_________________________________________________________________ London, Thursday, August 22, 2002 _________________________________________________________________
INFOCON News _________________________________________________________________ IWS - The Information Warfare Site http://www.iwar.org.uk _________________________________________________________________ InfowarCon 2002: Homeland Defense and Cyber-Terrorism, Washington, DC September 4-5, 2002, optional workshops September 3 & 6. Presented by MIS Training Institute and Interpact, Inc. Proven strategies for protecting against threats to critical infrastructures and government systems. Go to: http://www.misti.com/08/iw02nl27inf.html _________________________________________________________________ ---------------------------------------------------- [News Index] ---------------------------------------------------- [1] White House Officials Debating Rules for Cyberwarfare [2] Defense agency makes progress on homeland technologies [3] Congressman: 9-11 attacks could have been detected, stopped [4] 9/11 fails to influence disaster recovery strategies - survey [5] 'Stupid' linking policies come under fire [6] Big-media Axis of Evil on the march [7] How Much Info Is Too Much Info? [8] UK e-commerce rules catch e-tailers unprepared [9] Computer Security: Hack attack [10] Alberta hackers gear up for International War Driving Day [11] CIA must collaborate more, strengthen weaknesses [12] Massive pirate CD haul seized [13] A Web-only Primer on Public-key Encryption [14] Web tracking firm, drug companies prevail in privacy lawsuit [15] Federal Web sites need to be more user-friendly [16] T-Mobile to go global with WLAN hotspots [17] Introduction to Autorooters: Crackers Working Smarter, not Harder _________________________________________________________________ News _________________________________________________________________ [Finally, they focus more on the real threat. WEN] Richard A. Clarke, head of the Office of Cyberspace Security, said the government has begun to regard nation-states rather than terrorist groups as the most dangerous threat to this country's computer security after several suspicious break-ins involving federal networks. [1] White House Officials Debating Rules for Cyberwarfare White House cybersecurity czar Richard Clarke is leading the government's efforts to create a national strategy for protecting America's critical IT infrastructure. (File Photo - The Washington Post) By Ariana Eunjung Cha and Jonathan Krim Washington Post Staff Writers Thursday, August 22, 2002; Page A02 The Bush administration is stepping up an internal debate on the rules of engagement for cyberwarfare as evidence mounts that foreign governments are surreptitiously exploring our digital infrastructure, a top official said yesterday. Richard A. Clarke, head of the Office of Cyberspace Security, said the government has begun to regard nation-states rather than terrorist groups as the most dangerous threat to this country's computer security after several suspicious break-ins involving federal networks. "There are terrorist groups that are interested. We now know that al Qaeda was interested. But the real major threat is from the information-warfare brigade or squadron of five or six countries," Clarke said in an interview with Washington Post editors and reporters. http://www.washingtonpost.com/wp-dyn/articles/A46967-2002Aug21.html ---------------------------------------------------- [2] Defense agency makes progress on homeland technologies By Molly M. Peterson, National Journal's Technology Daily PHILADELPHIA - Seven months after its launch in response to the Sept. 11 attacks, the Defense Advanced Research Project Agency's counterterrorism division has made significant progress on a wide range of unconventional homeland security technologies, a top DARPA official said Wednesday during a conference sponsored here by the Government Emerging Technologies Alliance. Those tools include bio-surveillance programs that could help spot unusual outbreaks by tracking over-the-counter medication sales, and multi-modal biometric tools that could identify terrorist suspects from a distance by focusing on "face and gait." "Gait is the way people walk, and the signature it creates," Robert Popp, deputy director of DARPA's Information Awareness Office (IAO) told high-tech professionals from the government and private sector during a panel discussion on emerging counterterrorism technologies. http://www.govexec.com/dailyfed/0802/082102td1.htm ---------------------------------------------------- [It is always easy to say that something could have been prevented once it happened. WEN] [3] Congressman: 9-11 attacks could have been detected, stopped Congressman Curt Weldon (R-PA) has stated that implementation of an interagency data mining capability and intelligence integration could have helped prevent the September 11, 2001 terrorist attacks. Developing and deploying the technology that was proposed and introduced before Congress years prior to the attack may have allowed agencies to detect the threat. The raw data of the 33 classified agency systems could be combined and provide data-fusion capabilities. The National Operations and Analysis Hub (NOAH) was proposed by Weldon two years ago and was intended to be a data mining agency to provide the intelligence community with threat profiles of terrorists, but was never established. Weldon advocates the establishment of a centralized data mining capability. http://www.computerworld.com/databasetopics/data/datamining/story/0,10801,73633, 00.html ---------------------------------------------------- [For more info on BCP see this month's NCMS InfraGard Manufacturing Industry Association Corner.Office http://trust.ncms.org/CornerOfc0702.htm WEN] [4] 9/11 fails to influence disaster recovery strategies - survey By John Leyden Posted: 20/08/2002 at 12:57 GMT Contrary to the marketing push of many security and storage firms, few users believe the events of September 11 should play a part in developing their business continuity strategies. That's the main conclusion of a survey of IT managers responsible for business continuity, which found more than half (52 per cent) believed brand and customer service should be the most important factors in developing business continuity strategies. http://www.theregister.co.uk/content/7/26753.html ---------------------------------------------------- [5] 'Stupid' linking policies come under fire 15:33 Wednesday 21st August 2002 Paul Festa, CNET News.com Web sites with policies outlawing other sites from linking to pages other than the home page are the targets of the 'Don't Link to Us' campaign Want David Sorkin to link to your Web site? Just ask him not to. Sorkin, associate professor of law at The John Marshall Law School in Chicago, Ill., is the man behind Don't Link to Us, a Web site that exists merely to flout what it terms "stupid linking policies." http://news.zdnet.co.uk/story/0,,t269-s2121149,00.html ---------------------------------------------------- [6] Big-media Axis of Evil on the march By Thomas C Greene in Washington Posted: 08/22/2002 at 06:39 EST The Recording Industry Ass. of America (RIAA) may have temporarily abandoned plans to censor Web sites available to American surfers, but they've still got their shock troops on heightened alert. Recently they've attempted to force Verizon.net to identify a customer they claim is making music files available for download. Verizon has refused, out of concern that it might expose itself to liability on privacy grounds. The RIAA has filed a second demand with the courts in Washington, DC, claiming that the customer's privacy rights are nullified by its superior copyright concerns. Apparently the presumption of innocence will be another casualty of that glorious crusade. http://www.theregus.com/content/6/26072.html ---------------------------------------------------- [7] How Much Info Is Too Much Info? Associated Press 2:05 p.m. Aug. 21, 2002 PDT WASHINGTON -- States have made significant progress in putting their court records online, allowing the public to examine criminal cases, lawsuits and divorces. However, all are struggling to develop privacy standards that keep pace with the technology, says a report released Wednesday. The Washington-based Center for Democracy and Technology said states are trying to figure out how to balance the right to access public records with the risks of putting a battered wife's address on the Internet or posting uncorroborated child abuse allegations for all to see. http://www.wired.com/news/privacy/0,1848,54683,00.html ---------------------------------------------------- [8] UK e-commerce rules catch e-tailers unprepared By Grant Hayday Special to ZDNet August 21, 2002, 7:40 AM PT UK businesses which have failed to act on new e-commerce regulations that come into force on Wednesday could find themselves open to prosecution unless they take urgent steps to change their online operations. The regulations set strict rules for UK businesses who advertise or sell goods via a Web site, mobile phone or through email. Under the new law, a Web site must (among other things): . Acknowledge receipt of an order electronically and without undue delay. . Allow simple means that allow the customer to correct errors prior to placing the order. . Highlight the languages offered for inclusion in the contract. . Explain the different technical steps required to conclude the contract. . Confirm whether the contract will be filed and how it will be accessible. http://zdnet.com.com/2100-1106-954668.html ---------------------------------------------------- [9] Computer Security: Hack attack By Tom McCann The perils of having your pc hacked.EXPERIENCE shows networking of systems helps your business become more efficient. Such increased connectivity, however, leaves you and your organisation vulnerable to security breaches. The very benefits of faster internal processes, streamlined communications and internet presence are precisely what makes your systems susceptible to attack. In today's environment no organisation which makes a commitment to using the internet as a commercial or communication tool is safe from attack, particularly with an increasingly mobile workforce. Despite today's security systems becoming ever more sophisticated it is actually getting easier for the tech-savvy to figure out a way into your internal networks. The US Computer Emergency Response Team (CERT) has reported that during the past ten years the sophistication of security attacks on systems has increased exponentially, but the required knowledge to launch an attack has, in fact, actually decreased. http://www.belfasttelegraph.co.uk/business_telegraph/access_internet/story.jsp?s tory=323963 ---------------------------------------------------- [10] Alberta hackers gear up for International War Driving Day By JACK KAPICA Globe and Mail Update Information technology managers may want to pay close attention to Red Deer, Alberta, on Aug. 31, which has been targeted by hackers for a "wardriving" day. In what is being billed as the first Alberta International Wardriving Day, hackers armed with laptop computers outfitted with wireless networking gear and global positioning systems will drive around Red Deer looking for unprotected wireless computer networks. The aim of the game - organizers are calling it a "hobby" - is to see which hacker can find the most wireless networks in one day. Also called "net stumbling," the game grew out of an earlier activity called "war dialing," popularized by the 1983 movie War Games. That involved dialing software, which was used to dial many phone numbers automatically, looking for lines that are answered by modems. http://rtnews.globetechnology.com/servlet/ArticleNews/tech/RTGAM/20020821/gtwar/ Technology/techBN ---------------------------------------------------- [11] CIA must collaborate more, strengthen weaknesses By Shane Harris PHILADELPHIA - The CIA and other intelligence agencies have little experience identifying potential terrorist targets in the United States and dealing with the threat posed by those vulnerabilities, according to Winston Wiley, the CIA's associate director of central intelligence for homeland security, who spoke Monday at a homeland security conference here. Wiley said the ability of intelligence agencies to perform "vulnerability assessments" of the country's infrastructure is the key talent missing from the proposed Homeland Security Department. While President Bush's proposal would set up a division charged with making those assessments, Wiley said that if it is going to succeed, the Homeland Security Department, the FBI and the CIA must draw more on the expertise of other agencies in this area. The Energy Department is one agency that has the experience in making these assessments, and works with other agencies and state and local governments to find threats posed to power plants, transit systems and other critical elements of the infrastructure. The FBI's National Infrastructure Protection Center and the Commerce Department's Critical Infrastructure Assurance Office also fulfill similar roles. http://www.govexec.com/dailyfed/0802/082102h1.htm ---------------------------------------------------- [12] Massive pirate CD haul seized Malaysia is also a piracy hot-spot Pirated music CDs and copying equipment worth almost $20m (?12.5m) have been seized in the Philippines in the country's latest blow against counterfeiters. The police raid on a factory, in the north of the country, also resulted in seven Indonesian and five Chinese workers being arrested. http://news.bbc.co.uk/1/hi/entertainment/music/2208380.stm ---------------------------------------------------- [13] A Web-only Primer on Public-key Encryption Public-key encryption, as noted in the profile of cryptographer Bruce Schneier, is complicated in detail but simple in outline. The article below is an outline of the principles of the most common variant of public-key cryptography, which is known as RSA, after the initials of its three inventors; a mathematically detailed explanation of RSA by the programmer Brian Raiter, understandable to anyone willing to spend a little time with paper and pencil, is available here. http://www.theatlantic.com/issues/2002/09/mann_g.htm ---------------------------------------------------- [14] Web tracking firm, drug companies prevail in privacy lawsuit Last Updated: 2002-08-21 14:24:38 -0400 (Reuters Health) By Karen Pallarito NEW YORK (Reuters Health) - A now-defunct company that tracked visits to pharmaceutical company Internet sites using "cookies" and "Web bugs" did not violate federal wiretap, computer hacking or privacy statutes, a federal court has ruled. The August 13 ruling by Judge Joseph L. Tauro of the US District Court for Massachusetts finds in favor of the Web tracking firm Pharmatrak Inc. and its pharmaceutical clients, including Pfizer Inc., Pharmacia Corp. and American Home Products. Pharmatrak went out of business shortly after the first individuals filed lawsuits against the company in Massachusetts in August 2000, said Seymour Glanzer, a senior partner with Dickstein, Shapiro & Morin in Washington, DC. Other plaintiffs filed complaints in New York, and the suits were consolidated in the Massachusetts district in June 2001. Two of the defendants in the case -- SmithKline Beecham Corp. and Glaxo Wellcome Inc. (now GlaxoSmithKline Plc) -- previously settled the charges to avoid litigation, Glanzer added. http://www.reutershealth.com/archive/2002/08/21/business/links/20020821legl002.h tml ---------------------------------------------------- [15] Federal Web sites need to be more user-friendly >From National Journal's Technology Daily In order to maximize the efficiency of electronic government, federal Web sites must tailor their design and content toward average citizens, a new report suggested Wednesday. In its review of 148 federal Web sites, the PricewaterhouseCoopers Endowment for the Business of Government-a non-profit entity funded by the consulting firm-rated the content and online services of the sites, including aspects such as user help guides, navigation aides, privacy or security policies and links to other Web pages. The report found that only 12.8 percent of federal agencies provide consumer-focused e-commerce applications on the Web; and 8.8 percent offered direct links to e-government services. The study ranked the U.S. Patent and Trademark Office No. 1 for its Web site design and content offerings. The Health and Human Services, Education and Treasury Departments, along with the Navy, rounded out the category of top ranked sites for similar reasons. http://www.govexec.com/dailyfed/0802/082102td2.htm ---------------------------------------------------- [16] T-Mobile to go global with WLAN hotspots By ComputerWire Posted: 08/22/2002 at 02:17 EST T-Mobile, the Deutsche Telekom AG wireless unit which picked up the former Mobilestar Networks Inc's US wireless hotspot network when it bought VoiceStream Wireless last year, yesterday dusted off its windfall investment, and announced plans to go global with its partners Starbucks Coffee Co and Hewlett-Packard Co. Shortly before T-Mobile paid $50.7bn to acquire VoiceStream last June, the US GSM network operator had itself paid an undisclosed sum for MobileStar, one of the pioneers of the US hotspot scene whose disappointed ambitions had driven it into receivership. http://www.theregus.com/content/5/26066.html ---------------------------------------------------- [17] Introduction to Autorooters: Crackers Working Smarter, not Harder by Matt Tanase last updated August 21, 2002 Introduction Efficiency and automation: one can argue that they are two of the most valuable by-products of any technology. There is little doubt that the electronic tools of today allow us to get more done in less time. We use software to eliminate tedious work, reduce man-hours, and sift through mounds of data in seconds. Crackers, as we know, are smart... and lazy. It should come as no surprise then that they too, have employed technology to reduce their workload. The result? A type of malicious code known as autorooters, programs designed to automatically scan and attack target computers at blistering speeds. A successful autorooter will give crackers what they want: complete control of a target machine with little effort, fast. Scanning networks for vulnerable machines, gaining unauthorized administrative access, installing backdoors, all the tricks of the trade, can all be achieved at the click of a button. In this article we'll explore the concepts behind autorooters and what can be done to defend against them. http://online.securityfocus.com/infocus/1619 ---------------------------------------------------- _____________________________________________________________________ The source material may be copyrighted and all rights are retained by the original author/publisher. Copyright 2002, IWS - The Information Warfare Site _____________________________________________________________________ Wanja Eric Naef Webmaster & Principal Researcher IWS - The Information Warfare Site <http://www.iwar.org.uk> --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk