_________________________________________________________________

                      London, Tuesday, October 22, 2002
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________


---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body

---------------------------------------------------------------------

    _________________________________________________________________

    
          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] E-gov lays security net
[2] Hundreds of Navy computers 'missing'
[3] Army locks down wireless LAN
[4] Lack of training your biggest threat
[5] Guidelines for Reporting Security Incidents

[6] Agency adds do-it-yourself security
[7] Privacy Czar: Past Haunts Present  
[8] Comeback of the hacker king
[9] E-card Sneakware Delivers Web Porn
[10] Hackers, government join in fight for Internet freedom

[11] VPNs? There must be better ways to wireless security
[12] Professor's Case: Unlock Crypto  
[13] MS patches insecurity trio
[14] Report says visa process improved after terrorist attacks
[15] Busting Pop-up Spam

[16] Security Concerns in Licensing Agreements, Part Two: Negotiating
[17] Agencies' IT budgets on 'roller coaster,' group says
[18] FTC forces spammer to refund domain fees
[19] Government security experts urge Whitehall to adopt US cryptography
[20] Why Dotcoms Failed (and What You Can Learn From Them)

[21] An E-Mayor for Virtual L.A. City  
[22] A tough case to crack

    _________________________________________________________________

                                News
    _________________________________________________________________


[1] E-gov lays security net
Efforts form homeland security foundation
BY Dibya Sarkar 
Oct. 21, 2002 

By most accounts, homeland security is the top concern among mayors and
other local officials, who say they have no choice but to shift funds
for overtime costs, preparation and training, and enhanced security
measures at the expense of other programs. Those expenses, coupled with
the troubled economy and promised federal dollars that haven't yet
arrived, may force municipalities to scale back or even scrub some
programs.

http://www.fcw.com/fcw/articles/2002/1021/pol-egov-10-21-02.asp 

         ----------------------------------------------------

[2] Hundreds of Navy computers 'missing'
11:25 Monday 21st October 2002
Reuters    

The US Navy has lost track of many computers that may have handled
classified data, finds an audit. And this may be just the tip of the
iceberg.

The US Pacific Fleet's warships and submarines were missing nearly 600
computers as of late July, including at least 14 known to have handled
classified data, an internal Navy report obtained on Friday said.

The fleet, based in Pearl Harbor, Hawaii, sought to prevent release of
the Naval Audit Service report, even though it was not classified.

http://news.zdnet.co.uk/story/0,,t269-s2124182,00.html 

http://www.cw360.com/bin/bladerunner?REQUNIQ=1035289799&REQSESS=Jc622399&REQHOST=site1&2131REQEVENT=&CFLAV=1&CCAT=2&CCHAN=22&CSESS=6680898&CSEARCH=&CTOPIC=&CPAGEN=Article%20Page&CPAGET=-99999&CARTI=116804&CARTT=14

         ----------------------------------------------------

[3] Army locks down wireless LAN
Texas base uses formula of strength through diversity
BY Paul Korzeniowski 
Oct. 21
 
Fort Sam Houston is a prime candidate for wireless networks. The San
Antonio installation is home to the commanders of the Army's medical
systems and supports various military training services, including
battle simulation. Because other tactical groups often conduct tests at
the site, a network may be installed for a week, a few months or even a
year.

http://www.fcw.com/fcw/articles/2002/1021/spec-army-10-21-02.asp 

         ----------------------------------------------------

[4] Lack of training your biggest threat
By David Southgate
TechRepublic
October 17, 2002    
 
Contrary to popular belief, corporate sabotage is among the least likely
causes of computer security breaches. 

According to an April 2002 survey by the Computer Security Institute,
sabotage accounted for just 8 percent of system attacks in 2002.
Security breaches are more often due to errors by end users or
administrators. The inadvertent gaffes are the main culprits for
introducing viruses, allowing denial of service attacks, and opening
entryways to supposedly secured data. 

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2894933,00.html

         ----------------------------------------------------

[5] Guidelines for Reporting Security Incidents
Published By: CIO 
Posted By: Adam Chalemian 
10/21/2002 9:29 

CIO magazine, in conjunction with the Secret Service and FBI, has put
together a set of guidelines for businesses to follow when notifying law
enforcement agencies and other authorities of security incidents. The
report covers what kind of events should be reported, the data that
should be collected, and who to send it to. A report form and contact
information for all FBI and USSS field offices is included.

http://www.linuxsecurity.com/articles/government_article-5966.html 

Guidelines:

http://www.cio.com/research/security/incident_response.pdf 

         ----------------------------------------------------

[6] Agency adds do-it-yourself security
BY Dibya Sarkar 
Oct. 22, 2002 

Instead of using the state government's virtual private network solution
to serve its far-flung workforce, the Washington State Human Rights
Commission opted for a private approach that was less expensive and
easier for its employees to install.

The commission went live this spring with a product - Imperito Networks
Inc.'s SafeSecure Access - that enables people with little technical
experience to install software for access to agency systems.

http://www.fcw.com/geb/articles/2002/1021/web-vpn-10-22-02.asp 

         ----------------------------------------------------

[7] Privacy Czar: Past Haunts Present  

By Steve Kettmann  |   02:00 AM Oct. 19, 2002 PDT

A former Clinton administration official in charge of privacy issues
warned Friday that the Bush administration risked setting the country
back decades on privacy policy if it did not heed the lessons of the
past. 

Peter Swire, a law professor at Ohio State University, evoked the
witch-hunt atmosphere of "anti-Communist excesses" to offer a sobering
reminder of the dangers of repealing personal liberties in the name of
the war on terrorism.

http://www.wired.com/news/politics/0,1283,55900,00.html 

         ----------------------------------------------------

[8] Comeback of the hacker king

Kevin Mitnick was the subject of a huge FBI manhunt, before being jailed
for computer fraud. But now his hacking days are over and, he tells
Charles Arthur, the poacher has turned gamekeeper

If you need a working definition of ironic, you could do worse than
this. Last summer, Kevin Mitnick, the one-time hacker who was on the
FBI's "10 Most Wanted" list of fugitives, was himself the victim of a
scam just like he used to work on people. It's a technique Mitnick, 39,
calls social engineering: getting access to information, including
computer data, by talking to people rather than by accessing computers.
"I practised it for 15 years. I would think I would be the most aware of
when it was being done," he says.

But in June he got a call on his mobile phone from a reporter from the
Associated Press. The reporter knew that Mitnick had written a book
about social engineering, and he was keen to talk about it.

http://news.independent.co.uk/digital/features/story.jsp?story=344565 

         ----------------------------------------------------

[9] E-card Sneakware Delivers Web Porn

A Trojan horse program created by an Internet adult entertainment
company routes surfers to racy sites.
By Kevin Poulsen, Oct 21 2002 12:08AM

It's no coincidence that one of the most recent Trojan horse programs to
enter the FBI's bi-weekly rogues gallery of malicious code is named
after an Internet porn company. 

The program, dubbed "Cytron" by the bureau's National Infrastructure
Protection Center (NIPC) and some anti-virus vendors, is a covert browser
plug-in that gives Internet Explorer users something they probably don't
want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail
from [EMAIL PROTECTED] -- a forged return address. The mail looks
convincingly like an electronic greeting card notification, with a cute
smiley face background and the text "You have received an e-card" in
squiggly block letters.

http://online.securityfocus.com/news/1350 

         ----------------------------------------------------

'... "I think of hacktivism as a philosophy: taking the hacker ethic of
understanding things by reverse engineering and applying that concept to
traditional activism," he said. ...'

[10] Hackers, government join in fight for Internet freedom
Jennifer Lee 
New York Times 
  
Published Oct 21, 2002

When the reports started trickling out in September, they were met with
disbelief and then outrage among technophiles. The Chinese government
had blocked its citizens from using the popular search engine Google by
exercising its control of the nation's Net service providers.

The move surprised Nart Villeneuve, a 28-year-old computer student at
the University of Toronto who has been interested in Chinese technology
issues. Blocking one of the most popular Web sites was a far cry from
Beijing's practice of restricting access to the sites of dissident
groups or Western news organizations.

http://www.startribune.com/stories/535/3374698.html 

         ----------------------------------------------------

[11] VPNs? There must be better ways to wireless security
  
By David Berlind
October 15, 2002    
 
Here's a surprising trend: the promotion of virtual private networks
(VPNs) as a solution to local wireless LAN security problems. Even more
surprising is that normally forward-looking Gartner analysts are
offering up this behind-the-times view of mobile security. 
 
During a mobile security session at Symposium/ITxpo earlier this month,
Gartner analyst John Girard promoted the VPN solution while failing to
mention the mobility problems that VPNs introduce--or the fact that VPNs
will eventually give way to standard (and more interoperable) solutions
that will do a better job of closing the holes left open by current
wireless solutions. 

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2894696,00.html

         ----------------------------------------------------

[12] Professor's Case: Unlock Crypto  

By Brad King  |   
02:00 AM Oct. 19, 2002 PDT

Daniel Bernstein seems intent on striking the deathblow to U.S.
government regulations on cryptography. 

The latest chapter in his decade-long battle began to unfold on Friday,
when lawyers representing both the Department of Commerce and Bernstein,
a University of Illinois associate professor of mathematics, statistics
and computer science, prepared to ask federal district court judge
Marilyn Hall Patel to grant a summary judgment. At stake: the last
remnants of a system that once prevented U.S. citizens from releasing
software code that creates secure, electronic communications.

http://www.wired.com/news/technology/0,1282,55884,00.html 

         ----------------------------------------------------

[13] MS patches insecurity trio
By Thomas C Greene in Washington
Posted: 19/10/2002 at 04:51 GMT


Another bundle of three security issues in Microsoft products came out
this week. Among them is a nasty bug in Windows-XP Help Center allowing
the deletion of entire directories, as we reported a few weeks ago. 

A malicious file request, the syntax of which resembles a URL, can be
embedded in a Web page or an HTML e-mail. MS rolled the fix silently
into SP-1 without making a public announcement at the time. The hole was
discovered by Shane Hird of Distributed Systems Technology Centre, who
first reported it to MS on 25 June 2002. Now there is apparently a
separate patch for the issue, and MS has come forward with the dirt. In
typical fashion the company also treats the announcement with
far-fetched, PR-driven stretchers and face savers, as we can see from
their list of 'mitigating factors'.

http://www.theregister.co.uk/content/55/27700.html 

         ----------------------------------------------------

[14] Report says visa process improved after terrorist attacks
From National Journal's Technology Daily

Large workloads and unchecked authority in State Department offices that
issue visas may have created vulnerabilities in the system for letting
visitors and immigrants into the United States, but the system has been
improved, according to a report (GAO-03-132NI) released Monday.

http://207.27.3.29/dailyfed/1002/102102td1.htm 

         ----------------------------------------------------

[15] Busting Pop-up Spam
Nuisance messaging demonstrates the boundless ingenuity of spammers.
Here's how to nip it in the bud. 
By Tim Mullen Oct 20, 2002  
 
I hate spam. I know "hate" is a strong word, but it is the truth. I
think spammers should be strung up and beaten like a pinata on Cinco de
Mayo and then set on fire. 

I hope that aliens are not monitoring spam in order to make a value
judgment as to whether or not to vaporize the earth; clearly the
universe does not need a race of creatures endowed with diminutive
genitalia that must refinance their house in order to afford a mail
order diploma or a new satellite dish. Of course, they would spare
Nigeria, as it is clearly a country populated entirely of Ministers of
Something, each with 28 million dollars in the bank just waiting to be
dispersed to anyone willing to give them the assistance they so urgently
need.  

http://online.securityfocus.com/columnists/117 

         ----------------------------------------------------

[16] Security Concerns in Licensing Agreements, Part Two: Negotiating
Security Provisions 
by Steven Robinson last updated October 21, 2002 

Introduction 

In the first article in this series, we looked at security concerns
related to clickwrap and shrinkwrap agreements, used by vendors for
mass-market licenses and service agreements. In these cases, no
negotiations are involved. If you want what the vendor is selling, you
are required to agree to "a one size fits all" agreement, including
whatever provisions it contains, if any, that pertain to information
security. This type of agreement is typical of the licensing agreements
that individual users and small organizations enter into. 

This article looks at a situation that is more typical for commercial
users, one in which negotiations between vendors and service providers
and their users concerning licensing and services agreements are
commonplace and expected, and discusses why it is helpful, and usually
essential, to have information security professionals participate in
those negotiations. 

http://online.securityfocus.com/infocus/1636 

Part one:

http://online.securityfocus.com/infocus/1602 

         ----------------------------------------------------

[17] Agencies' IT budgets on 'roller coaster,' group says
By Molly M. Peterson, National Journal's Technology Daily

The effort to create a Homeland Security Department has placed several
federal agencies' information technology budgets on a "roller coaster,"
according to an analysis released last week by the Government
Electronics and Information Technology Association (GEIA).

The Defense Department and homeland security programs are likely to be
the "real winners" in the battle for discretionary dollars in the coming
years, according to GEIA, which released a summary of its findings to
reporters as a preview of a conference it plans to hold later this
month.

The study found that since many civil agencies are becoming "bill
payers" for the nation's homeland security requirements, their budgets
barely will keep pace with inflation.

http://207.27.3.29/dailyfed/1002/101802td1.htm 

         ----------------------------------------------------

[18] FTC forces spammer to refund domain fees
21st October, 2002

The United States' Federal Trade Commission has forced a British
entrepreneur who sold domain names that did not work to repay his
proceeds to his victims. 

As reported by Demys news (see: OFT domain action "too little too late"
- 30th August, 2002) domain name retailer Thomas Goolnick was found to
have used an aggressive unsolicited commercial mailing campaign to sell
$59 alternative generic top level domains such as .usa, .brit, and
.scot. However, the domains were not approved by Internet authority
ICANN (Internet Corporation of Assigned Names and Numbers) and would not
work unless users downloaded special software to access them. This did
not stop Goolnick selling 6,000 of his domains, netting him an estimated
$350,000.

http://www.demys.net/news/02_oct_21_ftc.htm 

         ----------------------------------------------------

[19] Government security experts urge Whitehall to adopt US cryptography
standards 
by  Cliff Saran 
Monday 21 October 2002  
 
The Government's leading IT security advisors are to recommend that
Whitehall departments adopt a US cryptography standard that many
commercially available security products fail to meet.
 
The Communications Electronics Security Group (CESG) is expected to
publish a policy document later this month recommending using the US
FIPS-140 cryptography standard for non-classified government
applications. 

http://www.cw360.com/bin/bladerunner?REQSESS=Jc622399&2149REQEVENT=&CARTI=116786&CARTT=1&CCAT=2&CCHAN=22&CFLAV=1

         ----------------------------------------------------

[20] Why Dotcoms Failed (and What You Can Learn From Them) 
by Jamie S. Walters

Headlines are rife with the tally of dotcoms that have "dot-bombed" or
are in a downward spiral, not to mention the associated financial losses
and human costs. Fingers that once pointed gleefully at the stock-ticker
to catch a glimpse of that day's market ascent now point in blame toward
Wall Street analysts who, it seems, had conflicts of interest, weren't
altogether honest in their activities and allegedly manipulated the
market for personal interest (Gosh, there's a surprise!). What seems to
be lacking, at least publicly, is a careful examination of why these
companies failed. And yet, out of the smoke lifting from the rubble of
the former "e-bubble" we can find some valuable lessons. 

Review this period in time as an opportunity to learn how to improve the
success rate - however you measure success - of your business or
department. 


http://www.refresher.com/!jswdotcom.html

         ----------------------------------------------------

[21] An E-Mayor for Virtual L.A. City  

By Patrick Di Justo  |   02:00 AM Oct. 22, 2002 PDT

When Angelenos vote Nov. 5, they'll be asked to decide whether or not to
let the San Fernando Valley secede from the rest of Los Angeles.
Secession would split L.A. in two, creating a new city of approximately
1.3 million people, with an annual budget over $1 billion. 
 
Internet consultant Marc Strassman, 54, wants to be mayor of that new
city.

http://www.wired.com/news/politics/0,1283,55911,00.html 

         ----------------------------------------------------

[22] A tough case to crack
How IT can -- and cannot -- aid law enforcement's search for a D.C.-area
sniper
BY William Matthews 
Oct. 21, 2002

Technology has received a prominent role in the hunt for a sniper who
has killed nine and wounded two in a two-week spree in the Washington,
D.C., metropolitan area, but even technology experts say the case is
most likely to be cracked by cops, not computers.

"This is a fairly low-tech kind of crime," said Jay Siegel, a forensic
science professor at Michigan State University's School of Criminal
Justice. "What's going to solve this crime is old-fashioned police work.
It does not require a lot of technology."

http://www.fcw.com/fcw/articles/2002/1021/news-sniper-10-21-02.asp 

         ----------------------------------------------------


_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
