_________________________________________________________________

                 London, Tuesday, October 01, 2002
_________________________________________________________________

                           INFOCON News
_________________________________________________________________

              IWS - The Information Warfare Site
                     http://www.iwar.org.uk
_________________________________________________________________

---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with
"subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________

----------------------------------------------------
                    [News Index]
----------------------------------------------------

[1] Northcom faces obstacles at launch
[2] Models of mayhem
[3] RE: At least 100 countries building cyber weapons - expert
[4] China's 'Great Firewall' limits Internet
[5] Viruses are dead. Long live viruses!
[6] Cybersecurity regulations imminent, industry and government warn
[7] Disconnect
[8] Defense Agency Leaves Shopping List Online
[9] One Patch to Rule Them All
[10] CIOs look to stretch dollars
[11] Can Software Security Be Certified?
[12] Bugbear virus on the loose
[13] State Department asks firms to create intelligence database
[14] Insiders, not hackers, biggest information theft risk
[15] Toward Optimal Cyberspace Security
[16] Killer monkeys attack spammers
[17] Defense tracking system proves crucial to port security

_________________________________________________________________

                              News
_________________________________________________________________

[1] Northcom faces obstacles at launch
BY Dan Caterinicchia
Sept. 30, 2002

The Defense Department's new Northern Command is scheduled to start up Oct. 1, but Northcom faces major cultural and technical obstacles in communicating and sharing information — both internally and with the civilian authorities it will support.

The command will include representatives from all the armed services, and it is charged with ensuring homeland defense capabilities and supporting civil authorities when directed by the president or secretary of Defense.

Technology would play a role in easing the flow of information between Northcom and its new partners, and Peter Verga, special assistant to the secretary of Defense for homeland security, noted an example while speaking Sept. 26 at the Heritage Foundation, a Washington, D.C., think tank.

http://www.fcw.com/fcw/articles/2002/0923/web-dod-09-27-02.asp

----------------------------------------------------

[2] Models of mayhem
The government wants to simulate the ripple effects of critical infrastructure attacks
BY Jennifer Jones
Sept. 30,

From major power outages and crippled telecommunications nodes to the dramatic spread of pneumonic plague, government agencies have increasingly played out mock disasters since last September's terrorist attacks using sophisticated modeling and simulation tools.

Yet few of those models take into account the set of "interdependencies," or specific repercussions, that affect the outcome when a disaster in one industry wreaks havoc on the nearby, dependent infrastructures of other sectors.

The electronic simulation of those interdependencies and relationships has emerged as a field begging for more federal research and development.

http://www.fcw.com/fcw/articles/2002/0930/web-cio-09-30-02.asp

----------------------------------------------------

[It would be interesting to discuss what an information warfare capability is in the first place. WEN]

[3] RE: At least 100 countries building cyber weapons - expert

Original article
http://www.theregister.co.uk/content/6/27265.html

Ralf Bendrath (http://www.fogis.de) says:

As far as I see it, he just referred to an old (and IMHO overblown) estimate from last year. And the Register in turn quoted Matt from the Melbourne Herald Sun... Classic example of a media "debate".

Note: It was not the CIA, but the GAO: In a hearing in the House of Representatives in August 2001, Keith A. Rhodes, Chief Technology Officer of the General Accounting Office, said: "Over 100 countries already have or are developing computer attack capabilities. (...) NSA has determined that potential adversaries are developing a body of knowledge about U.S. systems and methods to attack them."

The numbers are a bit odd, I know. In March 2001, the Defense Science Board issued a report on the United States' vulnerability from cyber attacks. According to this study, "more than 20 states" are supposed to have information warfare capabilities or have started developing them.

The numbers have been reduced recently by Dick Clarke to "five or six": "There are terrorist groups that are interested. We now know that al Qaeda was interested. But the real major threat is from the information-warfare brigade or squadron of five or six countries." (quoted in: Ariana Eunjung Cha / Jonathan Krim, "White House Officials Debating Rules for Cyberwarfare", Washington Post, 22 August 2002)

----------------------------------------------------

[4] China's 'Great Firewall' limits Internet
Thomas Crampton
International Herald Tribune
Tuesday, October 1, 2002

HONG KONG Some Chinese Internet users are reporting more sophisticated and fine-tuned filtering of their browsing, searching and e-mailing recently, suggesting a newly refined and focused approach in the government's efforts to control Web content coming into and out of China.

Some of the recent restrictions include selective blocking of e-mail that mentions certain words, difficult access to foreign sites that use secure connections and continued interruption of search engines on particular topics, according to reports of Internet users in China and independent analysts elsewhere.

These restrictions are technically possible through software filters used at the level of Internet service providers and cybercafés, which in China are indirectly controlled by the government.

Chinese Foreign Ministry officials contacted last week responded with denials of knowledge about any restrictions on Internet use.

http://www.iht.com/articles/72279.html

----------------------------------------------------

[5] Viruses are dead. Long live viruses!
By John Leyden
Posted: 09/27/2002 at 09:35 EST

This year has been mercifully quiet on the virus front but anyone who reckons the virus problem has finally been beaten is failing to learn the lessons of history.

The problem of computer viruses has been declared "over" before, only to be "reinvented" a few months later, argues David Perry, a marketing manager at Trend Micro.

In the mid 90s, for example, when Microsoft moved to a virtualised 32-bit OS this greatly reduced the potential effects of boot sector viruses. There wasn't much relief for users though, since this threat rapidly was supplanted with the emergence of Word concept viruses.

http://www.theregus.com/content/56/26449.html

----------------------------------------------------

[6] Cybersecurity regulations imminent, industry and government warn
By Neil Munro, National Journal

In the debate over national cybersecurity strategy, most of the participants insist they don't want new regulations. Instead, they say, they want the marketplace to create cyberdefenses against hackers, viruses, and other Information Age threats.

But regulations are coming anyway, some industry and government officials warn, in part because the high-tech sector is reluctant to take on new burdens during an economic slowdown. And some factions in the debate actually want regulations that would boost information-sharing within industry, increase federal spending for industry's priorities, and encourage lawsuits against companies that have sloppy computer defenses.

http://www.govexec.com/dailyfed/0902/093002nj.htm

----------------------------------------------------

[7] Disconnect
By Shane Harris
[EMAIL PROTECTED]

Information sharing won’t make us safer if agencies can’t get it right.

When a computer mistakes a 70-year-old black woman for a 28-year-old white man who’s a triple murder suspect on the FBI’s terrorist list, something is wrong with the computer or the information inside it. Both were true on March 23, when Johnnie Thomas got a firsthand lesson in the federal government’s inability to share information as she tried to board a US Airways shuttle from Boston to New York.

Thomas’ name appeared in the airline’s database as a wanted terrorist. The FBI had sent the list to some airlines weeks before, but failed to provide more information than just the name—John Thomas. That name, it turned out, is an alias used by the suspect.

http://www.govexec.com/features/0902/0902s7.htm

----------------------------------------------------

[8] Defense Agency Leaves Shopping List Online
Faulty access controls open DISA's technology requisition system to snoops.
By Brian McWilliams, Sep 30 2002 10:57AM

An improperly secured database operated by the U.S. Defense Information System Agency (DISA) allowed Internet surfers to view and place orders for computers, networks, cell phones, software, and other technology used by the military.

Before it was locked down over the weekend, visitors to the Web site of DISA's Requirements Identification and Tracking System (RITS) were able to peruse hundreds of requisition documents, such as a $310,000 order for "new generation STE crypto devices" in support of the Global Command and Control System. A $235,000 order for 30 Sun Ultra 10 workstations for the same GCCS project was also viewable by Web surfers.

http://online.securityfocus.com/news/911

----------------------------------------------------

[9] One Patch to Rule Them All
A recent XP security hole begs the question, do we really want Microsoft to release individual fixes for every bug?
By Tim Mullen
Sep 30, 2002

On August 15th, Shane Hird published the details of a potentially serious issue with the Windows XP Help and Support Center where the contents of a known directory could be deleted if an attacker tricked someone into executing a maliciously formatted URL. At the time, there was no published patch, and no official work-around. For the most part, it went widely unnoticed.

Well, that may be a generalization -- I failed to notice it, as did all of the security people I know, but that doesn't mean the bad guys didn't tuck the information away into their cache of "crappy things to do to people when you're a script kiddie."

Granted, it wasn't a huge bug, but it did allow for one to trivially delete files from a victim's box (under the right circumstances). And since we are talking about an exploit primarily against the end user -- the home user -- we could hardly expect that the potential targets would be employing "best practices" security that would mitigate their exposure. Honestly, we can't expect them to even know what the best practices are in the first place.

http://online.securityfocus.com/columnists/112

----------------------------------------------------

[10] CIOs look to stretch dollars
BY Diane Frank
Oct. 1, 2002

With a tight governmentwide budget, agencies recognize that they are not likely to get new money to pay for all of their planned information technology improvements, federal chief information officers said Sept. 27.

In view of agencies' priorities for fiscal 2003 — improving their basic IT infrastructure, protecting that infrastructure and enhancing e-government — the big question for officials is "how do we do more with what we currently have, because more isn't coming," said Janet Barnes, CIO at the Office of Personnel Management. She was speaking at a breakfast sponsored by the Armed Forces Communications and Electronics Association's Bethesda, Md., chapter.

As agencies work on their infrastructures, some of that money will appear as old networks and systems are consolidated and new requirements are merged to meet intra-agency needs.

http://www.fcw.com/fcw/articles/2002/0930/web-cio-09-30-02.asp

----------------------------------------------------

[11] Can Software Security Be Certified?
New rules for encryption products sold to Uncle Sam tighten the acceptable standards. That's a good start toward a worthy goal

These are busy days at InfoGard Labs. The San Luis Obispo (Calif.) outfit is one of only six info-tech laboratories in the U.S. and Canada allowed to issue a government seal of approval known as FIPS compliance. FIPS stands for Federal Information Processing Standard, a rigorous set of criteria established by groups of government and private-sector experts on cryptography standards and implementations.

Starting in July, 2002, FIPS 140 level-2 standards became mandatory, replacing the more lenient FIPS 140 level-1 rules. Every company seeking to sell encryption software to the federal government or to do business with Uncle Sam involving computers and encryption has to use equipment that holds a FIPS-2 compliance rating. We're not talking just spookware. Once strictly the province of military and intelligence communities, encryption is now common in everything from e-mail and instant-messaging software to databases.

http://www.businessweek.com/technology/content/oct2002/tc2002101_6896.htm

----------------------------------------------------

[12] Bugbear virus on the loose
By Iain Thomson [01-10-2002]
New worm disables security software

A worm which disables security software and can steal passwords and credit card details is spreading rapidly through Windows-based PCs, according to antivirus companies.

Codenamed Bugbear, the worm was first detected in Malaysia and is spreading fast. Network Associates' Anti-Virus Emergency Response Team identified the worm on 29 September and has upgraded its threat rating from 'low' to 'medium'.

Antivirus company MessageLabs has reported 6,000 infections in the UK, US and India.

http://www.vnunet.com/News/1135543

----------------------------------------------------

[13] State Department asks firms to create intelligence database
By Bara Vaida, National Journal's Technology Daily

Secretary of State Colin Powell on Monday asked the private firms that make up the President's Council of Advisors on Science and Technology (PCAST) for help in creating an integrated intelligence database that would ensure that the more than 300 U.S. embassies do not grant visas to individuals who mean harm to the United States.

Powell said the State Department needs a system where its overseas officers can enter applicant data and cross-reference it against a network of compatible national security databases to confidently grant visas to the estimated 7 million people a year that apply to enter the country.

http://www.govexec.com/dailyfed/0902/093002td1.htm

----------------------------------------------------

[14] Insiders, not hackers, biggest information theft risk
By Juan Carlos Perez
September 30, 2002 10:45 am PT

U.S. COMPANIES WORRIED about hackers stealing their trade secrets should be even more afraid of former employees, competitors and contractors, according to a new study.

Intellectual property and proprietary information are more at risk from ex-employees, foreign and domestic competitors and contractors working on-site than from computer hackers, according to a study released Monday by PricewaterhouseCoopers, the U.S. Chamber of Commerce and the American Society for Industrial Security (ASIS) International.

The study, titled "Trends in proprietary information loss," defines proprietary information and intellectual property as "information that is not within the public domain and which the owner has taken some measures to protect." It refers to, for example, information about new products and services.

http://www.infoworld.com/articles/hn/xml/02/09/30/020930hninsiders.xml

----------------------------------------------------

[15] Toward Optimal Cyberspace Security

On the eve of the planned unveiling of the national Strategy to Secure Cyberspace, the chairman of the President's Critical Infrastructure Protection Board, Richard Clarke, announced the "working draft" would be open to comment for 60 days, rather than being delivered in read-only form. "The process is almost as important" as the document, said Clarke. We think the process might be more important.

Since he's asking for comment, here's our take. The released draft waters down many provisions of a preliminary draft, a copy of which was obtained by eWeek reporters. On the whole, while the preliminary draft may have been too draconian, the draft as published was too weak. Some solid middle ground has to be found—and soon.

Thanks to the backlash to the pre-release draft, there were a number of changes, including the softening of calls for a federal NOC to monitor and collect security data, suggestions for security audits at private companies, and a move to prohibit most wireless LANs in federal agencies. Clearly, Clarke wants to spark discussion, rather than provoke reaction.

http://www.eweek.com/article2/0,3959,562487,00.asp

----------------------------------------------------

[16] Killer monkeys attack spammers
By Dinah Greek [01-10-2002]
Online game offers virtual revenge on senders of junkmail

A custom-made game offering virtual revenge on spammers is gaining cult status as internet users queue up to take out their frustrations at receiving unwanted email.

The game boasts a delicious menu of punishments to inflict upon the purveyors of junkmail who target your inbox.

'Torture a Spammer' was devised by a US company, Marketing Sherpa, after the theft of more than 10 million of its customers' email addresses. The firm believes its troubles began when ex-employees of SparkList.com, its mailing list host, sold a back-up copy of the list to spammers.

http://www.vnunet.com/News/1135533

----------------------------------------------------

[17] Defense tracking system proves crucial to port security
By Molly M. Peterson, National Journal's Technology Daily

A real-time tracking system developed years ago for the Defense Department is emerging as a crucial component of an industry-driven cargo security network that aims to prevent terrorists from smuggling weapons of mass destruction into major ports.

"The big concern is that terrorists will put a bomb or a chemical—or even themselves—into one of these containers coming into the United States," said Mark Nelson, a spokesman for Savi Technology, which helped build the Defense Department's Total Asset Visibility (TAV) network, and is now helping to spearhead a public-private effort to achieve an "end-to-end" tracking system for commercial cargo.

http://www.govexec.com/dailyfed/0902/093002td2.htm

----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

---------------------------------------------------------------------
IWS INFOCON Mailing List
@
IWS - The Information Warfare Site
http://www.iwar.org.uk