(Due to a power outage there was no Infocon on Friday. WEN)

_________________________________________________________________

London, Monday, November 25, 2002
_________________________________________________________________

INFOCON News
_________________________________________________________________

IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________

---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body
---------------------------------------------------------------------

_________________________________________________________________

----------------------------------------------------
[News Index]
----------------------------------------------------

[1] Homeland Security organized along administration's proposal
[2] War with Iraq will mean virus outbreak, hacker says
[3] Academy seizes computers from nearly 100 mids
[4] White House science team outlines anti-terrorism focus
[5] Tech Insider: Total information unawareness
[6] Sept. 11 showed work needed on Internet
[7] Pentagon backs off on Net ID tags
[8] Preparing for a Different Kind of Cyberattack
[9] Net auctions targeted for crackdown
[10] No two cyber-policies are alike
[11] When Washington Mimics Sci Fi
[12] Security Alert: New Wi-Fi Security Scheme Allows DoS
[13] Comdex's Secure Side
[14] Court to decide Kazaa's US liability
[15] Congress responds to concerns, but conflict could delay action
[16] Why is mi2g so unpopular?
[17] Internet security journalist hacks Saddam's e-mail
[18] Microsoft warns of security hole
[19] SQL Injection and Oracle
[20] Researchers: Pull plug on battery attacks
[21] Marines move toward PKI

_________________________________________________________________

News
_________________________________________________________________

_________________________________________________________________

CURRENT THREAT LEVELS
_________________________________________________________________

Electricity Sector Physical: Elevated (Yellow)
Electricity Sector Cyber: Elevated (Yellow)
Homeland Security: Elevated (Yellow)
DOE Security Condition: 3, modified
NRC Security Level: III (Yellow) (3 of 5)

----------------------------------------------------

[1] Homeland Security organized along administration's proposal
By Tanya N. Ballard

The Homeland Security Department approved by Congress this week looks much like the department President Bush proposed five months ago. The new department will merge at least 170,000 federal employees from 22 agencies who perform a vast array of missions, from agricultural research to port security to disaster assistance.

Under H.R. 5005, the Homeland Security Department would include the Transportation Security Administration, Customs Service, Immigration and Naturalization Service, Secret Service, Coast Guard and Federal Emergency Management Agency. The agencies will be reorganized into four directorates within the department: Information Analysis and Infrastructure Protection, Science and Technology, Border and Transportation Security, and Emergency Preparedness and Response.
The information analysis unit would absorb all of the functions of the FBI's National Infrastructure Protection Center, the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, the Energy Department's National Infrastructure Simulation and Analysis Center, and the General Services Administration's Federal Computer Incident Response Center.

http://www.govexec.com/dailyfed/1102/112002t1.htm

----------------------------------------------------

(FUD. A bragging teenager who is rather a lame virus writer, but naturally the journalist believes him that he is able to write a 'Uebervirus'. WEN)

[2] War with Iraq will mean virus outbreak, hacker says
By DAN VERTON
NOVEMBER 20, 2002
Source: Computerworld

A Malaysian virus writer who is sympathetic to the cause of the al-Qaeda terrorist group and Iraq and who has been connected to at least five other malicious code outbreaks is threatening to release a megavirus if the U.S. launches a military attack against Iraq.

The virus writer, who goes by the handle Melhacker and is believed to have the real name of Vladimor Chamlkovic, is thought to have written or been involved in the development of the VBS.OsamaLaden@mm, Melhack, Kamil, BleBla.J and Nedal worms.

However, in an exclusive interview today with Computerworld, Melhacker confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that he has developed and tested a "three-in-one" megaworm code-named Scezda that combines features from the well-known SirCam, Klez and Nimda worms.

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76071,00.html

----------------------------------------------------

(This is out of order. The record industry is just digging its own grave by doing this as it will lose popular support. Instead of arresting students, the record industry should look at their business model and adapt it to the Internet age.
It was already a big mistake to 'shut down' Napster as it could have been used to develop some sort of online distribution platform (subscription model, ....), but now it is too late. WEN)

[3] Academy seizes computers from nearly 100 mids
By JESSICA R. TOWHEY, Staff Writer

Officials at the Naval Academy have seized nearly 100 midshipmen's computers that allegedly contained illegally downloaded music and movies, sources said.

The raid occurred Thursday while students were in class, and a source familiar with the investigation said the computers were being held by the administration.

Cmdr. Bill Spann, academy spokesman, confirmed that an investigation into what material is on the computers is under way, but declined further comment.

http://www.hometownannapolis.com/cgi-bin/read/live/11_23-19/NAV

----------------------------------------------------

[4] White House science team outlines anti-terrorism focus
By Bara Vaida, National Journal's Technology Daily

The Bush administration's science and technology policy team has identified five areas related to fighting terrorism that likely will receive additional investment as the fiscal 2004 budget is developed for release early next year, according to White House science adviser John Marburger.

The research areas are information infrastructure development, behavioral and risk management, terrorist-related crime and networks, public health and crisis response intervention and socioeconomic intervention, and international policy, Marburger said in a speech to the Consortium of Social Science Associations on Monday.
To "identify areas that warrant additional investment," Jim Griffin, assistant director of social, behavioral and educational issues at the White House Office of Science and Technology Policy (OSTP), worked with staff from the National Science Foundation, the National Institutes of Health, the Justice and Education departments, the Centers for Disease Control and Prevention, the Pentagon and the CIA through the administration's anti-terrorism task force created this year.

http://www.govexec.com/dailyfed/1102/112202td1.htm

----------------------------------------------------

[5] Tech Insider: Total information unawareness
By Shane Harris

In the past week, privacy advocates and media commentators have sounded an alarm, saying that the Defense Department is building a new computer system to spy on personal transactions such as credit card purchases and e-mails. Their fears are unfounded and overblown.

At issue is a project called the Total Information Awareness (TIA) system, run by the Defense Advanced Research Projects Agency (DARPA), the research and development arm of the Pentagon that takes technologies in their prenatal stage and turns them into prototypes, usually over the course of three to four years per project. The goal of the TIA system is clear, but far from simple: To predict terrorist attacks before they happen.

Unfortunately, almost nothing has been published describing what the TIA system is, and more importantly, what it isn't, so that citizens can make up their minds about whether this project is advisable or even feasible.

http://www.govexec.com/dailyfed/1102/112002ti.htm

----------------------------------------------------

[6] Sept. 11 showed work needed on Internet
By Scott R. Burnell
UPI Science News
From the Science & Technology Desk
Published 11/20/2002 6:44 PM

WASHINGTON, Nov. 20 (UPI) -- The Sept.
11 terrorist attacks on New York's World Trade Center had a minor physical effect on the Internet, but the experience shows that operators of key Web facilities need to review their redundancy plans, according to a National Research Council report released Wednesday.

The Association for Computing Machinery requested the study to try and collect available data on how the Internet dealt with the loss of key communications nodes in Lower Manhattan, said Craig Partridge, chair of the report committee and chief scientist at the pioneering Internet research and development company, BBN Technologies, in Cambridge, Mass.

"New York City is a 'super hub' of Internet links and services," Partridge said. "The collapse of the World Trade Center buildings damaged some of those, often in subtle and surprising ways."

http://www.upi.com/view.cfm?StoryID=20021120-052609-3816r

----------------------------------------------------

[7] Pentagon backs off on Net ID tags
By Declan McCullagh
Special to ZDNet News
November 22, 2002, 10:24 AM PT

A Defense Department agency recently considered--and rejected--a far-reaching plan that would sharply curtail online anonymity by tagging e-mail and Web browsing with unique markers for each Internet user.

The idea involved creating secure areas of the Internet that could be accessed only if a user had such a marker, called eDNA, according to a report in Friday's New York Times.

eDNA grew out of a private brainstorming session that included Tony Tether, president of the Defense Advanced Research Projects Agency (DARPA), the newspaper said, and that would have required at least some Internet users to adopt biometric identifiers such as voice or fingerprints to authenticate themselves.
http://zdnet.com.com/2100-1105-966894.html

----------------------------------------------------

[8] Preparing for a Different Kind of Cyberattack
By Dennis Fisher

While many agencies are still licking their wounds from once again failing their annual information security test, the Department of Defense and the National Security Agency on Thursday will announce a new partnership that could go a long way toward shoring up the security of the government's networks.

The new agreement is a joint research and development initiative with Lancope Inc., to build an advanced intrusion-detection appliance for use both inside the government and in the private sector. Code-named the Therminator, the appliance will incorporate Lancope's StealthWatch, behavior-based IDS system with a new data-reduction and visualization technology developed by the government.

Perhaps indicating the government's current emphasis on information security, the organizations have set forth an aggressive development schedule and are hoping to deploy a prototype appliance within six months.

http://www.eweek.com/article2/0,,717180,00.asp

----------------------------------------------------

[9] Net auctions targeted for crackdown
5 in Valley arrested in fraud probe
Susan Carroll
The Arizona Republic
Nov. 22, 2002 12:00 AM

Valley shoppers routinely turn to Internet auction sites to buy items ranging from a diet bake mix to a Disneyland vacation.

But instead of getting their goods, authorities say, many Net users have received a lesson in cybercrime.

Maricopa County Sheriff Joe Arpaio vowed Thursday to crack down on Valley computer crooks who post items and fail to deliver.
http://www.azcentral.com/news/articles/1122auctionfraud22.html

----------------------------------------------------

[10] No two cyber-policies are alike
National Underwriter; Property & casualty/risk & b - November 11, 2002 00:00
Lisa S Howard
National Underwriter
Erlanger

Not all e-commerce policies are alike, and if buyers aren't careful they might find that unseen exclusions leave them without the proper coverage, according to several industry practitioners.

"These policies are like snowflakes," emphasized David O'Neill, vice president of e-Business solutions with Zurich North America Financial Enterprises in Atlanta.

"What I mean by that is they may all have the same type of insuring agreements..., but on the back side, the exclusionary clauses can be very, very significantly different," he said.

http://www.insurancenewsnet.com/article.asp?newsid=CpC85ue:amJqYmte1nZyX&src=moreover

----------------------------------------------------

[11] When Washington Mimics Sci Fi
John Poindexter's evil design for an all-seeing God Machine seems torn from the pages of visionary science fiction, where such schemes rarely end well.
By George Smith
Nov 24, 2002

In Polish science fiction writer Stanislaw Lem's collection of short stories, "Imaginary Magnitude," there is a tale of a DARPA project to create a deus computing system -- a vigilant and all-knowing god machine. A handful of technical monstrosities with names like Golem XIV, Supermaster and the Honest Annihilator are built. None perform as predicted and, as I recall, the Honest Annihilator mysteriously shuts itself off after being forced to deal with people too much.

When reading of scalawag John Poindexter's supreme anti-terrorist Total Information Awareness System (TIAS), I thought I had stumbled into another Lem fable of the future.
Lem loved dry references to overseeing national security mechanisms, not unlike the Information Assurance Office and its motto "Scientia Est Potentia" -- "Knowledge is Power," and he used them as props in bitter jokes on the nature of technological domination.

http://online.securityfocus.com/columnists/126

----------------------------------------------------

[12] Security Alert: New Wi-Fi Security Scheme Allows DoS
By Brett Glass

The industry has, at last, agreed upon a security scheme to replace WEP -- the encryption technique that was supposed to ensure "wired-equivalent privacy" but in fact did no such thing. The new scheme, called WPA ("Wi-Fi Protected Access"), is supposedly much tougher to crack, and it's backward compatible with older cards because it can be implemented in software in the host machine. (The Wi-Fi Alliance has posted a FAQ answering users' most common questions.)

http://www.extremetech.com/article2/0,3973,717170,00.asp

----------------------------------------------------

[13] Comdex's Secure Side
A sampling of the information security products on the menu at Comdex.
By Michael Fitzgerald, SecurityFocus
Nov 22 2002 12:17AM

LAS VEGAS--Comdex Fall 2002 was far from previous year's heights, but still continues to function as a smorgasbord for the information technology world. No surprise, then, that some security companies were there serving up products. At the same time, Comdex failed to draw many of the major security vendors. While the pickings were slim, some of them might prove interesting.

Zone Labs introduced version 2.0 of its Integrity enterprise security product. The firewall and administration tool now blocks "spyware" components, and beefs up data port management features. But primarily the administrative tools are now easier to use, and the product is easier to install.
http://online.securityfocus.com/news/1713

----------------------------------------------------

[14] Court to decide Kazaa's US liability
09:29 Monday 25th November 2002
John Borland, CNET News.com

If a judge says Sharman can be sued in the United States, Kazaa will be sucked into the same legal maelstrom that has grabbed Napster, Aimster, Audio Galaxy, Grokster and Morpheus

A Los Angeles federal judge will hear arguments Monday as to whether record companies and movie studios can sue the parent company of Kazaa, the most popular online file-swapping service, in the United States.

http://news.zdnet.co.uk/story/0,,t278-s2126445,00.html

----------------------------------------------------

[15] Congress responds to concerns, but conflict could delay action
By Patrick Ross
Staff Writer, CNET News.com
February 23, 2001, 4:00 a.m. PT

WASHINGTON--Congress is growing more responsive to calls for online privacy legislation, but a major conflict looms that could hurt efforts this year to enact consumer safeguards against prying Web sites.

Last fall saw Republicans and Democrats in the House and Senate vow that 2001 would be the year an online privacy law was passed. Politicians have begun working on multiple bills, and predictably, Internet companies are voicing caution while privacy advocates are urging speed.

http://news.com.com/2009-1023-252897.html

----------------------------------------------------

[16] Why is mi2g so unpopular?
By John Leyden
Posted: 21/11/2002 at 18:02 GMT

Richard Forno, author of The Art of Information Warfare and security consultant to the US Department of Defense, has launched a broadside against mi2g, accusing the UK-based security consultancy of spreading fear, uncertainty and doubt about cyberterrorism risks.

In a critique entitled Security Through Soundbyte: The 'Cybersecurity Intelligence' Game, Forno questions mi2g's estimates of damage caused by cyber attacks and the whole basis of its 'cybersecurity intelligence' business.
Much of Forno's criticism of mi2g chimes with that of VMyths editor Rob Rosenberger, who features mi2g high up in his hysteria roll call of security industry Prophets of Doom.

http://www.theregister.co.uk/content/55/28233.html

----------------------------------------------------

[17] Internet security journalist hacks Saddam's e-mail
Published Sunday, November 24, 2002

DURHAM, N.H. (AP) - Even Saddam Hussein gets spam.

He also gets e-mail purporting to be from U.S. companies offering business deals, and threats, according to a journalist who figured out a way into an Iraqi government e-mail account and downloaded more than 1,000 messages.

Brian McWilliams, a free-lancer who specializes in Internet security, says he hardly needed high-level hacking skills to snoop through e-mail addressed to Saddam.

While doing research late one October night, the Durham resident clicked on the official Iraqi government Web site, http://www.uruklink.net/iraq.

http://www.showmenews.com/2002/Nov/20021124News014.asp

----------------------------------------------------

[18] Microsoft warns of security hole
10:20 Friday 22nd November 2002
Reuters

The software giant has warned users of a significant security hole in its Windows operating system which is prone to cyber-attack

Microsoft has issued a "critical" security bulletin which said the company has discovered a security hole in its software which would let cyber-attackers run programs on Web servers and computers in homes and businesses.

The software giant on Thursday said that users of its Windows operating system, except for its latest Windows XP version, as well as users of its Internet Explorer, were vulnerable to malicious attacks.
http://news.zdnet.co.uk/story/0,,t269-s2126363,00.html

----------------------------------------------------

[19] SQL Injection and Oracle
by Pete Finnigan
last updated November 21, 2002

SQL injection techniques are an increasingly dangerous threat to the security of information stored upon Oracle Databases. These techniques are being discussed with greater regularity on security mailing lists, forums, and at conferences. There have been many good papers written about SQL Injection and a few about the security of Oracle databases and software but not many that focus on SQL injection and Oracle software.

This is the first article in a two-part series that will examine SQL injection attacks against Oracle databases. The objective of this series is to introduce Oracle users to some of the dangers of SQL injection and to suggest some simple ways of protecting against these types of attack.

Oracle is a huge product and SQL injection can be applied to many of its modules, languages and APIs, so this paper is intended to be an overview or introduction to the subject. This two-part series is not intended as a detailed treatise of how to SQL inject an Oracle database, nor is it intended as a detailed discussion on the finer points of the technique in general. (Details of SQL injection techniques have been covered admirably in the past for other languages and databases, particularly by Rain Forest Puppy who pioneered the subject. Some of these papers are included in the reference section at the end of this paper.)

Rather, I have designed this paper so that as many readers as possible can try out the examples. To achieve this I have used a PL/SQL procedure that uses dynamic SQL to demonstrate the techniques of SQL injection from the ubiquitous SQL*Plus.
http://online.securityfocus.com/infocus/1644

----------------------------------------------------

[20] Researchers: Pull plug on battery attacks
By Sandeep Junnarkar
Special to ZDNet News
November 22, 2002, 9:09 AM PT

A team of computer scientists is working to prevent new types of denial-of-service attacks aimed at battery-powered mobile devices.

Tom Martin, a professor at Virginia Tech's electrical and computer engineering department, has received a grant for more than $400,000 from the National Science Foundation to devise a way to protect battery-operated computers from security attacks that could drain their batteries.

Although the researchers concede that such kinds of attacks are extremely rare, the proliferation of notebook computers, personal digital assistants, tablet PCs, networked cell phones and other devices could make them alluring targets. The threat could be even more menacing to businesses that use battery backup systems to protect their databases and storage systems against electrical power outages.

http://zdnet.com.com/2100-1103-966886.html

----------------------------------------------------

[21] Marines move toward PKI
BY Dan Caterinicchia
Nov. 25, 2002

The Marine Corps' Marine Forces Pacific is scheduled to transition to a new public-key infrastructure early next year, but it found that the process has been more difficult than anticipated.

Downloading the personal certificates from a certificate authority on the mainland has proven to be a time-consuming and frustrating process, which has led the command to request a certificate authority be placed in the Pacific region.

Col. Mark Clapp of Marine Forces Pacific said all of the command's private Web servers have been issued PKI server certificates, and more than 600 end-user certificates have been generated from the certificate authority in Chambersburg, Pa.
http://www.fcw.com/fcw/articles/2002/1125/web-pki-11-25-02.asp

----------------------------------------------------

_____________________________________________________________________
The source material may be copyrighted and all rights are retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>