_________________________________________________________________

                      London, Thursday, April 04, 2002
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________

                               IWS Sponsor

                  National Center for Manufacturing Sciences
                              http://www.ncms.org
                                 host of the
                 InfraGard Manufacturing Industry Association
                              http://trust.ncms.org
    _________________________________________________________________

          ----------------------------------------------------
                      [UNIRAS (UK Government Cert)]
          ----------------------------------------------------

* Microsoft Security Operations Guide for Windows 2000 Server

http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%208702.txt

* UNIRAS SQL Injection vulnerabilities

http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%208602.txt

* Compaq: Potential Security Vulnerabilities with Compaq Secure Web Server
(PHP and apache/mod_ssl)

http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%208402.txt

* 3 Security Advisories concerning vulnerabilities in: IRIX TCP/IP, IRIX FTP
and IRIX rpc/HOSTALIASES

http://www.uniras.gov.uk/l1/l2/l3/brief2002/Briefing%20-%208302.txt

          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] 2 NIST Computer Security DRAFT Publications - just released
[2] Tech Insider: Securing the cyber front
[3] Computer saboteur escapes conviction
[4] Aussie worm hits Europe
[5] Opening a can of worms

[6] Army official warns that hackers could infiltrate battlefield
[7] MS security patch fails on local files
[8] BA ditches MS servers after virus threat
[9] (AU) EFA: anti-terror laws weaken e-mail privacy
[10] Yahoo! Rips! Up! Privacy! Policy!

[11] Tech firms look for best places to pitch security products
[12] Basic flaws lead to big gaps in security
[13] EBay closes password option to plug hole
[14] Windows Messenger 'Trojan update'
[15] Spammers busted in Net fraud crackdown

[16] Legislation driving Bush administration e-gov efforts
[17] High-tech companies gear up to oppose contracting bill

    _________________________________________________________________

                                News
    _________________________________________________________________


[1] 2 NIST Computer Security DRAFT Publications - just released

NIST's Computer Security Division has just released 2 DRAFT security
special publications.  Both of these publications can be found on the
Computer Security Resource Center (CSRC) at:
http://csrc.nist.gov/publications/drafts.html
The two drafts should be the first two bulleted items at the top of page.

Draft # 1.  April 2, 2002 -- The draft Special Publication 800-45
Guidelines on Electronic Mail Security is available for public comment. The
document is intended primarily for a technical audience. It provides
detailed guidance on setting up and maintaining a secure email system, and
includes pointers to related material. NIST seeks your comments and
suggestions on the document.  Please provide them directly to Wayne Jansen
([EMAIL PROTECTED]) by April 30, 2002.

Draft # 2.  April 2, 2002 -- The draft NIST Special Publication 800-40,
Procedures for Handling Security Patches, is available for public comment.
This document describes and recommends the use of a systematic,
accountable, and documented process for handling security patches and
vulnerabilities. In addition, the document provides specific advice for
obtaining, testing, distributing, and installing security patches. Please
provide comments and suggestions to Peter Mell ([EMAIL PROTECTED]) by May
2, 2002.

Both DRAFT documents are available in .pdf format.  The URL again for these
documents are http://csrc.nist.gov/publications/drafts.html

         ----------------------------------------------------

[2] Tech Insider: Securing the cyber front
By Shane Harris

Last year's spate of hacker attacks, viruses and worms shed light on the
nation's poor state of information security--and the government's inability
to shore it up. After Sept. 11, the state of the country's cyber security
seemed even more vulnerable to an even wider range of threats, and the White
House stepped forward with what seemed like a bright idea to secure the
cyber front.

To safeguard the government's vital interests and keep it running in a time
of crisis, Richard Clarke, President Bush's cybersecurity czar, told the
technology industry to build Uncle Sam an exclusive, super-secure,
government-only network that would be 100 percent impenetrable and safe from
online attacks. It's called Govnet, and despite Clarke's best effort to
articulate the administration's vision, few people really know what it is.

With a reported cost as high as $45 billion, Govnet is a coveted contract,
but technology executives are frustrated by what they see as the government's
inability to define what exactly Govnet would be. Even though the General
Services Administration has issued a request for information (RFI) on a
system that is open-ended enough to allow for private sector creativity,
most private sector executives seem to be in the dark about what the
government wants.

http://www.govexec.com/dailyfed/0402/040202ti.htm

         ----------------------------------------------------

[3] Computer saboteur escapes conviction
By John Leyden
Posted: 03/04/2002 at 11:58 GMT

A computer technician saw his convictions for maliciously spreading a
computer virus struck out after a court decided his actions caused minimal
financial loss.

Last September, Herbert Pierre-Louis was found guilty by a jury of two
counts of deliberately infecting the computer systems of his former
employer, Purity Wholesale Grocers of Boca Raton, Florida. The prosecution
argued that Pierre-Louis's motivation for his crime was a reprimand by his
supervisor for work-related problems ten days before the virus was
transmitted, in June 1998.

http://www.theregister.co.uk/content/55/24688.html

         ----------------------------------------------------

[4] Aussie worm hits Europe
By Chris Lee in Melbourne [03-04-2002]

Level 2 alert on mass-mailing virus

A new worm emerging from Australia has put antivirus companies and IT
managers on red alert.

'Mylife' is a mass-mailing virus with a destructive payload that sends
itself to everyone in the recipient's Windows address book. It was first
seen last month but began to spread in earnest on 1 April.

http://www.vnunet.com/News/1130579
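As an added illustration (not part of the vnunet article or of the original
newsletter), the propagation behaviour described above, one sender pushing the
same attachment to every address in a contact list, is visible at a mail
gateway as a burst of identical attachments to many distinct recipients. The
script below is a simple detector for that pattern run over constructed log
lines. The log format, the sender and recipient addresses, the attachment name
and the window/recipient thresholds are all assumptions made for the example,
not details taken from the advisory or the article.

```python
"""Heuristic mass-mailer detection over constructed mail-gateway log lines.

Added example; not code from the article or the newsletter. The log format
below is hypothetical, and the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up "key=value" format (not real traffic).
# One sender bursts the same attachment to six recipients within three seconds.
SAMPLE_LOG = """\
2002-04-01T09:00:01 from=alice@example.org to=bob@example.org attach=report.doc
2002-04-01T09:05:10 from=carol@example.org to=dave@example.org attach=-
2002-04-01T09:10:00 from=erin@example.org to=frank@example.org attach=MyLife.scr
2002-04-01T09:10:01 from=erin@example.org to=grace@example.org attach=MyLife.scr
2002-04-01T09:10:01 from=erin@example.org to=heidi@example.org attach=MyLife.scr
2002-04-01T09:10:02 from=erin@example.org to=ivan@example.org attach=MyLife.scr
2002-04-01T09:10:02 from=erin@example.org to=judy@example.org attach=MyLife.scr
2002-04-01T09:10:03 from=erin@example.org to=mallory@example.org attach=MyLife.scr
2002-04-01T12:00:00 from=alice@example.org to=oscar@example.org attach=report.doc
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) attach=(\S+)$")


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, sender, rcpt, attach).

    Lines that do not match are skipped; "attach=-" means no attachment.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt, attach = m.groups()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(),
                       None if attach == "-" else attach))
    return events


def find_mass_mailers(events, window=timedelta(minutes=5), min_recipients=5):
    """Flag (sender, attachment) pairs that reach at least `min_recipients`
    distinct recipients inside any `window`-long span. Both thresholds are
    illustrative; tune them against real gateway volume before deploying.
    """
    by_key = defaultdict(list)
    for ts, sender, rcpt, attach in events:
        if attach is None:  # a mass-mailer carries itself as an attachment
            continue
        by_key[(sender, attach)].append((ts, rcpt))

    alerts = []
    for (sender, attach), sends in by_key.items():
        sends.sort()  # time-ordered so a sliding window is valid
        best, first_seen, start = 0, None, 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            distinct = len({r for _, r in sends[start:end + 1]})
            if distinct > best:
                best, first_seen = distinct, sends[start][0]
        if best >= min_recipients:
            alerts.append({"sender": sender, "attachment": attach,
                           "recipients": best,
                           "first_seen": first_seen.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_mass_mailers(parse_log(SAMPLE_LOG)):
        print(alert)
```

The key is (sender, attachment name) rather than sender alone, so a busy but
legitimate sender with varied attachments is not flagged, while a worm that
always carries the same file name stands out even at modest volume. Counting
distinct recipients rather than raw message count avoids alerting on a single
address retried many times.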

         ----------------------------------------------------

[5] Opening a can of worms
Robert X Cringely

Amber is mad at her brother-in-law because she wants to plan a surprise
party for her twin sister, and he is not cooperating. "Amber, he is her
husband," I offered as devil's advocate. "Why do you always side with him,
anyway?" Amber attacked.

Not very nice

I guess I opened the proverbial can of worms when I wrote about some unhappy
spies doubling as VeriSign customers. More spies told me that even
VeriSign's partners are unhappy with the way it conducts business, and
VeriSign is getting a reputation after numerous attempts to go around
partners and sign up those partners' customers directly.


http://www.idgnet.co.nz/webhome.nsf/UNID/E17419B46E4F2CB2CC256B880070A28F!opendocument

         ----------------------------------------------------

[6] Army official warns that hackers could infiltrate battlefield
By Molly M. Peterson, National Journal's Technology Daily

NEWPORT, R.I. -- Noting that a cyberterrorist attack could have grave
consequences on the battlefield, the Army's top information security officer
said Tuesday that the military must take a more proactive approach to
defending its critical information systems.

"It is conceivable, in theory, for a hacker sitting in his easy chair to get
inside a tank," Col. Thaddeus Dmuchowski, director of the Army's Information
Operations Assurance Office, said during a conference sponsored by the
National High Performance Computing & Communications Council.

"We can't wait for the next attack to happen," Dmuchowski said. "We have to
be proactive. And in order to be proactive, we have to have as much
imagination as those who would do us harm."

http://www.govexec.com/dailyfed/0402/040202td1.htm

         ----------------------------------------------------

[7] MS security patch fails on local files
By Thomas C Greene in Washington
Posted: 02/04/2002 at 12:14 GMT

The MS patch intended to fix a data binding flaw in IE, which enables a
script to call executables on your Windows machine using the object tag,
does not protect against malicious files launched from a local directory.

http://www.theregister.co.uk/content/55/24667.html

         ----------------------------------------------------

[8] BA ditches MS servers after virus threat

By Rene Millman [03-04-2002]
Airline removes 100 'unauthorised' web servers

British Airways has removed 100 "unauthorised" web servers running Microsoft
IIS from its network over fears that the software could be a target for
virus attacks.

The move came after the company found that the web servers had been
installed by its own staff "without the correct authorisation procedures".

BA was worried that the servers could be attacked by the Code Red virus. A
company spokesman said that the airline was not affected by the virus.

http://www.vnunet.com/News/1130615

         ----------------------------------------------------

[9] EFA: anti-terror laws weaken e-mail privacy

By Andrew Colley, ZDNet Australia
02 April 2002

Australian police will be able to exploit legal ambiguities in Federal
anti-terror legislation that could weaken e-mail privacy protection,
according to Electronic Frontiers Australia.

Civil liberties group Electronic Frontiers Australia (EFA) said that
"confusing" wording in proposed changes to telecommunications interception
laws, which are included in the Security Legislation Amendment (Terrorism)
Bill 2002, leaves the legal status of e-mails stored at ISPs in doubt.

http://www.zdnet.com.au/newstech/security/story/0,2000024985,20264357,00.htm

         ----------------------------------------------------

[10] Yahoo! Rips! Up! Privacy! Policy!

By Andrew Orlowski in San Francisco
Posted: 04/03/2002 at 05:31 EST

Yahoo! changed its privacy policy last week, contemptuously exposing all of
its registered users to third-party spam, marketing offers and cold calls
that they'd previously said they didn't want.

As from now, Yahoo! mail users are exposed to a dozen unwanted "Special
Offers and Marketing Communications", and users who've left their phone
numbers with the portal will discover that they've been "agreed" to cold
calling and junk snail mail, for good measure.

http://www.theregus.com/content/6/24520.html

         ----------------------------------------------------

[11] Tech firms look for best places to pitch security products
By William New, National Journal's Technology Daily

The opportunities are flourishing for the information technology industry to
help protect the United States from threats. But as thousands of American
tech companies answer the government's call for new ideas in the fight
against terrorism, how many are getting their message to the right place?

Many in industry, and some in government, think Tom Ridge's Office of
Homeland Security is the place. Others see the Defense Department as
Security Central, with increasingly deep pockets. And others believe the
best way to proceed is to piggyback on traditional government contractors.
To varying degrees, they are all right.

But despite popular perception, going to Ridge's office may be the least
effective, according to Phil Bond, undersecretary of Commerce for technology
administration and Secretary Donald Evans' chief of staff.

http://www.govexec.com/dailyfed/0402/040102td1.htm

         ----------------------------------------------------

[12] Basic flaws lead to big gaps in security

By Paul Allen [03-04-2002]

Specialist training failing to keep pace with security investments

Commitment to specialist training is failing to keep up with security
hardware investment, leaving key devices improperly configured and
enterprises open to attack.

A report from consultant NTA Monitor, collated over four years of
penetration testing with blue-chip enterprise clients, showed that little
progress had been made in addressing basic issues, such as router
configuration, which accounted for the highest percentage of
vulnerabilities.

http://www.vnunet.com/News/1130599

         ----------------------------------------------------

[13] EBay closes password option to plug hole
10:56 Wednesday 3rd April 2002
Troy Wolverton, CNET News.com

A vulnerability on eBay that could allow hackers to gain control of a user's
account has been shut down.

EBay disabled a password function on its site Tuesday to close a "very
serious" security hole that could allow hackers access to users' accounts, a
spokesman said.

EBay disabled the "Change Your Password" function in an effort to close the
vulnerability, eBay spokesman Kevin Pursglove said Tuesday. That feature
will remain disabled until eBay can put a fix in place, he said.

http://news.zdnet.co.uk/story/0,,t269-s2107658,00.html

         ----------------------------------------------------

[14] Windows Messenger 'Trojan update'
By Thomas C Greene in Washington
Posted: 02/04/2002 at 13:50 GMT

This is too cute. You can wipe Windows Messenger from XP with a simple hack,
and yet MS will defy you with a 'Critical Update'. That's how desperate they
are to force this little Trojan on you.

Following a tip from a Messenger-averse reader whose uninstall got thwarted,
I looked into it, starting with a clean install of Win-XP. Messenger was, of
course, lurking in the background and consuming RAM though I have no use for
it. And of course MS doesn't allow you to uninstall it.

http://www.theregister.co.uk/content/55/24668.html

         ----------------------------------------------------

[15] Spammers busted in Net fraud crackdown
10:01 Wednesday 3rd April 2002
Lisa M. Bowman, CNET News.com

The FTC says it has netted dozens of alleged Internet scammers in a major
anti-consumer fraud effort launched in conjunction with six US states and
Canada.

Trumpeting its first major joint effort to crack down on illegal spam, the
Federal Trade Commission said Tuesday that it has busted dozens of alleged
Web scammers in conjunction with law enforcement from six US states and
Canada.

http://news.zdnet.co.uk/story/0,,t269-s2107647,00.html

         ----------------------------------------------------

[16] Legislation driving Bush administration e-gov efforts
By Liza Porteus, National Journal's Technology Daily

Federal legislation has helped spur agencies to integrate technology into
government services and has laid the groundwork for many of the Bush
administration's e-government and homeland security initiatives, officials
said Tuesday.

The 1998 Government Paperwork Elimination Act (GPEA) mandates that agencies
must give citizens the option to submit information and conduct transactions
electronically and gives legal weight to the use of electronic signatures.
Agencies have until Oct. 21, 2003 to comply. The 2000 Government Information
Security Reform Act (GISRA) mandated that all agencies conduct regular
reviews of their security and information practices.

These two measures "have helped us quite a bit ... It's defined security in
our daily lives," Mayi Canales, deputy chief information officer for the
Treasury Department, said during a Council for Excellence in Government
conference on e-government.

http://www.govexec.com/dailyfed/0402/040202td2.htm

         ----------------------------------------------------

[17] High-tech companies gear up to oppose contracting bill
By Bara Vaida, National Journal's Technology Daily

As more high-tech companies turn to the federal government for business
after the Sept. 11 attacks, many of them are joining with a broad business
coalition to oppose legislation that they say would slow down the
government's ability to outsource information technology projects.

Individual companies such as Computer Sciences Corp., Electronic Data
Systems, IBM, Keane Inc. and high-tech associations like the Electronic
Industries Alliance, the Government Electronics and Information Technology
Association, the Information Professional Services Council and the
Technology Association of America have joined to block any movement on the
Truthfulness, Responsibility and Accountability in Contracting (TRAC) Act,
H.R. 721, a bill that has substantial support from government employee
unions and the lawmakers that represent them.

"Our immediate focus is to bottle up this bill and educate members on the
shortcomings of TRAC-like efforts," said Booth Jameson, director of global
government affairs at EDS.

http://www.govexec.com/dailyfed/0402/040102td2.htm

         ----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body

---------------------------------------------------------------------