_________________________________________________________________
London, Friday, September 27, 2002
_________________________________________________________________
INFOCON News
_________________________________________________________________
IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body
_________________________________________________________________
----------------------------------------------------
[News Index]
----------------------------------------------------
[1] Shredding the Paper Tiger of Cyberterrorism
[2] 'T0rn' Arrest Alarms White Hats, Advocates
[3] NCS prepping 'gee-whiz' pilot
[4] VPN flaw exposes internal networks
[5] University bans "illegal" links
[6] SA Police contemplates e-crime outsourcing
[7] distributed.net completes rc5-64 project
[8] FrontPage Flaw Lets Hackers In
[9] Officials say VA computer systems better, but still vulnerable
[10] Software firms team to fight bug leaks
[11] US firms fear new privacy laws
[12] Taiwan plays down Chinese TV 'hijack'
[13] White House says all must play role in cybersecurity plan
[14] P2P foes defend hacking bill
[15] Senate may give up on homeland security bill
[16] States keep IT programs on track
[17] China implicated in Dalai Lama hack plot
_________________________________________________________________
News
_________________________________________________________________
[Rick wrote a nice anti FUD article. WEN]
'...People are afraid of cyber-attacks and cyberterrorism because they don't
understand them. Like voodoo, cyber-attacks are a mysterious and invisible
concept, and therefore must be more dangerous than something tangible like
dynamite or aviation fuel if used by an adversary. After all, how many people
really understand how their computers work? It's human nature to be afraid of
what we don't understand. In the case of our elderly Congress, I'd wager they're
plenty afraid. ...'
[1] Shredding the Paper Tiger of Cyberterrorism
Political posturing about cyberterrorism is a red herring that takes attention
away from the real issues of information security.
By Richard Forno Sep 25, 2002
Over the past several months we've seen a rise in the amount of media coverage
devoted to the concept of cyberterrorism - yet, despite the hype and hysteria,
nobody can describe exactly what constitutes an act of cyberterrorism even
though, according to a recent TechWeb article, college campuses in America are
breeding grounds for such people.
Part of the problem is that cyberterrorism has become a catch-all phrase for any
sort of illicit on-line activity; and its use (or misuse) by the media, vendors,
and government officials further muddies the waters. For example, a Google
search for the term "cyberterrorism" yields all sorts of cases in which it is
used to describe viruses, Trojans, and hacking. Security concerns to be sure,
but terrorism? Doubtful.
http://online.securityfocus.com/columnists/111
----------------------------------------------------
[It is was a bad decision to arrest creator of 'T0rn'. It will cost the
CPS (Crown Prosecution Service) a lot of money and I am virtually convinced
that they won't be able to sentence him as long as he has a good laywer.
I am waiting for the day when the police will turn up at large
InfoSec companies and arrest their staff who created vulnerability
scanners. WEN]
[2] 'T0rn' Arrest Alarms White Hats, Advocates
A raid on the alleged author of a well-known hacker toolkit is raising eyebrows
among electronic civil libertarians, and putting security researchers on guard.
By Kevin Poulsen, Sep 24 2002 1:58PM
It could almost pass as a routine computer crime case -- a year-long probe leads
Scotland Yard cybercops to a home in the upscale London suburb of Surbiton,
where they seize computer equipment and arrest a 21-year-old man under the UK's
1990 Computer Misuse Act.
But last Thursday's raid was anything but routine, because the unnamed suspect,
who has not yet been formally charged, isn't accused of cracking computers,
launching a denial of service attack or distributing a virus. Instead, the joint
Scotland Yard/FBI investigation is focused on his alleged authorship of the
"T0rnkit," a collection of custom programs that help an intruder hide their
presence on a hacked Linux machine. It's apparently the first time the UK's
national computer crime law has been used to crack down on a programmer for
writing a tool with malicious applications -- and it's a chilling development to
some security researchers and electronic civil libertarians.
http://online.securityfocus.com/news/813
----------------------------------------------------
[NCS.gov is a great agency which should serve as a model
for public private partnerships! WEN]
[3] NCS prepping 'gee-whiz' pilot
BY Dan Caterinicchia
Sept. 26, 2002 Printing? Use this version.
Email this to a friend.
The National Communications System is in the early stages of a Global Early
Warning Information System (GEWIS) pilot project in which government and
industry will examine the health and topology of the Internet.
The pilot project will assess how well critical areas of the Internet are
performing worldwide, and then use that data to notify government, industry or
U.S. allies of an impending cyberattack or possible disturbance, said Brenton
Greene, deputy manager of NCS.
http://www.fcw.com/fcw/articles/2002/0923/web-ncs-09-26-02.asp
----------------------------------------------------
[4] VPN flaw exposes internal networks
By Robert Lemos
init
September 27, 2002, 4:20 AM PT
A suspected vulnerability in Microsoft's popular virtual private networking
application discovered Thursday could, if confirmed, leave corporate intranets
open to attack, said security experts.
A security advisory posted by German security firm Phion Information
Technologies to Internet mailing lists and the company's Web site said that the
vulnerability affects the point-to-point tunneling protocol (PPTP) commonly used
in the VPN software bundled in Microsoft's Windows 2000 and XP operating systems
for servers and PCs.
http://zdnet.com.com/2100-1105-959659.html
----------------------------------------------------
[5] University bans "illegal" links
By Declan McCullagh
Special to ZDNet News
September 26, 2002, 4:00 AM PT
The University of California at San Diego has ordered a student organization to
delete hyperlinks to an alleged terrorist Web site, citing the recently enacted
USA Patriot Act.
School administrators have told the group, called the Che Cafe Collective, that
linking to a site supporting the Revolutionary Armed Forces of Colombia (FARC)
would not be permitted because it violated federal law.
http://zdnet.com.com/2100-1105-959544.html
----------------------------------------------------
[6] SA Police contemplates e-crime outsourcing
By Jeanne-Vida Douglas, ZDNet Australia
26 September 2002
The South Australian Police Department is contemplating outsourcing its
cybercrime investigations as part of a broad campaign to overcome a resource
drain in the fight against e-criminals.
Tony Rankine, Superintendent of the Serious Fraud Investigation Branch of the
South Australian Police said the move was being contemplated under the
Electronic Crime Strategy of the Police Commissioners' Conference Electronic
Crime Steering Committee.
"We are implementing a two year work plan focusing on e-crime prevention,
partnerships, education needs and present capabilities," Rankine says. "We are
looking at whether we need to outsource some of the investigation work."
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20268576,00.htm
----------------------------------------------------
[7] distributed.net completes rc5-64 project (list announcement)
september 25, 2002
RC5-64 HAS BEEN SOLVED!
On 14-Jul-2002, a relatively characterless PIII-450 in Tokyo returned the
winning key to the distributed.net keyservers. The key 0x63DE7DC154F4D03
produces the plaintext output:
The unknown message is: some things are better left unread
Unfortunately, due to breakage in scripts (dbaker's fault, naturally) on the
keymaster, this successful submission was not automatically detected. It sat
undiscovered until 12-Aug-2002. The key was immediately submitted to RSA Labs
and was verified as the winning key.
So, after 1,757 days and 58,747,597,657 work units tested the winning key was
found! While it's debatable that the duration of this project does much to
devalue the security of a 64-bit RC5 key by much, we can say with confidence
that RC5-64 is not an appropriate algorithm to use for data that will still be
sensitive in more than several years' time. On the distributed computing front,
however, the RC5-64 project clearly demonstrates the viability of long-term,
volunteer-driven, internet-based collaborative efforts. The next time someone
bemoans the public's short attention span or need for instant gratification you
should remind them what 331,252 people were able to accomplish by joining
together and working for nearly five years. distributed.net's RC5-64 project
clearly shows that even the most ambitious projects can be completed by
volunteers thanks to the combined power of the internet and distributed
computing.
http://www.distributed.net/pressroom/news-20020926.html
----------------------------------------------------
[8] FrontPage Flaw Lets Hackers In
By Dennis Fisher
A newly discovered flaw in Microsoft Corp.'s FrontPage Server Extensions gives
an attacker the ability to run any code of choice on some vulnerable Web
servers.
Microsoft issued an advisory and a patch for the problem Wednesday.
The vulnerability is in the SmartHTML Interpreter in FPSE 2000 and 2002 and
involves the way the interpreter handles requests for some Web files. The
interpreter is designed to provide support for Web forms and other dynamic Web
content.
http://www.eweek.com/article2/0,3959,558381,00.asp
----------------------------------------------------
[9] Officials say VA computer systems better, but still vulnerable
By Tanya N. Ballard
The Veterans Affairs Department continues to make incremental progress in its
effort to overhaul information technology systems, but computer security is
still a concern, government officials told House lawmakers Thursday.
An audit of VA's information technology program conducted over the last six
months found that the department has made some important strides, but has yet to
implement key information security initiatives or establish a comprehensive,
integrated agency-wide security program, according to VA Inspector General
Richard Griffin. Griffin testified before the House Veterans Affairs Committee's
Subcommittee on Oversight and Investigations.
"Our audit work continues to identify significant security vulnerabilities that
represent an unacceptable level of risk to VA operations and its mission of
providing health care and delivering benefits to the nation's veterans," Griffin
said.
http://www.govexec.com/dailyfed/0902/092602t1.htm
----------------------------------------------------
[10] Software firms team to fight bug leaks
By ComputerWire
Posted: 27/09/2002 at 09:45 GMT
A loose coalition of software developers and security companies has come
together with the aim of preventing vulnerability information being released
prematurely, Kevin Murphy writes. Yesterday, a body calling itself the
Organization for Internet Safety, announced its existence, and said it intends
to have draft guidelines published early next year.
Scott Blake, chair of OIS's communications committee, told ComputerWire the
guidelines will give security researchers and software developers
responsibilities for being discreet and taking warnings seriously respectively.
The key proposal is a 30-day waiting period between a patch release and details
of the bug being released.
http://www.theregister.co.uk/content/55/27312.html
----------------------------------------------------
[11] US firms fear new privacy laws
Thursday 26 September 2002
Privacy officers and legal experts have used this year's Privacy 2002 Conference
in Ohio, USA, to warn about how legislative actions by the US Congress, states
and local municipalities will affect systems and bottom lines.
Legislative battles are being predicted for next year in Congress and in the
states, triggered by the impending expiration of a provision of the Fair Credit
Reporting Act (FCRA) that blocks states from imposing their own data privacy
rules.
Once that exemption expires in early 2004, states will be free to set privacy
rules that exceed federal standards. The states, for instance, could limit
affiliate sharing of customer data - a serious threat to financial services
firms that often set different lines of businesses as affiliates, entities that
exist only on paper. Systems that now freely exchange information may need to be
significantly redesigned.
http://www.cw360.com/bin/bladerunner?REQSESS=gU13C600&2149REQEVENT=&CARTI=116124
&CARTT=14&CCAT=1&CCHAN=12&CFLAV=1
----------------------------------------------------
[12] Taiwan plays down Chinese TV 'hijack'
Beijing says Falun Gong uses Taiwan as a hacking base
Taiwan has cast doubt on China's allegation that members of the spiritual group
Falun Gong have hacked into the mainland's satellite television signals from the
island.
A government official, Lin Ching-chih, said the allegation that Falun Gong
members were hacking into Chinese state satellite signals from Taiwan was
"far-fetched".
http://news.bbc.co.uk/1/hi/world/asia-pacific/2280056.stm
----------------------------------------------------
[13] White House says all must play role in cybersecurity plan
By Rob Lever WASHINGTON
A White House plan unveiled Wednesday says that all Internet users have a
responsibility to secure their part of cyberspace in a long-awaited document
that drew a mixed response from experts.
The plan, created amid heightened concerns about terrorists using the Internet
to attack "critical" computer networks, notes that the US economy and national
security are "fully dependent upon information technology and the information
infrastructure."
http://www.metimes.com/2K2/issue2002-38/net/white_house_says.htm
----------------------------------------------------
[14] P2P foes defend hacking bill
11:59 Friday 27th September 2002
Declan McCullugh, CNET News.com
Supporters of a new bill set to thwart peer-to-peer piracy have hitback at
criticis, accusing them of using 'scare tactics'
Supporters of a proposed law that would permit copyright holders to assail
peer-to-peer networks angrily defended it on Thursday, saying it had been
mischaracterised by opponents.
During the first congressional hearing on the bill, repsresentive Howard Berman,
and Howard Coble, a South Carolina Republican, denounced critics' "scare
tactics" and said their proposal was a modest plan that had been carefully
crafted to reduce piracy on peer-to-peer networks.
http://news.zdnet.co.uk/story/0,,t269-s2122962,00.html
----------------------------------------------------
[15] Senate may give up on homeland security bill
By Brody Mullins, CongressDaily
With time running out before a scheduled pre-election adjournment, Majority
Leader Tom Daschle, D-S.D., hinted Thursday that he may halt debate on homeland
security legislation next week in order to move to other issues, including the
Iraq resolution and pension reform legislation.
Minutes later, Minority Whip Don Nickles, R-Okla., said Republicans would oppose
the move until GOP senators get a vote they are seeking on controversial
personnel rules for the proposed Homeland Security Department.
The Democratic and Republican procedural moves-combined with GOP plans to defeat
a pair of cloture motions Thursday and Friday-further jeopardizes the prospects
for the bill as the session draws to a close. "We are going to get a vote on our
amendment or we are not going to get a bill," Nickles threatened. Majority Whip
Harry Reid, D-Nev., responded that the Republican tactics are "only an effort to
stall" the legislation.
http://www.govexec.com/dailyfed/0902/092602cdpm2.htm
----------------------------------------------------
[16] States keep IT programs on track
BY Dibya Sarkar
Sept. 25, 2002
Rather than make across-the-board spending cuts in programs, state governments
are using alternative measures, such as dipping into "rainy day" funds and
raising taxes, to grapple with a collective $22 billion revenue shortfall.
As a consequence, many state capital investments and information technology
programs have not been impacted as greatly as expected, according to Input, a
Chantilly, Va.-based marketing and research firm that recently surveyed
officials in 50 states.
http://www.fcw.com/geb/articles/2002/0923/web-input-09-25-02.asp
----------------------------------------------------
[17] China implicated in Dalai Lama hack plot
By John Leyden
Posted: 25/09/2002 at 23:20 GMT
China has repeatedly attempted to crack into the Dalai Lama's computer network,
according to its administrators.
Over the last month there have been repeated attempts to infect systems used by
the exiled spiritual leader. This takes the form of a computer virus which
attempts to send information back to China, Jigme Tsering, manager of the
Tibetan Computer Resource Centre told AP.
The centre runs Internet services and administers the computer systems of the
spiritual leader's government-in-exile, located in Dharmsala, India.
http://www.theregister.co.uk/content/55/27291.html
----------------------------------------------------
_____________________________________________________________________
The source material may be copyrighted and all rights are
retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________
Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body
---------------------------------------------------------------------
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
