_________________________________________________________________ London, Monday, 07 October 2002 _________________________________________________________________
INFOCON News _________________________________________________________________ IWS - The Information Warfare Site http://www.iwar.org.uk _________________________________________________________________ --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- _________________________________________________________________ ---------------------------------------------------- [News Index] ---------------------------------------------------- [1] Q&A: Security expert says cyberterrorism is exaggerated [2] Facing facts [3] Life after dotcom death [4] Security patch award due soon [5] Busboy admits stealing personal data of rich and famous [6] Defense agency launches back into space research arena [7] FBI sting snares top Russian crackers [8] Security Tools Go Mobile [9] Run-Up to Sydney WTO Meet Sparks Internet Clash [10] Commerzbank may sue Merrill over email [11] Internet creaks after huge network crash [12] Ex-Coast Guard commander sees 'dangerously unprotected' ports [13] Hackware Author Arrested -- Maybe [14] Experts fear that computers are terrorism's next target [15] Opasoft worm threatens Windows systems [16] Army awards secure phones BPA [17] Assessing Internet Security Risk, Part Four: Custom Web Applications _________________________________________________________________ News _________________________________________________________________ (A must read as it is a really good interview and at least Schneier knows his stuff. Whilst some scaremonger companies mention the Australian sewage attack as an example of a critical infrastructure attack, reality looks quite different (pity Schneier did not expand on this). Vitek Boden, the culprit, worked for Hunter Watertech, a company which 'specialises in the design, manufacture and installation of SCADA, telemetry and communications systems for process control and monitoring applications'. Hunter Watertech installed Scada systems for the Maroochy Shire Council Council's sewage systems. After 'leaving' Watertech, Boden applied for a position with the council and he got rejected. He wanted to 'pay them back'. So he stole some radio equipment and drove around opening waste dumps (at least 46 times). Bottom line: the attack was launched by an insider, the Internet was not involved, and the impact of the attacks was not great as more waste gets spilled by error ... Nevertheless some FUD Infosec companies want to make you believe that it was a Cyberterrorist attack in order to sell their products & services. WEN) Bruce Schneier: ... I don't think we have seen cyberterrorism and I don't think we are going to see it for a couple of decades. It is still more complicated to use technology for (terrorist gain). The closest thing that we have had is in Australia where someone hacked into a system and dumped sewage out into a bay. If you look at what he did, it took him dozens of attempts, he barely made it work, and it didn't do that much damage. That is not terrorism. ... .... A network going down is not terrorism ... ... This whole electronic Pearl Harbor, where people might die, I think it is really overblown. ... ... We can invent hypothetical scenarios but they are not realistic. There is a lot of bad stuff going on, but I don't see terrorism on computers. I just don't. ... ... Microsoft certainly produces lousy software but everyone else does also. ... [1] Q&A: Security expert says cyberterrorism is exaggerated By By Chris Conrath, ComputerWorld Canada OCTOBER 02, 2002 Bruce Schneier, designer of the popular Blowfish encryption algorithm, CTO of Counterpane Internet Security Inc. and renowned security expert, spoke with Computerworld Canada during his recent visit to Toronto. What follows are some excerpts from those discussions: Q: Do companies care more about computer security since 9/11? A: We have not learned from the attacks, but do not be too surprised. It is true for all of society. Why should IT be different? Companies should not care any more now than they did before. They should have cared before and they should care now. But are they caring enough? No, of course not. http://www.computerworld.com/securitytopics/security/story/0,10801,74791 ,00.html More: Testimony and Statement for the Record of Bruce Schneier Chief Technical Officer, Counterpane Internet Security, Inc. Hearing on Internet Security before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation United States Senate, July 16, 2001, 253 Russell Senate Office Building http://www.iwar.org.uk/comsec/resources/schneier/commerce-testimony.htm ---------------------------------------------------- [2] Facing facts Biometrics, seen as a future cornerstone of security, proves more difficult than feds anticipated BY William Matthews Oct. 7, 2002 A facial-recognition system tested at a Palm Beach, Fla., airport last spring failed to match airport employees with their digital photos 53 percent of the time. Legislation to require the states to adopt standardized driver's licenses with biometric identifiers has stalled. As of now, there are no biometric "trusted traveler" cards to whisk registered travelers through airports. The Defense Department is issuing 4 million new smart identification cards - all without digital fingerprints, iris scans or other biometric identifiers. The State Department's new high-tech ID cards being distributed this month also lack biometrics. http://www.fcw.com/fcw/articles/2002/1007/cov-bio-10-07-02.asp Not ready for prime time? http://www.fcw.com/fcw/articles/2002/1007/fcw-edit-10-07-02.asp Hands-on lawmaking http://www.fcw.com/fcw/articles/2002/1007/cov-bio1-10-07-02.asp ---------------------------------------------------- [3] Life after dotcom death Oct 3rd 2002 | SAN FRANCISCO >From The Economist print edition If you think B2B marketplaces are dead, read on REMEMBER Chemdex, the Silicon Valley start-up that led the craze surrounding business-to-business (B2B) marketplaces? After gaining almost 70% in its first day of public trading and reaching a market capitalisation of $11 billion early in 2000, within a year it had shut down its exchanges and started a second life as a B2B software company. In August 2001, it bought NexPrise, a software start-up, whose identity it has now assumed. Most of the hundreds of B2B marketplaces that sprang up in the late 1990s failed to raise enough capital for a makeover and so simply closed. But contrary to conventional wisdom, not all of these exchanges are doomed. One of them, DoveBid, had even hoped to become the first initial public offering in America since July, though this week it pulled its plans indefinitely. Although the firm is losing money ($265,000 on revenues of $27.5m in the quarter ending in June), it may yet revive its planned sale and even prove, at least in the long term, a good investment. That is primarily because, unlike most dotcoms, it runs on a healthy mix of old and new economy. http://www.economist.com/business/displayStory.cfm?story_id=1367820 ---------------------------------------------------- [4] Security patch award due soon BY Diane Frank Oct. 3, 2002 Government agencies soon should be able to tap a free service that will ensure that they get the right security patches to plug holes in their software. The General Services Administration's Federal Computer Incident Response Center this week expects to award its patch dissemination service, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at GSA's Federal Technology Service. http://www.fcw.com/fcw/articles/2002/0930/web-patch-10-03-02.asp ---------------------------------------------------- [5] Busboy admits stealing personal data of rich and famous NEW YORK (Reuters) - A 32-year-old restaurant busboy pleaded guilty Thursday to pilfering personal and financial data belonging to America's rich and famous - including billionaire investor Warren Buffett - in what authorities believe is the largest identity theft in Internet history. Abraham Abdallah, a high-school dropout, entered his guilty plea in response to a 12-count indictment charging him with wire, mail and credit card fraud, identity theft and conspiracy. http://www.usatoday.com/tech/news/2002-10-03-net-heist_x.htm ---------------------------------------------------- [6] Defense agency launches back into space research arena By Molly M. Peterson, National Journal's Technology Daily The Pentagon's Defense Advanced Research Projects Agency (DARPA) is using its growing budget to shift its focus back to long-term, high-risk projects, many of which are based in space, DARPA Director Anthony Tether said Friday. Speaking to reporters at a breakfast sponsored by New Technology Week, Tether said the Bush administration has instructed him to transform DARPA, which played a central role in creating the Internet, "back to the way it was when it was a swashbuckling agency, constantly getting the director in trouble, and almost getting him fired." "I almost got fired yesterday," Tether said with a chuckle. He declined to elaborate. http://www.govexec.com/dailyfed/1002/100402td1.htm ---------------------------------------------------- [7] FBI sting snares top Russian crackers By John Leyden Posted: 07/10/2002 at 11:05 GMT A Russian cracker, tricked by the FBI into visiting the US on the pretext of a job interview, has been sentenced to three years in jail. Vasiliy Gorshkov, 27, was also ordered to pay $690,000 in compensation for his crimes by Federal District Court Judge John Coughenour, who took his family's medical and financial problems into account in sentencing the Russian to serve far less time than the 16 years demanded by prosecutors. Last October, Gorshkov was convicted of 20 counts of conspiracy, various computer crimes, and fraud against online banks and e-commerce operations. His co-accused, Alexey Ivanov, 20, pleaded guilty in August to similar charges along with five counts of extortion, Reuters reports. He is currently in custody, awaiting sentencing. http://www.theregister.co.uk/content/55/27463.html Russian hacker sentenced to 3 years in prison http://www.modbee.com/24hour/technology/story/562860p-4430289c.html Russian hacker gets 3-year sentence http://news.zdnet.co.uk/story/0,,t278-s2123414,00.html FBI tricks hacker into jail http://www.vnunet.com/News/1135691 ---------------------------------------------------- [8] Security Tools Go Mobile Software companies are developing new ways to keep handheld devices secure--without burdening the users. Paul Roberts, IDG News Service Friday, October 04, 2002 Recognizing the growing popularity of mobile computing devices such as handhelds, personal digital assistants, and smart phones, companies are rolling out a host of new products to secure data and communications on portable devices. >From disposable soft tokens to virtual private network software for PDAs to security management software for mobile devices, security companies are catching up to and cracking down on mobile users. In September alone, Trust Digital, RSA Security, and ION Networks announced security products targeted at users of cell phones, PDAs, and other mobile devices. "Companies have more mobile workers than ever, and they want to give [those workers] all the tools they need to do their job effectively," says Laura Koetzle, an analyst at Forrester Research in Cambridge, Massachusetts. http://www.pcworld.com/news/article/0,aid,105642,00.asp ---------------------------------------------------- [9] Run-Up to Sydney WTO Meet Sparks Internet Clash Last Updated: October 04, 2002 04:44 AM ET Print This Article By Michael Christie SYDNEY (Reuters) - Battle lines between police and protesters are already being drawn ahead of a world trade meeting in Sydney in November, after state officials applied for anti-WTO Web Sites to be banned for allegedly promoting violence. New South Wales police commissioner Michael Costa asked federal authorities to take the message boards offline because they carried suggestions for activists to bring baseball bats and marbles to protests during the November 14-15 mini-summit. http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1533 988 ---------------------------------------------------- [10] Commerzbank may sue Merrill over email Jill Treanor Monday October 7, 2002 The Guardian Germany's Commerzbank may take legal action against Merrill Lynch after the Wall Street firm questioned its financial health. The query made to the ADVERTISEMENT Standard & Poor's ratings agency by Merrill Lynch's credit department was blamed for a 6% fall in the bank's share price on Friday in markets already very concerned about the strength of financial firms. The falls in share prices and the general deterioration in the economic backdrop have led to fears - so far unfounded - that European financial firms are facing severe difficulties. http://www.guardian.co.uk/business/story/0,3604,805776,00.html ---------------------------------------------------- [11] Internet creaks after huge network crash 14:91 04 October 02 NewScientist.com news service Millions of people who use services powered by UUNet were left with poor or dead net connections on Thursday after the company suffered a huge network failure. UUNet is owned by the troubled communications corporation WorldCom. According to WorldCom, the problem has now been traced to a faulty route table, software that directs traffic around the internet. "WorldCom experienced an issue on its internet network, affecting approximately 20 per cent of our US internet customer base. A preliminary investigation indicates there was a route table issue," said spokeswoman Jennifer Baker. http://www.newscientist.com/news/news.jsp?id=ns99992883 ---------------------------------------------------- [12] Ex-Coast Guard commander sees 'dangerously unprotected' ports By Molly M. Peterson, National Journal's Technology Daily The United States is more vulnerable to terrorist threats now than before Sept. 11, 2001, a leading port security expert said Thursday at a National Academy of Sciences conference. "America, a year later, is dangerously unprotected and dangerously unprepared for a catastrophic terrorist attack," said Stephen Flynn, a retired Coast Guard commander and senior fellow at the Council on Foreign Relations. Flynn said the Sept. 11 attacks have highlighted the nation's vulnerabilities, giving terrorists ideas for asymmetric, "David and Goliath"-style attack plans that probably could be developed more quickly than government and private-sector officials can secure the nation's potential targets. http://www.govexec.com/dailyfed/1002/100402td2.htm ---------------------------------------------------- [13] Hackware Author Arrested -- Maybe By Brian McWilliams 2:00 a.m. Oct. 4, 2002 PDT When Scotland Yard jubilantly announced the arrest of a London-based malware author nicknamed Torner last month, most Internet users probably drew a blank. After all, Torner's Linux-based Tornkit hacking program was hardly in the same league as Melissa or Love Bug, the mainstream Windows worms created by David Smith and Onel de Guzman, respectively. http://www.wired.com/news/technology/0,1282,55515,00.html ---------------------------------------------------- [14] Experts fear that computers are terrorism's next target Pamela Griner Leavy Courier Contributor Riad Sleit called his Tampa and Sarasota, Fla., staffs together after Sept. 11, 2001, and urged the 58 digital imaging systems and technical consulting employees to get back to business. "If we sit here and feel sorry for ourselves, we play into the hands of the people who did this," Sleit, branch general manager for Savin Corp., a Ricoh Co. Ltd. firm, recalled telling the staff. "We have to go out there and drive business as usual. That's the least we owe this country." http://www.bizjournals.com/cincinnati/stories/2002/10/07/focus1.html ---------------------------------------------------- [15] Opasoft worm threatens Windows systems Monday 7 October 2002 A worm that targets machines running Microsoft's Windows 95, 98, and ME operating systems is spreading across networks by infecting computers that share access to hard drives. Leading antivirus software makers have warned that the "Opasoft", "W32/Opasoft" or "Opaserv" virus, which emerged last week, takes advantage of a common Windows application program interface (API) and loose security practices to spread over local and wide-area networks. The worm's file name, Scrsvr.exe, misleads users into clicking on it because they think it is a screensaver. http://www.cw360.com/bin/bladerunner?REQSESS=L453825I&2149REQEVENT=&CART I=116369&CARTT=1&CCAT=1&CCHAN=13&CFLAV=1 ---------------------------------------------------- [16] Army awards secure phones BPA BY Dan Caterinicchia Oct. 4, 2002 Defense Department officials will be able to exchange sensitive and classified information securely over a commercial network thanks to specially equipped wireless phones included in a blanket purchase agreement the Army awarded to T-Mobile USA Inc. http://www.fcw.com/fcw/articles/2002/0930/web-phones-10-04-02.asp ---------------------------------------------------- [17] Assessing Internet Security Risk, Part Four: Custom Web Applications by Charl van der Walt last updated October 3, 2002 This article is the fourth in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. This installment will discuss a relatively unexplored aspect of Internet security, custom Web applications. http://online.securityfocus.com/infocus/1631 Assessing Internet Security Risk, Part One Charl Van der Walt, SecurityFocus http://online.securityfocus.com/infocus/1591 Assessing Internet Security Risk, Part Two Charl Van der Walt, SecurityFocus http://online.securityfocus.com/infocus/1607 Assessing Internet Security Risk, Part Three Charl Van der Walt, SecurityFocus http://online.securityfocus.com/infocus/1612 ---------------------------------------------------- _____________________________________________________________________ The source material may be copyrighted and all rights are retained by the original author/publisher. Copyright 2002, IWS - The Information Warfare Site _____________________________________________________________________ Wanja Eric Naef Webmaster & Principal Researcher IWS - The Information Warfare Site <http://www.iwar.org.uk> --------------------------------------------------------------------- To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body --------------------------------------------------------------------- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk