_________________________________________________________________
London, Tuesday, October 22, 2002
_________________________________________________________________

INFOCON News
_________________________________________________________________
IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________

---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________

----------------------------------------------------
[News Index]
----------------------------------------------------

[1] E-gov lays security net
[2] Hundreds of Navy computers 'missing'
[3] Army locks down wireless LAN
[4] Lack of training your biggest threat
[5] Guidelines for Reporting Security Incidents
[6] Agency adds do-it-yourself security
[7] Privacy Czar: Past Haunts Present
[8] Comeback of the hacker king
[9] E-card Sneakware Delivers Web Porn
[10] Hackers, government join in fight for Internet freedom
[11] VPNs? There must be better ways to wireless security
[12] Professor's Case: Unlock Crypto
[13] MS patches insecurity trio
[14] Report says visa process improved after terrorist attacks
[15] Busting Pop-up Spam
[16] Security Concerns in Licensing Agreements, Part Two: Negotiating
[17] Agencies' IT budgets on 'roller coaster,' group says
[18] FTC forces spammer to refund domain fees
[19] Government security experts urge Whitehall to adopt US cryptography
[20] Why Dotcoms Failed (and What You Can Learn From Them)
[21] An E-Mayor for Virtual L.A. City
[22] A tough case to crack

_________________________________________________________________
News
_________________________________________________________________

[1] E-gov lays security net

Efforts form homeland security foundation
BY Dibya Sarkar
Oct. 21, 2002

By most accounts, homeland security is the top concern among mayors and other local officials, who say they have no choice but to shift funds for overtime costs, preparation and training, and enhanced security measures at the expense of other programs. Those expenses, coupled with the troubled economy and promised federal dollars that haven't yet arrived, may force municipalities to scale back or even scrub some programs.

http://www.fcw.com/fcw/articles/2002/1021/pol-egov-10-21-02.asp

----------------------------------------------------

[2] Hundreds of Navy computers 'missing'

11:25 Monday 21st October 2002
Reuters

The US Navy has lost track of many computers that may have handled classified data, finds an audit. And this may be just the tip of the iceberg.

The US Pacific Fleet's warships and submarines were missing nearly 600 computers as of late July, including at least 14 known to have handled classified data, an internal Navy report obtained on Friday said. The fleet, based in Pearl Harbor, Hawaii, sought to prevent release of the Naval Audit Service report, even though it was not classified.

http://news.zdnet.co.uk/story/0,,t269-s2124182,00.html
http://www.cw360.com/bin/bladerunner?REQUNIQ=1035289799&REQSESS=Jc622399&REQHOST=site1&2131REQEVENT=&CFLAV=1&CCAT=2&CCHAN=22&CSESS=6680898&CSEARCH=&CTOPIC=&CPAGEN=Article%20Page&CPAGET=-99999&CARTI=116804&CARTT=14

----------------------------------------------------

[3] Army locks down wireless LAN

Texas base uses formula of strength through diversity
BY Paul Korzeniowski
Oct. 21

Fort Sam Houston is a prime candidate for wireless networks. The San Antonio installation is home to the commanders of the Army's medical systems and supports various military training services, including battle simulation. Because other tactical groups often conduct tests at the site, a network may be installed for a week, a few months or even a year.

http://www.fcw.com/fcw/articles/2002/1021/spec-army-10-21-02.asp

----------------------------------------------------

[4] Lack of training your biggest threat

By David Southgate
TechRepublic
October 17, 2002

Contrary to popular belief, corporate sabotage is among the least likely causes of computer security breaches. According to an April 2002 survey by the Computer Security Institute, sabotage accounted for just 8 percent of system attacks in 2002. Security breaches are more often due to errors by end users or administrators. The inadvertent gaffes are the main culprits for introducing viruses, allowing denial of service attacks, and opening entryways to supposedly secured data.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2894933,00.html

----------------------------------------------------

[5] Guidelines for Reporting Security Incidents

Published By: CIO
Posted By: Adam Chalemian
10/21/2002 9:29

CIO magazine, in conjunction with the Secret Service and FBI, has put together a set of guidelines for businesses to follow when notifying law enforcement agencies and other authorities of security incidents. The report covers what kind of events should be reported, the data that should be collected, and who to send it to. A report form and contact information for all FBI and USSS field offices are included.

http://www.linuxsecurity.com/articles/government_article-5966.html

Guidelines:
http://www.cio.com/research/security/incident_response.pdf

----------------------------------------------------

[6] Agency adds do-it-yourself security

BY Dibya Sarkar
Oct. 22, 2002

Instead of using the state government's virtual private network solution to serve its far-flung workforce, the Washington State Human Rights Commission opted for a private approach that was less expensive and easier for its employees to install.

The commission went live this spring with a product - Imperito Networks Inc.'s SafeSecure Access - that enables people with little technical experience to install software for access to agency systems.

http://www.fcw.com/geb/articles/2002/1021/web-vpn-10-22-02.asp

----------------------------------------------------

[7] Privacy Czar: Past Haunts Present

By Steve Kettmann | 02:00 AM Oct. 19, 2002 PDT

A former Clinton administration official in charge of privacy issues warned Friday that the Bush administration risked setting the country back decades on privacy policy if it did not heed the lessons of the past.

Peter Swire, a law professor at Ohio State University, evoked the witch-hunt atmosphere of "anti-Communist excesses" to offer a sobering reminder of the dangers of repealing personal liberties in the name of the war on terrorism.

http://www.wired.com/news/politics/0,1283,55900,00.html

----------------------------------------------------

[8] Comeback of the hacker king

Kevin Mitnick was the subject of a huge FBI manhunt, before being jailed for computer fraud. But now his hacking days are over and, he tells Charles Arthur, the poacher has turned gamekeeper.

If you need a working definition of ironic, you could do worse than this. Last summer, Kevin Mitnick, the one-time hacker who was on the FBI's "10 Most Wanted" list of fugitives, was himself the victim of a scam just like he used to work on people.

It's a technique Mitnick, 39, calls social engineering: getting access to information, including computer data, by talking to people rather than by accessing computers. "I practised it for 15 years. I would think I would be the most aware of when it was being done," he says.

But in June he got a call on his mobile phone from a reporter from the Associated Press. The reporter knew that Mitnick had written a book about social engineering, and he was keen to talk about it.

http://news.independent.co.uk/digital/features/story.jsp?story=344565

----------------------------------------------------

[9] E-card Sneakware Delivers Web Porn

A Trojan horse program created by an Internet adult entertainment company routes surfers to racy sites.
By Kevin Poulsen, Oct 21 2002 12:08AM

It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC) and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail from [EMAIL PROTECTED] -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

http://online.securityfocus.com/news/1350

----------------------------------------------------

'... "I think of hacktivism as a philosophy: taking the hacker ethic of understanding things by reverse engineering and applying that concept to traditional activism," he said. ...'

[10] Hackers, government join in fight for Internet freedom

Jennifer Lee
New York Times
Published Oct 21, 2002

When the reports started trickling out in September, they were met with disbelief and then outrage among technophiles. The Chinese government had blocked its citizens from using the popular search engine Google by exercising its control of the nation's Net service providers.

The move surprised Nart Villeneuve, a 28-year-old computer student at the University of Toronto who has been interested in Chinese technology issues. Blocking one of the most popular Web sites was a far cry from Beijing's practice of restricting access to the sites of dissident groups or Western news organizations.

http://www.startribune.com/stories/535/3374698.html

----------------------------------------------------

[11] VPNs? There must be better ways to wireless security

By David Berlind
October 15, 2002

Here's a surprising trend: the promotion of virtual private networks (VPNs) as a solution to local wireless LAN security problems. Even more surprising is that normally forward-looking Gartner analysts are offering up this behind-the-times view of mobile security.

During a mobile security session at Symposium/ITxpo earlier this month, Gartner analyst John Girard promoted the VPN solution while failing to mention the mobility problems that VPNs introduce--or the fact that VPNs will eventually give way to standard (and more interoperable) solutions that will do a better job of closing the holes left open by current wireless solutions.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2894696,00.html

----------------------------------------------------

[12] Professor's Case: Unlock Crypto

By Brad King | 02:00 AM Oct. 19, 2002 PDT

Daniel Bernstein seems intent on striking the deathblow to U.S. government regulations on cryptography.

The latest chapter in his decade-long battle began to unfold on Friday, when lawyers representing both the Department of Commerce and Bernstein, a University of Illinois associate professor of mathematics, statistics and computer science, prepared to ask federal district court judge Marilyn Hall Patel to grant a summary judgment.

At stake: the last remnants of a system that once prevented U.S. citizens from releasing software code that creates secure, electronic communications.

http://www.wired.com/news/technology/0,1282,55884,00.html

----------------------------------------------------

[13] MS patches insecurity trio

By Thomas C Greene in Washington
Posted: 19/10/2002 at 04:51 GMT

Another bundle of three security issues in Microsoft products came out this week. Among them is a nasty bug in Windows-XP Help Center allowing the deletion of entire directories, as we reported a few weeks ago. A malicious file request, the syntax of which resembles a URL, can be embedded in a Web page or an HTML e-mail.

MS rolled the fix silently into SP-1 without making a public announcement at the time. The hole was discovered by Shane Hird of Distributed Systems Technology Centre, who first reported it to MS on 25 June 2002. Now there is apparently a separate patch for the issue, and MS has come forward with the dirt. In typical fashion the company also treats the announcement with far-fetched, PR-driven stretchers and face savers, as we can see from their list of 'mitigating factors'.

http://www.theregister.co.uk/content/55/27700.html

----------------------------------------------------

[14] Report says visa process improved after terrorist attacks

From National Journal's Technology Daily

Large workloads and unchecked authority in State Department offices that issue visas may have created vulnerabilities in the system for letting visitors and immigrants into the United States, but the system has been improved, according to a report (GAO-03-132NI) released Monday.

http://207.27.3.29/dailyfed/1002/102102td1.htm

----------------------------------------------------

[15] Busting Pop-up Spam

Nuisance messaging demonstrates the boundless ingenuity of spammers. Here's how to nip it in the bud.
By Tim Mullen
Oct 20, 2002

I hate spam. I know "hate" is a strong word, but it is the truth. I think spammers should be strung up and beaten like a pinata on Cinco de Mayo and then set on fire.

I hope that aliens are not monitoring spam in order to make a value judgment as to whether or not to vaporize the earth; clearly the universe does not need a race of creatures endowed with diminutive genitalia that must refinance their house in order to afford a mail order diploma or a new satellite dish. Of course, they would spare Nigeria, as it is clearly a country populated entirely of Ministers of Something, each with 28 million dollars in the bank just waiting to be dispersed to anyone willing to give them the assistance they so urgently need.

http://online.securityfocus.com/columnists/117

----------------------------------------------------

[16] Security Concerns in Licensing Agreements, Part Two: Negotiating Security Provisions

by Steven Robinson
last updated October 21, 2002

Introduction

In the first article in this series, we looked at security concerns related to clickwrap and shrinkwrap agreements, used by vendors for mass-market licenses and service agreements. In these cases, no negotiations are involved. If you want what the vendor is selling, you are required to agree to a "one size fits all" agreement, including whatever provisions it contains, if any, that pertain to information security. This type of agreement is typical of the licensing agreements that individual users and small organizations enter into.

This article looks at a situation that is more typical for commercial users, one in which negotiations between vendors and service providers and their users concerning licensing and services agreements are commonplace and expected, and discusses why it is helpful, and usually essential, to have information security professionals participate in those negotiations.

http://online.securityfocus.com/infocus/1636

Part one:
http://online.securityfocus.com/infocus/1602

----------------------------------------------------

[17] Agencies' IT budgets on 'roller coaster,' group says

By Molly M. Peterson, National Journal's Technology Daily

The effort to create a Homeland Security Department has placed several federal agencies' information technology budgets on a "roller coaster," according to an analysis released last week by the Government Electronics and Information Technology Association (GEIA).

The Defense Department and homeland security programs are likely to be the "real winners" in the battle for discretionary dollars in the coming years, according to GEIA, which released a summary of its findings to reporters as a preview of a conference it plans to hold later this month. The study found that since many civil agencies are becoming "bill payers" for the nation's homeland security requirements, their budgets barely will keep pace with inflation.

http://207.27.3.29/dailyfed/1002/101802td1.htm

----------------------------------------------------

[18] FTC forces spammer to refund domain fees

21st October, 2002

The United States' Federal Trade Commission has forced a British entrepreneur who sold domain names that did not work to repay his proceeds to his victims.

As reported by Demys news (see: OFT domain action "too little too late" - 30th August, 2002), domain name retailer Thomas Goolnick was found to have used an aggressive unsolicited commercial mailing campaign to sell $59 alternative generic top level domains such as .usa, .brit, and .scot. However, the domains were not approved by Internet authority ICANN (Internet Corporation for Assigned Names and Numbers) and would not work unless users downloaded special software to access them. This did not stop Goolnick selling 6,000 of his domains, netting him an estimated $350,000.

http://www.demys.net/news/02_oct_21_ftc.htm

----------------------------------------------------

[19] Government security experts urge Whitehall to adopt US cryptography standards

by Cliff Saran
Monday 21 October 2002

The Government's leading IT security advisors are to recommend that Whitehall departments adopt a US cryptography standard that many commercially available security products fail to meet.

The Communications Electronics Security Group (CESG) is expected to publish a policy document later this month recommending using the US FIPS-140 cryptography standard for non-classified government applications.

http://www.cw360.com/bin/bladerunner?REQSESS=Jc622399&2149REQEVENT=&CARTI=116786&CARTT=1&CCAT=2&CCHAN=22&CFLAV=1

----------------------------------------------------

[20] Why Dotcoms Failed (and What You Can Learn From Them)

by Jamie S. Walters

Headlines are rife with the tally of dotcoms that have "dot-bombed" or are in a downward spiral, not to mention the associated financial losses and human costs. Fingers that once pointed gleefully at the stock-ticker to catch a glimpse of that day's market ascent now point in blame toward Wall Street analysts who, it seems, had conflicts of interest, weren't altogether honest in their activities and allegedly manipulated the market for personal interest (Gosh, there's a surprise!).

What seems to be lacking, at least publicly, is a careful examination of why these companies failed. And yet, out of the smoke lifting from the rubble of the former "e-bubble" we can find some valuable lessons. Review this period in time as an opportunity to learn how to improve the success rate - however you measure success - of your business or department.

http://www.refresher.com/!jswdotcom.html

----------------------------------------------------

[21] An E-Mayor for Virtual L.A. City

By Patrick Di Justo | 02:00 AM Oct. 22, 2002 PDT

When Angelenos vote Nov. 5, they'll be asked to decide whether or not to let the San Fernando Valley secede from the rest of Los Angeles. Secession would split L.A. in two, creating a new city of approximately 1.3 million people, with an annual budget over $1 billion. Internet consultant Marc Strassman, 54, wants to be mayor of that new city.

http://www.wired.com/news/politics/0,1283,55911,00.html

----------------------------------------------------

[22] A tough case to crack

How IT can -- and cannot -- aid law enforcement's search for a D.C.-area sniper
BY William Matthews
Oct. 21, 2002

Technology has received a prominent role in the hunt for a sniper who has killed nine and wounded two in a two-week spree in the Washington, D.C., metropolitan area, but even technology experts say the case is most likely to be cracked by cops, not computers.

"This is a fairly low-tech kind of crime," said Jay Siegel, a forensic science professor at Michigan State University's School of Criminal Justice. "What's going to solve this crime is old-fashioned police work. It does not require a lot of technology."

http://www.fcw.com/fcw/articles/2002/1021/news-sniper-10-21-02.asp

----------------------------------------------------
_____________________________________________________________________
The source material may be copyrighted and all rights are retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

---------------------------------------------------------------------
IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk