_________________________________________________________________

                      London, Monday, 07 October 2002
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________


---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body

---------------------------------------------------------------------

    _________________________________________________________________

    
          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] Q&A: Security expert says cyberterrorism is exaggerated
[2] Facing facts
[3] Life after dotcom death
[4] Security patch award due soon
[5] Busboy admits stealing personal data of rich and famous

[6] Defense agency launches back into space research arena
[7] FBI sting snares top Russian crackers
[8] Security Tools Go Mobile
[9] Run-Up to Sydney WTO Meet Sparks Internet Clash
[10] Commerzbank may sue Merrill over email

[11] Internet creaks after huge network crash
[12] Ex-Coast Guard commander sees 'dangerously unprotected' ports
[13] Hackware Author Arrested -- Maybe
[14] Experts fear that computers are terrorism's next target
[15] Opasoft worm threatens Windows systems

[16] Army awards secure phones BPA
[17] Assessing Internet Security Risk, Part Four: Custom Web
Applications

    _________________________________________________________________

                                News
    _________________________________________________________________


(A must read as it is a really good interview and at least Schneier
knows his stuff. Whilst some scaremonger companies mention the
Australian sewage attack as an example of a critical infrastructure
attack, reality looks quite different (pity Schneier did not expand on
this). Vitek Boden, the culprit, worked for Hunter Watertech, a company
which 'specialises in the design, manufacture and installation of SCADA,
telemetry and communications systems for process control and monitoring
applications'. Hunter Watertech installed SCADA systems for the Maroochy
Shire Council's sewage systems. After 'leaving' Watertech, Boden applied
for a position with the council and he got rejected. He wanted to 'pay
them back'. So he stole some radio equipment and drove around opening
waste dumps (at least 46 times). Bottom line: the attack was launched by
an insider, the Internet was not involved, and the impact of the attacks
was not great as more waste gets spilled by error ... Nevertheless some
FUD Infosec companies want to make you believe that it was a
Cyberterrorist attack in order to sell their products & services. WEN)

Bruce Schneier:

... I don't think we have seen cyberterrorism and I don't think we are
going to see it for a couple of decades. It is still more complicated to
use technology for (terrorist gain). The closest thing that we have had
is in Australia where someone hacked into a system and dumped sewage out
into a bay. If you look at what he did, it took him dozens of attempts,
he barely made it work, and it didn't do that much damage. That is not
terrorism. ...

... A network going down is not terrorism ...

... This whole electronic Pearl Harbor, where people might die, I think
it is really overblown. ...

... We can invent hypothetical scenarios but they are not realistic.
There is a lot of bad stuff going on, but I don't see terrorism on
computers. I just don't. ...

... Microsoft certainly produces lousy software but everyone else does
also. ...

[1] Q&A: Security expert says cyberterrorism is exaggerated

By Chris Conrath, ComputerWorld Canada
OCTOBER 02, 2002

Bruce Schneier, designer of the popular Blowfish encryption algorithm,
CTO of Counterpane Internet Security Inc. and renowned security expert,
spoke with Computerworld Canada during his recent visit to Toronto. 
What follows are some excerpts from those discussions: 

Q: Do companies care more about computer security since 9/11? 

A: We have not learned from the attacks, but do not be too surprised. It
is true for all of society. Why should IT be different? Companies should
not care any more now than they did before. They should have cared
before and they should care now. But are they caring enough? No, of
course not. 

http://www.computerworld.com/securitytopics/security/story/0,10801,74791,00.html

More:

Testimony and Statement for the Record of Bruce Schneier 
Chief Technical Officer, Counterpane Internet Security, Inc. 

Hearing on Internet Security before the Subcommittee on Science,
Technology, and Space of the Committee on Commerce, Science and
Transportation 

United States Senate, July 16, 2001, 253 Russell Senate Office Building 

http://www.iwar.org.uk/comsec/resources/schneier/commerce-testimony.htm 

         ----------------------------------------------------

[2] Facing facts
Biometrics, seen as a future cornerstone of security, proves more
difficult than feds anticipated
BY William Matthews 
Oct. 7, 2002 

A facial-recognition system tested at a Palm Beach, Fla., airport last
spring failed to match airport employees with their digital photos 53
percent of the time. Legislation to require the states to adopt
standardized driver's licenses with biometric identifiers has stalled.
As of now, there are no biometric "trusted traveler" cards to whisk
registered travelers through airports. 

The Defense Department is issuing 4 million new smart identification
cards - all without digital fingerprints, iris scans or other biometric
identifiers. The State Department's new high-tech ID cards being
distributed this month also lack biometrics.

http://www.fcw.com/fcw/articles/2002/1007/cov-bio-10-07-02.asp 

Not ready for prime time? 
http://www.fcw.com/fcw/articles/2002/1007/fcw-edit-10-07-02.asp

Hands-on lawmaking
http://www.fcw.com/fcw/articles/2002/1007/cov-bio1-10-07-02.asp 

         ----------------------------------------------------

[3] Life after dotcom death

Oct 3rd 2002 | SAN FRANCISCO 
From The Economist print edition

If you think B2B marketplaces are dead, read on

REMEMBER Chemdex, the Silicon Valley start-up that led the craze
surrounding business-to-business (B2B) marketplaces? After gaining
almost 70% in its first day of public trading and reaching a market
capitalisation of $11 billion early in 2000, within a year it had shut
down its exchanges and started a second life as a B2B software company.
In August 2001, it bought NexPrise, a software start-up, whose identity
it has now assumed.

Most of the hundreds of B2B marketplaces that sprang up in the late
1990s failed to raise enough capital for a makeover and so simply
closed. But contrary to conventional wisdom, not all of these exchanges
are doomed. One of them, DoveBid, had even hoped to become the first
initial public offering in America since July, though this week it
pulled its plans indefinitely. Although the firm is losing money
($265,000 on revenues of $27.5m in the quarter ending in June), it may
yet revive its planned sale and even prove, at least in the long term, a
good investment. That is primarily because, unlike most dotcoms, it runs
on a healthy mix of old and new economy.

http://www.economist.com/business/displayStory.cfm?story_id=1367820 


         ----------------------------------------------------

[4] Security patch award due soon
BY Diane Frank 
Oct. 3, 2002 

Government agencies soon should be able to tap a free service that will
ensure that they get the right security patches to plug holes in their
software.

The General Services Administration's Federal Computer Incident Response
Center this week expects to award its patch dissemination service, said
Sallie McDonald, assistant commissioner for information assurance and
critical infrastructure protection at GSA's Federal Technology Service. 

http://www.fcw.com/fcw/articles/2002/0930/web-patch-10-03-02.asp 

         ----------------------------------------------------

[5] Busboy admits stealing personal data of rich and famous

NEW YORK (Reuters) - A 32-year-old restaurant busboy pleaded guilty
Thursday to pilfering personal and financial data belonging to America's
rich and famous - including billionaire investor Warren Buffett - in
what authorities believe is the largest identity theft in Internet
history.


Abraham Abdallah, a high-school dropout, entered his guilty plea in
response to a 12-count indictment charging him with wire, mail and
credit card fraud, identity theft and conspiracy.

http://www.usatoday.com/tech/news/2002-10-03-net-heist_x.htm 
         ----------------------------------------------------

[6] Defense agency launches back into space research arena
By Molly M. Peterson, National Journal's Technology Daily 

The Pentagon's Defense Advanced Research Projects Agency (DARPA) is
using its growing budget to shift its focus back to long-term, high-risk
projects, many of which are based in space, DARPA Director Anthony
Tether said Friday.

Speaking to reporters at a breakfast sponsored by New Technology Week,
Tether said the Bush administration has instructed him to transform
DARPA, which played a central role in creating the Internet, "back to
the way it was when it was a swashbuckling agency, constantly getting
the director in trouble, and almost getting him fired."

"I almost got fired yesterday," Tether said with a chuckle. He declined
to elaborate.

http://www.govexec.com/dailyfed/1002/100402td1.htm 

         ----------------------------------------------------

[7] FBI sting snares top Russian crackers
By John Leyden
Posted: 07/10/2002 at 11:05 GMT


A Russian cracker, tricked by the FBI into visiting the US on the
pretext of a job interview, has been sentenced to three years in jail. 

Vasiliy Gorshkov, 27, was also ordered to pay $690,000 in compensation
for his crimes by Federal District Court Judge John Coughenour, who took
his family's medical and financial problems into account in sentencing
the Russian to serve far less time than the 16 years demanded by
prosecutors. 

Last October, Gorshkov was convicted of 20 counts of conspiracy, various
computer crimes, and fraud against online banks and e-commerce
operations. His co-accused, Alexey Ivanov, 20, pleaded guilty in August
to similar charges along with five counts of extortion, Reuters reports.
He is currently in custody, awaiting sentencing.

http://www.theregister.co.uk/content/55/27463.html 

Russian hacker sentenced to 3 years in prison
http://www.modbee.com/24hour/technology/story/562860p-4430289c.html 

Russian hacker gets 3-year sentence
http://news.zdnet.co.uk/story/0,,t278-s2123414,00.html 

FBI tricks hacker into jail 
http://www.vnunet.com/News/1135691 

         ----------------------------------------------------

[8] Security Tools Go Mobile
 
Software companies are developing new ways to keep handheld devices
secure--without burdening the users.

Paul Roberts, IDG News Service
Friday, October 04, 2002

Recognizing the growing popularity of mobile computing devices such as
handhelds, personal digital assistants, and smart phones, companies are
rolling out a host of new products to secure data and communications on
portable devices. 

From disposable soft tokens to virtual private network software for PDAs
to security management software for mobile devices, security companies
are catching up to and cracking down on mobile users. In September
alone, Trust Digital, RSA Security, and ION Networks announced security
products targeted at users of cell phones, PDAs, and other mobile
devices. 

"Companies have more mobile workers than ever, and they want to give
[those workers] all the tools they need to do their job effectively,"
says Laura Koetzle, an analyst at Forrester Research in Cambridge,
Massachusetts. 

http://www.pcworld.com/news/article/0,aid,105642,00.asp 

         ----------------------------------------------------

[9] Run-Up to Sydney WTO Meet Sparks Internet Clash 
Last Updated: October 04, 2002 04:44 AM ET
 
By Michael Christie 

SYDNEY (Reuters) - Battle lines between police and protesters are
already being drawn ahead of a world trade meeting in Sydney in
November, after state officials applied for anti-WTO Web Sites to be
banned for allegedly promoting violence. 

New South Wales police commissioner Michael Costa asked federal
authorities to take the message boards offline because they carried
suggestions for activists to bring baseball bats and marbles to protests
during the November 14-15 mini-summit. 


http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1533988

         ----------------------------------------------------

[10] Commerzbank may sue Merrill over email 

Jill Treanor
Monday October 7, 2002
The Guardian 

Germany's Commerzbank may take legal action against Merrill Lynch after
the Wall Street firm questioned its financial health. 
The query made to the Standard & Poor's ratings agency by Merrill
Lynch's credit department
was blamed for a 6% fall in the bank's share price on Friday in markets
already very concerned about the strength of financial firms. 

The falls in share prices and the general deterioration in the economic
backdrop have led to fears - so far unfounded - that European financial
firms are facing severe difficulties. 

http://www.guardian.co.uk/business/story/0,3604,805776,00.html 

         ----------------------------------------------------

[11] Internet creaks after huge network crash 
 
14:91 04 October 02 
  
NewScientist.com news service 
  
Millions of people who use services powered by UUNet were left with poor
or dead net connections on Thursday after the company suffered a huge
network failure. UUNet is owned by the troubled communications
corporation WorldCom.

According to WorldCom, the problem has now been traced to a faulty route
table, software that directs traffic around the internet.

"WorldCom experienced an issue on its internet network, affecting
approximately 20 per cent of our US internet customer base. A
preliminary investigation indicates there was a route table issue," said
spokeswoman Jennifer Baker.

http://www.newscientist.com/news/news.jsp?id=ns99992883  

         ----------------------------------------------------

[12] Ex-Coast Guard commander sees 'dangerously unprotected' ports
By Molly M. Peterson, National Journal's Technology Daily

The United States is more vulnerable to terrorist threats now than
before Sept. 11, 2001, a leading port security expert said Thursday at a
National Academy of Sciences conference.

"America, a year later, is dangerously unprotected and dangerously
unprepared for a catastrophic terrorist attack," said Stephen Flynn, a
retired Coast Guard commander and senior fellow at the Council on
Foreign Relations.

Flynn said the Sept. 11 attacks have highlighted the nation's
vulnerabilities, giving terrorists ideas for asymmetric, "David and
Goliath"-style attack plans that probably could be developed more
quickly than government and private-sector officials can secure the
nation's potential targets. 

http://www.govexec.com/dailyfed/1002/100402td2.htm 

         ----------------------------------------------------

[13] Hackware Author Arrested -- Maybe 
By Brian McWilliams      

2:00 a.m. Oct. 4, 2002 PDT

When Scotland Yard jubilantly announced the arrest of a London-based
malware author nicknamed Torner last month, most Internet users probably
drew a blank. 

After all, Torner's Linux-based Tornkit hacking program was hardly in
the same league as Melissa or Love Bug, the mainstream Windows worms
created by David Smith and Onel de Guzman, respectively. 

http://www.wired.com/news/technology/0,1282,55515,00.html 

         ----------------------------------------------------

[14] Experts fear that computers are terrorism's next target
Pamela Griner Leavy   Courier Contributor 

Riad Sleit called his Tampa and Sarasota, Fla., staffs together after
Sept. 11, 2001, and urged the 58 digital imaging systems and technical
consulting employees to get back to business. 

"If we sit here and feel sorry for ourselves, we play into the hands of
the people who did this," Sleit, branch general manager for Savin Corp.,
a Ricoh Co. Ltd. firm, recalled telling the staff. "We have to go out
there and drive business as usual. That's the least we owe this
country." 

http://www.bizjournals.com/cincinnati/stories/2002/10/07/focus1.html 

         ----------------------------------------------------

[15] Opasoft worm threatens Windows systems 

Monday 7 October 2002  
 
A worm that targets machines running Microsoft's Windows 95, 98, and ME
operating systems is spreading across networks by infecting computers
that share access to hard drives.
 
Leading antivirus software makers have warned that the "Opasoft",
"W32/Opasoft" or "Opaserv" virus, which emerged last week, takes
advantage of a common Windows application program interface (API) and
loose security practices to spread over local and wide-area networks.
The worm's file name, Scrsvr.exe, misleads users into clicking on it
because they think it is a screensaver.

http://www.cw360.com/bin/bladerunner?REQSESS=L453825I&2149REQEVENT=&CARTI=116369&CARTT=1&CCAT=1&CCHAN=13&CFLAV=1

         ----------------------------------------------------

[16] Army awards secure phones BPA
BY Dan Caterinicchia 
Oct. 4, 2002 

Defense Department officials will be able to exchange sensitive and
classified information securely over a commercial network thanks to
specially equipped wireless phones included in a blanket purchase
agreement the Army awarded to T-Mobile USA Inc.

http://www.fcw.com/fcw/articles/2002/0930/web-phones-10-04-02.asp 

         ----------------------------------------------------

[17] Assessing Internet Security Risk, Part Four: Custom Web
Applications 
by Charl van der Walt 
last updated October 3, 2002 

This article is the fourth in a series that is designed to help readers
to assess the risk that their Internet-connected systems are exposed to.
In the first installment, we established the reasons for doing a
technical risk assessment. In the second article, we started to discuss
the methodology that we follow in performing this kind of assessment.
The third part discussed methodology in more detail, focussing on
visibility and vulnerability scanning. This installment will discuss a
relatively unexplored aspect of Internet security, custom Web
applications. 

http://online.securityfocus.com/infocus/1631 

Assessing Internet Security Risk, Part One
Charl Van der Walt, SecurityFocus 
http://online.securityfocus.com/infocus/1591 

Assessing Internet Security Risk, Part Two
Charl Van der Walt, SecurityFocus 
http://online.securityfocus.com/infocus/1607 

Assessing Internet Security Risk, Part Three
Charl Van der Walt, SecurityFocus
http://online.securityfocus.com/infocus/1612 


         ----------------------------------------------------



_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
