Sniffing the Internet: The Recent Rash of Breakins

9:00 a.m. Thursday, March 31, 1994
Plenary Presentation

o Rash of breakins
o February 3 CERT advisory and press release
o Boucher subcommittee hearing
o Barbara Fraser, CERT
o John Curran, NEARNET
o Steve Crocker, IETF Security Area Director

House Science Subcommittee

o Rick Boucher (D-VA) chair
o Oversight of budget for NIST, etc.
o Inquiry into recent Internet breakins
o Consequences for National Information Infrastructure

March 22, 1994 Hearing

o Dain Gary, CERT Director
o Tom Kubic, FBI Financial Crimes
o Vint Cerf, ISOC President
o Lyn McNulty, NIST
o Steve Crocker, IETF Security Area Director

The Hearing

o Congressional opening statements
  - Four congressmen present
o Opening statements from witnesses
  - Prepared written statements for the record
  - Prepared oral statements limited to 5 minutes
o Questions and answers
  - First round is from prepared set of questions
  - A little bit of excitement after the first couple of rounds of questions
o Not clear what will follow

Highlights

o Boucher wants to give more money to CERT
  - $2.4M (14 people) now; double next year?
o McNulty quizzed on status of Digital Signature Standard (DSS)
  - Technical work done. "In the hands of lawyers"
  - Crocker: Wrong. Unneeded. Give up. Use RSA.
  - McNulty: Designed for signatures and not encryption.
  - Cerf: Sought camel; got camel.
o Clipper?
o Ehlers: Technical security unlikely. Increase the likelihood of detection.

Primary Conclusions (mine)

o Cleartext passwords must die out
  - Our (IETF) job is to move as quickly as possible to get past this problem.
  - Doesn't solve all problems, but will dramatically reduce breakins.
o Understand CERT's role and procedures
  - Timely distribution of information
  - Role in creating and distributing fixes to security bugs
  - WG in formation in OPS area w/co-chairs from incident handling and network operators
o If we feel strongly about use of cryptography, we should move briskly.