_________________________________________________________________

London, Wednesday, November 20, 2002
_________________________________________________________________

INFOCON News
_________________________________________________________________

IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________

---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe infocon" in the body

To unsubscribe - send an email to "[EMAIL PROTECTED]" with "unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________

----------------------------------------------------
[News Index]
----------------------------------------------------

[1] U.S. fails cybersecurity review--again
[2] Experts: Don't dismiss cyberattack warning
[3] Cyber center planned
[4] Senate approves Homeland bill
[5] Business Week Online Special - Enhancing Computer Security
[6] Caught in a BIND
[7] Navy restructuring CIO's office
[8] A case in point
[9] Internet Provisions in Security Bill
[10] Don't trust that spam: Ignore 'Nigerian scam'
[11] At a stroke, MS cuts critical vuln reports
[12] Bill's secrecy provisions stick
[13] Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
[14] Local officials give homeland bill mixed reviews
[15] CIA searching out technologies to boost national security
[16] Internet, E-Commerce Boom Despite Economic Woes
[17] Liberty Alliance Updates Specs
[18] Hill OKs security research
[19] Northcom orders C4ISR, info ops work

_________________________________________________________________

News
_________________________________________________________________

[1] U.S. fails cybersecurity review--again
By Reuters
November 19, 2002, 3:04 PM PT

The U.S. government flunked a computer-security review for the third consecutive year on Tuesday, showing no improvement despite increased attention from high-level officials.
Government agencies that oversee military forces, prosecute criminals, coordinate emergency response efforts and set financial policy all received failing grades from congressional investigators. The Department of Transportation, whose computer systems guide commercial aircraft and allocate millions of dollars in highway funding, received the lowest score, 28 out of a possible 100.

Stung by a series of electronic break-ins and Internet-based attacks, Congress has voted to triple spending on cybersecurity research efforts while the Bush administration is pulling together a much-publicized set of guidelines for businesses and individuals.

http://news.com.com/2100-1001-966444.html?tag=lh

See also: http://www.mail-archive.com/infocon@infowarrior.org/msg00321.html

----------------------------------------------------

(There is quite a difference between developing an 'expertise in computer science' and launching a strategic CNO campaign. Just ask some IO people from Kelly AFB or Fort Meade and they will agree. AQ claims lots of things and it certainly makes sense that they research this area, but there is a major difference between 'looking into something' and actually having the capability of doing something like that. It takes quite a bit more than a mouse click to bring down an economy. So, I would still say that at the moment any kinetic force is far more powerful than any ping of death. WEN)

[2] Experts: Don't dismiss cyberattack warning
By DAN VERTON
NOVEMBER 18, 2002

Security experts and two former CIA officials said today that warnings of cyberattacks by al-Qaeda against western economic targets should not be taken lightly.

Vince Cannistraro, the former chief of counterterrorism at the CIA, said that a number of Islamists, some of them close to al-Qaeda, have developed expertise in computer science. "And some are well schooled in how to carry out cyberattacks," he said. "We know from material retrieved from [al-Qaeda] camps in Afghanistan that this is true.
But their expertise seems mostly dedicated to communicating securely among al-Qaeda cells. Cyberattacks would probably render them less secure by focusing attention on their location."

In an exclusive interview with Computerworld on Monday, Sheikh Omar Bakri Muhammad, a London-based fundamentalist Islamic cleric with known ties to Osama bin Laden, said al-Qaeda and various other fundamentalist Muslim groups around the world are actively planning to use the Internet as a weapon in their "defensive" jihad, or holy war, against the West.

http://computerworld.com/securitytopics/security/story/0,10801,76000,00.html

Update: Omar Bakri Muhammad, bin Laden's man in London
http://computerworld.com/securitytopics/security/cybercrime/story/0,10801,76007,00.html

----------------------------------------------------

[3] Cyber center planned
BY Diane Frank
Nov. 18, 2002

The Bush administration last week proposed creating a national cyberspace response center to help federal, state and local governments, as well as the private sector, detect cyberattacks.

The proposal is included in five priorities that the President's Critical Infrastructure Protection Board is considering as part of its draft National Strategy to Secure Cyberspace, said Richard Clarke, board chairman.

http://www.fcw.com/fcw/articles/2002/1118/news-cyber-11-18-02.asp

----------------------------------------------------

[4] Senate approves Homeland bill
Wednesday, November 20, 2002 Posted: 12:48 AM EST (0548 GMT)

WASHINGTON (CNN) -- Capping months of debate, the Senate on Tuesday approved 90-9 a bill that would create a Department of Homeland Security -- a massive reorganization of the federal government sparked by the devastating September 11, 2001, terrorist attacks.

President Bush praised the Senate in a statement issued shortly after the vote and said he looked "forward to signing this important legislation."

"This landmark legislation, the most extensive reorganization of the federal government since the 1940s, will help our nation meet the emerging threats of terrorism in the 21st century," Bush said.

Bush may sign the bill early next week, according to a spokesman for the White House Office of Homeland Security.

http://www.cnn.com/2002/ALLPOLITICS/11/19/homeland.security/index.html

----------------------------------------------------

[5] Business Week Online Special - Enhancing Computer Security

A Tech Sector That's Set to Soar
While overall IT spending is likely to slide next year, companies plan to buy plenty of security products -- especially from the market's top names

Is Microsoft Muscling In on the Market?
Separate products and services would be a logical outgrowth of Gates & Co.'s increased emphasis on security in its current lineup

Open-Source Security Is Opening Eyes
From out of nowhere in just two years, this once unimaginable segment is gaining credibility, venture-capital backing, and sales

Safety Is Elusive for Security Stocks
After a market pummeling, the sector is poised for consolidation, with the likely winners being big players that set industry standards.

http://www.businessweek.com/technology/tc_special/02security2.htm

----------------------------------------------------

[6] Caught in a BIND

How did one of the Internet's most ubiquitous software packages grow up to be chronically insecure? History offers a lesson.

By Jon Lasser
Nov 19, 2002

Weinberg's second law, a decades-old programmers' joke, states, "If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization."

There may be no better example of that principle in action than the BIND name server software. The most recent misadventure to befall the ubiquitous program came to light last week -- when a new exploitable vulnerability in BIND 4 and BIND 8 was announced.
http://online.securityfocus.com/columnists/125

----------------------------------------------------

[7] Navy restructuring CIO's office
BY Dan Caterinicchia
Nov. 18, 2002

As part of Navy Secretary Gordon England's plan to minimize the secretariat staff, the Navy Department's Office of the Chief Information Officer will be cut in half during the next few months.

The CIO office has been reviewing its job functions for the past six weeks and found that its combined military and civilian staff of 50 people could be reduced to 25 by April 2003, said Ron Turner, the Navy's deputy CIO for infrastructure, systems and technology.

http://www.fcw.com/fcw/articles/2002/1118/web-navy-11-18-02.asp

Navy cuts CIO staff
http://www.fcw.com/fcw/articles/2002/1118/news-navy-11-18-02.asp

----------------------------------------------------

[8] A case in point

Interagency criminal justice system provides model for information sharing

BY Dibya Sarkar
Nov. 18, 2002

Strengthening a unique intergovernmental collaboration, Washington, D.C., and several federal criminal justice agencies recently expanded and enhanced a secure Web portal used to quickly and efficiently share justice information online.

The portal, officials maintain, has become one of the leading examples of an integrated criminal justice system. It demonstrates how agencies with different procedures and information needs can jointly develop a system that benefits them all, without compromising any individual agency's security or data management requirements.

http://www.fcw.com/fcw/articles/2002/1118/cov-justice-11-18-02.asp

----------------------------------------------------

[9] Internet Provisions in Security Bill
By THE ASSOCIATED PRESS
Filed at 6:05 p.m. ET

WASHINGTON (AP) -- Internet providers such as America Online could give the government more information about subscribers and police would gain new Internet wiretap powers under legislation creating the new Department of Homeland Security.
Provisions of the bill tucked into a section about ``cyber-security enhancements'' received scant attention during debate.

http://www.nytimes.com/aponline/technology/AP-Homeland-Security-Police.html?ex=1038459600&en=bb2fc1dafcd52b05&ei=5040&partner=MOREOVER

----------------------------------------------------

[10] Don't trust that spam: Ignore 'Nigerian scam'

The so-called "Nigerian scam" has recently become the spam of choice for people who don't want to work for a living, with average users receiving several daily chances to enhance their lot in life by helping themselves and their fellow man.

Most of us pass up this e-mail, but there are enough people who believe the promises to keep the scam moving. Said cybercrime expert Jayne Hitchcock, "If it wasn't working on someone, you wouldn't get so many of these."

These letters differ in the details - supposed country of origin, relationship to a rich person, amount of money involved - but the idea is the same. There is a large amount of money languishing away in a foreign bank, and the correspondent needs your help to move the cash to safety. For your trouble you will get a small percentage, which is actually more than what many people will see in a lifetime.

They make contact, you reply and they ask you to open a bank account, or ask for a small amount of cash to get things started. Pretty soon they ask for more, for bribes or expenses. Soon after that you should get wise.

http://seattletimes.nwsource.com/html/personaltechnology/134577167_ptinbo16.html

----------------------------------------------------

[11] At a stroke, MS cuts critical vuln reports
By ComputerWire
Posted: 20/11/2002 at 09:25 GMT

The Good News: Microsoft Corp will be making fewer warnings of "critical" security vulnerabilities in its products from now on, Kevin Murphy writes

The Bad News: This is because Microsoft has changed the way it advises users and administrators of vulnerabilities, raising the threshold to require a "critical" advisory.
Steve Lipner, director of security assurance at the company, said in an email circular yesterday that Microsoft has overhauled its security advisory services to provide less "confusing" technical information to end users, while still providing administrators with the details they need to rectify problems.

http://www.theregister.co.uk/content/55/28191.html

----------------------------------------------------

[12] Bill's secrecy provisions stick
BY William Matthews
Nov. 19, 2002

Last-minute efforts by Senate Democrats to strip objectionable secrecy provisions from the homeland security bill apparently failed Nov. 18.

Language added to the bill by the House of Representatives would block the disclosure of information about technology vulnerabilities through the Freedom of Information Act. Attempts to remove the language seemed certain to fail even as the Democrats wrestled to remove other provisions they dislike.

http://www.fcw.com/fcw/articles/2002/1118/web-foia-11-19-02.asp

----------------------------------------------------

[13] Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
Richard Forno
Essay #2002-12

Some say that cyberspace is the new battlefield, with its own unique rules, challenges, and concerns for those charged with defending it. If one does consider cyberspace a modern battlefield, intelligence must naturally play a key role in developing appropriate, proactive defenses.

Regarding battlefield intelligence, military strategist Sun Tzu wrote that "what is called foreknowledge cannot be elicited from spirits, nor from gods, nor by analog with past events, nor from calculations. It must be obtained from men who know the enemy situation." That's sound advice.

During recent months, hardly a week goes by without some reference to some firm's findings or statistics on hackers, crackers, cyberterrorists, and the general state of internet security as they see it. Many times these reports are marketed as cybersecurity "intelligence."
The latest player in the internet security industry is UK-based mi2g, and the subject of this article. mi2g offers a suite of security products (essentially they're a systems integrator focused on security), but is best known perhaps as a "security intelligence provider" providing research, assessment, and analysis services on the state of the cybersecurity.

As a security professional - and someone 'on the front lines' of the cyberspace battlefield - I'm both curious and dubious about the whole 'cybersecurity intelligence' business concept, and wonder what it takes to both become a 'cybersecurity intelligence' expert and make money at it, too.

http://www.infowarrior.org/articles/2002-12.html

----------------------------------------------------

[14] Local officials give homeland bill mixed reviews
By Maureen Sirhal, National Journal's Technology Daily

Local officials are lauding a provision in the bill to create a Homeland Security Department that would clarify rules allowing federal law enforcement authorities to share sensitive information with state and local counterparts.

But at the same time, they are expressing concern over budgetary delays halting the distribution of funds to local and state emergency "first responders."

"We're pleased that the homeland security reorganization is going through, but the funding issue is left unresolved," Andrew Solomon, a spokesman for the U.S. Conference of Mayors, said on Tuesday. "These cities are in a really difficult position. They've been forced to spend millions" of dollars for national security improvements without federal aid, he said.

The bill would allow federal agencies to share intelligence and other information related to homeland security with local-level peers. "It specifically clarified the rules of criminal procedures," such as grand-jury information, Solomon noted. The measure also states that the spirit of information sharing should be cooperative, he said.
http://www.govexec.com/dailyfed/1102/111902td1.htm

----------------------------------------------------

[15] CIA searching out technologies to boost national security
By Matt Marshall
Mercury News

The Central Intelligence Agency has come to stay in an area near you.

In 1999, the CIA opened up a venture capital firm, In-Q-Tel, on Sand Hill Road -- the heart of Silicon Valley's venture capital community. It was supposed to be a five-year experiment into the risky business of funding start-ups and a way to acquire commercially viable technologies that enhance national security at the same time.

Since Sept. 11, though, In-Q-Tel has acted more like a permanent resident. ``It's no longer an experiment,'' says In-Q-Tel Chief Executive Gilman Louie.

There's a new urgency within the CIA to find technology that makes sense of all the unstructured data floating around on the Internet and elsewhere. The agency can't train analysts quickly enough. ``Government agencies are scrambling . . . We're in a state of hyperactivity,'' he says.

http://www.siliconvalley.com/mld/siliconvalley/4540623.htm

----------------------------------------------------

[16] Internet, E-Commerce Boom Despite Economic Woes
By Reuters
11/19/02

GENEVA (Reuters) - Use of the Internet is booming all around the world, bucking the global economic downturn and the crisis in the information technology industry, according to United Nations figures issued on Monday.

An annual report by the UNCTAD trade and development agency forecast that registered Internet users could total 655 million by the end of 2002, a year-on-year increase of 30 percent.

At the same time, the value of electronic commerce -- goods and services bought and sold over the Internet -- could reach as high as $2.3 billion this year, a 50 percent rise from last year, climbing to around $3.9 billion at the end of 2003.
http://www.ispworld.com/Reuters/BreakingNews/111902_js09.htm

----------------------------------------------------

[17] Liberty Alliance Updates Specs
By Thor Olavsrud

The Liberty Alliance Project Tuesday published a public review draft of a maintenance update of the version 1.0 specifications it released in July.

The version 1.1 draft primarily makes some editorial changes in an effort to clarify the specifications, but also adds a few fixes and minor enhancements.

For instance, the new version fixes a vulnerability in the Liberty-enabled Client/Proxy Profile (LECP), identified by both IBM and Sun Microsystems. The Liberty Alliance said the vulnerability could have allowed a spurious site to interpose itself between a user and a service provider, allowing the site to impersonate the user.

http://www.internetnews.com/dev-news/article.php/1503481

----------------------------------------------------

[18] Hill OKs security research
BY Diane Frank
Nov. 18, 2002

A bill that authorizes the first steady stream of funding for cybersecurity research and education is on its way to President Bush for his signature, after the final version cleared the full Congress Nov. 12.

The Cybersecurity Research and Development Act (H.R. 3394) provides for $903 million for grants and scholarships through the National Science Foundation and the National Institute of Standards and Technology, and guidance for federal agencies, among other things.

http://www.fcw.com/fcw/articles/2002/1118/pol-hill-11-18-02.asp

----------------------------------------------------

[19] Northcom orders C4ISR, info ops work
BY Dan Caterinicchia
Nov. 19, 2002

The Defense Department's new Northern Command recently awarded $5.8 million in contract task orders to Lockheed Martin Corp.'s information technology business unit.

The orders support Northcom's command, control, communications, computer, intelligence, surveillance and reconnaissance (C4ISR) and information operations (IO) requirements.
http://www.fcw.com/fcw/articles/2002/1118/web-north-11-19-02.asp

----------------------------------------------------
_____________________________________________________________________

The source material may be copyrighted and all rights are retained by the original author/publisher.

Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________

Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk