_________________________________________________________________ London, Monday, October 28, 2002 _________________________________________________________________
INFOCON News _________________________________________________________________ IWS - The Information Warfare Site http://www.iwar.org.uk _________________________________________________________________ --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- _________________________________________________________________ ---------------------------------------------------- [News Index] ---------------------------------------------------- [1] NIST sets security checkup standards [2] Are snipers terrorists, too? [3] Panel laments 'reactive' approach to homeland security [4] Some companies dig deep in quest for security [5] Comment: Trust hackers to dupe users [6] The hacker's tale: an interview with Kevin Mitnick [7] ICANN critic won't be silenced [8] FBI to IT Execs: You Will be a Cyber-crime Victim [9] Web sites in Spain go blank to protest new laws [10] SA websites come under attack [11] Readers Rate Microsoft's Security Progress [12] You Win the Loss of Your Privacy [13] Blogger.com survives hack attack [14] Ruling may expand findings in MS lawsuits [15] Going crackers over hackers [16] Weapons of mass destruction [17] Google's new site shows strong editorial judgment [18] Why Hackers Don't Care About Wi-Fi _________________________________________________________________ News _________________________________________________________________ [1] NIST sets security checkup standards By Vandana Sinha GCN Staff Federal agencies get their first peek Monday at proposed guidelines that, by spring, will begin to standardize the testing of systems security. The National Institute of Standards and Technology developed the guidelines, to be posted Monday at csrc.nist.gov. Special Publication 800-37 lays out instructions for a security checkup. It is the first in a three-part series designed to bring consistency to certifying and accrediting systems security. NIST will accept public comments on 800-37 for three months. http://www.gcn.com/vol1_no1/daily-updates/20332-1.html ---------------------------------------------------- [2] Are snipers terrorists, too? Jeffrey Gettleman The New York Times Monday, October 28, 2002 WASHINGTON Atomized cells. Leaderless revolutionaries. Soft targets. After Sept. 11, these were the dangers that intelligence officials warned about. The sniper case amplifies them all. These days, it is increasingly difficult to figure out who is a terrorist - or what that even means. Terror - as opposed to terrorism - may be inflicted by any loner with a vague political grievance and a gun. John Allen Muhammad, the prime suspect in a string of killings around the Washington area, is the perfect enigma. The police say he seems to have been driven by split motivations, a mix of ideology and rage. Muhammad, a Muslim convert, sympathized with Al Qaeda and was angry at America, acquaintances said, but he also had personal problems that may have set him off. In the end, one motive may have been much more mundane: money. The police say that a note left at a shooting scene included a demand for $10 million. http://www.iht.com/articles/75055.html ---------------------------------------------------- [3] Panel laments 'reactive' approach to homeland security By Jason Peckenpaugh The United States remains highly vulnerable to terrorist attacks despite unprecedented efforts to tighten homeland security over the past year, according to a panel chaired by former senators Gary Hart and Warren Rudman. The panel found that billions of dollars in new security funding has failed to fix weaknesses in information sharing and transportation security, or to improve the ability of thousands of state and local "first responders" to deal with terrorist attacks. It also observed that the federal government has taken a "reactive" approach to homeland security, moving quickly to shore up security lapses revealed on Sept. 11, but doing little to counter future threats. "The federal government is dedicating an extraordinary amount of energy and resources in response to the specific character of the Sept.11 attacks," said the panel's report, which was sponsored by the Council on Foreign Relations, a think-tank based in New York. "A reactive mindset is inevitably wasteful in terms of resources and can distract agencies from anticipating more probable future scenarios and undertaking protective measures." http://www.govexec.com/dailyfed/1002/102502p1.htm See also http://www.mail-archive.com/infocon@;infowarrior.org/msg00281.html ---------------------------------------------------- [4] Some companies dig deep in quest for security Dermot McGrath Special to the International Herald Tribune Monday, October 28, 2002 PARIS Looking for a sense of security in an insecure world, a number of companies are putting their most valuable computer databases 30 meters below ground in a bunker - trying to guard against the risk of nuclear explosion, terrorist attack, chemical or biological warfare, electronic eavesdropping, electromagnetic "pulse bombs" and former employees bent on revenge. Companies in media, finance, telecommunications and biotechnology have placed their servers in hermetically sealed environments, protected by pressurized air locks, sophisticated electronic detection systems, steel doors with a thickness of about 45 centimeters (18 inches), security personnel and barbed wire. http://www.iht.com/articles/75068.html ---------------------------------------------------- [5] Comment: Trust hackers to dupe users Neil Barrett, IT Week [25-10-2002] As that awful woman on the TV has it, you are the weakest link. As we strive to improve the security of platforms, networks and applications provided over networks, increasingly the weakest link in the chain is the people involved in the systems. Not merely the helpdesk staff - though they are traditionally a target for "social engineering" attacks - but now many others within the organisation as well. Simply phoning a member of staff and asking questions in an attempt to gain useful information is the most basic type of social engineering attack. But the most effective attacks depend on an escalating and sophisticated series of measures. There are four key stages to this type of attack. First of all, selection: a search is carried out to identify as many people as possible within an organisation, and a subset of those people are selected for the actual attack. http://www.pcw.co.uk/Analysis/1136277 ---------------------------------------------------- [6] The hacker's tale: an interview with Kevin Mitnick Iain Thomson [25-10-2002] Kevin Mitnick has been the world's most notorious hacker for over a decade. After two jail terms, the second lasting five years, he was released in September 2000. He has since written a book on the art of social engineering and is starting a consultancy to advise companies on the best way to protect IT infrastructures. Firstly, to set the record straight, are you a hacker or a cracker? Definitely a hacker. Crackers go into systems for financial gain or to deliberately cause damage. My motivations were those of the prankster and explorer. When I went into systems I was usually just looking around or on the search for specific software for personal use. I've served my time and those days are now over. http://www.pcw.co.uk/Analysis/1136282 ---------------------------------------------------- [7] ICANN critic won't be silenced Cantankerous contrarian, ousted from board, vows to keep complaining By Anick Jesdanun Associated Press SCOTTS VALLEY -- Karl Auerbach joined the Internet's key oversight body as a voice of the online public, pledging to transform an organization he considers beholden to vested commercial interests. Auerbach got his change all right. Fellow board members on the Internet Corporation for Assigned Names and Numbers responded to Auerbach's caustic challenges by eliminating his seat and those of the four other publicly elected directors. Auerbach was consistently the contrarian on a board whose decisions on Internet domains affect everything from how Web sites are named to how e-mail is sent. As he prepares to step down in December, an exhausted and frustrated Auerbach believes ICANN is as out of synch as ever with the needs of innovators and the general Internet public. http://www.dailynews.com/Stories/0,1413,200%257E20950%257E952937,00.html ---------------------------------------------------- [8] FBI to IT Execs: You Will be a Cyber-crime Victim By Colin C. Haley FOXBORO, Mass. -- Speaking before a crowd of IT managers, FBI Special Agent Jim Hegarty couldn't help inserting amusing anecdotes about New York wiseguys and Soviet intelligence agents. The crowd-pleasing stories, gleaned from years of field work, could have come straight from "The Sopranos" or spy novelist John LeCarre. But on the main topic of the evening, Hegarty's message was sobering: "You're going to be a victim of cyber-crime, it's going to happen." Hegarty, who oversees a team of IT investigators based in Boston, outlined ways to prevent some attacks, or at least, limit the damage they cause. His remarks came at a security forum sponsored by Lighthouse Computer Services and held at the Gillette Stadium conference center. http://www.internetnews.com/dev-news/article.php/1488321 ---------------------------------------------------- [9] Web sites in Spain go blank to protest new laws Associated Press MADRID - Times have been hard for Georgeos Diaz-Montexano's online course in Egyptian hieroglyphics. One student in two years, $12 US in tuition. But Diaz-Montexano pulled the plug on what he calls the world's only Spanish-language Egyptology site for a different reason: fears of hassle or a hefty fine under Spain's new law regulating cyberspace. http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1035583895538_309930 95///?hub=SciTech ---------------------------------------------------- [10] SA websites come under attack Posted Thu, 24 Oct 2002 A hacker with a chip on his shoulder has hit South African websites, reports the Business Day. The Brazilian hacker, who calls himself 'r00t3rs' has attacked 20 websites with the domain name .co.za, causing the most damage inflicted on South African websites in a single day, says the daily. The hacker defaces the websites by entering them and deleting entire pages, replacing them with blank pages featuring only his name. http://cooltech.iafrica.com/technews/178837.htm ---------------------------------------------------- [11] Readers Rate Microsoft's Security Progress By Tom Smith We've recently looked at the security of Microsoft products from several angles: how the company has lived up to expectations on its Trustworthy Computing initiative, how it's managing the flow of security information to customers, and how individual products are faring from a security perspective. In one of the more recent developments, Microsoft and a security company called GreyMagic are publicly disagreeing over how security flaws should be reported. GreyMagic has reported several holes in Internet Explorer, while Microsoft says it's investigating and third parties should report the flaws to Microsoft for the security of users. What's your view? Take our poll. As a follow-up to our recent Microsoft Progress Report, we asked you in a reader poll to evaluate Microsoft's progress in Trustworthy Computing, its plan to make security a primary design goal in all its products. http://www.internetwk.com/security02/INW20021024S0004 ---------------------------------------------------- [12] You Win the Loss of Your Privacy Software at iWon Web Site Tracks Users Even After Removal By Becky Worley, Tech Live Oct. 23 - IWon.com offers prize money of up to $1 million to Web surfers who visit the Internet portal site and make it their homepage. But a chance to win money also means that members may be losing something more important: their privacy. While just browsing the iWon site is relatively harmless, the potential privacy problem stems from the installation of its iWonPlus subscriber package, which allows members access to other site features such as chat. http://abcnews.go.com/sections/scitech/TechTV/techtv_iwonspyware021023.h tml ---------------------------------------------------- [13] Blogger.com survives hack attack By Troy Wolverton Special to ZDNet News October 25, 2002, 11:46 AM PT update Pyra sparked up its popular Blogger.com site Friday after shutting it down earlier in the day in response to a hacker attack. The hack compromised individual accounts, locking out site users from their blogs. Pyra has taken the machine that was compromised offline and restored the Blogger site from its redundant servers, said Jason Shellen, the company's director of business development. Users whose accounts were compromised should be able to access them again, he said. http://zdnet.com.com/2100-1105-963375.html ---------------------------------------------------- [14] Ruling may expand findings in MS lawsuits By Sandeep Junnarkar Special to ZDNet News October 25, 2002, 9:46 AM PT In what could be a legal blow to Microsoft, a federal judge has signaled that antitrust plaintiffs who filed recent private lawsuits against the software giant might be able to use findings from the government's earlier case, according to published reports. The comments by U.S. District Judge Frederick Motz in Baltimore were made during a one-day hearing on a motion by plaintiffs Thursday. The plaintiffs--including number of software makers--asked that they be allowed to base their lawsuits on the antitrust violations that were established in the Justice Department's long-running case against Microsoft. http://zdnet.com.com/2100-1104-963339.html ---------------------------------------------------- [15] Going crackers over hackers Author: Alastair Otter , ITWeb journalist [ITWeb, 24 Oct 2002] I've learned over the past few years while writing about IT security that if you ever mention the word "hacker" in reference to someone who breaks into a computer system or defaces a Web site, you're bound to get a whole lot of "real hackers" coming out of the woodwork to tell you off. Each time it is the same story: we're hackers because we like to "experiment", but they (being the alleged criminal element) are "crackers" because they have some sort of malicious intent. More often than not, you get referred to one or other online definition of the differences between hackers and crackers. http://www.sundaytimes.co.za/business/technology/Tech3.asp ---------------------------------------------------- [16] Weapons of mass destruction Rebecca Peters IHT Monday, October 28, 2002 A plague of small arms LONDON Ten people died from the sniper's bullets in the Washington area. In the same three-week period, 1,600 people died from gunfire in the United States generally, and more than 17,000 around the world. Apart from evoking horror, high-profile shootings in the United States cause us to shake our heads and lament the easy availability of guns in America. The Land of the Free, as we all know, is also the Home of the Handgun. But the United States is not the only country affected by the proliferation of guns. The United Nations recently identified the widespread availability of small arms (the term preferred in international diplomatic circles) as a major problem throughout the world. http://www.iht.com/articles/75028.html ---------------------------------------------------- [17] Google's new site shows strong editorial judgment Lee Dembart International Herald Tribune Monday, October 7, 2002 PARIS Since you are holding a newspaper in your hands, I conclude that you are interested in news, and since you are reading this column, I conclude that you have some interest in the electronic goodies that the world arrays before us. How about the conjunction of the two? Many news organizations, including the International Herald Tribune, have Web sites on which they post what they're publishing or broadcasting that day, frequently supplemented by additional material specially prepared for the Internet. In all cases, there are human editors who select and package the news for the parent publication or broadcast medium in the first place, and there are additional editors who oversee putting it on the Web. http://www.iht.com/articles/72944.html ---------------------------------------------------- [18] Why Hackers Don't Care About Wi-Fi By Lou Hirsh www.WirelessNewsFactor.com, Part of the NewsFactor Network October 25, 2002 Experts at war driving -- scanning communities for the existence of wireless networks that can be tapped -- routinely exchange location secrets and sniffing tips over the Web, the way gamers trade strategies for reaching new levels. Call them traditionalists, but breaching wireless networks apparently does not hold the same allure for hackers as wreaking havoc on closed systems via the wired Internet -- at least not so far. Despite efforts to ferret out truly insidious hacking on Wi-Fi systems, security experts generally have turned up little evidence of nefarious activity. For instance, one honeypot set up by a government contractor in the Washington, D.C., area earlier this year failed to attract much attention in its first few weeks. One possible explanation is that hacking Wi-Fi is too easy. And with constant warnings about how porous these networks can be, users have been cautious about transmitting sensitive data over them, so there is not much to steal. http://www.newsfactor.com/perl/story/19776.html ---------------------------------------------------- _____________________________________________________________________ The source material may be copyrighted and all rights are retained by the original author/publisher. Copyright 2002, IWS - The Information Warfare Site _____________________________________________________________________ Wanja Eric Naef Webmaster & Principal Researcher IWS - The Information Warfare Site <http://www.iwar.org.uk> --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk