_________________________________________________________________

                      London, Friday, June 14, 2002
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________

                               IWS Sponsor

                  National Center for Manufacturing Sciences
                              http://www.ncms.org
                                 host of the
                 InfraGard Manufacturing Industry Association
                              http://trust.ncms.org
    _________________________________________________________________


          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

Homeland Security

[1] Merging cultures of homeland security agencies will be big challenge
[2] House leaders agree on plan for homeland security process
[3] Homeland department likely to house cybersecurity office
[4] Senate in a hurry on homeland security bill
[5] Ridge meets with House members on homeland security proposal

Infocon

[6] Feds, industry battle the biggest network bug
[7] Developing an Effective Incident Cost Analysis Mechanism
[8] Assessing Internet Security Risk, Part One: What is Risk Assessment?
[9] First JPEG virus not a threat
[10] Biometrics, Surveillance, National ID Threats to Privacy

[11] Anti-open source 'whitepaper' devastated
[12] Jail time is not the answer to cybercrime
[13] Australian directors alerted to cybercrime threats
[14] UK businesses are failing to work online
[15] U.S. turns screw on ICANN

[16] Woman faces charges in hacking case
[17] VA urged to improve management of technology

    _________________________________________________________________

                                News
    _________________________________________________________________


[1] Merging cultures of homeland security agencies will be big challenge
By Louis Jacobson, National Journal

Creating a unified "corporate culture" is sure to be one of the toughest challenges facing a new Department of Homeland Security, which will be cobbled together from 22 different federal entities, each with their own historical role and professional expertise.

On the upside, the new department will have an important prerequisite for establishing a strong corporate culture - the clear and unassailable mission of preventing terrorist attacks on U.S. soil. On the downside, it won't have the luxury of time to assimilate the cultures of its agencies.

Based on the experience of private sector mergers, "the new department will face enormous problems," says Ralph Biggadike, a professor of management at Columbia University. "To think that a structural solution can bring about a major improvement in performance is a major mistake. Fixing the structure alone isn't enough to get at the culture."

http://www.govexec.com/dailyfed/0602/061302lj1.htm

         ----------------------------------------------------

[2] House leaders agree on plan for homeland security process
By Charlie Mitchell and Mark Wegner, CongressDaily

Republican and Democratic leaders have agreed on a bipartisan plan to move President Bush's proposal to create a new Homeland Security Department through the House on an expedited basis, Speaker Dennis Hastert, R-Ill., and Minority Leader Dick Gephardt, D-Mo., announced Thursday.

Under the plan, the Government Reform Committee and other panels with jurisdiction over homeland security issues will get first crack at the proposal, while a special, leadership-appointed "ad hoc select" panel - expected to be led by Majority Leader Dick Armey, R-Texas - will meld the committees' handiwork into a single package.

Sources said the Government Reform Committee and the other panels would have three weeks to work on the legislation, after which the select committee would work on the package for two weeks and then send it directly to the floor, sources said. "There will be regular order for a short period of time, with the committees reporting to an ad hoc committee that will rationalize all of these ideas for leadership," said a GOP source, who added, "This gives the authorizers a bite at the apple and it gives the leaders a chance to rationalize the whole thing."

http://www.govexec.com/dailyfed/0602/061302cdpm1.htm

         ----------------------------------------------------

[3] Homeland department likely to house cybersecurity office
By William New, National Journal's Technology Daily

The White House Office of Cyberspace Security would "change a bit" under a proposal to create a Homeland Security Department but would retain its basic functions, the senior director of that office said Thursday.

Paul Kurtz said that the position of Cybersecurity Director Richard Clarke "would likely remain the same" and that Clarke would continue to report to the National Security Council (NSC), headed by Condoleezza Rice, and to the new department head. He spoke on a panel at the TechNet International conference of the Association for Communications, Electronics, Intelligence and Information Systems Professionals.

Clarke currently reports to the council and the White House Homeland Security Office as chairman of the Critical Infrastructure Protection Board. The position of Vice Chairman Howard Schmidt also likely would remain, Kurtz said. He said the board membership might change as portions of agencies are moved, but "we will have a coordinating mechanism on cybersecurity."

http://www.govexec.com/dailyfed/0602/061302td1.htm

         ----------------------------------------------------

[4] Senate in a hurry on homeland security bill
By Keith Koffler, Geoff Earle and Mark Wegner, CongressDaily

Senate Majority Leader Tom Daschle, D-S.D., and Minority Leader Trent Lott, R-Miss., are negotiating a fast-paced schedule for creating a new Homeland Security Department under a procedure that will give Senate Republicans and Democrats a chance to help shape the proposal.

After a White House meeting Wednesday, Senate Democratic leaders said they plan to debate the measure in July.

"Hopefully - and I believe we can do it - [we will] get it passed in the Senate before we leave for the August recess," said Senate Governmental Affairs Chairman Joseph Lieberman, D-Conn., who spoke at the White House following a meeting between President Bush and 20 chairmen and ranking members of House and Senate committees with jurisdiction over homeland security.

http://www.govexec.com/dailyfed/0602/061302cdam1.htm

         ----------------------------------------------------

[5] Ridge meets with House members on homeland security proposal
From CongressDaily

Homeland Security Director Tom Ridge met with House members Wednesday on Bush's plan. He will hold a similar meeting Thursday with senators.

"This is the beginning of the collaboration between the president and his administration and the Congress of the United States," Ridge told reporters after the closed-door meeting on the House floor.

Ridge said he had received a "very positive" reaction from lawmakers and said he would return to Capitol Hill "sometime in the near future" to offer formal testimony.

http://www.govexec.com/dailyfed/0602/061302cdam2.htm

         ----------------------------------------------------

[6] Feds, industry battle the biggest network bug
By Kevin Poulsen, SecurityFocus Online
Posted: 12/06/2002 at 18:52 GMT

Four months after a public advisory warned of security vulnerabilities in a ubiquitous Internet remote management protocol, there have been no widespread attacks exploiting the holes. But technology companies and a special U.S. government panel are quietly evaluating the threat of related vulnerabilities in some of America's most critical electronic infrastructures, including the telephone network, the power grid, and the next generation of air traffic control systems.

http://www.theregister.co.uk/content/55/25693.html

         ----------------------------------------------------

[7] Developing an Effective Incident Cost Analysis Mechanism
by David A. Dittrich
last updated June 12, 2002

When it comes to calculating damages from computer security incidents, some in the media will tell you that it is impossible to come up with a value. At the same time, others will tell you that the Melissa Virus caused $80 million in damages to US businesses. Who is right? Can these damages be calculated, and if so, how?

A project by representatives of the Big Ten Universities (plus a few others) in the late 90's undertook to systematically examine the real costs of security incidents. The results of this project were an incident cost model and examples of costs for typical security incidents at these institutions. This model has been used successfully in computer intrusion cases involving federal law enforcement, and by the Honeynet Project for comparison of entries in the Forensic Challenge. It proves that fair and accurate damage estimates can be produced, and with very little work, provided that those doing the work are disciplined and diligent in keeping track of time, at the time of incident response. Unfortunately, this is where the system often breaks down. As we shall see, the need for diligence in collecting time data for every security incident response calls for policies and procedures to be set at the institutional level, and enforced as a regular part of incident handling, in order to have meaningful figures on institutional losses due to security incidents.

http://online.securityfocus.com/infocus/1592

         ----------------------------------------------------

[8] Assessing Internet Security Risk, Part One: What is Risk Assessment?
by Charl Van der Walt
last updated June 11, 2002

The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don't have to tell you this. You've heard that exact speech at just about every single security conference or seminar you've ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to lose. The "death toll" statistics are then almost always followed by a sales pitch for some or other product that's supposed to make it all go away. Yeah right.

Am I saying the threat isn't real? Am I saying the statistics aren't true? No. What I'm saying is that many users fail to see what relevance any of this has to themselves and their company. Should the fact that e-Bay supposedly spent $120,000 dollars recovering from Mafia Boy's DDoS attack really have an impact on the reader's corporate IT policy? Perhaps not.

http://online.securityfocus.com/infocus/1591

         ----------------------------------------------------

[9] First JPEG virus not a threat
By ComputerWire
Posted: 06/14/2002 at 04:14 EST

Anti-virus firms have discovered a Windows virus that infects JPEG image files, though the chances of it causing a major security risk any time soon are close to zero. W32/Perrun, as Networks Associates Inc named the virus, was assessed as low risk, and has not been found in the wild.

"It is believed to be the first of its kind," said Vincent Gullotto. "It's no danger, but it shows that virus writers are looking at other methods of infection." In the last year, virus writers have started using other file types, such as PDFs and Flash animations, to spread themselves.

http://www.theregus.com/content/56/25238.html

http://www.wired.com/news/technology/0,1282,53196,00.html

         ----------------------------------------------------

[10] Biometrics, Surveillance, National ID Threats to Privacy

Electronic Frontier Foundation Releases Reports

For Immediate Release: Thursday, June 13, 2002

San Francisco - The Electronic Frontier Foundation (EFF) today released a series of reports on the shortcomings of large-scale civilian biometrics systems, the invasive nature of public surveillance, and the inherent dangers of a national identification system.

http://www.eff.org/Privacy/20020613_eff_privacy_pr.html

         ----------------------------------------------------

[11] Anti-open source 'whitepaper' devastated

By Thomas C Greene in Washington
Posted: 11/06/2002 at 02:16 GMT

Roaring Penguin's David Skoll has written a fine rebuttal to the ADTI whitepaper. With his permission we're reproducing it whole and unedited:

The Alexis de Tocqueville Institution (AdTI) has finally published its white paper entitled "Opening the Open Source Debate". My earlier comments were based on media reports and e-mail correspondence with the paper's author. This document was written after I read the actual white paper. (The original link seems not to work; I managed to grab a copy of the paper before AdTI pulled it. This link may work.)

http://www.theregister.co.uk/content/55/25659.html

         ----------------------------------------------------

[12] Jail time is not the answer to cybercrime

By Robert Vamosi
AnchorDesk
March 6, 2002, 4:30 AM PT

Patriot Act of 2001, a sweeping law which, among other things, said those who break into other peoples' computers could be considered terrorists, and prosecuted as such.

In the months since the act was signed, several lower-profile bills have been proposed in Congress--all of which are either overreaching in scope or simply flawed. One of these is H.R. 3482, the Cyber Security Enhancement Act of 2002 (CSEA).

http://zdnet.com.com/2100-1107-852767.html

         ----------------------------------------------------

[13] Australian directors alerted to cybercrime threats

By Vivienne Fisher, ZDNet Australia
07 June 2002

Australian company directors and officers are being warned of the damaging impact cybercrime can have if they don't address risks effectively.

Leif Gamertsfelder, head of the e-security group at law firm Deacons, outlined the potential pitfalls at an Australian Institute of Company Directors briefing yesterday.

Cybercrime has been garnering increased interest in Australia over the past week, with the Federal Government announcing finalisations to a bundle of counter-terrorism bills on Wednesday. Federal Attorney-General Daryl Williams has described the proposed legislation as a response to September 11.

http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20265835,00.htm

         ----------------------------------------------------

[14] UK businesses are failing to work online

So the vendors say... but then they would wouldn't they...

Conducting your business electronically might be the best way to cut costs in these difficult times but UK plc remains reluctant to get involved.

According to B2B vendor Ariba the level of business conducted electronically in the UK is falling well short of a 20 per cent target set by analysts.

http://www.silicon.com/bin/bladerunner?30REQEVENT=&REQAUTH=21046&14001REQSUB=REQINT1=53932

         ----------------------------------------------------

[15] U.S. turns screw on ICANN

Reuters
June 13, 2002, 4:30 PM PT

U.S. lawmakers said on Wednesday that they would step up oversight of the nonprofit group that oversees the Internet's domain-name system, but stopped short of saying the United States should run the controversial body.

Several senators and a Bush administration official said the Internet Corporation for Assigned Names and Numbers (ICANN) would have to change the way it operates if it wants to continue to oversee the system that allows Internet users to navigate using easy-to-remember domain names.


         ----------------------------------------------------

[16] Woman faces charges in hacking case
By Globe Staff and Wire Services, 6/13/2002

BOSTON

A Middleton woman will face criminal charges after she allegedly hacked into her former boss's computer and sent e-mail from his account, Attorney General Thomas F. Reilly said yesterday. Wendy Sholds, 38, will face two counts of unauthorized access to a computer system after she allegedly hacked into the e-mail account of her former boss - CEO of Middleton-based Business Travel International - in February, and forwarded to two employees an e-mail between the CEO and a vice president that allegedly contained discussion of the termination of those two employees, according to Reilly's office. Sholds will be arraigned in Salem District Court July 1.

http://www.boston.com/dailyglobe2/164/metro/Woman_faces_charges_in_hacking_case+.shtml

         ----------------------------------------------------

[17] VA urged to improve management of technology
From National Journal's Technology Daily

Despite its progress in raising corporate awareness of departmental information technology needs, the Veterans Affairs Department has "significant work" to accomplish in order to use IT investments to improve overall performance, according to a General Accounting Office report released Wednesday.

A GAO official testified before a House subcommittee in March on VA's IT successes and failures. The GAO report, "Veterans Affairs: Sustained Management Attention is Key to Achieving Information Technology Results" (GAO-02-703), recommends that the VA chief information officer:

http://www.govexec.com/dailyfed/0602/061302td2.htm

         ----------------------------------------------------



_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body

---------------------------------------------------------------------



