_________________________________________________________________

                      London, Wednesday, November 20, 2002    
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________


---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body

---------------------------------------------------------------------

    _________________________________________________________________

    
          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] U.S. fails cybersecurity review--again
[2] Experts: Don't dismiss cyberattack warning
[3] Cyber center planned
[4] Senate approves Homeland bill
[5] Business Week Online Special - Enhancing Computer Security

[6] Caught in a BIND
[7] Navy restructuring CIO's office
[8] A case in point
[9] Internet Provisions in Security Bill
[10] Don't trust that spam: Ignore 'Nigerian scam'

[11] At a stroke, MS cuts critical vuln reports
[12] Bill's secrecy provisions stick
[13] Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
[14] Local officials give homeland bill mixed reviews
[15] CIA searching out technologies to boost national security

[16] Internet, E-Commerce Boom Despite Economic Woes
[17] Liberty Alliance Updates Specs
[18] Hill OKs security research
[19] Northcom orders C4ISR, info ops work

    _________________________________________________________________

                                News
    _________________________________________________________________


[1] U.S. fails cybersecurity review--again 

By Reuters 
November 19, 2002, 3:04 PM PT

The U.S. government flunked a computer-security review for the third
consecutive year on Tuesday, showing no improvement despite increased
attention from high-level officials. 

Government agencies that oversee military forces, prosecute criminals,
coordinate emergency response efforts and set financial policy all
received failing grades from congressional investigators. 

The Department of Transportation, whose computer systems guide
commercial aircraft and allocate millions of dollars in highway funding,
received the lowest score, 28 out of a possible 100. 

Stung by a series of electronic break-ins and Internet-based attacks,
Congress has voted to triple spending on cybersecurity research efforts
while the Bush administration is pulling together a much-publicized set
of guidelines for businesses and individuals.

http://news.com.com/2100-1001-966444.html?tag=lh 

See also:
http://www.mail-archive.com/infocon@infowarrior.org/msg00321.html 


         ----------------------------------------------------

(There is quite a difference between developing an 'expertise in
computer science' and launching a strategic CNO campaign. Just ask some
IO people from Kelly AFB or Fort Meade and they will agree. AQ claims
lots of things and it certainly makes sense that they research this
area, but there is a major difference between 'looking into something'
and actually having the capability of doing something like that. It
takes quite a bit more than a mouse click to bring down an economy. So,
I would still say that at the moment any kinetic force is far more
powerful than any ping of death. WEN)

[2] Experts: Don't dismiss cyberattack warning

By DAN VERTON 
NOVEMBER 18, 2002

Security experts and two former CIA officials said today that warnings
of cyberattacks by al-Qaeda against western economic targets should not
be taken lightly. 

Vince Cannistraro, the former chief of counterterrorism at the CIA, said
that a number of Islamists, some of them close to al-Qaeda, have
developed expertise in computer science. 

"And some are well schooled in how to carry out cyberattacks," he said.
"We know from material retrieved from [al-Qaeda] camps in Afghanistan
that this is true. But their expertise seems mostly dedicated to
communicating securely among al-Qaeda cells. Cyberattacks would probably
render them less secure by focusing attention on their location." 

In an exclusive interview with Computerworld on Monday, Sheikh Omar
Bakri Muhammad, a London-based fundamentalist Islamic cleric with known
ties to Osama bin Laden, said al-Qaeda and various other fundamentalist
Muslim groups around the world are actively planning to use the Internet
as a weapon in their "defensive" jihad, or holy war, against the West. 

http://computerworld.com/securitytopics/security/story/0,10801,76000,00.html

Update: Omar Bakri Muhammad, bin Laden's man in London
http://computerworld.com/securitytopics/security/cybercrime/story/0,10801,76007,00.html

         ----------------------------------------------------

[3] Cyber center planned

BY Diane Frank 
Nov. 18, 2002 
 
The Bush administration last week proposed creating a national
cyberspace response center to help federal, state and local governments,
as well as the private sector, detect cyberattacks.

The proposal is included in five priorities that the President's
Critical Infrastructure Protection Board is considering as part of its
draft National Strategy to Secure Cyberspace, said Richard Clarke, board
chairman.

http://www.fcw.com/fcw/articles/2002/1118/news-cyber-11-18-02.asp 

         ----------------------------------------------------

[4] Senate approves Homeland bill

Wednesday, November 20, 2002 Posted: 12:48 AM EST (0548 GMT)

WASHINGTON (CNN) -- Capping months of debate, the Senate on Tuesday
approved 90-9 a bill that would create a Department of Homeland Security
-- a massive reorganization of the federal government sparked by the
devastating September 11, 2001, terrorist attacks. 

President Bush praised the Senate in a statement issued shortly after
the vote and said he looked "forward to signing this important
legislation." 

"This landmark legislation, the most extensive reorganization of the
federal government since the 1940s, will help our nation meet the
emerging threats of terrorism in the 21st century," Bush said. 

Bush may sign the bill early next week, according to a spokesman for the
White House Office of Homeland Security. 

http://www.cnn.com/2002/ALLPOLITICS/11/19/homeland.security/index.html 

         ----------------------------------------------------

[5] Business Week Online Special - Enhancing Computer Security
 
A Tech Sector That's Set to Soar
While overall IT spending is likely to slide next year, companies plan
to buy plenty of security products -- especially from the market's top
names

Is Microsoft Muscling In on the Market?
Separate products and services would be a logical outgrowth of Gates &
Co.'s increased emphasis on security in its current lineup

Open-Source Security Is Opening Eyes
From out of nowhere in just two years, this once unimaginable segment is
gaining credibility, venture-capital backing, and sales

Safety Is Elusive for Security Stocks
After a market pummeling, the sector is poised for consolidation, with
the likely winners being big players that set industry standards.


http://www.businessweek.com/technology/tc_special/02security2.htm

         ----------------------------------------------------

[6] Caught in a BIND

How did one of the Internet's most ubiquitous software packages grow up
to be chronically insecure? History offers a lesson. 
By Jon Lasser Nov 19, 2002  
 
Weinberg's second law, a decades-old programmers' joke, states, "If
builders built buildings the way programmers wrote programs, then the
first woodpecker that came along would destroy civilization." 

There may be no better example of that principle in action than the BIND
name server software. 

The most recent misadventure to befall the ubiquitous program came to
light last week -- when a new exploitable vulnerability in BIND 4 and
BIND 8 was announced. 

http://online.securityfocus.com/columnists/125

         ----------------------------------------------------

[7] Navy restructuring CIO's office 
BY Dan Caterinicchia 
Nov. 18, 2002 

As part of Navy Secretary Gordon England's plan to minimize the
secretariat staff, the Navy Department's Office of the Chief Information
Officer will be cut in half during the next few months. 

The CIO office has been reviewing its job functions for the past six
weeks and found that its combined military and civilian staff of 50
people could be reduced to 25 by April 2003, said Ron Turner, the Navy's
deputy CIO for infrastructure, systems and technology.

http://www.fcw.com/fcw/articles/2002/1118/web-navy-11-18-02.asp

Navy cuts CIO staff 
http://www.fcw.com/fcw/articles/2002/1118/news-navy-11-18-02.asp

         ----------------------------------------------------

[8] A case in point

Interagency criminal justice system provides model for information
sharing
BY Dibya Sarkar 
Nov. 18, 2002
 
Strengthening a unique intergovernmental collaboration, Washington,
D.C., and several federal criminal justice agencies recently expanded
and enhanced a secure Web portal used to quickly and efficiently share
justice information online.

The portal, officials maintain, has become one of the leading examples
of an integrated criminal justice system. It demonstrates how agencies
with different procedures and information needs can jointly develop a
system that benefits them all, without compromising any individual
agency's security or data management requirements.

http://www.fcw.com/fcw/articles/2002/1118/cov-justice-11-18-02.asp

         ----------------------------------------------------

[9] Internet Provisions in Security Bill
By THE ASSOCIATED PRESS

Filed at 6:05 p.m. ET

WASHINGTON (AP) -- Internet providers such as America Online could give
the government more information about subscribers and police would gain
new Internet wiretap powers under legislation creating the new
Department of Homeland Security.

Provisions of the bill tucked into a section about "cyber-security
enhancements" received scant attention during debate.

http://www.nytimes.com/aponline/technology/AP-Homeland-Security-Police.html?ex=1038459600&en=bb2fc1dafcd52b05&ei=5040&partner=MOREOVER

         ----------------------------------------------------

[10] Don't trust that spam: Ignore 'Nigerian scam' 
 
The so-called "Nigerian scam" has recently become the spam of choice for
people who don't want to work for a living, with average users receiving
several daily chances to enhance their lot in life by helping themselves
and their fellow man. 

Most of us pass up this e-mail, but there are enough people who believe
the promises to keep the scam moving. Said cybercrime expert Jayne
Hitchcock, "If it wasn't working on someone, you wouldn't get so many of
these." 

These letters differ in the details - supposed country of origin,
relationship to a rich person, amount of money involved - but the idea
is the same. There is a large amount of money languishing away in a
foreign bank, and the correspondent needs your help to move the cash to
safety. For your trouble you will get a small percentage, which is
actually more than what many people will see in a lifetime. They make
contact, you reply and they ask you to open a bank account, or ask for a
small amount of cash to get things started. Pretty soon they ask for
more, for bribes or expenses. Soon after that you should get wise.

http://seattletimes.nwsource.com/html/personaltechnology/134577167_ptinbo16.html

         ----------------------------------------------------

[11] At a stroke, MS cuts critical vuln reports
By ComputerWire
Posted: 20/11/2002 at 09:25 GMT
 
The Good News: Microsoft Corp will be making fewer warnings of
"critical" security vulnerabilities in its products from now on, Kevin
Murphy writes 

The Bad News: This is because Microsoft has changed the way it advises
users and administrators of vulnerabilities, raising the threshold to
require a "critical" advisory. 

Steve Lipner, director of security assurance at the company, said in an
email circular yesterday that Microsoft has overhauled its security
advisory services to provide less "confusing" technical information to
end users, while still providing administrators with the details they
need to rectify problems.

http://www.theregister.co.uk/content/55/28191.html 

         ----------------------------------------------------

[12] Bill's secrecy provisions stick
BY William Matthews 
Nov. 19, 2002 

Last-minute efforts by Senate Democrats to strip objectionable secrecy
provisions from the homeland security bill apparently failed Nov. 18.

Language added to the bill by the House of Representatives would block
the disclosure of information about technology vulnerabilities through
the Freedom of Information Act. Attempts to remove the language seemed
certain to fail even as the Democrats wrestled to remove other
provisions they dislike.

http://www.fcw.com/fcw/articles/2002/1118/web-foia-11-19-02.asp

         ----------------------------------------------------

[13] Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
Richard Forno
Essay #2002-12

Some say that cyberspace is the new battlefield, with its own unique
rules, challenges, and concerns for those charged with defending it.  If
one does consider cyberspace a modern battlefield, intelligence must
naturally play a key role in developing appropriate, proactive defenses.
Regarding battlefield intelligence, military strategist Sun Tzu wrote
that "what is called foreknowledge cannot be elicited from spirits, nor
from gods, nor by analogy with past events, nor from calculations. It
must be obtained from men who know the enemy situation."  That's sound
advice.

During recent months, hardly a week goes by without some reference to
some firm's findings or statistics on hackers, crackers,
cyberterrorists, and the general state of internet security as they see
it.  Many times these reports are marketed as cybersecurity
"intelligence."  

The latest player in the internet security industry is UK-based mi2g,
and the subject of this article. mi2g offers a suite of security
products (essentially they're a systems integrator focused on
security), but is best known perhaps as a "security intelligence
provider" providing research, assessment, and analysis services on the
state of cybersecurity.

As a security professional - and someone 'on the front lines' of the
cyberspace battlefield - I'm both curious and dubious about the whole
'cybersecurity intelligence' business concept, and wonder what it takes
to both become a 'cybersecurity intelligence' expert and make money at
it, too.

http://www.infowarrior.org/articles/2002-12.html 

         ----------------------------------------------------

[14] Local officials give homeland bill mixed reviews
By Maureen Sirhal, National Journal's Technology Daily 

Local officials are lauding a provision in the bill to create a Homeland
Security Department that would clarify rules allowing federal law
enforcement authorities to share sensitive information with state and
local counterparts. But at the same time, they are expressing concern
over budgetary delays halting the distribution of funds to local and
state emergency "first responders."

