London, Wednesday, October 30, 2002

                                INFOCON News

                            IWS - The Information Warfare Site



To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe
infocon" in the body



                              [News Index]

[1] 12th Annual EICAR Conference: Call For Papers
[2] Don't Touch that Dial
[3] Defense, cybersecurity officials praise 'open source' software
[4] China prevented repeat cyber attack on US
[5] Politicians, police recruited to talk up IT security

[6] Responsible Disclosure by Corporate Fiat
[7] Homeland goes interstate route
[8] Q & A Kevin Mitnick
[9] MS gets top security rating for Win2k, makes big noise
[10] OMB issues draft standards to increase info-sharing, cut IT costs

[11] NIST details certification process
[12] Transcom chief touts IT
[13] Tech firms seek to play role in military transformation effort
[14] Defense procurement system prone to security lapses
[15] Sniper leaves a mark

[16] Brussels to spend €250k on Linux migration study
[17] Introducing Network Attached Encryption
[18] Wireless WarDrive: Wee Bit of Fun  
[19] Reuters says it wasn't hacking
[20] Greeting card email is not a worm

[21] Home-based cybersecurity defense won't work
[22] Nowhere to Hide
[23] Lawsuit to Test USA Patriot Act
[24] CIA warns of Net terror threat
[25] Online sales decline for first time

[26] A new threat to ICANN authority?
[27] Dear Saddam, How Can I Help?  
[28] Technology: Military conference highlights information systems
[29] Golden Age of IT Hasn't Arrived Yet
[30] DoCoMo gets defaced
[31] Is a larger Net attack on the way?
[32] Employee surveillance unaffected by terror threat
[33] FIPS testing finds lots of mistakes in crypto IT



[1] 12th Annual EICAR Conference: Call For Papers

The Conference will be held May 10-13 in Copenhagen, with three streams
of interest:


-Critical Infrastructure Protection (CIP)

-IT-Law and Forensics

with contributions from industry, government, and research. With the
of keeping abreast of new developments, EICAR will be a forum for 
discussions on subjects past, present and future, pertaining to 
"IT-Security in an Insecure Web".

Papers can be submitted through to December 1st, 2002.

For more information on formatting, panels, area chairs and other
check out


Submission of Papers to Area Chairs: December 1, 2002
Notifications to Authors of Acceptance and Reviewers' Comments: January 15, 2003
Submission of Camera-Ready Papers: February 1, 2003
First Round Registration: March 1, 2003


(I have seen a prototype of such a phone due for release in January and
it looks amazing as it got so many features, but unfortunately it looks
like they missed out the security bit. WEN)

[2] Don't Touch that Dial

Mobile phones packing Java virtual machines are gaining in popularity,
and are headed for American shores. Will they be the next arena for
malicious hacking? 

By Michael Fitzgerald, Oct 29 2002 9:05AM

Java phones are coming to the U.S., bringing with them a second chance
mobile applications, and, experts caution, a new platform for malicious 

"It's going to be an issue," says Tony Davis, acting CEO of Tira
Wireless, a 
Toronto startup that certifies and publishes J2ME (Java 2 MicroEdition) 
applications. Davis already uses a Trojan horse program when he makes
calls. "When I meet with European carriers, I pull up a phone and show
a car racing game that's actually not just that, it's sending a huge
of traffic back and forth," Davis says. "I tell them, your customer is
to get a bill for 500 pounds at the end of the month, and who are they
to come after? You."



[3] Defense, cybersecurity officials praise 'open source' software
By Drew Clark, National Journal's Technology Daily

A Defense Department technology expert and a White House cybersecurity
official on Tuesday praised government's use of "open source" software
and said that its security can be preferable to that of commercial

Speaking at a conference sponsored by Dell Computer and Red Hat, which
distributes the Linux open-source software, the defense and
cybersecurity officials said they anticipate that government use of the
software will continue to increase. The source code for Linux and other
such software is open for public inspection, unlike that of proprietary

"Open source allows us the opportunity to have a pro-active and
pre-emptive identification of security holes by friendly analysis," said
Ken Linker of the Defense Information Systems Agency. He read the
written presentation of Robert Walker, the program manager for the
agency, which runs the software for a large portion of the department's
command-and-control systems. 



'... However, 85 percent of the successful infiltrations and attacks on
these unclassified military computer networks are preventable with
available patches and proper security procedures but system
administrators do not use them. Every time a new computer is unpacked
and plugged in to the Pentagon's network without patches installed -- an
apparently frequent occurrence -- the entire network is exposed to that
one computer's vulnerabilities. ...'

'... "We are our own worst enemy," said Bradley. "The Defense Department
is more vulnerable than anyone in the world." ...'

'... At its simplest, computer network attack would be government
sanctioned hacking -- an attempt to deny an enemy use of its own computer
networks in wartime, to change critical information, or to trick him
into thinking they were working when they are not. ...'

'... "The attacks could be extremely precise. We have a wide range of
capabilities but there are very, very tight controls on this," Bradley
said. ...'

'... Only the president or the defense secretary can authorize a
computer network attack, according to the policies now being crafted.

'... "I've got to tell you we spend more time on the computer network
attack business than we do on computer network defense because so many
people at very high levels are interested in developing the policy for
it," Bradley said. ...'

'.... The Pentagon is moving cautiously, aware of the potential for
collateral damage to the world's computer networks and economy. ...'

[4] China prevented repeat cyber attack on US 
By Pamela Hess
UPI Pentagon Correspondent
From the International Desk
Published 10/29/2002 12:40 PM

NASHVILLE, Oct. 29 (UPI) -- The Defense Department was braced for a new
onslaught of cyber attacks from Chinese hackers in May 2002 but they
never materialized: the Chinese government asked private hackers not to
repeat the 2001 defacement of U.S. government Web sites, a top Defense
Department official said Tuesday.

"We expected another series of attacks from Chinese hackers, but
actually the government of China asked them not to do that," said Air
Force Maj. Gen. John Bradley, deputy commander of the Pentagon's Joint
Task Force on Computer Network Operations, at an electronic warfare
conference Tuesday.

"I wouldn't call it state-sponsored, but state-controlled, I guess," he
said at the Annual Association of Old Crows conference being held in


(A nice quote from today's CompSec conference which I attended: 'Most
of the attacks come from the outside, but the deadliest attacks come
from the inside'. WEN)

[5] Politicians, police recruited to talk up IT security
Reuters, 10.30.02, 3:37 AM ET

By Bernhard Warner, European Internet Correspondent

LONDON, Oct 30 (Reuters) - Politicians, law enforcement and national
security advisers have descended on London this week for a computer
security event, covering topics that more reflect surviving global
conflict than safeguarding computer networks.

While many corporate technology events have suffered from the economic
slowdown, security conferences around the globe have been relatively
well attended.

"The world's changed," said Martin Smith, chairman of the three-day
Compsec conference, a 19-year-old event that organisers say has
experienced renewed interest since the September 11 attacks in the
United States.



[6] Responsible Disclosure by Corporate Fiat

The new Organization for Internet Safety aims to make vulnerability
disclosure more responsible. It's a good idea, but is the group too
corporate to pull it off?
By Jon Lasser Oct 30, 2002  
I must have a masochistic streak. 

Nothing else could explain why I occasionally argue in this space that
people should act responsibly when disclosing holes in software. If I
even hint that the doctrine of full disclosure has limits, the reaction
is overwhelming. Among other things, I've been called a Microsoft
lackey, a fascist, and "just a plain dolt." You'd think I was
criticizing CISSPs. 

Most of the negative feedback seems to stem from the belief that I'm
opposed to full disclosure. In fact, I'm not. 

But I believe that it's time for the security community to develop a
broadly supported model for disclosing security vulnerabilities. This
model should ultimately result in full disclosure of every security hole
in every application. Just not all at once. 



[7] Homeland goes interstate route 
BY Dibya Sarkar 
Oct. 29, 2002 

If you're having a hard time envisioning what the national strategy for
homeland security would look like, try using the interstate highway
system, built more than 50 years ago, as an example.

That's what Steve Cooper, senior director of information integration and
chief information officer for the White House Office of Homeland
Security, told attendees at the National Association of State Chief
Information Officers in St. Louis on Oct. 28.

Cooper said that Lois Clark McCoy, president of the National Institute
for Urban Search and Rescue, told him several weeks ago that "national"
wasn't the best term to describe the homeland security strategy and
suggested another description: an "interstate communications



'... I think a cyber-terrorism attack is overblown, though the threat
exists. I think al Qaeda and other groups are more interested in
symbolic terrorism, like what they did to the World Trade Center --
suicide bombers or something that really has an effect and is meaningful
to people. ...'

[8] Q & A Kevin Mitnick 
Ex-hacker shares secrets of deception 
Mitnick says 'social engineers' play big role in cyber attacks

Verne Kopytoff, Chronicle Staff Writer    Monday, October 28, 2002 
Kevin Mitnick, the notorious computer hacker who was one of the FBI's
Most Wanted fugitives when he was arrested in 1995, says he has changed
his stripes. 

After serving a five-year prison term for breaking into the computers of
several high-tech firms, stealing software and causing millions of
dollars in damage, the 39-year-old has renounced his old ways and
launched a career as a public speaker and computer security consultant.



[9] MS gets top security rating for Win2k, makes big noise
By John Lettice
Posted: 30/10/2002 at 13:09 GMT

After three years of waiting, Microsoft has achieved Common Criteria
certification for Windows 2000, so it's probably handy that the company
decided not to start pulling the plugs on the OS before last from next
April. Common Criteria certification, since you ask, is an effort to
establish an internationally recognised set of security evaluation
criteria - Win2k achieving certification, since you also ask
that, does not mean that the product is any more secure this week than
it was last week. It does mean it'll be a lot easier for it to sell into
secure defence and government establishments, without having to get
special clearance.

But you'd be forgiven for getting led astray, if you listened to some




[10] OMB issues draft standards to increase info-sharing, cut IT costs
By Tanya N. Ballard

The Office of Management and Budget issued a draft report last Friday
outlining federal technology standards designed to increase information
sharing among agencies and reduce overall technology costs.

“These standards will greatly facilitate the ability to share and reuse
a common set of technology components, while also leading to reduced
information technology investment,” according to a draft report from
OMB’s Federal Enterprise Architecture Program Management Office, which
is charged with designing a governmentwide IT plan. The standards
discussed in the report will initially be applied to 24 technology
projects the Bush administration plans to fund over the next three years
to maximize efficiency and improve its service to citizens and

Federal agencies spend millions of dollars on the development and
acquisition of technology components, according to OMB, but just a few
agencies are effectively using those resources. The majority of agencies
continue to struggle to adopt best practices. Several agencies also
duplicate efforts by separately collecting and processing identical
information, instead of just sharing the data they’ve gathered.



[11] NIST details certification process
BY Diane Frank 
Oct. 30, 2002 

The National Institute of Standards and Technology's Computer Security
Division this week released the first piece of a governmentwide project
aimed at enhancing the overall security of federal information
technology systems.

NIST released a draft publication that establishes a detailed standard
security certification and accreditation (C&A) process for agencies.


Draft Special Publication 800-37 (PDF)

Introductory tutorial for 800-37 (PDF)


[12] Transcom chief touts IT
BY Dan Caterinicchia 
Oct. 29, 2002 

Information technology helps the Defense Department track personnel and
products with unprecedented visibility and is as important to the
warfighter as other essential equipment, according to the commander of
the U.S. Transportation Command (Transcom). 

"Information technology is as central to our mission as the planes,
trains, trucks, and ships that support our warfighters every day around
the globe," said Air Force Gen. John Handy, Transcom commander. "If
information doesn't move, we don't move. We simply would not be able to
support the warfighter."



[13] Tech firms seek to play role in military transformation effort
By Molly M. Peterson, National Journal's Technology Daily

Noting that the military's ongoing "transformation" will provide new
market opportunities for technology companies, the Information
Technology Association of America (ITAA) on Tuesday released a new
publication that could serve as a primer for firms that have never done
business with the Pentagon.

"Defense transformation ... calls for new players and a new playbook,"
ITAA President Harris Miller said in the book's introduction. "ITAA
believes that many companies heretofore focused in part or in total on
the commercial sector will repurpose their products and services to
bring important new options and capabilities to the national defense."

The 50-page publication, which Miller called a "first link" for
high-tech companies looking to build new bridges to the Pentagon,
provides perspectives on military transformation from Defense Department
officials, members of Congress, and industry experts from the private
and academic sectors.



[14] Defense procurement system prone to security lapses
By Amelia Gruber

An electronic procurement system being developed at the Defense
Department needs to have better security features before it can be used,
according to an October report from the Pentagon’s inspector general. 

If deployed today, the Defense Procurement Payment System (DPPS) would
lack two basic safety measures, said the IG’s report on information
security. The existing version does not have proper access controls or
an adequate contingency plan if the systems feeding it fail. 

“Existing weaknesses may lead to unauthorized access by potential users
that may result in undetected alteration or misuse,” the report said. 



[15] Sniper leaves a mark
BY William Matthews 
Oct. 28, 2002 

Two electronic fingerprint databases turned out to be keys to cracking
the Washington, D.C., sniper case.

One, operated by the FBI, gave authorities the identity of a 17-year-old
suspect in the three-week killing spree. The other, operated by the
Immigration and Naturalization Service, led police to the 41-year-old
suspected gunman, John Allen Muhammad.

Initially, the databases were tapped by Montgomery, Ala., police who
were investigating a murder that appeared to be unrelated to the sniping



[16] Brussels to spend €250k on Linux migration study
By John Leyden
Posted: 30/10/2002 at 17:12 GMT

The European Commission has awarded UK-based consultancy netproject a
€250,000 contract to study the issues of migrating government computers
in member states to a Linux / Open Source environment. 

netproject has been hired by the Commission to draw up guidelines on a
move to open source technologies and to help define EU IT strategy on
desktop computing. The German state of Mecklenburg-Pomerania 
is to be used as a test bed in defining this strategy, which goes beyond
the investigation of a switch between Windows and Linux PCs. 



[17] Introducing Network Attached Encryption
By John Leyden
Posted: 30/10/2002 at 12:31 GMT

Application security specialist Ingrian Networks has developed a
technology to offload encryption functions from application or database
servers onto appliances with the aim of providing more robust security
for data in storage. 

Ingrian, which made its name marketing hardware platforms to speed up
the processing of SSL, secure caching, and secure switching (securing
data in transit – a market that has become commoditised), has developed
software service engines to secure data in storage as well. It calls
this technology Network Attached Encryption. 



[18] Wireless WarDrive: Wee Bit of Fun  

By Michelle Delio  
02:00 AM Oct. 29, 2002 PST

NEW YORK -- Finding a public restroom in Manhattan was the biggest
challenge on Day 1 of the WorldWide WarDrive. 

Within a 40-block radius, the WarDrivers identified dozens of wide-open
wireless networks. Among the spotted "private" business and home
networks were those appearing to belong to a bank, a police station,
several law firms and department stores, and a financial services firm. 

All of these networks appeared to be unprotected by even rudimentary
security systems. Anyone with no ethics and just a bit of technical
savvy could have logged in and accessed, at the very least, any of the
information being transmitted across the network. 



[19] Reuters says it wasn't hacking

Responding to accusations of "hacking" from Swedish software company
Intentia, the Reuters news agency has claimed that it merely downloaded
information from a publicly accessible section of the company's Web
site. On Saturday, Intentia alleged that Reuters had accessed its
computers without authorization. In a company announcement they openly
accused the news agency of "breaking in to" its systems.



[20] Greeting card email is not a worm

29 October 2002
- by Claire Woffenden

Web users need to watch out for a nuisance email that appears to be a
worm but is actually a greeting card company's online marketing

Anti-virus companies have reassured those that have received the email
that their computers have not been infected and that the email is not a
virus or a worm.



[21] Home-based cybersecurity defense won't work
By Robert Lemos 
Special to ZDNet
October 29, 2002, 5:55 AM PT

COMMENTARY--In 1944, the U.S. government kicked off the Smokey Bear
campaign to teach citizens how carelessness with smoldering matches
could set off raging forest fires. 

Now the government is making another call to arms--this time to defend
cyberspace from intruders. The most recent draft of the Bush
administration's "National Strategy to Secure Cyberspace" plan calls for
users of the Internet to secure their own part of the worldwide network.



[22] Nowhere to Hide
Recent Sniper, Internet Attacks Show Devastation of a New Breed of

Commentary By Michael S. Malone
Special to ABCNEWS.com
Every so often an unusual juxtaposition of events opens a brief window
into the world we now live in — and the future we are about to
encounter. Last week was, I think, one of those times. 
The two events were the capture, and disclosure of identity, of the
Washington, D.C.-area sniper; and the attempted destruction, via
hacking, of the Internet. Most of us were so busy following the first
that we barely noticed the second. But we should pay very close
attention, because the two are intimately connected, and their combined
implications are terrifying. 


[23] Lawsuit to Test USA Patriot Act
Privacy Groups Claim Government Abuse of Controversial Bill 

By Peter Barnes, Tech Live Washington, DC bureau chief

Oct. 28 — Two major privacy and civil liberties groups are preparing to
file lawsuits this week to force the Bush administration to disclose
more information about how it has been using the USA Patriot Act.  
The law was signed in the wake of the Sept. 11 terrorist attacks and
gives federal law enforcement officials greater powers to track and
eavesdrop on electronic communications.

The organizations, the American Civil Liberties Union (ACLU) and the
Electronic Privacy Information Center (EPIC), say the legal action could
come as early as Thursday, two days shy of the one-year anniversary of
the legislation's signing by President Bush.



[24] CIA warns of Net terror threat
By Declan McCullagh 
Special to ZDNet News
October 29, 2002, 3:40 PM PT

Al-Qaida is not the only terrorist network hoping to wreak havoc on the
United States through "cyberwarfare," the CIA says. 

America's spooks have named Sunni extremists, Hezbollah and
Aleph--formerly known as Aum Shinrikyo--as other top threats. 

"These groups have both the intentions and the desire to develop some of
the cyberskills necessary to forge an effective cyberattack modus
operandi," the CIA said in a report to the Senate Intelligence



[25] Online sales decline for first time
09:29 Wednesday 30th October 2002

US e-commerce sales slow as the industry matures and consumers worry
about their economic security 
Online retail sales in the US declined during the third quarter for the
first time in e-commerce history, according to a new study by Forrester

Forrester said third quarter e-commerce sales totalled $17bn (£11bn),
down from $20bn in the second quarter. Sales had been unchanged at $20bn
for the past two quarters. Forrester said the decline this month
signaled the industry was maturing and was not immune to overall
weakness in consumer confidence and spending.



[26] A new threat to ICANN authority?
30th October, 2002

The Internet Corporation of Assigned Names and Numbers (ICANN) is facing
a potential challenge to its position as the body that runs the
Internet's Domain Name System. 

A non-profit public policy group called the Center for Democracy and
Technology (CDT) has reportedly tabled plans for interested operators of
the 240 or so country code top level domains (ccTLDs) to bid for the
contract to run the Internet Assigned Numbers Authority (IANA) which
maintains administrative contacts for the Internet, updates name servers
and undertakes other administrative tasks. The effect, therefore, of any
successful bid would be to significantly reduce ICANN's power. The
contract to run IANA's function is awarded by US Department of Commerce
and comes up for renewal next March. 



[27] Dear Saddam, How Can I Help?  

By Brian McWilliams  
02:00 AM Oct. 28, 2002 PST

On the afternoon of July 17, a self-proclaimed expert in biochemistry
composed an e-mail message to Saddam Hussein. 

The message, sent from an MSN Hotmail account on a computer in China,
recommended the use of methyl bromide, an agricultural pesticide, as an
effective chemical weapon against the U.S. Army. 

"For weapon use, have function: no color, no smell, will let person dead
in a few second," wrote the e-mail's author, who provided the phone
number and address of a distributor in Riyadh, Saudi Arabia, from which
the toxic chemical could be purchased "in cylinder or in can."



[28] Technology: Military conference highlights information systems 
Copyright © 2002 United Press International

By PAMELA HESS, UPI Pentagon Correspondent

NASHVILLE (October 28, 2002 11:10 p.m. EST) - The Department of
Defense's computer networks were probed by hackers 14,500 times last
year, with just 70 getting in. Of those, only three caused any damage -
and they were the same viruses that hobbled the private computer
networks, according to the Army's chief of intelligence. 

The problem is not that hackers and virus-makers are getting better, but
that relatively low-level systems administrators are failing to stop
known gaps in their systems, said Lt. Gen. Robert Noonan, deputy chief
of staff for intelligence, at a conference of electronic warfare
professionals held here. 


[29] Golden Age of IT Hasn't Arrived Yet

JULY 29, 2002

"The mood here is grim," said W. Brian Arthur, Citibank professor at the
Santa Fe Institute, a think tank that specializes in emerging science.
"Broadband is dead in the water, some say, and Peter Drucker thinks the
information technology revolution is over." 

Arthur spoke those sobering words to a business and technology crowd
earlier this year in Silicon Valley. But then he went on to explain why
he thinks the IT revolution is anything but over. Indeed, Arthur argues,
it has only paused briefly to catch its breath before moving on to reach
its "golden age" between 2005 and 2015. 



[30] DoCoMo gets defaced
By John Leyden
Posted: 29/10/2002 at 14:21 GMT

Japanese mobile operator NTT DoCoMo shut down part of its Web site last
week after an attack by Internet vandals. 

DoCoMo was forced into action after pages on the Web site which allowed
business customers to contact the mobile operator were defaced.
WirelessWeek reports that the cracker left his name along with the
phrase "never die" on the defaced portion of the site.



[31] Is a larger Net attack on the way? 
Recent attack may have been just a prank — or a test shot 
By Bob Sullivan
Oct. 28 — The Internet was never really in danger of being knocked
offline during last week’s coordinated attack on its infrastructure,
most computer experts now agree. But the day is coming, some believe,
when the Net will go dark for a day or so, shut down by an attacker.
U.S. government officials are taking last week’s incident very
seriously, partly because it might have been a test shot fired over the
Internet’s bow by a group with larger plans, and partly because the
incident has sparked a fresh round of speculation about attack
strategies that could in fact cripple the Net.



[32] Employee surveillance unaffected by terror threat
15:29 Tuesday 29th October 2002
Declan McCullagh, CNET News.com   

US companies have not increased Internet surveillance of employees in
response to the government's anti-terrorism efforts, a new report
The General Accounting Office, an auditing arm of Congress, said in a
report released on Monday that corporate-level monitoring of email and
Web use does not appear to have changed since the 11 September, 2001,
terrorist attacks. 

"None of the employers we interviewed had increased the amount or type
of information they gathered on employees' use of email, the Internet or
computer files," the report said. Under the USA Patriot Act, signed by
President Bush a year ago, law enforcement received more power to
conduct Internet surveillance and seek information from private



[33] FIPS testing finds lots of mistakes in crypto IT 

By William Jackson 
GCN Staff

About half of the cryptographic modules submitted for Federal
Information Processing Standard validation have security flaws, a survey
by the National Institute of Standards and Technology has found. Almost
all evaluated products had documentation errors, said Annabelle Lee,
director of NIST's Cryptographic Module Validation Program.




The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
