[INFOCON] - News 10/29/02
London, Tuesday, October 29, 2002

INFOCON News

IWS - The Information Warfare Site
http://www.iwar.org.uk

To subscribe - send an email to [EMAIL PROTECTED] with subscribe infocon in the body
To unsubscribe - send an email to [EMAIL PROTECTED] with unsubscribe infocon in the body

[News Index]

[1] Of mad snipers and cyber-terrorists
[2] Government, industry debate international IT security center
[3] 'We are the worst security risk' - sys admins confess
[4] RPT-Pro-Islamic hackers gear up for cyber war-experts
[5] Reuters accused of hack attack
[6] Pentagon computers tougher for hackers
[7] Talking security
[8] Universities asked to avert student file sharing
[9] E-Commerce Patent Disputes Erupt
[10] Kournikova virus writer loses appeal and faces 150 hours' community service
[11] Report: Market forces not enough to improve security
[12] Mexico summit urges anti-piracy action
[13] Perspective: Privacy advocates lose an ally
[14] Australian team patents new firewall technology
[15] Hackers claim to have cracked new secure Xbox
[16] Army vendor team advances FCS
[17] Attack of the Mod Squads

News

[1] Of mad snipers and cyber-terrorists
By Thomas C Greene in Washington
Posted: 29/10/2002 at 01:34 GMT

Last Monday the Internet was attacked in what one Washington official described as the most sophisticated and largest assault in its history. Eight of thirteen root DNS servers got whacked simultaneously with a distributed denial of service attack.

Had the assault not been shut down in an hour, the constant interchange of e-mail spam and viruses might have been slowed; the ability of millions to BS idly with strangers in IRC might have been impeded; e-commerce orders of bulk dog food might have gone unfulfilled; and millions of teenagers might have been denied their daily downloads of porn and warez and MP3s.

None of this happened, of course. Somehow, the Internet survived.
It survived against the dire warnings of White House alarm divas Richard Clarke and Howard Schmidt. It survived against the patently faked predictions of Gartner Experts who recently conducted devastating cyber 'war games' but sleazily neglected to involve a blue team and sleazily neglected to emphasize this curious fact. Had there been people working against the Gartner pseudo attack squads, as there would be in the real world, their pseudo results would have been vastly different.

http://www.theregister.co.uk/content/55/27819.html

See also
Mock cyberwar fails to end mock civilization
http://theregister.co.uk/content/archive/26675.html

[2] Government, industry debate international IT security center
By William New, National Journal's Technology Daily

BRUSSELS, BELGIUM - U.S. and European officials and businesses on Monday debated the merits of a proposal to establish a global center for information technology security based on the center that united them in their fight against the much-anticipated Y2K computer bug.

Harris Miller, president of the Information Technology Association of America, raised the issue here at the U.S.-EU IT Security Forum. There is still no mechanism globally that allows governments on an instantaneous basis, and industry on an instantaneous basis across industries, to communicate regularly or in the case of a crisis about cyber security, he said in an interview.

Miller said that like the Y2K center, the proposed International Information Security Coordination Center could be a small and inexpensive operation. The players are in place, but the coordination center is necessary to get all the players on the same page, to get the communications network established, he said.

http://www.govexec.com/dailyfed/1002/102802tdpm2.htm

[3] 'We are the worst security risk' - sys admins confess
By John Leyden
Posted: 28/10/2002 at 12:04 GMT

More than half of all senior IT managers (58 per cent) think that their own IT departments offer the largest
[INFOCON] - The Economist: Survey - digital security
(This week's Economist has a special section on Information Security which is well worth a read as it is well researched (in comparison to the usual cybergeddon article).

P.S. I have been contacted by a Pentagon Reporter who is looking for a PsyOps expert. He is 'writing a story about possible PSYOPS should the U.S. decide to invade Iraq. The story would look at past operations, particularly Panama, and the challenge of carrying out such an operation in the teeming city of Baghdad. Would like to talk to either operators or experts in the field.' If any list member is interested please let me know. WEN)

On digital terrorism:

'... It is true that utility companies and other operators of critical infrastructure are increasingly connected to the Internet. But just because an electricity company's customers can pay their bills online, it does not necessarily follow that the company's critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with Internet technology anyhow. Even authorised users require specialist knowledge to operate them. And telecoms firms, hospitals and businesses usually have contingency plans to deal with power failures or flooding. ...'

'... Like eco-warriors, he observes, those in the security industry-be they vendors trying to boost sales, academics chasing grants, or politicians looking for bigger budgets-have a built-in incentive to overstate the risks. ...'

(Nice quote which is so true. WEN)

Senior Management Support for InfoSec

'...A second, related misperception is that security can be left to the specialists in the systems department. It cannot. It requires the co-operation and support of senior management. Deciding which assets need the most protection, and determining the appropriate balance between cost and risk, are strategic decisions that only senior management should make. ... ...
Senior executives do not understand the threats or the technologies. It seems magical to them, says Mr Charney. Worse, it's a moving target, making budgeting difficult. ...

Threats/Risk:

'... Even senior managers who are aware of the problem tend to worry about the wrong things, such as virus outbreaks and malicious hackers. They overlook the bigger problems associated with internal security, disgruntled ex-employees, network links to supposedly trustworthy customers and suppliers, theft of laptop or handheld computers and insecure wireless access points set up by employees. ...'

'... One of the biggest threats to security, however, may be technological progress itself, as organisations embrace new technologies without taking the associated risks into account. ...'

Virus:

'... Viruses are a nuisance, but the coverage they receive is disproportionate to the danger they pose. ...'

Firewalls:

'... Firewalls are no panacea, however, and may give users a false sense of security. To be effective, they must be properly configured, and must be regularly updated as new threats and vulnerabilities are discovered. ...'

IDS:

'... Compared with anti-virus software and firewalls, detection is a relatively immature technology, and many people believe it is more trouble than it is worth. The difficulty is tuning an IDS correctly, so that it spots mischievous behaviour reliably without sounding too many false alarms. ...'

MS:

'... Microsoft's policy of tight integration between its products, which both enhances ease of use and discourages the use of rival software makers' products, also conflicts with the need for security. ...'

'... The Windows operating system is the largest piece of software ever written, so implementing security retrospectively is a daunting task. ...'

Human Element of Security:

'... If correctly handled, a management-based, rather than a solely technology-based, approach to security can be highly cost-effective. ...'

'...
But there are other, more subtle ways in which management and security interact. More than anything else, information security is about work flow, says Ross Anderson of Cambridge University's Computer Laboratory. The way to improve security, he says, is to think about people and processes rather than to buy a shiny new box. ...'

Biometrics:

'...The first is that the technology is not as secure as its proponents claim. ...'

'... The second and more important problem is that biometric technology, even when it works, strengthens only one link in the security chain. ...'

'... In short, biometrics are no panacea. The additional security they provide rarely justifies the cost. ...'

Bottom Line:

'... Security, in sum, depends on balancing cost and risk through the appropriate use of both technology and policy. The tricky part is defining what appropriate means in a particular context. It will always be a balancing act. Too little can be dangerous and costly-but so can too much. ...'
[INFOCON] - OCIPEP DAILY BRIEF Number: DOB02-175 Date: 29 October 2002
OCIPEP DAILY BRIEF
Number: DOB02-175
Date: 29 October 2002
http://www.ocipep.gc.ca/DOB/DOB02-175_e.html

NEWS

New act to make Ontario's drinking water safe

New legislation aimed at ensuring Ontario has cleaner, safer drinking water will be unveiled by Ontario Premier Ernie Eves today. The Safe Drinking Water Act will look to impose rigorous standards for operators dealing with treatment, testing and distribution of Ontario's drinking water. Justice Dennis O'Connor recommended the creation of the new act following his inquiry into the Walkerton E. coli tragedy that killed seven and sickened 2,300 people in the spring of 2000. (Source: thestar.com, 29 October 2002)

OCIPEP Comment: As reported in OCIPEP Daily Brief DOB02-154, released 27 September 2002, a report released by the Environmental Commissioner of Ontario (ECO) was critical of Ontario's response to water treatment and security.

Proposal for global IT security centre

On Monday, members of the U.S. - E.U. Information Technology Security Forum discussed the establishment of the International Security Coordination Center, a global centre for IT security, which would be based on the centre that was created to deal with Y2K-related events. The centre would allow industry and governments to communicate regularly on issues pertaining to cyber security and to react quickly during a crisis. (Source: GovExec.com, 28 October 2002)

OCIPEP Comment: As part of their eEurope 2005 program, the European Commission is expected to announce a European cybersecurity task force that will function as a response centre. The centre is to be operational by the end of 2003. Other potential actions concerning strengthening IT security include enhancing the widespread use of smartcards by the end of 2004 and developing a European Virus Alert System by the end of 2003.
To see the European Commission recommendations on eSecurity, go to: http://europa.eu.int/information_society/newsroom/documents/catalogue_en.pdf. The eEurope 2005 actions can be found on page 16 of the PDF file.

IT security a corporate priority: Report

META Group, Inc., an IT consulting service, recently announced its findings pertaining to IT security spending in the year ahead. These findings were extracted from its 2003 Worldwide IT Benchmark Report, an annual survey of technology trends and economics. According to the study, despite META Group's predicted near 5 percent decrease in overall corporate IT spending in 2003, Chief Information Officers (CIOs) have incrementally increased investments in security, a trend set in motion even before 11 September 2001. The report forecasts that spending on IT security and business continuity will be almost evenly split [among] infrastructure, business continuity, and information security. It goes on to state that, despite current economic conditions and smaller budgets, developing a comprehensive security and privacy architecture has become the focus for virtually all public-sector CIOs, even though most of their non-IT colleagues do not share the same sense of urgency. (Source: itWorldCanada.com, 28 October 2002)

OCIPEP Comment: To obtain a copy of the report, go to: http://www.metagroup.com/cgi-bin/inetcgi/commerce/productDetails.jsp?oid=33569

IN BRIEF

Australia's foreign minister warns Canada about terrorism

After meeting with Foreign Affairs Minister Bill Graham on Monday, Australia's foreign minister, Alexander Downer, warned that Canada should remain vigilant at all times against terrorist attacks. He voiced that no country is safe from terrorism and that the recent deadly attacks in Bali, Indonesia, should be a lesson to all countries, including Canada.
(Source: thestar.com, 28 October 2002)

Reuters accused of hacking

Reports indicate that Swedish software company Intentia will file criminal charges against the Reuters news agency for allegedly hacking into the company's computer system to retrieve financial data that had not yet been publicly released. Reuters reportedly published information on Intentia's third quarter profits just minutes before it was issued by the company. (Source: ZD Net Australia, 29 October 2002)

Pro-Islamic hackers ready for cyber war: Experts

The number of politically motivated computer attacks has risen sharply this month, according to British security firm mi2g. Hacking groups sympathetic to Islamic interests have increased their activities, which are primarily directed at computer systems in the U.S., U.K., India and Israel. (Source: REUTERS.com, 29 October 2002)

CYBER UPDATES

See: What's New for the latest Alerts, Advisories and Information Products

Threats

Central Command reports on VBS/WhyHoPo, which is a Visual Basic Script that copies itself to multiple directory locations when it is run.
[INFOCON] - (MIL) USAF Transforming Our Air and Space Capabilities
(Interesting speech by the secretary of the USAF. It looks at how the USAF is changing and stresses the importance of 'Space Dominance'. WEN)

'... While the war on terror presents unprecedented challenges, the future has never been brighter for airmen. We are entering a new age of air and space power. There is now a growing consensus as a result of our successes in Iraq, the Balkans and Afghanistan that air and space capabilities can dramatically assist our joint forces to achieve victory swiftly and decisively regardless of distance or of terrain or of adversary. While we've been very successful in the past decade, our potential adversaries have come to accept our overwhelming military strength and as a result have grown increasingly less willing to engage our forces directly. We face a new reality. One in which our traditional defenses - deterrence and the protective barriers afforded by friendly neighbors and two large oceans may be of limited effect. This new reality highlights the absolute necessity of transforming our air and space capabilities. ...'

'... Today's force in many ways is a transition force. Our legacy aircraft systems were built with specialized roles and they were very good. We have limited networking, limited all-weather delivery and limited stand off and our sensors are only partially integrated. ...'

'... We are developing a range of systems that fulfill these objectives, from multi-mission command-and-control aircraft, smart tankers, an entire generation of unmanned vehicles, including Global Hawks, UCAVs (unmanned combat aerial vehicles), armed scout Predators and shortly, hunter-killer UAVs (unmanned aerial vehicles). We are also developing a small diameter bomb and the airborne laser, to name just a few. ...'

'...
We are developing a range of systems that fulfill these objectives, from multi-mission command-and-control aircraft, smart tankers, an entire generation of unmanned vehicles, including Global Hawks, UCAVs (unmanned combat aerial vehicles), armed scout Predators and shortly, hunter-killer UAVs (unmanned aerial vehicles). ...'

* Space Dominance:

'... We also realize that soon will come a time when space systems will grow beyond their traditional role as force enhancers and then will play a more active role in preventing, fighting and winning wars. Our adversaries have noted the advantages we have gained from space, and given the total interdependence we see in air and space power, we cannot risk the loss of space superiority. We must and will continue our efforts to protect our space assets and prepare ourselves to counter any enemy's space assets. ...'

'... While space capabilities have been an essential contributor in recent operations, we must modernize to maintain our war fighting advantage. In the early stages of space age, most capabilities were used by a limited group of users and they were highly classified. The current space regime is decidedly different. The forms and distinctions between black programs, white space, military, civil and commercial are growing increasingly blurred and we must ensure our space architectures remain capable of supporting our military missions as well as our civil users who rely on them for the swift flow of information and commercial applications. ...'

Transforming Our Air and Space Capabilities

Dr. James G. Roche, Secretary of the Air Force
Remarks to the Air Force Association National Convention luncheon, Washington, D.C., Sept. 18, 2002

First, let me say hello. I recognize that between the end of this whole thing and you only stand me, so I will try to make this mercifully brief.

I would like to say thank you to some of my predecessors, Secretary (Robert C.) Seamans (Jr.), Secretary (John L.)
McLucas, Secretary Whit Peters and Secretary Pete Aldridge. Thank you for being here. You make me feel like the PhD student who has to defend his thesis in front of people who know what they are talking about, which is usually what I don't have to do. You make it very tough.

Thank you, Tom, for that gracious if incomplete introduction. For those of you who don't know, Tom only told you what I do as a sideline. My real job, as many of you AFA aficionados realize is the holder of the Thomas McKee Chair of Pro Bono Public Speaking. I do believe that I am the only person he's talked into speaking at more AFA events. There is only one person he's done it more to, and that is the individual who is currently occupying the Air Force Association Chair in Oratorical Arts and Aircraft Designation, Gen. John Jumper.

I want to salute you and your great team at the Air Force Association for putting together a wonderful program this week. You've had a chance to discuss many of the issues we are working on in the Air Force today, to celebrate the achievements of our best and brightest and to admire the great rhetorical skills and taxonomic creativity of our chief of