"We're pleased that the homeland security reorganization is going
through, but the funding issue is left unresolved," Andrew Solomon, a
spokesman for the U.S. Conference of Mayors, said on Tuesday. "These
cities are in a really difficult position. They've been forced to spend
millions" of dollars for national security improvements without federal
aid, he said.

The bill would allow federal agencies to share intelligence and other
information related to homeland security with local-level peers. "It
specifically clarified the rules of criminal procedures," such as
grand-jury information, Solomon noted. The measure also states that the
spirit of information sharing should be cooperative, he said.

http://www.govexec.com/dailyfed/1102/111902td1.htm

         ----------------------------------------------------

[15] CIA searching out technologies to boost national security
By Matt Marshall
Mercury News
 
The Central Intelligence Agency has come to stay in an area near you.

In 1999, the CIA opened up a venture capital firm, In-Q-Tel, on Sand
Hill Road -- the heart of Silicon Valley's venture capital community.

It was supposed to be a five-year experiment into the risky business of
funding start-ups and a way to acquire commercially viable technologies
that enhance national security at the same time.

Since Sept. 11, though, In-Q-Tel has acted more like a permanent
resident. "It's no longer an experiment," says In-Q-Tel Chief
Executive Gilman Louie.

There's a new urgency within the CIA to find technology that makes sense
of all the unstructured data floating around on the Internet and
elsewhere. The agency can't train analysts quickly enough.

"Government agencies are scrambling . . . We're in a state of
hyperactivity," he says.

http://www.siliconvalley.com/mld/siliconvalley/4540623.htm 

         ----------------------------------------------------

[16] Internet, E-Commerce Boom Despite Economic Woes 
By Reuters
  
11/19/02 

GENEVA (Reuters) - Use of the Internet is booming all around the world,
bucking the global economic downturn and the crisis in the information
technology industry, according to United Nations figures issued on
Monday.

An annual report by the UNCTAD trade and development agency forecast
that registered Internet users could total 655 million by the end of
2002, a year-on-year increase of 30 percent.

At the same time, the value of electronic commerce -- goods and services
bought and sold over the Internet -- could reach as high as $2.3 billion
this year, a 50 percent rise from last year, climbing to around $3.9
billion at the end of 2003.

http://www.ispworld.com/Reuters/BreakingNews/111902_js09.htm 

         ----------------------------------------------------

[17] Liberty Alliance Updates Specs 

By Thor Olavsrud 

The Liberty Alliance Project Tuesday published a public review draft of
a maintenance update of the version 1.0 specifications it released in
July. 

The version 1.1 draft primarily makes some editorial changes in an
effort to clarify the specifications, but also adds a few fixes and
minor enhancements. 

For instance, the new version fixes a vulnerability in the
Liberty-enabled Client/Proxy Profile (LECP), identified by both IBM and
Sun Microsystems. The Liberty Alliance said the vulnerability could have
allowed a spurious site to interpose itself between a user and a service
provider, allowing the site to impersonate the user.

http://www.internetnews.com/dev-news/article.php/1503481 

         ----------------------------------------------------

[18] Hill OKs security research
BY Diane Frank 
Nov. 18, 2002 

A bill that authorizes the first steady stream of funding for
cybersecurity research and education is on its way to President Bush for
his signature, after the final version cleared the full Congress Nov.
12.

The Cybersecurity Research and Development Act (H.R. 3394) provides for
$903 million for grants and scholarships through the National Science
Foundation and the National Institute of Standards and Technology, and
guidance for federal agencies, among other things.

http://www.fcw.com/fcw/articles/2002/1118/pol-hill-11-18-02.asp 

         ----------------------------------------------------

[19] Northcom orders C4ISR, info ops work 
BY Dan Caterinicchia 
Nov. 19, 2002 

The Defense Department's new Northern Command recently awarded $5.8
million in contract task orders to Lockheed Martin Corp.'s information
technology business unit.

The orders support Northcom's command, control, communications,
computer, intelligence, surveillance and reconnaissance (C4ISR) and
information operations (IO) requirements. 

http://www.fcw.com/fcw/articles/2002/1118/web-north-11-19-02.asp

         ----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>





IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk



