_________________________________________________________________

                      London, Wednesday, November 27, 2002       
   _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________


---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body

---------------------------------------------------------------------

    _________________________________________________________________

    
          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] Most homeland security agencies to move by March, White House says
[2] Intelligence experts pan call for domestic spying agency
[3] Lawmaker urges Bush to fill key homeland positions
[4] FEMA debuts DisasterHelp.gov
[5] Secure Programming with .NET

[6] Free Chinese Net users - Amnesty
[7] AKO offers secure portal lessons
[8] Hackers Fight Censorship, Human Rights Violations
[9] Firms to splash cash on IT security
[10] Winning the Cybersecurity War

[11] Justice Department outlines security roadmap for chemical plants
[12] RIAA punishing Navy cadets 'because it can'
[13] Court finds limits to California jurisdiction in cyberspace
[14] Lawyers Fear Misuse of Cyber Murder Law
[15] The seven deadly sins of e-tailers

[16] Command to score joint C2
[17] RealPlayer security fix is faulty
[18] Possessed! The Solaris font daemon
[19] Feds break massive identity fraud

    _________________________________________________________________

                        CURRENT THREAT LEVELS 
    _________________________________________________________________


Electricity Sector Physical: Elevated (Yellow) 

Electricity Sector Cyber: Elevated (Yellow) 

Homeland Security Elevated (Yellow) 

DOE Security Condition: 3, modified  

NRC Security Level: III (Yellow) (3 of 5) 

    _________________________________________________________________

                                News
    _________________________________________________________________


[1] Most homeland security agencies to move by March, White House says
By Jason Peckenpaugh

The White House released its initial plan for organizing the Homeland
Security Department on Monday, including a time frame for moving
agencies to the new department.

Pending Senate confirmation, Homeland Security Secretary-designate Tom
Ridge will take office on Jan. 24, and nearly all of the agencies slated
to move to the department will transfer on March 1. All agency transfers
will be completed by Sept. 30, 2003 according to the plan, which was
required under the Homeland Security Act that President Bush signed
Monday.

The plan does not state whether any employees will move offices when
their agencies are transferred. The White House is looking for office
space in the Washington area, and District of Columbia politicians,
including Del. Eleanor Holmes Norton, D-D.C., have argued the new
department's headquarters should be in the District. Northern Virginia
offers additional sites for the potential headquarters, according to
Rep. James Moran, D-Va. "Because we built more than in Maryland and the
District, we have more office space and you can get very good prices,"
he said in a recent interview with Government Executive.

http://www.govexec.com/dailyfed/1102/112602p1.htm

         ----------------------------------------------------

[2] Intelligence experts pan call for domestic spying agency
By Drew Clark, National Journal's Technology Daily 

A new domestic spying agency would neither serve the interests of police
or spying agencies nor ameliorate Americans' fears about enhanced
electronic surveillance by the government, a panel of intelligence
experts largely agreed, for different reasons, on Friday.

The proposal, reportedly discussed in the White House, is one of the
recommendations of the Gilmore Commission, an advisory panel on
terrorism and weapons of mass destruction. The issue gained renewed
attention with a Nov. 18 decision of a secret court that expanded the
government's authority to use intelligence information in criminal
prosecutions.

Attorney General John Ashcroft praised the decision, but civil liberties
advocates said it represented a new avenue for spying on Americans.

http://www.govexec.com/dailyfed/1102/112602td1.htm

         ----------------------------------------------------

[3] Lawmaker urges Bush to fill key homeland positions
From National Journal's Technology Daily

A key House lawmaker on Monday urged President Bush to immediately
appoint the chief privacy and civil liberties officers of the new
Homeland Security Department.

Both positions are to be created in the department, but because they do
not require Senate confirmation, California Democrat Jane Harman, the
ranking minority member on the House Intelligence Terrorism and Homeland
Security Subcommittee, encouraged Bush to fill the jobs quickly, given
rising concerns about privacy.

"It is vital that the department rebalance privacy and security from Day
One, or we are in danger of never getting it right," she said in a
statement.

http://www.govexec.com/dailyfed/1102/112602td2.htm

         ----------------------------------------------------

[4] FEMA debuts DisasterHelp.gov

BY Megan Lisagor 
Nov. 26, 2002 

The Federal Emergency Management Agency on Nov. 25 launched a pilot
version of DisasterHelp.gov, a one-stop portal for emergency
preparedness and response information.

The disaster management effort is one of 24 cross-agency e-government
initiatives highlighted by the Bush administration. FEMA is in charge of
the project but is working with 26 partners.

http://www.fcw.com/fcw/articles/2002/1125/web-fema-11-26-02.asp 

         ----------------------------------------------------

[5] Secure Programming with .NET 

by Rohyt Belani and David Wong 
last updated November 26, 2002 

At the core of Microsoft's .NET initiative is the goal of
interconnecting businesses, users, applications, and data. However, with
all the concerns regarding security and privacy of data, many
individuals and companies are reluctant to connect their business
systems and place their data in reach of hackers thousands of miles
away. Microsoft understands the challenges and concerns facing early
adopters of their technology, and has made security one of their top
priorities. The fundamental pillar for building applications is the
security surrounding the .NET framework and the security services it
provides. In this article, we will provide an overview of .NET framework
security features and provide practical tips on how to write secure code
in the .NET framework. More importantly, we will discuss which pitfalls
to avoid. 

http://online.securityfocus.com/infocus/1645 

         ----------------------------------------------------

[6] Free Chinese Net users - Amnesty 
By Tim Richardson
Posted: 27/11/2002 at 10:32 GMT

Amnesty International has called on the Chinese authorities to free all
those who've been locked up for using the Internet to express their
views or share information. 

The group claims that at least 33 people - including writers and
political activists - have been detained for Net-related offences. 

Two of those died in custody apparently after being tortured by police.
Both were members of the Falun Gong spiritual movement, which was banned
as a "heretical organisation" in July 1999. 

http://www.theregister.co.uk/content/6/28316.html

         ----------------------------------------------------

[7] AKO offers secure portal lessons
BY Dan Caterinicchia 
Nov. 26, 2002 

In developing its own secure portal, the Air Force might be able to take
some lessons learned from the Army Knowledge Online portal, which has
more than 1 million accounts, including about 6,000 with SIPRNET access,
said Robert Coxe, the Army's former chief technology officer who managed
AKO. 

The Air Force is in the initial phases of developing a secure portal
that will provide air operations centers with access to the data they
need to make critical warfighting decisions. Such information currently
is maintained in disparate systems.

http://www.fcw.com/fcw/articles/2002/1125/web-ako-11-26-02.asp 

         ----------------------------------------------------

[8] Hackers Fight Censorship, Human Rights Violations
By Dennis Fisher

A hacker group on Tuesday released a novel license agreement that gives
end-users the power to enforce the agreement and sue governments and
other entities that misuse software covered by the license.

The Hacktivismo Enhanced-Source Software License Agreement (HESSLA) is
designed to prevent governments, corporations and other organizations
from using Hacktivismo's applications to censor Internet content or
subvert human rights, the group said. The license is based on the
open-source concept of transparency but builds in some unique legal
provisions designed to make the application's user base a volunteer
enforcement army. 

http://www.eweek.com/article2/0,3959,729843,00.asp 

         ----------------------------------------------------

[9] Firms to splash cash on IT security
17:24 Tuesday 26th November 2002
Graeme Wearden   

Analysts predict that identity management solutions are the next hot
security technologies

Concerns over the security of their computer systems will force many
companies to invest in identity management technologies, according to
new research.

Analyst firm IDC predicted on Tuesday that, despite the tech recession,
the amount of money spent on IT security will grow over the coming
years.

IDC's European Corporate Infrastructure Survey 2002 has found that
security is the top priority for European chief information officers,
due to growing concern over security breaches. As a result, the survey
revealed, many companies are employing the services of security auditors
to assess the state of their systems -- a move that IDC says is also
driven by growing regulatory requirements.

http://news.zdnet.co.uk/story/0,,t269-s2126572,00.html 

         ----------------------------------------------------

[10] Winning the Cybersecurity War
By Tim Howes 
November 25, 2002 

There must be a fundamental shift from addressing vulnerabilities in a
reactive mode to tackling them proactively.  

Cybersecurity is on everyone's mind. Threats run the gamut, from
domestic to foreign, internal to external, from teenage hackers to
sophisticated rings with malicious intentions. So, how should
corporations protect themselves? And how do they implement security
measures without breaking the bank? 

What Is the Weakest Link? 

What is the biggest vulnerability in most security systems? Any good
security expert will tell you that good security is mostly not about
technology. It is about the people, processes, policies, and ways in
which technology is used in an organization. People play a huge role in
cybersecurity, and people are not infallible. Even the best make
mistakes. 

We know the basic human-error risks in security -- people don't always
follow security policies, creating holes in the system. But perhaps the
biggest weak spot of enterprise corporations and government agencies can
be found inside the hundreds of thousands of servers that live within
the data center. The number of required security patches and updates for
all these servers and the applications that run on them is overwhelming.


http://www.newsfactor.com/perl/story/20084.html 

         ----------------------------------------------------

[11] Justice Department outlines security roadmap for chemical plants
By Bryan Bender, Global Security Newswire 

The Justice Department has published a plan to help thousands of U.S.
chemical plant operators assess their vulnerability to terrorist attack
and identify necessary security measures to prevent or mitigate attempts
to use chemical facilities as potential weapons of mass destruction.

The National Institute of Justice report marks one in a series of
federal initiatives to help the industry beef up security as
intelligence officials warn of possible terrorist attacks on chemical
factories and shipping routes.

A guide for assessing a facility's security weaknesses, A Method to
Assess the Vulnerability of U.S. Chemical Facilities, was compiled with
the assistance of the Energy Department's Sandia National Laboratory,
responsible for assessing the vulnerability of critical U.S.
infrastructure. Also participating in the effort were the Office of
Homeland Security, the Environmental Protection Agency, the
Transportation Department and the chemical industry.

http://www.govexec.com/dailyfed/1102/112602gsn1.htm

         ----------------------------------------------------

[12] RIAA punishing Navy cadets 'because it can'
By Andrew Orlowski in San Francisco
Posted: 26/11/2002 at 10:21 GMT

The RIAA may be shocked (shocked!) by our satirical treatment of the US
Navy Academy's confiscation of PCs containing MP3s ("I demand the story
be taken down immediately" - RIAA), but Register readers are just as
shocked that the RIAA has gone for a soft target.

Many military staff past and present have written to us. The difference
between the Navy academy and other colleges is clear: the academy is
obliged to investigate and punish miscreants.

http://www.theregister.co.uk/content/6/28293.html 

         ----------------------------------------------------

[13] Court finds limits to California jurisdiction in cyberspace
By Howard Mintz
Mercury News
 
The California Supreme Court on Monday set some fresh legal boundaries
in cyberspace, ruling that the vastness of the Internet doesn't give
companies carte blanche to use the California courts as a forum to sue
defendants in other states.

In a closely watched case involving the DVD industry's efforts to
prevent illegal copying, a divided state Supreme Court found that DVD
makers cannot pursue claims against a Texas man because they have failed
to establish any connection between his conduct and California. The
justices determined that simply posting material on the Internet was not
in itself enough to meet the law's basic demands for suing in
California.

http://www.siliconvalley.com/mld/siliconvalley/4608355.htm 

         ----------------------------------------------------

[14] Lawyers Fear Misuse of Cyber Murder Law

Defense attorneys say the new threat of life imprisonment for hackers
who try to "cause death" by computer will be used to squeeze quick
guilty pleas from even non-lethal cyberpunks. 
By Kevin Poulsen, SecurityFocus Nov 21 2002 12:23PM

A genuine cyber murder may never happen outside the pages of tabloid
newspapers and Tom Clancy novels, but defense attorneys say that won't
keep federal prosecutors from getting some mileage out of a provision in
the newly-passed Homeland Security bill that dictates a maximum sentence
of life imprisonment without parole for computer hackers with homicide
in their hearts. 

One of many information security and cybercrime measures in the 484-page
bill -- which won final approval in the Senate Tuesday -- the life
sentence is reserved for those who deliberately transmit a program,
information, code, or command that impairs the performance of a computer
or modifies its data without authorization, "if the offender knowingly
or recklessly causes or attempts to cause death."

http://online.securityfocus.com/news/1702 

         ----------------------------------------------------

[15] The seven deadly sins of e-tailers 
Author: Staff writer, ITWeb

[ITWeb, 22 Nov 2002] The silly season is upon us, and for those who
suffer from serious time constraints at this time of year, online
shopping should be a blessing in disguise - if only the e-tailers would
stop making life difficult for their customers.

Debbie Nelson, MD of iLAB Project Services, is a regular online shopper
who believes that there are certain cardinal sins that an e-tailer
should never commit.

http://www.sundaytimes.co.za/business/technology/Tech2.asp 

         ----------------------------------------------------

[16] Command to score joint C2
BY Dan Caterinicchia 
Nov. 27, 2002 

U.S. Joint Forces Command soon will be managing the Defense Department's
joint command and control (C2) decisions, as soon as Pentagon leaders
sign off on the implementation plan.

"Joint Forces Command will be fully in charge of joint command and
control, and we're making them accountable by giving them the money to
do it," said Army Lt. Gen. Joseph Kellogg Jr., director of command,
control, communications and computer systems for the Joint Staff, during
a Nov. 26 luncheon speech sponsored by the Washington, D.C., chapter of
AFCEA International. 

http://www.fcw.com/fcw/articles/2002/1125/web-forces-11-27-02.asp

         ----------------------------------------------------

[17] RealPlayer security fix is faulty
By John Leyden
Posted: 26/11/2002 at 17:49 GMT

That nemesis of application security, the buffer overrun, has found its
way into media players from RealNetworks. 

Three similar, though separate, flaws in RealPlayer (and its update
RealOne) create a way for crackers to inject hostile code onto Windows
boxes of victims induced to run maliciously constructed media files. In
common with most buffer overflow flaws (which are typically attributable
to programming errors), hostile code could execute in the security
context of the logged-on user/victim.

http://www.theregister.co.uk/content/55/28308.html 

         ----------------------------------------------------

[18] Possessed! The Solaris font daemon 
By John Leyden
Posted: 27/11/2002 at 10:45 GMT

A buffer overflow risk exists in the font service which ships with
Solaris. There is a workaround, but no comprehensive fix just yet. 

Security clearing house CERT warns in an advisory that Solaris X Window
Font Service (XFS) daemon (fs.auto) contains a remotely exploitable
buffer overflow vulnerability which could allow an attacker to execute
arbitrary code or cause a denial of service. 

The Solaris X Window Font Service (XFS) serves font files to clients. It
ships with Solaris and is included as a component in a limited number of
other operating systems.

http://www.theregister.co.uk/content/55/28318.html 

         ----------------------------------------------------

[19] Feds break massive identity fraud 
By John Leyden
Posted: 26/11/2002 at 13:33 GMT


US investigators have charged three people for involvement in an ID
theft scam believed to have hit upwards of 30,000 victims and cost
millions through fraudulent transactions. Prosecutors say it is the
largest identity fraud case in US history.

According to newswire reports, the chief suspect in the case is Philip
Cummings, 33, of Cartersville, Georgia, who turned himself in yesterday.
Cummings worked for Teledata Communications, which supplies software to
link the systems of banks and credit reference agencies.

http://www.theregister.co.uk/content/55/28302.html 

         ----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
