_________________________________________________________________
London, Wednesday, December 04, 2002
_________________________________________________________________
INFOCON News
_________________________________________________________________
IWS - The Information Warfare Site
http://www.iwar.org.uk
_________________________________________________________________
---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe infocon" in the body
---------------------------------------------------------------------
_________________________________________________________________
----------------------------------------------------
[News Index]
----------------------------------------------------
[1] Homeland defense commander stresses 'need to share' information
[2] Homeland agency charged with outreach
[3] PGP goes back to its roots
[4] Virus payloads bigger, nastier
[5] Barbarians at the Gate: An Introduction to Distributed Denial of
Service Attacks
[6] NetNames cock-up blamed for eBay detagging
[7] Iowa governor dismisses CIO
[8] OMB finds security leverage
[9] GSA's center of activity
[10] Cautionary tales
[11] Does Research Support Dumping Linux?
[12] E-government bill wins praise from tech officials
[13] Infiltrating agency ops
[14] New opportunities for NIST
[15] Traveler smart card poses security concerns
[16] Wennergren named Navy CIO
[17] ISS Goes Public With Vulnerability Disclosure Guidelines
[18] Firewalls face next challenge
[19] Vendors complete tougher ICSA 4.0 firewall tests
_________________________________________________________________
CURRENT THREAT LEVELS
_________________________________________________________________
Electricity Sector Physical: Elevated (Yellow)
Electricity Sector Cyber: Elevated (Yellow)
Homeland Security Elevated (Yellow)
DOE Security Condition: 3, modified
NRC Security Level: III (Yellow) (3 of 5)
_________________________________________________________________
News
_________________________________________________________________
[1] Homeland defense commander stresses 'need to share' information
By Molly M. Peterson, National Journal's Technology Daily
Officials at the newly established U.S. Northern Command may have to
consider abandoning the military's traditional system for classifying
information as they build crucial lines of communication with federal,
state and local homeland security agencies, the Northern Command's chief
information officer said recently.
Speaking to reporters at a homeland security summit late last month,
Maj. Gen. Dale Meyerrose said inter-agency information sharing is a
"blossoming requirement" for the Northern Command, which is
headquartered at Peterson Air Force Base in Colorado Springs, Colo. The
command is charged with consolidating the military's homeland defense
and civil-support missions.
The Defense Department's current classification system allows military
offices to share information on a need-to-know basis, and requires
security clearances and background checks for access to information with
such labels as "top secret" and "classified." But Meyerrose said that
system could hinder the Northern Command's ability to share real-time
information with civilian agencies that classify their information
differently.
http://www.govexec.com/dailyfed/1202/120302td1.htm
----------------------------------------------------
[2] Homeland agency charged with outreach
Security strategy at risk if coordination fails
BY Diane Frank, Megan Lisagor and Dibya Sarkar
Dec. 2, 2002
When President Bush signed the Homeland Security Department into law
last week, he triggered activity on two fronts.
Internally is the much-publicized effort to bring 170,000 employees from
nearly two dozen agencies into a single department, if only virtually.
Externally is the often overlooked effort to coordinate the department's
work with a multitude of organizations across state and local government
and the private sector. This second front, many observers say, is
equally vital - and equally at risk for failure.
http://www.fcw.com/fcw/articles/2002/1202/news-home-12-02-02.asp
----------------------------------------------------
[3] PGP goes back to its roots
By ComputerWire
Posted: 04/12/2002 at 10:03 GMT
PGP Corp this week delivered its first set of product upgrades since the
company was spun out of Network Associates Inc this August, and
delivered on its promise to publish the source code to the pioneering
cryptography software, writes Kevin Murphy.
PGP sees 8.0 releases in its Desktop, Personal, Freeware and Enterprise
edition, and offers support for Windows XP and Max OS X for the first
time. The enterprise tools have been beefed up to feature better
directory integration and configuration management.
http://www.theregister.co.uk/content/55/28413.html
----------------------------------------------------
[4] Virus payloads bigger, nastier
'Experienced programmers switching to virus writing'
Darren Greenwood, Auckland
Virus specialist Daniel Zatz is hoping love blossoms for an 18-year-old
Dutch woman and that the economies of Eastern Europe pick up.
Zatz, a Sydney-based security consultant for Computer Associates, warns
that more serious viruses are on the cards for 2003 following a lull
this year.
About 250 viruses a month have appeared in 2002, compared with 400 last
year, he says, but the latest ones have been more damaging, with the
Klez virus, now in its eighth variant, proving the most prevalent of
all.
http://www.idgnet.co.nz/webhome.nsf/UNID/57F452030DFA2A88CC256C830004435
A!opendocument
----------------------------------------------------
[5] Barbarians at the Gate: An Introduction to Distributed Denial of
Service Attacks
by Matt Tanase
last updated December 3, 2002
Introduction
Recently, major news outlets reported that a coordinated attack designed
to disable several of the Internet's root name servers had taken place.
The attack, described as sophisticated and complex, is known as a
distributed denial of service (DDoS). Although no serious outages
occurred, it was a hot topic in the security world - again. Again?
Similar attacks first made headlines in February 2000. Although
discussed in security circles for some time before that, this was the
first prolonged example of a DDoS, and prevented legitimate traffic from
reaching major sites for several hours. Yahoo, eBay, Buy.com, and CNN
were but a few mjor sites who were inaccessible to their customers for
extended periods of time. Now, almost three years later, can it be that
we're still vulnerable? Unfortunately the answer is yes. This article
will explain the concept of DDoS attacks, how they work, how to react if
you become a target, and how the security community can work together to
prevent them.
http://online.securityfocus.com/infocus/1647
----------------------------------------------------
[6] NetNames cock-up blamed for eBay detagging
By Drew Cullen
Posted: 04/12/2002 at 10:46 GMT
Yesterday, we reported the detagging of eBay.co.uk. As we suspected, an
adminstrative error was to blame. Here is the statement released today
by NetNames, eBay's UK registrant.
We can confirm that the www.ebay.co.uk domain name was partly or totally
inaccessible for a period of about 2 1/2 hours on Tuesday, December 2 as
a result of the failure to renew the domain name. This resulted from an
administrative error on the part of NetNames for which we take full
responsibility. eBay was in no way responsible for the site access
problems. Once NetNames was alerted to the problem, we immediately took
steps to rapidly restore access to the www.ebay.co.uk address. The eBay
UK domain name and site are now fully operational.
http://www.theregister.co.uk/content/6/28419.html
----------------------------------------------------
[7] Iowa governor dismisses CIO
BY Dibya Sarkar
Dec. 4, 2002
Iowa Gov. Tom Vilsack has fired Richard Varn, the state's chief
information officer for the past four years and the leader of its
Information Technology Department, along with five other agency heads.
Varn said the recently reelected governor told him that technology would
not be a focus during his second term. Instead, He said Vilsack would
focus on economic development, education and health care.
http://www.fcw.com/geb/articles/2002/1202/web-varn-12-04-02.asp
----------------------------------------------------
[8] OMB finds security leverage
The Bush administration uses security law and funding threats to push
agencies to offer security solutions
BY Diane Frank
Dec. 2, 2002
Two years ago, if someone brought up information security in a meeting
of agency managers, the most likely response would have been, "The
technology folks are taking care of it."
But that attitude is changing. Now, federal security experts say, even
some Cabinet-level secretaries could provide details about their
agencies' security policies.
Not every top government executive is so well informed, but information
security clearly is a topic agency managers outside the information
technology office are discussing in detail. As a result, they are no
longer just discussing specific security strategies - they are also
planning for them and putting them into practice, said an administration
official who asked not to be named.
http://www.fcw.com/fcw/articles/2002/1202/cov-sec-12-02-02.asp
----------------------------------------------------
[9] GSA's center of activity
BY Diane Frank
Dec. 2, 2002
A long-term goal of the General Services Administration's Federal
Computer Incident Response Center has been to create a governmentwide
security data analysis center.
All agency-specific incident information would be examined to detect
trends and possible incidents that were not obvious attacks when looking
only at information from one or two agencies, said Sallie McDonald,
assistant commissioner for information assurance and critical
infrastructure protection at GSA.
FedCIRC, which serves as the central point for incident warnings,
analysis and response for civilian agencies, is still working on methods
for effectively collecting information from individual agencies. This
includes using Extensible Markup Language-based forms to allow for easy
reporting of incidents, said Mark Forman, associate director for
information technology and e-government at the Office of Management and
Budget.
http://www.fcw.com/fcw/articles/2002/1202/cov-sec2-12-02-02.asp
----------------------------------------------------
[10] Cautionary tales
BY Heather Hayes
Dec. 2, 2002
Although there are plenty of benefits to partnerships with the private
sector, the decision to do so needs to be made with great care.
Connecticut and San Diego County, Calif., for example, experienced
problems after deciding to enter into large information technology
outsourcing arrangements, in large part, observers say, because they
didn't define their requirements and expectations properly.
Connecticut canceled its contract (reportedly worth $1.5 billion during
10 years) before it even got off the ground because of concerns over
whether promised cost-savings and efficiencies could be realized. And
San Diego County, which still holds a seven-year, $644 million deal with
Computer Sciences Corp. for IT and telecommunications services,
applications, networks, and desktop and data center operations, settled
a contract dispute this past summer after charging that the company
hadn't met agreed-upon milestones and service levels.
http://www.fcw.com/supplements/homeland/2002/sup4/hom-assist1-12-02-02.a
sp
----------------------------------------------------
[11] Does Research Support Dumping Linux?
Microsoft's security policies are getting better every day, even as a
new report slams open-source competitors as security nightmares. But the
easy answers aren't always the right ones.
By Tim Mullen Dec 02, 2002
Linux security is hopeless.
I don't really believe that -- I just wanted to get your attention. But
now that I have it, it is a good time to introduce you to some
researchers whose sentiments are just that. In fact, The Aberdeen Group
is calling open-source and Linux software the new "poster child" for
operating system security for the year of 2002.
In a research abstract published by Jim Hurley and Eric Hemmendinger,
(note that the site requires free registration) the two Aberdeen
analysts site CERT statistics where 16 of the 29 advisories for 2002
were for Linux/open-source issues -- over half of the total advisories.
They also make some interesting comparisons between 2001 and 2002,
noting a rise of issues with embedded systems, firewalls, and Trojan
activity.
http://online.securityfocus.com/columnists/127
----------------------------------------------------
[12] E-government bill wins praise from tech officials
By Maureen Sirhal, National Journal's Technology Daily
Privacy advocates and technology industry groups are hailing the passage
of legislation aimed at boosting online government services. They see
the measure, which President Bush is expected to sign before year's end,
as a way to cement the government's commitment to modernization and as a
boon to consumer privacy.
The bill, H.R. 2458, would establish an Office of Electronic Government
within the White House Office of Management and Budget that would be
modeled closely upon the Bush administration's current blueprint for
e-government.
But the measure also would mandate greater privacy protections by
ensuring that all federal Web sites post standard privacy policies and
establish safeguards for personally identifiable data held by the
government. And federal Web sites could incorporate the technology known
as the Platform for Privacy Preferences, which allows consumers to
choose the level of privacy they want when surfing the Internet.
http://www.govexec.com/dailyfed/1202/120202td2.htm
----------------------------------------------------
[13] Infiltrating agency ops
BY Diane Frank
Dec. 2, 2002
Including security as a basic feature of every system and program isn't
as easy as it sounds.
"Our philosophy has been - and our key objective for the cybersecurity
program - is to improve executive management of the program by
integrating [information technology] security controls into all the
major business processes of the department," said Lisa Schlosser,
assistant chief information officer for IT security at the
Transportation Department.
http://www.fcw.com/fcw/articles/2002/1202/cov-sec1-12-02-02.asp
----------------------------------------------------
[14] New opportunities for NIST
BY Diane Frank
Dec. 2, 2002
Both the Homeland Security Act of 2002 and the E-Government Act of 2002
include provisions that attempt to raise the profile of cybersecurity
initiatives. Central to each bill is a potentially larger role for the
National Institute for Standards and Technology.
NIST has developed security guidance for years, but agencies are not
required to follow it because the secretary of the Commerce Department
has rarely used the authority granted in the Computer Security Act of
1987 to make NIST's standards and guidance mandatory.
Underscoring the importance of security, the e-government bill reaffirms
that authority and "a lot of us hope that the secretary will use that
authority more extensively than in the past," said Franklin Reeder,
chairman of the federal Computer Systems Security and Privacy Advisory
Board.
http://www.fcw.com/fcw/articles/2002/1202/news-home1-12-02-02.asp
----------------------------------------------------
[15] Traveler smart card poses security concerns
BY Megan Lisagor
Dec. 2, 2002
While garnering support from stakeholders, the Transportation Security
Administration's proposed registered traveler program could create new
aviation vulnerabilities, the General Accounting Office found.
The program would allow certain credentialed and pre-screened passengers
to speed through security checkpoints in airports using smart cards. The
goal would be to reduce long waits and better target resources to those
travelers who might pose greater risks.
"GAO concluded that a registered traveler program is one possible
approach for managing some of the security vulnerabilities in our
nation's aviation systems," office officials wrote in highlights of the
November 2002 report. "However, decisions concerning key issues are
needed before developing and implementing such a program."
http://www.fcw.com/fcw/articles/2002/1202/web-tsa1-12-02-02.asp
----------------------------------------------------
[16] Wennergren named Navy CIO
BY Matthew French
Dec. 3, 2002
Moving quickly after the Department of Navy's chief information officer
said he will be retiring, Navy Secretary Gordon England announced Dec. 2
that David Wennergren will become the department's new information
technology leader.
The move gives the department some stability. Wennergren has been
serving as the Department of Navy's deputy CIO for enterprise
integration and security for the past several years.
Dan Porter, who had been DON CIO since September 1998, officially
retired Dec. 1 to become senior vice president for strategic development
at Vredenburg Inc., a small professional services company in Reston, Va.
http://www.fcw.com/fcw/articles/2002/1202/web-doncio-12-03-02.asp
----------------------------------------------------
[17] ISS Goes Public With Vulnerability Disclosure Guidelines
By Dennis Fisher
Internet Security Systems Inc. on Monday released to the public the
vulnerability disclosure guidelines that its internal X-Force research
team uses in identifying flaws and notifying vendors and the public.
The guidelines are fairly standard and include a provision that is
becoming more and more common among security vendors that also do
vulnerability research. The clause informs vendors that ISS customers
who subscribe to the company's X-Force Threat Analysis Service will be
told about any new vulnerabilities one business day after ISS notifies
the affected vendor. Customers will also get information on any
countermeasures that may be available.
http://www.eweek.com/article2/0,3959,741332,00.asp
----------------------------------------------------
[18] Firewalls face next challenge
November 27, 2002
Deep Packet Inspection: Next Phase of Firewall Evolution
By Richard Stiennon
Enterprises must ensure that their firewalls perform deep packet
inspection at wire speeds, and apply security policies based on
application content as well as source, destination, and port, to
effectively block cyberattacks.
What you need to know
Deep packet inspection firewalls that have rich feature sets and high
throughput will lead the way to better network security and return on
investment. Enterprises that are deploying Web services should ensure
that their firewalls can handle the security requirements that these
services demand.
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2898730,00.h
tml
----------------------------------------------------
[19] Vendors complete tougher ICSA 4.0 firewall tests
By ComputerWire
Posted: 04/12/2002 at 10:24 GMT
ICSA Labs, which provides one of the most important certifications
firewall vendors strive for, said yesterday it has completed the first
wave of tests of product against version 4.0 of its certification
criteria, writes Kevin Murphy.
For the first time, ICSA has also split its certification into three
categories and is awarding three different certification logos - for
residential, small and medium business, and corporate firewall products.
"Firewall vendors didn't want a firewall that costs $100,000 to buy to
have the same certification as one costing $200," said ICSA Labs program
manager Brian Monkman. "The one-size-fits-all criteria doesn't work any
more."
http://www.theregister.co.uk/content/55/28417.html
----------------------------------------------------
_____________________________________________________________________
The source material may be copyrighted and all rights are
retained by the original author/publisher.
Copyright 2002, IWS - The Information Warfare Site
_____________________________________________________________________
Wanja Eric Naef
Webmaster & Principal Researcher
IWS - The Information Warfare Site
<http://www.iwar.org.uk>
---------------------------------------------------------------------
To subscribe - send an email to "[EMAIL PROTECTED]" with "subscribe
infocon" in the body
To unsubscribe - send an email to "[EMAIL PROTECTED]" with
"unsubscribe
infocon" in the body
---------------------------------------------------------------------
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
