_________________________________________________________________

                      London, Friday, December 20, 2002    
    _________________________________________________________________

                                INFOCON News
    _________________________________________________________________

                            IWS - The Information Warfare Site
                                    http://www.iwar.org.uk

    _________________________________________________________________


---------------------------------------------------------------------

To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body

---------------------------------------------------------------------

    _________________________________________________________________

    
          ----------------------------------------------------
                              [News Index]
          ----------------------------------------------------

[1] Terrorists on the Net? Who Cares?  
[2] Sklyarov reflects on DMCA case
[3] Student gets merit award for school computer hack
[4] Welsh Web designer pleads guilty to virus creation
[5] Report criticizes administration's e-gov efforts

[6] Q&A: Does the U.S. government have an open-source security plan?
[7] Air combat C2 made easier
[8] Malaysian Police Hunt Internet Scaremonger
[9] Computer crime center opens
[10] Feds Delay Launch of Cyber-Security Plan

[11] E-card virus warning for Christmas
[12] Sounding the alarm on video game ratings
[13] Security flaw threatens Cisco website
[14] Microsoft Baseline Security Analyzer V1.1
[15] Computer glitch causes £7m insurance error

[16] German ISPs must block US Nazi sites
[17] Air Force personnel misused government cards
[18] Audio files figure in latest Microsoft vulnerability
[19] Allbaugh leaving FEMA in March

    _________________________________________________________________

                        CURRENT THREAT LEVELS 
    _________________________________________________________________


Electricity Sector Physical: Elevated (Yellow) 

Electricity Sector Cyber: Elevated (Yellow) 

Homeland Security: Elevated (Yellow) 
DOE Security Condition: 3, modified  

NRC Security Level: III (Yellow) (3 of 5) 

    _________________________________________________________________

                                News
    _________________________________________________________________


(See next email for comments. WEN)

[1] Terrorists on the Net? Who Cares?  

By Noah Shachtman

02:00 AM Dec. 20, 2002 PT

To all those Chicken Littles clucking frantically about the imminent
threat of a terrorist attack on U.S. computer networks, a new report
says: Knock it off. 

Online attacks are merely "weapons of mass annoyance," no more harmful
than the routine power failures, airplane delays and dropped phone calls
that take place every day. 

"The idea that hackers are going to bring the nation to its knees is too
far-fetched a scenario to be taken seriously," said Jim Lewis, a 16-year
veteran of the State and Commerce Departments. He compiled the analysis
for the Center for Strategic and International Studies.

http://www.wired.com/news/infostructure/0,1377,56935,00.html

         ----------------------------------------------------

[2] Sklyarov reflects on DMCA case
14:24 Friday 20th December 2002
Lisa M. Bowman, CNET News.com   

The Russian software programmer talks about life after his arrest and
how controversial copyright laws are affecting programmers 

Russian programmer Dmitry Sklyarov thinks it was unfair of prosecutors
to play his videotaped deposition at the ElcomSoft trial rather than
calling him to the stand. 

But after a legal saga that's included a surprise arrest outside his Las
Vegas hotel room, three weeks in jail, and visa tangles that almost
prevented him from coming back to the US for trial, Sklyarov has decided
not to worry about situations over which he has no control. 

"During my life I'm trying not to spend too much time trying to find
what means for me things I cannot change," Sklyarov, 27, said in his
first interview since testifying in the criminal copyright case of
ElcomSoft, his employer. 

http://news.zdnet.co.uk/story/0,,t269-s2127886,00.html 

         ----------------------------------------------------

[3] Student gets merit award for school computer hack
By John Leyden
Posted: 20/12/2002 at 13:06 GMT

High school student Reid Ellison did exactly the opposite of what most
students would do when he hacked into his school computer records - he
marked his grades down. 

The bright 15-year old changed his grades at Anzar High School in San
Juan Bautista, California from an A to a D+. 

However, Reid didn't get into trouble for his actions. Far from it. 

The intrusion was sanctioned by his school as part of his coursework and
his success in breaking into the school's systems earned him a perfect
score in the unconventional project. Reid's task of hacking into the
network was greatly simplified by the weak password the school used -
Silvia, the name of the school's secretary.

http://www.theregister.co.uk/content/55/28658.html 

         ----------------------------------------------------

[4] Welsh Web designer pleads guilty to virus creation
By John Leyden
Posted: 20/12/2002 at 13:36 GMT

A 21-year-old Welsh Web designer has pleaded guilty to creating and
distributing three mass mailer viruses, in a hearing at Bow Street
Magistrates Court this morning. 

Simon Vallor, of Llandudno, North Wales, admitted offences under section
three of the Computer Misuse Act 1990 in creating the Gokar, Redesi and
Admirer mass mailing viruses.

http://www.theregister.co.uk/content/55/28659.html 

         ----------------------------------------------------

[5] Report criticizes administration's e-gov efforts
By Maureen Sirhal, National Journal's Technology Daily 

A governmental oversight agency on Thursday criticized the Bush
administration for its initiatives designed to migrate government
services online, saying that the Office of Management and Budget chose
to implement various projects without establishing a clear strategy or
business plan. 

The General Accounting Office said the 24 e-government projects lack key
accountability measures to ensure that the programs are implemented
efficiently. Senate Governmental Affairs Committee Chairman Joseph
Lieberman, D-Conn., released the study (GAO-03-229). 

OMB embarked upon the 24 initiatives in August 2001 without developing
comprehensive cost-benefit assessments for each project, the report
said. GAO added that OMB lacked necessary information to adequately
measure and monitor implementation of the projects. 

http://www.govexec.com/dailyfed/1202/121902td1.htm

         ----------------------------------------------------

[6] Q&A: Does the U.S. government have an open-source security plan?
An interview with the White House Office of Cyberspace Security's Marc
Sachs
Dec 11, 2002

Summary

Robert McMillan talks to Marc Sachs of the White House Cyberspace
Security Office about the current and future role of open-source
technologies in U.S. government departments. (2,200 words) 

By Robert McMillan
 
(LinuxWorld) — Is there room for open source in the U.S. government's
forthcoming cybersecurity plan? A recent draft of the plan, which will
eventually outline the government's computer-security strategy,
mentioned open-source software only once. But in the last few months,
Congressman Adam Smith (D-Wash.) has been lobbying to have the plan
explicitly reject the use of the GPL, and he has circulated a letter
around Washington calling for the authors of the plan to do just that on
the grounds that the GPL license is bad for computer security.

http://www.linuxworld.com/site-stories/2002/1211.sachs.html 

         ----------------------------------------------------

[7] Air combat C2 made easier
BY Dan Caterinicchia 
Dec. 20, 2002 

The migration from a Unix server environment to one that is more PC- and
Web-based is one of the main enhancements in the latest version of the
military's main command and control (C2) system for air warfare.

The Defense Department's Joint Configuration Management Board (JCMB)
last month designated the Theater Battle Management Core Systems as the
"system of record," said Darcy Norton, TBMCS program manager at the Air
Force's Electronic Systems Center, Hanscom Air Force Base, Mass. That
means TBMCS is now authorized as the official system to be used by all
of the DOD's combatant commanders conducting air operations.

In its latest point in the spiral development process, TBMCS Spiral
1.1.1 is easier for military personnel to use, thanks to a greater
Web-enabling of the system, Norton said. Lockheed Martin Corp. is
developing TBMCS under a six-year, $375 million contract.

http://www.fcw.com/fcw/articles/2002/1216/web-airops-12-20-02.asp 

         ----------------------------------------------------

[8] Malaysian Police Hunt Internet Scaremonger 
Thu December 19, 2002 03:38 AM ET 

KUALA LUMPUR (Reuters) - Malaysian police hunted for the author of an
email on Thursday that claimed tourist spots, shopping malls and
nightclubs were on a list of targets for terror bombings.

Six women and one man were arrested and freed on bail in connection with
the email, which claimed that Kuala Lumpur's famed Petronas Twin Towers,
the world's tallest buildings, were on the target list.

"We are determined to get to the origins of this email," Kuala Lumpur's
Deputy Chief of Police Ahmad Bahrin Idrus told reporters.

The email said the Philippine government was tipped off to the threats
against Malaysian tourist destinations.

Written by someone identified only as Jeremy, the message said Malaysia
was covering up the security scare.


http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1933086 

         ----------------------------------------------------

[9] Computer crime center opens

FBI director Mueller on hand to open 'model' facility to fight
cybercrime
By CLIF LeBLANC
Staff Writer

The state's new computer-crime center signals greater cooperation
between federal and state police, which is key to the future of the FBI,
its director said Tuesday.

Robert Mueller helped officially open the S.C. Computer Crime Center at
a St. Andrews area office building.

The $5.6 million center, where more than a dozen state and federal
agents will use the latest technology, is the nation's first statewide
cybercrime lab. It also will be used to fight terrorism.

"I see this as a model here in South Carolina -- not only in the cyber
arena but as a model for law enforcement across the country," Mueller
said.

"The future of the FBI will be successful only to the extent that we are
successful in establishing close and abiding relationships with our law
enforcement counterparts," Mueller said. "If we cannot work together, we
will fail."

http://www.thestate.com/mld/thestate/news/local/4763628.htm

         ----------------------------------------------------

[10] Feds Delay Launch of Cyber-Security Plan
By Dennis Fisher

The White House's cyber-security arm will not release the next draft of
its National Strategy to Secure Cyberspace by the end of the year, as it
had originally planned. 

The President's Critical Infrastructure Protection Board, which produced
the strategy, is still going over the comments submitted this fall on
the original draft. No specific date has been set for the release of the
next version of the document. 

"We're hoping to get it out there soon," said Tiffany Olson, deputy
chief of staff at the PCIPB in Washington. "There's no timetable, but
it'll be early next year." 

The board released the first draft of the strategy in September, and the
public comment period lasted until mid-November. A number of security
vendors and other software and hardware vendors submitted comments.
Olson said the board now is working to find a way to release all of the
comments it received without identifying their authors. 

http://www.eweek.com/article2/0,3959,795411,00.asp 

         ----------------------------------------------------

[11] E-card virus warning for Christmas
By Lyndsey Steven
CNN
Thursday, December 19, 2002 Posted: 10:51 AM EST (1551 GMT)
  
LONDON (CNN) -- Sophisticated computer viruses are hiding behind some
Christmas e-cards, wrecking the season of goodwill, analysts warn. 

Thousands of European companies fall prey to viruses every month, and
this figure is rising as more employees send Christmas cards through
cyberspace. 

A new virus called Yaha was identified by London-based watchdog Message
Labs on December 13. Meanwhile new versions of the existing Trojan,
Bride B and Happy 99 viruses are also spreading in the Christmas boom

http://www.cnn.com/2002/TECH/12/17/ecard.virus/index.html 

         ----------------------------------------------------

[12] Sounding the alarm on video game ratings
By Brad Wright
CNN
Friday, December 20, 2002 Posted: 9:25 AM EST (1425 GMT)
 
WASHINGTON (CNN) -- Members of Congress and watchdog groups are again
sounding the alarm over the sexual and violent nature of some video
games that are falling into the hands of children even though they are
intended for adults. 

Although critics agree that the majority of video games have little or
no objectionable violent or sexual content, those that do, they say,
have gone far beyond the pale. 

http://www.cnn.com/2002/TECH/fun.games/12/19/games.ratings/index.html 

         ----------------------------------------------------

[13] Security flaw threatens Cisco website 
 
Oops... 

By Patrick Gray

A cross-site scripting (XSS) vulnerability has been discovered in the
cisco.com website.

Securiteam.com, an online security portal, issued an advisory which
said: "The vulnerability would allow attackers to cause users to view
third-party malicious JavaScript or HTML code as if it were the
legitimate content offered by Cisco."

XSS vulnerabilities are at their most serious when user log-ins are
involved. They may in some circumstances make it possible for an
attacker to "steal" a user's session information, potentially allowing
them to login as the victim user.

http://www.silicon.com/bin/bladerunner?30REQEVENT=&REQAUTH=21046&14001REQSUB=REQINT1=56881 

         ----------------------------------------------------

[14] Microsoft Baseline Security Analyzer V1.1 

by Mike Fahland and Eric Schultze 
last updated December 19, 2002 

Earlier this month, Microsoft released version 1.1 of the Microsoft
Baseline Security Analyzer (MBSA). MBSA is the first product deliverable
from the recently formed Microsoft Security Business Unit (SBU), a key
division within Microsoft's Trustworthy Computing Initiative. 

MBSA 1.0, originally released as a response to the Code Red and Nimda
worms, is a multi-threaded security scanner that analyzes an individual
computer or a group of computers for missing security patches and other
common security misconfigurations. Craig Fiebig, General Manager of SBU
Product Marketing, said that "MBSA v1.1 simplifies desktop and server
security vulnerability assessment, delivering another step on the path
to Trustworthy Computing." 

The 1.1 release of MBSA provides bug fixes and enhancements to the
original scanner as well as replacing Microsoft's command line hotfix
scanner, HFNetChk, by exposing full HFNetChk functionality via the MBSA
command line interface. Below we will discuss some of the new features
of the 1.1 release, highlighting some of the technical aspects that are
not covered elsewhere. Microsoft documentation, including links to the
product download, FAQ, and technical whitepaper, are available at the
Microsoft MBSA Web site. It should be noted that MBSA was developed for
Microsoft by Shavlik Technologies LLC by whom the authors of this paper
are employed. 

http://online.securityfocus.com/infocus/1649

         ----------------------------------------------------

[15] Computer glitch causes £7m insurance error
By Andy McCue [17-12-2002]
100,000 Norwich Union policy holders affected
  
An error caused partly by the computer systems of insurance company
Norwich Union has left 100,000 of its customers owed £7m on their
investments.

During an upgrade of its unit-linked pricing systems in September this
year, Norwich Union found that approximately three per cent of its three
million policy holders were entitled to additional units to their funds.

http://www.vnunet.com/News/1137637

         ----------------------------------------------------

[16] German ISPs must block US Nazi sites
By Nick Farrell [20-12-2002]
North Rhine-Westphalia wins court ruling over offensive material
    
A German state has ordered internet service providers (ISPs) to block
two US neo-Nazi websites. 

According to Associated Press, the order follows months of legal
wrangling between the North Rhine-Westphalia government and 18 ISPs in the
state, which claimed that they could not be held responsible for the
sites' content.

http://www.vnunet.com/News/1137718 

         ----------------------------------------------------

[17] Air Force personnel misused government cards
LARRY MARGASAK
Associated Press

WASHINGTON - The Army and Navy have been pilloried for abuse of
government credit cards. Now it's the Air Force's turn.

Air Force plastic was used for cruises, gambling, adult clubs, Dallas
Cowboys football games, a down payment on a sapphire ring and a
general's Las Vegas casino party.

And for a mounted deer head at the Air Force Academy. Officials there
said the $375 charge for taxidermy services allowed the roadkill victim
to be used in educational programs.

The General Accounting Office, Congress' investigative agency, said in
findings obtained Thursday that Air Force personnel who abused their
credit cards often were not disciplined - although officials are now
cracking down.

http://www.macon.com/mld/macon/news/politics/4777832.htm

         ----------------------------------------------------

[18] Audio files figure in latest Microsoft vulnerability

By Laura Rohde, IDG News Service
DECEMBER 19, 2002

  
Two security alerts were issued yesterday concerning vulnerabilities in
Nullsoft Inc.'s Winamp music player and Microsoft Corp.'s Windows XP
operating system that can be exploited using corrupt audio files. 

The flaws allow MP3 or Windows Media Audio (WMA) files containing
malicious code to be introduced into a user's PC, allowing an attacker
to run damaging code on that machine, according to security company
Foundstone Inc. in Mission Viejo, Calif. The corrupt files would sound
identical to unmodified music files, the company said. 
 
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,76935,00.html

         ----------------------------------------------------

[19] Allbaugh leaving FEMA in March
BY Megan Lisagor 
Dec. 17, 2002 

Joe Allbaugh, director of the Federal Emergency Management Agency, has
announced he will leave FEMA March 1 -- after helping the agency make
its transition to the new Homeland Security Department.

A FEMA news release Dec. 14 said that Allbaugh plans to pursue
opportunities in the private sector. The Associated Press further noted
that Allbaugh likely would become a key adviser in President Bush's
re-election effort. He served as Bush's national campaign manager in
2000, and was chief of staff for then-Gov. Bush in Texas from 1995 to
2000.

http://www.fcw.com/fcw/articles/2002/1216/web-fema-12-17-02.asp 

         ----------------------------------------------------

_____________________________________________________________________

The source material may be copyrighted and all rights are
retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

------------------------------------------------------------------------
‘Information is the currency of victory on the battlefield.’
GEN Gordon Sullivan, CSA (1993)
------------------------------------------------------------------------

Wanja Eric Naef
Principal Researcher
IWS - The Information Warfare Site
http://www.iwar.org.uk

------------------------------------------------------------------------
Join the IWS Infocon Mailing List @
http://www.iwar.org.uk/general/mailinglist.htm
------------------------------------------------------------------------
