_________________________________________________________________ London, Friday, December 20, 2002 _________________________________________________________________
INFOCON News _________________________________________________________________ IWS - The Information Warfare Site http://www.iwar.org.uk _________________________________________________________________ --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- _________________________________________________________________ ---------------------------------------------------- [News Index] ---------------------------------------------------- [1] Terrorists on the Net? Who Cares? [2] Sklyarov reflects on DMCA case [3] Student gets merit award for school computer hack [4] Welsh Web designer pleads guilty to virus creation [5] Report criticizes administration's e-gov efforts [6] Q&A: Does the U.S. government have an open-source security plan? [7] Air combat C2 made easier [8] Malaysian Police Hunt Internet Scaremonger [9] Computer crime center opens [10] Feds Delay Launch of Cyber-Security Plan [11] E-card virus warning for Christmas [12] Sounding the alarm on video game ratings [13] Security flaw threatens Cisco website [14] Microsoft Baseline Security Analyzer V1.1 [15] Computer glitch causes £7m insurance error [16] German ISPs must block US Nazi sites [17] Air Force personnel misused government cards [18] Audio files figure in latest Microsoft vulnerability [19] Allbaugh leaving FEMA in March _________________________________________________________________ CURRENT THREAT LEVELS _________________________________________________________________ Electricity Sector Physical: Elevated (Yellow) Electricity Sector Cyber: Elevated (Yellow) Homeland Security Elevated (Yellow) DOE Security Condition: 3, modified NRC Security Level: III (Yellow) (3 of 5) _________________________________________________________________ News _________________________________________________________________ (See next email for comments. WEN) [1] Terrorists on the Net? Who Cares? By Noah Shachtman | Also by this reporter Page 1 of 1 02:00 AM Dec. 20, 2002 PT To all those Chicken Littles clucking frantically about the imminent threat of a terrorist attack on U.S. computer networks, a new report says: Knock it off. Online attacks are merely "weapons of mass annoyance," no more harmful than the routine power failures, airplane delays and dropped phone calls that take place every day. "The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously," said Jim Lewis, a 16-year veteran of the State and Commerce Departments. He compiled the analysis for the Center for Strategic and International Studies. http://www.wired.com/news/infostructure/0,1377,56935,00.html ---------------------------------------------------- [2] Sklyarov reflects on DMCA case 14:24 Friday 20th December 2002 Lisa M. Bowman, CNET News.com The Russian software programmer talks about life after his arrest and how controversial copyright laws are affecting programmers Russian programmer Dmitry Sklyarov thinks it was unfair of prosecutors to play his videotaped deposition at the ElcomSoft trial rather than calling him to the stand. But after a legal saga that's included a surprise arrest outside his Las Vegas hotel room, three weeks in jail, and visa tangles that almost prevented him from coming back to the US for trial, Sklyarov has decided not to worry about situations over which he has no control. "During my life I'm trying not to spend too much time trying to find what means for me things I cannot change," Sklyarov, 27, said in his first interview since testifying in the criminal copyright case of ElcomSoft, his employer. http://news.zdnet.co.uk/story/0,,t269-s2127886,00.html ---------------------------------------------------- [3] Student gets merit award for school computer hack By John Leyden Posted: 20/12/2002 at 13:06 GMT High school student Reid Ellison did exactly the opposite of what most students would do when he hacked into his school computer records - he marked his grades down. The bright 15-year old changed his grades at Anzar High School in San Juan Bautista, California from a A to a D+. However, Reid didn't get into trouble for his actions. Far from it. The intrusion was sanctioned by his school as part of his coursework and his success in breaking into the school's systems earned him a perfect score in the unconventional project. Reid's task of hacking into the network was greatly simplified by the weak password the school used - Silvia, the name of the school's secretary. http://www.theregister.co.uk/content/55/28658.html ---------------------------------------------------- [4] Welsh Web designer pleads guilty to virus creation By John Leyden Posted: 20/12/2002 at 13:36 GMT A 21-old Welsh Web designer has pleaded guilty to creating and distributing three mass mailer viruses, in a hearing at Bow Street Magistrates Court this morning. Simon Vallor, of Llandudno, North Wales, admitted offences under section three of the Computer Misuse Act 1990 in creating the Gokar, Redesi and Admirer mass mailing viruses. http://www.theregister.co.uk/content/55/28659.html ---------------------------------------------------- [5] Report criticizes administration's e-gov efforts By Maureen Sirhal, National Journal's Technology Daily A governmental oversight agency on Thursday criticized the Bush administration for its initiatives designed to migrate government services online, saying that the Office of Management and Budget chose to implement various projects without establishing a clear strategy or business plan. The General Accounting Office said the 24 e-government projects lack key accountability measures to ensure that the programs are implemented efficiently. Senate Governmental Affairs Committee Chairman Joseph Lieberman, D-Conn., released the study (GAO-03-229). OMB embarked upon the 24 initiatives in August 2001 without developing comprehensive cost-benefit assessments for each project, the report said. GAO added that OMB lacked necessary information to adequately measure and monitor implementation of the projects. http://www.govexec.com/dailyfed/1202/121902td1.htm ---------------------------------------------------- [6] Q&A: Does the U.S. government have an open-source security plan? An interview with the White House Office of Cyberspace Security's Marc Sachs Dec 11, 2002 Summary Robert McMillan talks to Marc Sachs of the White House Cyberspace Security Office about the current and future role of open-source technologies in U.S. government departments. (2,200 words) By Robert McMillan LinuxWorld) — Is there room for open source in the U.S. government's forthcoming cybersecurity plan? A recent draft of the plan, which will eventually outline the government's computer-security strategy, mentioned open-source software only once. But in the last few months, Congressman Adam Smith (D-Wash.) has been lobbying to have the plan explicitly reject the use of the GPL, and he has circulated a letter around Washington calling for the authors of the plan to do just that on the grounds that the GPL license is bad for computer security. http://www.linuxworld.com/site-stories/2002/1211.sachs.html ---------------------------------------------------- [7] Air combat C2 made easier BY Dan Caterinicchia Dec. 20, 2002 The migration from a Unix server environment to one that is more PC- and Web-based is one of the main enhancements in the latest version of the military's main command and control (C2) system for air warfare. The Defense Department's Joint Configuration Management Board (JCMB) last month designated the Theater Battle Management Core Systems as the "system of record," said Darcy Norton, TBMCS program manager at the Air Force's Electronic Systems Center, Hanscom Air Force Base, Mass. That means TBMCS is now authorized as the official system to be used by all of the DOD's combatant commanders conducting air operations. In its latest point in the spiral development process, TBMCS Spiral 1.1.1 is easier for military personnel to use, thanks to a greater Web-enabling of the system, Norton said. Lockheed Martin Corp. is developing TBMCS under a six-year, $375 million contract. http://www.fcw.com/fcw/articles/2002/1216/web-airops-12-20-02.asp ---------------------------------------------------- [8] Malaysian Police Hunt Internet Scaremonger Thu December 19, 2002 03:38 AM ET KUALA LUMPUR (Reuters) - Malaysian police hunted for the author of an email on Thursday that claimed tourist spots, shopping malls and nightclubs were on a list of targets for terror bombings. Six women and one man were arrested and freed on bail in connection with the email, which claimed that Kuala Lumpur's famed Petronas Twin Towers, the world's tallest buildings, were on the target list. "We are determined to get to the origins of this email," Kuala Lumpur's Deputy Chief of Police Ahmad Bahrin Idrus told reporters. The email said the Philippine government was tipped off to the threats against Malaysian tourist destinations. Written by someone identified only as Jeremy, the message said Malaysia was covering up the security scare. http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=19330 86 ---------------------------------------------------- [9] Computer crime center opens FBI director Mueller on hand to open 'model' facility to fight cybercrime By CLIF LeBLANC Staff Writer The state's new computer- crime center signals greater cooperation between federal and state police, which is key to the future of the FBI, its director said Tuesday. Robert Mueller helped officially open the S.C. Computer Crime Center at a St. Andrews area office building. The $5.6 million center, where more than a dozen state and federal agents will use the latest technology, is the nation's first statewide cybercrime lab. It also will be used to fight terrorism. "I see this as a model here in South Carolina -- not only in the cyber arena but as a model for law enforcement across the country," Mueller said. "The future of the FBI will be successful only to the extent that we are successful in establishing close and abiding relationships with our law enforcement counterparts," Mueller said. "If we cannot work together, we will fail." http://www.thestate.com/mld/thestate/news/local/4763628.htm ---------------------------------------------------- [10] Feds Delay Launch of Cyber-Security Plan By Dennis Fisher The White House's cyber-security arm will not release the next draft of its National Strategy to Secure Cyberspace by the end of the year, as it had originally planned. The President's Critical Infrastructure Protection Board, which produced the strategy, is still going over the comments submitted this fall on the original draft. No specific date has been set for the release of the next version of the document. "We're hoping to get it out there soon," said Tiffany Olson, deputy chief of staff at the PCIPB in Washington. "There's no timetable, but it'll be early next year." The board released the first draft of the strategy in September, and the public comment period lasted until mid-November. A number of security vendors and other software and hardware vendors submitted comments. Olson said the board now is working to find a way to release all of the comments it received without identifying their authors. http://www.eweek.com/article2/0,3959,795411,00.asp ---------------------------------------------------- [11] E-card virus warning for Christmas By Lyndsey Steven CNN Thursday, December 19, 2002 Posted: 10:51 AM EST (1551 GMT) Safe surfing: A virus could ruin your Christmas LONDON (CNN) -- Sophisticated computer viruses are hiding behind some Christmas e-cards, wrecking the season of goodwill, analysts warn. Thousands of European companies fall prey to viruses every month, and this figure is rising as more employees send Christmas cards through cyberspace. A new virus called Yaha was identified by London-based watchdog Message Labs on December 13. Meanwhile new versions of the existing Trojan, Bride B and Happy 99 viruses are also spreading in the Christmas boom http://www.cnn.com/2002/TECH/12/17/ecard.virus/index.html ---------------------------------------------------- [12] Sounding the alarm on video game ratings By Brad Wright CNN Friday, December 20, 2002 Posted: 9:25 AM EST (1425 GMT) WASHINGTON (CNN) -- Members of Congress and watchdog groups are again sounding the alarm over the sexual and violent nature of some video games that are falling into the hands of children even though they are intended for adults. Although critics agree that the majority of video games have little or no objectionable violent or sexual content, those that do, they say, have gone far beyond the pale. http://www.cnn.com/2002/TECH/fun.games/12/19/games.ratings/index.html ---------------------------------------------------- [13] Security flaw threatens Cisco website Oops... By Patrick Gray A cross-site scripting (XSS) vulnerability has been discovered in the cisco.com website. Securiteam.com, an online security portal, issued an advisory which said: "The vulnerability would allow attackers to cause users to view third-party malicious JavaScript or HTML code as if it were the legitimate content offered by Cisco." XSS vulnerabilities are at their most serious when user log-ins are involved. They may in some circumstances make it possible for an attacker to "steal" a user's session information, potentially allowing them to login as the victim user. http://www.silicon.com/bin/bladerunner?30REQEVENT=&REQAUTH=21046&14001RE QSUB=REQINT1=56881 ---------------------------------------------------- [14] Microsoft Baseline Security Analyzer V1.1 by Mike Fahland and Eric Schultze last updated December 19, 2002 Earlier this month, Microsoft released version 1.1 of the Microsoft Baseline Security Analyzer (MBSA). MBSA is the first product deliverable from the recently formed Microsoft Security Business Unit (SBU), a key division within Microsoft's Trustworthy Computing Initiative. MBSA 1.0, originally released as a response to the Code Red and Nimda worms, is a multi-threaded security scanner that analyzes an individual computer or a group of computers for missing security patches and other common security misconfigurations. Craig Fiebig, General Manager of SBU Product Marketing, said that "MBSA v1.1 simplifies desktop and server security vulnerability assessment, delivering another step on the path to Trustworthy Computing." The 1.1 release of MBSA provides bug fixes and enhancements to the original scanner as well as replacing Microsoft's command line hotfix scanner, HFNetChk, by exposing full HFNetChk functionality via the MBSA command line interface. Below we will discuss some of the new features of the 1.1 release, highlighting some of the technical aspects that are not covered elsewhere. Microsoft documentation, including links to the product download, FAQ, and technical whitepaper, are available at the Microsoft MBSA Web site. It should be noted that MBSA was developed for Microsoft by Shavlik Technologies LLC by whom the authors of this paper are employed. http://online.securityfocus.com/infocus/1649 ---------------------------------------------------- [15] Computer glitch causes £7m insurance error By Andy McCue [17-12-2002] 100,000 Norwich Union policy holders affected An error caused partly by the computer systems of insurance company Norwich Union has left 100,000 of its customers owed £7m on their investments. During an upgrade of its unit-linked pricing systems in September this year, Norwich Union found that approximately three per cent of its three million policy holders were entitled to additional units to their funds. http://www.vnunet.com/News/1137637 ---------------------------------------------------- [16] German ISPs must block US Nazi sites By Nick Farrell [20-12-2002] North Rhine-Westphalia wins court ruling over offensive material A German state has ordered internet service providers (ISPs) to block two US neo-Nazi websites. According to Associated Press, the order follows months of legal wrangling between North Rhine-Westphalia government and 18 ISPs in the state, which claimed that they could not be held responsible for the sites' content. http://www.vnunet.com/News/1137718 ---------------------------------------------------- [17] Air Force personnel misused government cards LARRY MARGASAK Associated Press WASHINGTON - The Army and Navy have been pilloried for abuse of government credit cards. Now it's the Air Force's turn. Air Force plastic was used for cruises, gambling, adult clubs, Dallas Cowboys football games, a down payment on a sapphire ring and a general's Las Vegas casino party. And for a mounted deer head at the Air Force Academy. Officials there said the $375 charge for taxidermy services allowed the roadkill victim to be used in educational programs. The General Accounting Office, Congress' investigative agency, said in findings obtained Thursday that Air Force personnel who abused their credit cards often were not disciplined - although officials are now cracking down. http://www.macon.com/mld/macon/news/politics/4777832.htm ---------------------------------------------------- [18] Audio files figure in latest Microsoft vulnerability By Laura Rohde, IDG News Service DECEMBER 19, 2002 Content Type: Story Source: IDG News Service Two security alerts were issued yesterday concerning vulnerabilities in Nullsoft Inc.'s Winamp music player and Microsoft Corp.'s Windows XP operating system that can be exploited using corrupt audio files. The flaws allow MP3 or Windows Media Audio (WMA) files containing malicious code to be introduced into a user's PC, allowing an attacker to run damaging code on that machine, according to security company Foundstone Inc. in Mission Viejo, Calif. The corrupt files would sound identical to unmodified music files, the company said. http://www.computerworld.com/securitytopics/security/holes/story/0,10801 ,76935,00.html ---------------------------------------------------- [19] Allbaugh leaving FEMA in March BY Megan Lisagor Dec. 17, 2002 Joe Allbaugh, director of the Federal Emergency Management Agency, has announced he will leave FEMA March 1 -- after helping the agency make its transition to the new Homeland Security Department. A FEMA news release Dec. 14 said that Allbaugh plans to pursue opportunities in the private sector. The Associated Press further noted that Allbaugh likely would become a key adviser in President Bush's re-election effort. He served as Bush's national campaign manager in 2000, and was chief of staff for then-Gov. Bush in Texas from 1995 to 2000. http://www.fcw.com/fcw/articles/2002/1216/web-fema-12-17-02.asp ---------------------------------------------------- _____________________________________________________________________ The source material may be copyrighted and all rights are retained by the original author/publisher. Copyright 2002, IWS - The Information Warfare Site _____________________________________________________________________ ------------------------------------------------------------------------ ‘Information is the currency of victory on the battlefield.’ GEN Gordon Sullivan, CSA (1993) ------------------------------------------------------------------------ Wanja Eric Naef Principal Researcher IWS - The Information Warfare Site http://www.iwar.org.uk ------------------------------------------------------------------------ Join the IWS Infocon Mailing List @ http://www.iwar.org.uk/general/mailinglist.htm ------------------------------------------------------------------------ To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk