_________________________________________________________________ London, Friday, September 27, 2002 _________________________________________________________________
INFOCON News _________________________________________________________________ IWS - The Information Warfare Site http://www.iwar.org.uk _________________________________________________________________ To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body _________________________________________________________________ ---------------------------------------------------- [News Index] ---------------------------------------------------- [1] Shredding the Paper Tiger of Cyberterrorism [2] 'T0rn' Arrest Alarms White Hats, Advocates [3] NCS prepping 'gee-whiz' pilot [4] VPN flaw exposes internal networks [5] University bans "illegal" links [6] SA Police contemplates e-crime outsourcing [7] distributed.net completes rc5-64 project [8] FrontPage Flaw Lets Hackers In [9] Officials say VA computer systems better, but still vulnerable [10] Software firms team to fight bug leaks [11] US firms fear new privacy laws [12] Taiwan plays down Chinese TV 'hijack' [13] White House says all must play role in cybersecurity plan [14] P2P foes defend hacking bill [15] Senate may give up on homeland security bill [16] States keep IT programs on track [17] China implicated in Dalai Lama hack plot _________________________________________________________________ News _________________________________________________________________ [Rick wrote a nice anti FUD article. WEN] '...People are afraid of cyber-attacks and cyberterrorism because they don't understand them. Like voodoo, cyber-attacks are a mysterious and invisible concept, and therefore must be more dangerous than something tangible like dynamite or aviation fuel if used by an adversary. After all, how many people really understand how their computers work? It's human nature to be afraid of what we don't understand. In the case of our elderly Congress, I'd wager they're plenty afraid. ...' [1] Shredding the Paper Tiger of Cyberterrorism Political posturing about cyberterrorism is a red herring that takes attention away from the real issues of information security. By Richard Forno Sep 25, 2002 Over the past several months we've seen a rise in the amount of media coverage devoted to the concept of cyberterrorism - yet, despite the hype and hysteria, nobody can describe exactly what constitutes an act of cyberterrorism even though, according to a recent TechWeb article, college campuses in America are breeding grounds for such people. Part of the problem is that cyberterrorism has become a catch-all phrase for any sort of illicit on-line activity; and its use (or misuse) by the media, vendors, and government officials further muddies the waters. For example, a Google search for the term "cyberterrorism" yields all sorts of cases in which it is used to describe viruses, Trojans, and hacking. Security concerns to be sure, but terrorism? Doubtful. http://online.securityfocus.com/columnists/111 ---------------------------------------------------- [It is was a bad decision to arrest creator of 'T0rn'. It will cost the CPS (Crown Prosecution Service) a lot of money and I am virtually convinced that they won't be able to sentence him as long as he has a good laywer. I am waiting for the day when the police will turn up at large InfoSec companies and arrest their staff who created vulnerability scanners. WEN] [2] 'T0rn' Arrest Alarms White Hats, Advocates A raid on the alleged author of a well-known hacker toolkit is raising eyebrows among electronic civil libertarians, and putting security researchers on guard. By Kevin Poulsen, Sep 24 2002 1:58PM It could almost pass as a routine computer crime case -- a year-long probe leads Scotland Yard cybercops to a home in the upscale London suburb of Surbiton, where they seize computer equipment and arrest a 21-year-old man under the UK's 1990 Computer Misuse Act. But last Thursday's raid was anything but routine, because the unnamed suspect, who has not yet been formally charged, isn't accused of cracking computers, launching a denial of service attack or distributing a virus. Instead, the joint Scotland Yard/FBI investigation is focused on his alleged authorship of the "T0rnkit," a collection of custom programs that help an intruder hide their presence on a hacked Linux machine. It's apparently the first time the UK's national computer crime law has been used to crack down on a programmer for writing a tool with malicious applications -- and it's a chilling development to some security researchers and electronic civil libertarians. http://online.securityfocus.com/news/813 ---------------------------------------------------- [NCS.gov is a great agency which should serve as a model for public private partnerships! WEN] [3] NCS prepping 'gee-whiz' pilot BY Dan Caterinicchia Sept. 26, 2002 Printing? Use this version. Email this to a friend. The National Communications System is in the early stages of a Global Early Warning Information System (GEWIS) pilot project in which government and industry will examine the health and topology of the Internet. The pilot project will assess how well critical areas of the Internet are performing worldwide, and then use that data to notify government, industry or U.S. allies of an impending cyberattack or possible disturbance, said Brenton Greene, deputy manager of NCS. http://www.fcw.com/fcw/articles/2002/0923/web-ncs-09-26-02.asp ---------------------------------------------------- [4] VPN flaw exposes internal networks By Robert Lemos init September 27, 2002, 4:20 AM PT A suspected vulnerability in Microsoft's popular virtual private networking application discovered Thursday could, if confirmed, leave corporate intranets open to attack, said security experts. A security advisory posted by German security firm Phion Information Technologies to Internet mailing lists and the company's Web site said that the vulnerability affects the point-to-point tunneling protocol (PPTP) commonly used in the VPN software bundled in Microsoft's Windows 2000 and XP operating systems for servers and PCs. http://zdnet.com.com/2100-1105-959659.html ---------------------------------------------------- [5] University bans "illegal" links By Declan McCullagh Special to ZDNet News September 26, 2002, 4:00 AM PT The University of California at San Diego has ordered a student organization to delete hyperlinks to an alleged terrorist Web site, citing the recently enacted USA Patriot Act. School administrators have told the group, called the Che Cafe Collective, that linking to a site supporting the Revolutionary Armed Forces of Colombia (FARC) would not be permitted because it violated federal law. http://zdnet.com.com/2100-1105-959544.html ---------------------------------------------------- [6] SA Police contemplates e-crime outsourcing By Jeanne-Vida Douglas, ZDNet Australia 26 September 2002 The South Australian Police Department is contemplating outsourcing its cybercrime investigations as part of a broad campaign to overcome a resource drain in the fight against e-criminals. Tony Rankine, Superintendent of the Serious Fraud Investigation Branch of the South Australian Police said the move was being contemplated under the Electronic Crime Strategy of the Police Commissioners' Conference Electronic Crime Steering Committee. "We are implementing a two year work plan focusing on e-crime prevention, partnerships, education needs and present capabilities," Rankine says. "We are looking at whether we need to outsource some of the investigation work." http://www.zdnet.com.au/newstech/security/story/0,2000024985,20268576,00.htm ---------------------------------------------------- [7] distributed.net completes rc5-64 project (list announcement) september 25, 2002 RC5-64 HAS BEEN SOLVED! On 14-Jul-2002, a relatively characterless PIII-450 in Tokyo returned the winning key to the distributed.net keyservers. The key 0x63DE7DC154F4D03 produces the plaintext output: The unknown message is: some things are better left unread Unfortunately, due to breakage in scripts (dbaker's fault, naturally) on the keymaster, this successful submission was not automatically detected. It sat undiscovered until 12-Aug-2002. The key was immediately submitted to RSA Labs and was verified as the winning key. So, after 1,757 days and 58,747,597,657 work units tested the winning key was found! While it's debatable that the duration of this project does much to devalue the security of a 64-bit RC5 key by much, we can say with confidence that RC5-64 is not an appropriate algorithm to use for data that will still be sensitive in more than several years' time. On the distributed computing front, however, the RC5-64 project clearly demonstrates the viability of long-term, volunteer-driven, internet-based collaborative efforts. The next time someone bemoans the public's short attention span or need for instant gratification you should remind them what 331,252 people were able to accomplish by joining together and working for nearly five years. distributed.net's RC5-64 project clearly shows that even the most ambitious projects can be completed by volunteers thanks to the combined power of the internet and distributed computing. http://www.distributed.net/pressroom/news-20020926.html ---------------------------------------------------- [8] FrontPage Flaw Lets Hackers In By Dennis Fisher A newly discovered flaw in Microsoft Corp.'s FrontPage Server Extensions gives an attacker the ability to run any code of choice on some vulnerable Web servers. Microsoft issued an advisory and a patch for the problem Wednesday. The vulnerability is in the SmartHTML Interpreter in FPSE 2000 and 2002 and involves the way the interpreter handles requests for some Web files. The interpreter is designed to provide support for Web forms and other dynamic Web content. http://www.eweek.com/article2/0,3959,558381,00.asp ---------------------------------------------------- [9] Officials say VA computer systems better, but still vulnerable By Tanya N. Ballard The Veterans Affairs Department continues to make incremental progress in its effort to overhaul information technology systems, but computer security is still a concern, government officials told House lawmakers Thursday. An audit of VA's information technology program conducted over the last six months found that the department has made some important strides, but has yet to implement key information security initiatives or establish a comprehensive, integrated agency-wide security program, according to VA Inspector General Richard Griffin. Griffin testified before the House Veterans Affairs Committee's Subcommittee on Oversight and Investigations. "Our audit work continues to identify significant security vulnerabilities that represent an unacceptable level of risk to VA operations and its mission of providing health care and delivering benefits to the nation's veterans," Griffin said. http://www.govexec.com/dailyfed/0902/092602t1.htm ---------------------------------------------------- [10] Software firms team to fight bug leaks By ComputerWire Posted: 27/09/2002 at 09:45 GMT A loose coalition of software developers and security companies has come together with the aim of preventing vulnerability information being released prematurely, Kevin Murphy writes. Yesterday, a body calling itself the Organization for Internet Safety, announced its existence, and said it intends to have draft guidelines published early next year. Scott Blake, chair of OIS's communications committee, told ComputerWire the guidelines will give security researchers and software developers responsibilities for being discreet and taking warnings seriously respectively. The key proposal is a 30-day waiting period between a patch release and details of the bug being released. http://www.theregister.co.uk/content/55/27312.html ---------------------------------------------------- [11] US firms fear new privacy laws Thursday 26 September 2002 Privacy officers and legal experts have used this year's Privacy 2002 Conference in Ohio, USA, to warn about how legislative actions by the US Congress, states and local municipalities will affect systems and bottom lines. Legislative battles are being predicted for next year in Congress and in the states, triggered by the impending expiration of a provision of the Fair Credit Reporting Act (FCRA) that blocks states from imposing their own data privacy rules. Once that exemption expires in early 2004, states will be free to set privacy rules that exceed federal standards. The states, for instance, could limit affiliate sharing of customer data - a serious threat to financial services firms that often set different lines of businesses as affiliates, entities that exist only on paper. Systems that now freely exchange information may need to be significantly redesigned. http://www.cw360.com/bin/bladerunner?REQSESS=gU13C600&2149REQEVENT=&CARTI=116124 &CARTT=14&CCAT=1&CCHAN=12&CFLAV=1 ---------------------------------------------------- [12] Taiwan plays down Chinese TV 'hijack' Beijing says Falun Gong uses Taiwan as a hacking base Taiwan has cast doubt on China's allegation that members of the spiritual group Falun Gong have hacked into the mainland's satellite television signals from the island. A government official, Lin Ching-chih, said the allegation that Falun Gong members were hacking into Chinese state satellite signals from Taiwan was "far-fetched". http://news.bbc.co.uk/1/hi/world/asia-pacific/2280056.stm ---------------------------------------------------- [13] White House says all must play role in cybersecurity plan By Rob Lever WASHINGTON A White House plan unveiled Wednesday says that all Internet users have a responsibility to secure their part of cyberspace in a long-awaited document that drew a mixed response from experts. The plan, created amid heightened concerns about terrorists using the Internet to attack "critical" computer networks, notes that the US economy and national security are "fully dependent upon information technology and the information infrastructure." http://www.metimes.com/2K2/issue2002-38/net/white_house_says.htm ---------------------------------------------------- [14] P2P foes defend hacking bill 11:59 Friday 27th September 2002 Declan McCullugh, CNET News.com Supporters of a new bill set to thwart peer-to-peer piracy have hitback at criticis, accusing them of using 'scare tactics' Supporters of a proposed law that would permit copyright holders to assail peer-to-peer networks angrily defended it on Thursday, saying it had been mischaracterised by opponents. During the first congressional hearing on the bill, repsresentive Howard Berman, and Howard Coble, a South Carolina Republican, denounced critics' "scare tactics" and said their proposal was a modest plan that had been carefully crafted to reduce piracy on peer-to-peer networks. http://news.zdnet.co.uk/story/0,,t269-s2122962,00.html ---------------------------------------------------- [15] Senate may give up on homeland security bill By Brody Mullins, CongressDaily With time running out before a scheduled pre-election adjournment, Majority Leader Tom Daschle, D-S.D., hinted Thursday that he may halt debate on homeland security legislation next week in order to move to other issues, including the Iraq resolution and pension reform legislation. Minutes later, Minority Whip Don Nickles, R-Okla., said Republicans would oppose the move until GOP senators get a vote they are seeking on controversial personnel rules for the proposed Homeland Security Department. The Democratic and Republican procedural moves-combined with GOP plans to defeat a pair of cloture motions Thursday and Friday-further jeopardizes the prospects for the bill as the session draws to a close. "We are going to get a vote on our amendment or we are not going to get a bill," Nickles threatened. Majority Whip Harry Reid, D-Nev., responded that the Republican tactics are "only an effort to stall" the legislation. http://www.govexec.com/dailyfed/0902/092602cdpm2.htm ---------------------------------------------------- [16] States keep IT programs on track BY Dibya Sarkar Sept. 25, 2002 Rather than make across-the-board spending cuts in programs, state governments are using alternative measures, such as dipping into "rainy day" funds and raising taxes, to grapple with a collective $22 billion revenue shortfall. As a consequence, many state capital investments and information technology programs have not been impacted as greatly as expected, according to Input, a Chantilly, Va.-based marketing and research firm that recently surveyed officials in 50 states. http://www.fcw.com/geb/articles/2002/0923/web-input-09-25-02.asp ---------------------------------------------------- [17] China implicated in Dalai Lama hack plot By John Leyden Posted: 25/09/2002 at 23:20 GMT China has repeatedly attempted to crack into the Dalai Lama's computer network, according to its administrators. Over the last month there have been repeated attempts to infect systems used by the exiled spiritual leader. This takes the form of a computer virus which attempts to send information back to China, Jigme Tsering, manager of the Tibetan Computer Resource Centre told AP. The centre runs Internet services and administers the computer systems of the spiritual leader's government-in-exile, located in Dharmsala, India. http://www.theregister.co.uk/content/55/27291.html ---------------------------------------------------- _____________________________________________________________________ The source material may be copyrighted and all rights are retained by the original author/publisher. Copyright 2002, IWS - The Information Warfare Site _____________________________________________________________________ Wanja Eric Naef Webmaster & Principal Researcher IWS - The Information Warfare Site <http://www.iwar.org.uk> --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk