(Due to a power outage there was no Infocon on Friday. WEN)
_________________________________________________________________
London, Monday, November 25, 2002
_________________________________________________________________
INFOCON News
_________________________________________________________________
IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________
---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________
----------------------------------------------------
[News Index]
----------------------------------------------------
[1] Homeland Security organized along administration's proposal
[2] War with Iraq will mean virus outbreak, hacker says
[3] Academy seizes computers from nearly 100 mids
[4] White House science team outlines anti-terrorism focus
[5] Tech Insider: Total information unawareness
[6] Sept. 11 showed work needed on Internet
[7] Pentagon backs off on Net ID tags
[8] Preparing for a Different Kind of Cyberattack
[9] Net auctions targeted for crackdown
[10] No two cyber-policies are alike
[11] When Washington Mimics Sci Fi
[12] Security Alert: New Wi-Fi Security Scheme Allows DoS
[13] Comdex's Secure Side
[14] Court to decide Kazaa's US liability
[15] Congress responds to concerns, but conflict could delay action
[16] Why is mi2g so unpopular?
[17] Internet security journalist hacks Saddam's e-mail
[18] Microsoft warns of security hole
[19] SQL Injection and Oracle
[20] Researchers: Pull plug on battery attacks
[21] Marines move toward PKI
_________________________________________________________________
News
_________________________________________________________________
_________________________________________________________________
CURRENT THREAT LEVELS
_________________________________________________________________
Electricity Sector Physical: Elevated (Yellow)
Electricity Sector Cyber: Elevated (Yellow)
Homeland Security Elevated (Yellow)
DOE Security Condition: 3, modified
NRC Security Level: III (Yellow) (3 of 5)
----------------------------------------------------
[1] Homeland Security organized along administration's proposal
By Tanya N. Ballard
The Homeland Security Department approved by Congress this week looks
much like the department President Bush proposed five months ago.
The new department will merge at least 170,000 federal employees from 22
agencies who perform a vast array of missions, from agricultural
research to port security to disaster assistance. Under H.R. 5005, the
Homeland Security Department would include the Transportation Security
Administration, Customs Service, Immigration and Naturalization Service,
Secret Service, Coast Guard and Federal Emergency Management Agency. The
agencies will be reorganized into four directorates within the
department: Information Analysis and Infrastructure Protection, Science
and Technology, Border and Transportation Security, and Emergency
Preparedness and Response.
The information analysis unit would absorb all of the functions of the
FBI's National Infrastructure Protection Center, the Defense
Department's National Communications System, the Commerce Department's
Critical Infrastructure Assurance Office, the Energy Department's
National Infrastructure Simulation and Analysis Center, and the General
Services Administration's Federal Computer Incident Response Center.
http://www.govexec.com/dailyfed/1102/112002t1.htm
----------------------------------------------------
(FUD. A bragging teenager who is rather a lame virus writer, but
naturally the journalist believes him that he is able to write a
'Uebervirus'. WEN)
[2] War with Iraq will mean virus outbreak, hacker says
By DAN VERTON
NOVEMBER 20, 2002
Content Type: Story
Source: Computerworld
A Malaysian virus writer who is sympathetic to the cause of the al-Qaeda
terrorist group and Iraq and who has been connected to at least five
other malicious code outbreaks is threatening to release a megavirus if
the U.S. launches a military attack against Iraq.
The virus writer, who goes by the handle Melhacker and is believed to
have the real name of Vladimor Chamlkovic, is thought to have written or
been involved in the development of the VBS.OsamaLaden@mm, Melhack,
Kamil, BleBla.J and Nedal worms.
However, in an exclusive interview today with Computerworld, Melhacker
confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that he
has developed and tested a "three-in-one" megaworm code-named Scezda
that combines features from the well-known SirCam, Klez and Nimda worms.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,
10801,76071,00.html
----------------------------------------------------
(This is out of order. The record industry is just digging its own grave
by doing this as it will lose popular support. Instead of arresting
students, the record industry should look at their business model and
adopt it to the Internet age. It was already a big mistake to 'shut
down' Napster as it could have been used to develop some sort of online
distribution platform (subscription model, ....), but now it is too
late. WEN)
[3] Academy seizes computers from nearly 100 mids
By JESSICA R. TOWHEY, Staff Writer
Officials at the Naval Academy have seized nearly 100 midshipmen's
computers that allegedly contained illegally downloaded music and
movies, sources said.
The raid occurred Thursday while students were in class, and a source
familiar with the investigation said the computers were being held by
the administration.
Cmdr. Bill Spann, academy spokesman, confirmed that an investigation
into what material is on the computers is under way, but declined
further comment.
http://www.hometownannapolis.com/cgi-bin/read/live/11_23-19/NAV
----------------------------------------------------
[4] White House science team outlines anti-terrorism focus
By Bara Vaida, National Journal's Technology Daily
The Bush administration's science and technology policy team has
identified five areas related to fighting terrorism that likely will
receive additional investment as the fiscal 2004 budget is developed for
release early next year, according to White House science adviser John
Marburger.
The research areas are information infrastructure development,
behavioral and risk management, terrorist-related crime and networks,
public health and crisis response intervention and socioeconomic
intervention, and international policy, Marburger said in a speech to
the Consortium of Social Science Associations on Monday.
To "identify areas that warrant additional investment," Jim Griffin,
assistant director of social, behavioral and educational issues at the
White House Office of Science and Technology Policy (OSTP), worked with
staff from the National Science Foundation, the National Institutes of
Health, the Justice and Education departments, the Centers for Disease
Control and Prevention, the Pentagon and the CIA through the
administration's anti-terrorism task force created this year.
http://www.govexec.com/dailyfed/1102/112202td1.htm
----------------------------------------------------
[5] Tech Insider: Total information unawareness
By Shane Harris
In the past week, privacy advocates and media commentators have sounded
an alarm, saying that the Defense Department is building a new computer
system to spy on personal transactions such as credit card purchases and
e-mails. Their fears are unfounded and overblown.
At issue is a project called the Total Information Awareness (TIA)
system, run by the Defense Advanced Research Projects Agency (DARPA),
the research and development arm of the Pentagon that takes technologies
in their prenatal stage and turns them into prototypes, usually over the
course of three to four years per project.
The goal of the TIA system is clear, but far from simple: To predict
terrorist attacks before they happen. Unfortunately, almost nothing has
been published describing what the TIA system is, and more importantly,
what it isn't, so that citizens can make up their minds about whether
this project is advisable or even feasible.
http://www.govexec.com/dailyfed/1102/112002ti.htm
----------------------------------------------------
[6] Sept. 11 showed work needed on Internet
By Scott R. Burnell
UPI Science News
>From the Science & Technology Desk
Published 11/20/2002 6:44 PM
View printer-friendly version
WASHINGTON, Nov. 20 (UPI) -- The Sept. 11 terrorist attacks on New
York's World Trade Center had a minor physical effect on the Internet,
but the experience shows that operators of key Web facilities need to
review their redundancy plans, according to a National Research Council
report released Wednesday.
The Association for Computing Machinery requested the study to try and
collect available data on how the Internet dealt with the loss of key
communications nodes in Lower Manhattan, said Craig Partridge, chair of
the report committee and chief scientist at the pioneering Internet
research and development company, BBN Technologies, in Cambridge, Mass.
"New York City is a 'super hub' of Internet links and services,"
Partridge said. "The collapse of the World Trade Center buildings
damaged some of those, often in subtle and surprising ways."
http://www.upi.com/view.cfm?StoryID=20021120-052609-3816r
----------------------------------------------------
[7] Pentagon backs off on Net ID tags
By Declan McCullagh
Special to ZDNet News
November 22, 2002, 10:24 AM PT
A Defense Department agency recently considered--and rejected--a
far-reaching plan that would sharply curtail online anonymity by tagging
e-mail and Web browsing with unique markers for each Internet user.
The idea involved creating secure areas of the Internet that could be
accessed only if a user had such a marker, called eDNA, according to a
report in Friday's New York Times.
eDNA grew out of a private brainstorming session that included Tony
Tether, president of the Defense Advanced Research Projects Agency
(DARPA), the newspaper said, and that would have required at least some
Internet users to adopt biometric identifiers such as voice or
fingerprints to authenticate themselves.
http://zdnet.com.com/2100-1105-966894.html
----------------------------------------------------
[8] Preparing for a Different Kind of Cyberattack
By Dennis Fisher
While many agencies are still licking their wounds from once again
failing their annual information security test, the Department of
Defense and the National Security Agency on Thursday will announce a new
partnership that could go a long way toward shoring up the security of
the government's networks.
The new agreement is a joint research and development initiative with
Lancope Inc., to build an advanced intrusion-detection appliance for use
both inside the government and in the private sector. Code-named the
Therminator, the appliance will incorporate Lancope's StealthWatch,
behavior-based IDS system with a new data-reduction and visualization
technology developed by the government.
Perhaps indicating the government's current emphasis on information
security, the organizations have set forth an aggressive development
schedule and are hoping to deploy a prototype appliance within six
months.
http://www.eweek.com/article2/0,,717180,00.asp
----------------------------------------------------
[9] Net auctions targeted for crackdown
5 in Valley arrested in fraud probe
Susan Carroll
The Arizona Republic
Nov. 22, 2002 12:00 AM
Valley shoppers routinely turn to Internet auction sites to buy items
ranging from a diet bake mix to a Disneyland vacation.
But instead of getting their goods, authorities say, many Net users have
received a lesson in cybercrime. Maricopa County Sheriff Joe Arpaio
vowed Thursday to crack down on Valley computer crooks who post items
and fail to deliver.
http://www.azcentral.com/news/articles/1122auctionfraud22.html
----------------------------------------------------
[10] No two cyber-policies are alike
National Underwriter; Property & casualty/risk & b - November 11, 2002
00:00
Lisa S Howard
National Underwriter
Erlanger
Not all e-commerce policies are alike, and if buyers aren't careful they
might find that unseen exclusions leave them without the proper
coverage, according to several industry practitioners.
"These policies are like snowflakes," emphasized David O'Neill, vice
president of e-Business solutions with Zurich North America Financial
Enterprises in Atlanta.
"What I mean by that is they may all have the same type of insuring
agreements..., but on the back side, the exclusionary clauses can be
very, very significantly different," he said.
http://www.insurancenewsnet.com/article.asp?newsid=CpC85ue:amJqYmte1nZyX
&src=moreover
----------------------------------------------------
[11] When Washington Mimics Sci Fi
John Poindexter's evil design for an all-seeing God Machine seems torn
from the pages of visionary science fiction, where such schemes rarely
end well.
By George Smith Nov 24, 2002
In Polish science fiction writer Stanislaw Lem's collection of short
stories, "Imaginary Magnitude," there is a tale of a DARPA project to
create a deus computing system -- a vigilant and all-knowing god
machine.
A handful of technical monstrosities with names like Golem XIV,
Supermaster and the Honest Annihilator are built. None perform as
predicted and, as I recall, the Honest Annihilator mysteriously shuts
itself off after being forced to deal with people too much.
When reading of scalawag John Poindexter's supreme anti-terrorist Total
Information Awareness System (TIAS), I thought I had stumbled into
another Lem fable of the future. Lem loved dry references to overseeing
national security mechanisms, not unlike the Information Assurance
Office and its motto "Scientia Est Potentia" -- "Knowledge is Power,"
and he used them as props in bitter jokes on the nature of technological
domination.
http://online.securityfocus.com/columnists/126
----------------------------------------------------
[12] Security Alert: New Wi-Fi Security Scheme Allows DoS
By Brett Glass
The industry has, at last, agreed upon a security scheme to replace WEP
-- the encryption technique that was supposed to ensure
"wired-equivalent privacy" but in fact did no such thing.
The new scheme, called WPA ("Wi-Fi Protected Access"), is supposedly
much tougher to crack, and it's backward compatible with older cards
because it can be implemented in software in the host machine. (The
Wi-Fi Alliance has posted a FAQ answering users' most common questions.)
http://www.extremetech.com/article2/0,3973,717170,00.asp
----------------------------------------------------
[13] Comdex's Secure Side
A sampling of the information security products on the menu at Comdex.
By Michael Fitzgerald, SecurityFocus Nov 22 2002 12:17AM
LAS VEGAS--Comdex Fall 2002 was far from previous year's heights, but
still continues to function as a smorgasbord for the information
technology world. No surprise, then, that some security companies were
there serving up products.
At the same time, Comdex failed to draw many of the major security
vendors. While the pickings were slim, some of them might prove
interesting.
Zone Labs introduced version 2.0 of its Integrity enterprise security
product. The firewall and administration tool now blocks "spyware"
components, and beefs up data port management features. But primarily
the administrative tools are now easier to use, and the product is
easier to install.
http://online.securityfocus.com/news/1713
----------------------------------------------------
[14] Court to decide Kazaa's US liability
09:29 Monday 25th November 2002
John Borland, CNET News.com
If a judge says Sharman can be sued in the United States, Kazaa will be
sucked into the same legal maelstrom that has grabbed Napster, Aimster,
Audio Galaxy, Grokster and Morpheus
A Los Angeles federal judge will hear arguments Monday as to whether
record companies and movie studios can sue the parent company of Kazaa,
the most popular online file-swapping service, in the United States.
http://news.zdnet.co.uk/story/0,,t278-s2126445,00.html
----------------------------------------------------
[15] Congress responds to concerns, but conflict could delay action
By Patrick Ross
Staff Writer, CNET News.com
February 23, 2001, 4:00 a.m. PT
WASHINGTON--Congress is growing more responsive to calls for online
privacy legislation, but a major conflict looms that could hurt efforts
this year to enact consumer safeguards against prying Web sites.
Last fall saw Republicans and Democrats in the House and Senate vow that
2001 would be the year an online privacy law was passed. Politicians
have begun working on multiple bills, and predictably, Internet
companies are voicing caution while privacy advocates are urging speed.
http://news.com.com/2009-1023-252897.html
----------------------------------------------------
[16] Why is mi2g so unpopular?
By John Leyden
Posted: 21/11/2002 at 18:02 GMT
Richard Forno, author of The Art of Information Warfare and security
consultant to the US Department of Defense, has launched a broadside
against mi2g, accusing the UK-based security consultancy of spreading
fear, uncertainty and doubt about cyberterrorism risks.
In a critique entitled Security Through Soundbyte: The 'Cybersecurity
Intelligence' Game, Forno questions mi2g's estimates of damage caused by
cyber attacks and the whole basis of its 'cybersecurity intelligence'
business.
Much of Forno's criticism of mi2g chimes with that of VMyths editor Rob
Rosenberger, who features mi2g high up in his hysteria roll call of
security industry Prophets of Doom.
http://www.theregister.co.uk/content/55/28233.html
----------------------------------------------------
[17] Internet security journalist hacks Saddam's e-mail
Published Sunday, November 24, 2002
DURHAM, N.H. (AP) - Even Saddam Hussein gets spam.
He also gets e-mail purporting to be from U.S. companies offering
business deals, and threats, according to a journalist who figured out a
way into an Iraqi government e-mail account and downloaded more than
1,000 messages.
Brian McWilliams, a free-lancer who specializes in Internet security,
says he hardly needed high-level hacking skills to snoop through e-mail
addressed to Saddam.
While doing research late one October night, the Durham resident clicked
on the official Iraqi government Web site, http://www.uruklink.net/iraq.
http://www.showmenews.com/2002/Nov/20021124News014.asp
----------------------------------------------------
[18] Microsoft warns of security hole
10:20 Friday 22nd November 2002
Reuters
The software giant has warned users of a significant security hole in
its Windows operating system which is prone to cyber-attack
Microsoft has issued a "critical" security bulletin which said the
company has discovered a security hole in its software which would let
cyber-attackers run programs on Web servers and computers in homes and
businesses.
The software giant on Thursday said that users of its Windows operating
system, except for its latest Windows XP version, as well as users of
its Internet Explorer, were vulnerable to malicious attacks.
http://news.zdnet.co.uk/story/0,,t269-s2126363,00.html
----------------------------------------------------
[19] SQL Injection and Oracle
by Pete Finnigan
last updated November 21, 2002
SQL injection techniques are an increasingly dangerous threat to the
security of information stored upon Oracle Databases. These techniques
are being discussed with greater regularity on security mailing lists,
forums, and at conferences. There have been many good papers written
about SQL Injection and a few about the security of Oracle databases and
software but not many that focus on SQL injection and Oracle software.
This is the first article in a two-part series that will examine SQL
injection attacks against Oracle databases. The objective of this series
is to introduce Oracle users to some of the dangers of SQL injection and
to suggest some simple ways of protecting against these types of attack.
Oracle is a huge product and SQL injection can be applied to many of its
modules, languages and APIs, so this paper is intended to be an overview
or introduction to the subject. This two-part series is not intended as
a detailed treatise of how to SQL inject an Oracle database, nor is it
intended as a detailed discussion on the finer points of the technique
in general. (Details of SQL injection techniques have been covered
admirably in the past for other languages and databases, particularly by
Rain Forest Puppy who pioneered the subject. Some of these papers are
included in the reference section at the end of this paper.) Rather, I
have designed this paper so that as many readers as possible can try out
the examples. To achieve this I have used a PL/SQL procedure that uses
dynamic SQL to demonstrate the techniques of SQL injection from the
ubiquitous SQL*Plus.
http://online.securityfocus.com/infocus/1644
----------------------------------------------------
[20] Researchers: Pull plug on battery attacks
By Sandeep Junnarkar
Special to ZDNet News
November 22, 2002, 9:09 AM PT
A team of computer scientists is working to prevent new types of
denial-of-service attacks aimed at battery-powered mobile devices.
Tom Martin, a professor at Virginia Tech's electrical and computer
engineering department, has received a grant for more than $400,000 from
the National Science Foundation to devise a way to protect
battery-operated computers from security attacks that could drain their
batteries.
Although the researchers concede that such kinds of attacks are
extremely rare, the proliferation of notebook computers, personal
digital assistants, tablet PCs, networked cell phones and other devices
could make them alluring targets.
The threat could be even more menacing to businesses that use battery
backup systems to protect their databases and storage systems against
electrical power outages.
http://zdnet.com.com/2100-1103-966886.html
----------------------------------------------------
[21] Marines move toward PKI
BY Dan Caterinicchia
Nov. 25, 2002
The Marine Corps' Marine Forces Pacific is scheduled to transition to a
new public-key infrastructure early next year, but it found that the
process has been more difficult than anticipated.
Downloading the personal certificates from a certificate authority on
the mainland has proven to be a time-consuming and frustrating process,
which has lead the command to request a certificate authority be placed
in the Pacific region.
Col. Mark Clapp of Marine Forces Pacific said all of the command's
private Web servers have been issued PKI server certificates, and more
than 600 end-user certificates have been generated from the certificate
authority in Chambersburg, Pa.
http://www.fcw.com/fcw/articles/2002/1125/web-pki-11-25-02.asp
----------------------------------------------------
_____________________________________________________________________
The source material may be copyrighted and all rights are
retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________
Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe
infocon" in the body
---------------------------------------------------------------------
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
