_________________________________________________________________

London, Wednesday, December 04, 2002
_________________________________________________________________

INFOCON News
_________________________________________________________________

IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________

---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________

----------------------------------------------------
[News Index]
----------------------------------------------------

[1] Homeland defense commander stresses 'need to share' information
[2] Homeland agency charged with outreach
[3] PGP goes back to its roots
[4] Virus payloads bigger, nastier
[5] Barbarians at the Gate: An Introduction to Distributed Denial of Service Attacks
[6] NetNames cock-up blamed for eBay detagging
[7] Iowa governor dismisses CIO
[8] OMB finds security leverage
[9] GSA's center of activity
[10] Cautionary tales
[11] Does Research Support Dumping Linux?
[12] E-government bill wins praise from tech officials
[13] Infiltrating agency ops
[14] New opportunities for NIST
[15] Traveler smart card poses security concerns
[16] Wennergren named Navy CIO
[17] ISS Goes Public With Vulnerability Disclosure Guidelines
[18] Firewalls face next challenge
[19] Vendors complete tougher ICSA 4.0 firewall tests

_________________________________________________________________

CURRENT THREAT LEVELS
_________________________________________________________________

Electricity Sector Physical: Elevated (Yellow)
Electricity Sector Cyber: Elevated (Yellow)
Homeland Security Elevated (Yellow)
DOE Security Condition: 3, modified
NRC Security Level: III (Yellow) (3 of 5)

_________________________________________________________________

News
_________________________________________________________________

[1] Homeland defense commander stresses 'need to share' information
By Molly M. Peterson, National Journal's Technology Daily

Officials at the newly established U.S. Northern Command may have to consider abandoning the military's traditional system for classifying information as they build crucial lines of communication with federal, state and local homeland security agencies, the Northern Command's chief information officer said recently.

Speaking to reporters at a homeland security summit late last month, Maj. Gen. Dale Meyerrose said inter-agency information sharing is a "blossoming requirement" for the Northern Command, which is headquartered at Peterson Air Force Base in Colorado Springs, Colo. The command is charged with consolidating the military's homeland defense and civil-support missions.

The Defense Department's current classification system allows military offices to share information on a need-to-know basis, and requires security clearances and background checks for access to information with such labels as "top secret" and "classified."
But Meyerrose said that system could hinder the Northern Command's ability to share real-time information with civilian agencies that classify their information differently.

http://www.govexec.com/dailyfed/1202/120302td1.htm

----------------------------------------------------

[2] Homeland agency charged with outreach
Security strategy at risk if coordination fails
BY Diane Frank, Megan Lisagor and Dibya Sarkar
Dec. 2, 2002

When President Bush signed the Homeland Security Department into law last week, he triggered activity on two fronts.

Internally is the much-publicized effort to bring 170,000 employees from nearly two dozen agencies into a single department, if only virtually. Externally is the often overlooked effort to coordinate the department's work with a multitude of organizations across state and local government and the private sector.

This second front, many observers say, is equally vital - and equally at risk for failure.

http://www.fcw.com/fcw/articles/2002/1202/news-home-12-02-02.asp

----------------------------------------------------

[3] PGP goes back to its roots
By ComputerWire
Posted: 04/12/2002 at 10:03 GMT

PGP Corp this week delivered its first set of product upgrades since the company was spun out of Network Associates Inc this August, and delivered on its promise to publish the source code to the pioneering cryptography software, writes Kevin Murphy.

PGP sees 8.0 releases in its Desktop, Personal, Freeware and Enterprise edition, and offers support for Windows XP and Mac OS X for the first time. The enterprise tools have been beefed up to feature better directory integration and configuration management.
http://www.theregister.co.uk/content/55/28413.html

----------------------------------------------------

[4] Virus payloads bigger, nastier
'Experienced programmers switching to virus writing'
Darren Greenwood, Auckland

Virus specialist Daniel Zatz is hoping love blossoms for an 18-year-old Dutch woman and that the economies of Eastern Europe pick up.

Zatz, a Sydney-based security consultant for Computer Associates, warns that more serious viruses are on the cards for 2003 following a lull this year.

About 250 viruses a month have appeared in 2002, compared with 400 last year, he says, but the latest ones have been more damaging, with the Klez virus, now in its eighth variant, proving the most prevalent of all.

http://www.idgnet.co.nz/webhome.nsf/UNID/57F452030DFA2A88CC256C830004435A!opendocument

----------------------------------------------------

[5] Barbarians at the Gate: An Introduction to Distributed Denial of Service Attacks
by Matt Tanase
last updated December 3, 2002

Introduction

Recently, major news outlets reported that a coordinated attack designed to disable several of the Internet's root name servers had taken place. The attack, described as sophisticated and complex, is known as a distributed denial of service (DDoS). Although no serious outages occurred, it was a hot topic in the security world - again. Again? Similar attacks first made headlines in February 2000. Although discussed in security circles for some time before that, this was the first prolonged example of a DDoS, and prevented legitimate traffic from reaching major sites for several hours. Yahoo, eBay, Buy.com, and CNN were but a few major sites who were inaccessible to their customers for extended periods of time. Now, almost three years later, can it be that we're still vulnerable? Unfortunately the answer is yes.

This article will explain the concept of DDoS attacks, how they work, how to react if you become a target, and how the security community can work together to prevent them.
http://online.securityfocus.com/infocus/1647

----------------------------------------------------

[6] NetNames cock-up blamed for eBay detagging
By Drew Cullen
Posted: 04/12/2002 at 10:46 GMT

Yesterday, we reported the detagging of eBay.co.uk. As we suspected, an administrative error was to blame. Here is the statement released today by NetNames, eBay's UK registrant.

We can confirm that the www.ebay.co.uk domain name was partly or totally inaccessible for a period of about 2 1/2 hours on Tuesday, December 2 as a result of the failure to renew the domain name. This resulted from an administrative error on the part of NetNames for which we take full responsibility. eBay was in no way responsible for the site access problems.

Once NetNames was alerted to the problem, we immediately took steps to rapidly restore access to the www.ebay.co.uk address. The eBay UK domain name and site are now fully operational.

http://www.theregister.co.uk/content/6/28419.html

----------------------------------------------------

[7] Iowa governor dismisses CIO
BY Dibya Sarkar
Dec. 4, 2002

Iowa Gov. Tom Vilsack has fired Richard Varn, the state's chief information officer for the past four years and the leader of its Information Technology Department, along with five other agency heads.

Varn said the recently reelected governor told him that technology would not be a focus during his second term. Instead, he said Vilsack would focus on economic development, education and health care.

http://www.fcw.com/geb/articles/2002/1202/web-varn-12-04-02.asp

----------------------------------------------------

[8] OMB finds security leverage
The Bush administration uses security law and funding threats to push agencies to offer security solutions
BY Diane Frank
Dec. 2, 2002

Two years ago, if someone brought up information security in a meeting of agency managers, the most likely response would have been, "The technology folks are taking care of it."

But that attitude is changing.
Now, federal security experts say, even some Cabinet-level secretaries could provide details about their agencies' security policies. Not every top government executive is so well informed, but information security clearly is a topic agency managers outside the information technology office are discussing in detail.

As a result, they are no longer just discussing specific security strategies - they are also planning for them and putting them into practice, said an administration official who asked not to be named.

http://www.fcw.com/fcw/articles/2002/1202/cov-sec-12-02-02.asp

----------------------------------------------------

[9] GSA's center of activity
BY Diane Frank
Dec. 2, 2002

A long-term goal of the General Services Administration's Federal Computer Incident Response Center has been to create a governmentwide security data analysis center.

All agency-specific incident information would be examined to detect trends and possible incidents that were not obvious attacks when looking only at information from one or two agencies, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at GSA.

FedCIRC, which serves as the central point for incident warnings, analysis and response for civilian agencies, is still working on methods for effectively collecting information from individual agencies. This includes using Extensible Markup Language-based forms to allow for easy reporting of incidents, said Mark Forman, associate director for information technology and e-government at the Office of Management and Budget.

http://www.fcw.com/fcw/articles/2002/1202/cov-sec2-12-02-02.asp

----------------------------------------------------

[10] Cautionary tales
BY Heather Hayes
Dec. 2, 2002

Although there are plenty of benefits to partnerships with the private sector, the decision to do so needs to be made with great care.
Connecticut and San Diego County, Calif., for example, experienced problems after deciding to enter into large information technology outsourcing arrangements, in large part, observers say, because they didn't define their requirements and expectations properly.

Connecticut canceled its contract (reportedly worth $1.5 billion during 10 years) before it even got off the ground because of concerns over whether promised cost-savings and efficiencies could be realized.

And San Diego County, which still holds a seven-year, $644 million deal with Computer Sciences Corp. for IT and telecommunications services, applications, networks, and desktop and data center operations, settled a contract dispute this past summer after charging that the company hadn't met agreed-upon milestones and service levels.

http://www.fcw.com/supplements/homeland/2002/sup4/hom-assist1-12-02-02.asp

----------------------------------------------------

[11] Does Research Support Dumping Linux?
Microsoft's security policies are getting better every day, even as a new report slams open-source competitors as security nightmares. But the easy answers aren't always the right ones.
By Tim Mullen
Dec 02, 2002

Linux security is hopeless.

I don't really believe that -- I just wanted to get your attention. But now that I have it, it is a good time to introduce you to some researchers whose sentiments are just that. In fact, The Aberdeen Group is calling open-source and Linux software the new "poster child" for operating system security for the year of 2002.

In a research abstract published by Jim Hurley and Eric Hemmendinger, (note that the site requires free registration) the two Aberdeen analysts cite CERT statistics where 16 of the 29 advisories for 2002 were for Linux/open-source issues -- over half of the total advisories. They also make some interesting comparisons between 2001 and 2002, noting a rise of issues with embedded systems, firewalls, and Trojan activity.
http://online.securityfocus.com/columnists/127

----------------------------------------------------

[12] E-government bill wins praise from tech officials
By Maureen Sirhal, National Journal's Technology Daily

Privacy advocates and technology industry groups are hailing the passage of legislation aimed at boosting online government services. They see the measure, which President Bush is expected to sign before year's end, as a way to cement the government's commitment to modernization and as a boon to consumer privacy.

The bill, H.R. 2458, would establish an Office of Electronic Government within the White House Office of Management and Budget that would be modeled closely upon the Bush administration's current blueprint for e-government.

But the measure also would mandate greater privacy protections by ensuring that all federal Web sites post standard privacy policies and establish safeguards for personally identifiable data held by the government. And federal Web sites could incorporate the technology known as the Platform for Privacy Preferences, which allows consumers to choose the level of privacy they want when surfing the Internet.

http://www.govexec.com/dailyfed/1202/120202td2.htm

----------------------------------------------------

[13] Infiltrating agency ops
BY Diane Frank
Dec. 2, 2002

Including security as a basic feature of every system and program isn't as easy as it sounds.

"Our philosophy has been - and our key objective for the cybersecurity program - is to improve executive management of the program by integrating [information technology] security controls into all the major business processes of the department," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

http://www.fcw.com/fcw/articles/2002/1202/cov-sec1-12-02-02.asp

----------------------------------------------------

[14] New opportunities for NIST
BY Diane Frank
Dec. 2, 2002

Both the Homeland Security Act of 2002 and the E-Government Act of 2002 include provisions that attempt to raise the profile of cybersecurity initiatives. Central to each bill is a potentially larger role for the National Institute for Standards and Technology.

NIST has developed security guidance for years, but agencies are not required to follow it because the secretary of the Commerce Department has rarely used the authority granted in the Computer Security Act of 1987 to make NIST's standards and guidance mandatory.

Underscoring the importance of security, the e-government bill reaffirms that authority and "a lot of us hope that the secretary will use that authority more extensively than in the past," said Franklin Reeder, chairman of the federal Computer Systems Security and Privacy Advisory Board.

http://www.fcw.com/fcw/articles/2002/1202/news-home1-12-02-02.asp

----------------------------------------------------

[15] Traveler smart card poses security concerns
BY Megan Lisagor
Dec. 2, 2002

While garnering support from stakeholders, the Transportation Security Administration's proposed registered traveler program could create new aviation vulnerabilities, the General Accounting Office found.

The program would allow certain credentialed and pre-screened passengers to speed through security checkpoints in airports using smart cards. The goal would be to reduce long waits and better target resources to those travelers who might pose greater risks.

"GAO concluded that a registered traveler program is one possible approach for managing some of the security vulnerabilities in our nation's aviation systems," office officials wrote in highlights of the November 2002 report. "However, decisions concerning key issues are needed before developing and implementing such a program."

http://www.fcw.com/fcw/articles/2002/1202/web-tsa1-12-02-02.asp

----------------------------------------------------

[16] Wennergren named Navy CIO
BY Matthew French
Dec. 3, 2002

Moving quickly after the Department of Navy's chief information officer said he will be retiring, Navy Secretary Gordon England announced Dec. 2 that David Wennergren will become the department's new information technology leader.

The move gives the department some stability. Wennergren has been serving as the Department of Navy's deputy CIO for enterprise integration and security for the past several years.

Dan Porter, who had been DON CIO since September 1998, officially retired Dec. 1 to become senior vice president for strategic development at Vredenburg Inc., a small professional services company in Reston, Va.

http://www.fcw.com/fcw/articles/2002/1202/web-doncio-12-03-02.asp

----------------------------------------------------

[17] ISS Goes Public With Vulnerability Disclosure Guidelines
By Dennis Fisher

Internet Security Systems Inc. on Monday released to the public the vulnerability disclosure guidelines that its internal X-Force research team uses in identifying flaws and notifying vendors and the public.

The guidelines are fairly standard and include a provision that is becoming more and more common among security vendors that also do vulnerability research. The clause informs vendors that ISS customers who subscribe to the company's X-Force Threat Analysis Service will be told about any new vulnerabilities one business day after ISS notifies the affected vendor. Customers will also get information on any countermeasures that may be available.

http://www.eweek.com/article2/0,3959,741332,00.asp

----------------------------------------------------

[18] Firewalls face next challenge
November 27, 2002
Deep Packet Inspection: Next Phase of Firewall Evolution
By Richard Stiennon

Enterprises must ensure that their firewalls perform deep packet inspection at wire speeds, and apply security policies based on application content as well as source, destination, and port, to effectively block cyberattacks.
What you need to know

Deep packet inspection firewalls that have rich feature sets and high throughput will lead the way to better network security and return on investment. Enterprises that are deploying Web services should ensure that their firewalls can handle the security requirements that these services demand.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2898730,00.html

----------------------------------------------------

[19] Vendors complete tougher ICSA 4.0 firewall tests
By ComputerWire
Posted: 04/12/2002 at 10:24 GMT

ICSA Labs, which provides one of the most important certifications firewall vendors strive for, said yesterday it has completed the first wave of tests of product against version 4.0 of its certification criteria, writes Kevin Murphy.

For the first time, ICSA has also split its certification into three categories and is awarding three different certification logos - for residential, small and medium business, and corporate firewall products.

"Firewall vendors didn't want a firewall that costs $100,000 to buy to have the same certification as one costing $200," said ICSA Labs program manager Brian Monkman. "The one-size-fits-all criteria doesn't work any more."

http://www.theregister.co.uk/content/55/28417.html

----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk