connected to a Blackbird system, said to operate like a spectrum analyzer. Two more 4.5-meter antennas are said to locate the distant ground-based jamming or interference source. The article made it sound as if the location is done by precise measurement of uplink signals reflected from the satellite bodies of the intended relay satellite and another satellite in a nearby orbit — an impressive achievement if correct.
USB storage devices and issues for the military
"Colombia's struggling guerrila movement appears to have suffered yet another defeat because of technology. The names of more than 9,000 rebels have fallen into government hands. Two government officials said this week [26 Sep 2008] that soldiers raiding a rebel camp in February  found a memory stick that held the names, aliases and identity numbers of 9,387 rebels — and even included the photos of some of them." The group was FARC, the Revolutionary Armed Forces of Columbia. New York Times 26 Sep 2008, pg A8.
USB storage devices have been stolen from U.S. military bases in Afghanistan by local cleaning staff and sold in the local bazaars through the 2000s. Stories were carried by the BBC and the Los Angeles Times.
Attacks against infrastructure, many mentioned in the article found here. Meanwhile, do not be frightened by apparently weak claims of hacker attacks on the U.S. power network, debunked in elsewhere on this page.
And pipelines and sewers and ...
The classic story is Agent Farewell and the Siberian Pipeline Explosion, in which an explosion around the end of October 1982 in the middle of Siberia "vaporized a large segment of the newly-build trans-Siberian pipeline". Thomas Reed's At the Abyss: An Insider's History of the Cold War describes the U.S. CIA working with a Canadian supplier to compromise the system's SCADA software with a logic bomb. The resulting explosion is enthusiastically described as "visible from space" and "1/7 the magnitudes of the nuclear weapons dropped on Japan during WWII". (combined? each?) See the National Security Archive report for a fairly calm description, and also see the CIA's Center for the Study of Intelligence report. Despite the American enthusiasm for the supposed cataclysm, there were no known physical casualities and seems to have gone unknown to the Soviet public.
1999 — Malicious hackers took control of a Gazprom gas pipeline in Russia for around 24 hours.
2000 — A disgruntled ex-employee accessed the
industrial control systems of a
sewage treatment plant in Maroochy Shire,
and released at least a million liters of raw sewage
into a river and onto the grounds of a hotel.
"Located in a tourist area on the east coast, the sewage system has 142 pumping stations connected by radio to monitoring computers.
The troubles began when the installation company, Hunter Watertech, finished installing the control system in December 1999 and the site supervisor for HWT, Vitek Boden, resigned 'under circumstances that are not exactly explained'. He applied to MSC for a position, but was rejected.
The following month, January 2000, strange things started to happen. Pumps were not running when needed, alarms were not being reported to the control centre, and there was a loss of communications between the control centre and the pumping stations.
The evidence began to point to outside agents interfering with the system. With data logging this became more apparent when engineers noticed a spoofed pump station ID. The system was receiving signals from a pumping station ID that wasn't where it should have been — and it wasn't sending the right sort of signals. After inspecting one particular pump station site and re-coding its ID, it became clear that they were receiving signals coming in from a station that didn't exist. Radio monitoring was also starting to detect these transmissions. After nearly two months of baffling problems, on 16 March they began to get some hard evidence of what was going on. They spotted radio transmissions controlling various pump stations from the fake ID.
By this time, in the middle of March, a lot of faults were occurring and it was obvious that the hacker wasn't just playing around with the control system. There were sewage leaks, caused by overflowing tanks when pumps were turned off. The golf course next to the Hyatt Hotel was flooded with a million litres of sewage. A major overflow into a residential area and tidal canal polluted an estuary; in the surrounding area on Australia's Sunshine Coast, creeks turned black and cost the government Au$100,000 to set up an environmental monitoring programme."
Also see "Malicious Control System Cyber Security Attack Case Study — Maroochy Water Services, Australia".
2003 — The "Slammer" worm disabled a safety monitoring system at Davis-Basse nuclear power plant in Ohio, USA. Of course, this was not the original intent of the attack.
2007 — A former employee for a federally-owned canal system in California was charged with installing software that damaged a computer used to divert water out of a local river, as described in The Register. The Tehama Colusa Canal Authority operates two canals that move water out of the Sacramento River for use in irrigation and agriculture in Northern California. The perpetrator worked for the TCCA for more than 17 years before being fired on August 15, the date he is alleged to have installed the unauthorized software.
2007 — Lonnie Charles Denison was a SAIC
contractor working as a UNIX systems administrator
at the California Independent System Operator's data
center controlling California's power grid.
He had a dispute with his boss at SAIC and learned on
15 April that he had lost computer access privileges.
Minutes later he broke a glass cover and hit the
emergency power "off" button,
shutting down the facility.
This cut California off from the wholesale electricity
market (although it did not cut off power
to the state!).
Allegedly he e-mailed a bomb threat the next day
to a California ISO employee.
In December he pled guilty, and faced up to five years
in prison and $250,000 in fines.
The Register, 20 Apr 2007; Computerworld, 1 Jan 2008, pg 6; PC World and several other sources]
2010 — The Stuxnet worm was detected in June, 2010. This eventually led to many more discoveries of malicious software, eventually attributed to the U.S., see the cyberwar page for the details.
Read this good article about "The Great Firewall of China", the national firewall in People's Republic of China from The Atlantic Monthly.
In May 1998 an internal review of DOE facilities found serious security problems (classified info on open systems, anonymous ftp write permission, readable password files, etc) on 1,400 of 64,000 systems. Los Alamos had detected 15 security breaches in the preceding 6 months. Brock Meeks, MSNBC, 29 May 1998, Stark Abstracting.
Hardware cryptographic attacks — The Electronic Frontier Foundation developed and built a dedicated platform in 1998 for under US$ 250,000 that breaks DES-encrypted messages in 72 hours, an order of magnitude faster than the best distributed network attack at the time. Much of the cost was design and development — the next one with the same performance would cost $50,000 or less. Speed to break DES on this architecture drops linearly with dollars spent on hardware, so forget all the U.S. government claims about hardware solutions being impossible. Also remember that this is cost for today's hardware, and cost per performance falls fast over time. Click here for the EFF article.
Threats are under-reported, and that's no recent development:
- DISA estimates only 0.2% of attacks are reported. AWST, 27 Apr 1998, pg 27.
- Only one of 150 attacks against DOD computer systems is detected. AWST, 20 January 1997, pp 60-61.
ARPA/NSA/DISA/DSS Memorandum of Agreement for coordinating Infosec research programs
For current research and development, see Purdue's CERIAS group.
The classic Unix security paper is UNIX Operating System Security, in AT&T Bell Labs Technical Journal, October 1984.
See the Trusted Product Evaluation Program frequently-asked-question list on computer security.
Disaster recovery is a whole field in itself. Check out the Disaster Recovery Journal. For a light introduction, see IEEE Spectrum, December 1996, pg 49.
A very scholarly treatment of Internet congestion models is in Science,, vol 277, 25 July 1997, pp 477, 535-537.
Keep looking — here are some more web sites to check out.