[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Clips 3/7/02
- To: "Ruchika Agrawal":;
- Subject: Clips 3/7/02
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 07 Mar 2002 13:54:44 -0500
Los Angeles Times
U.S. to Curb Computer Access by Foreigners
Government: To boost security, some Defense Department work will be done only
by citizens.
By CHARLES PILLER
Times Staff Writer
March 7 2002
Sparked by heightened security concerns since the Sept. 11 terrorist attacks,
the Defense Department has begun laying the groundwork to ban non-U.S. citizens
from a wide range of computer projects.
The planned policy--slated for adoption within 90 days--extends restrictions on
foreign nationals handling secret information to "sensitive but unclassified
positions," which include the swelling numbers of contract workers who process
paychecks, write software, track supplies and maintain e-mail systems.
The move comes amid a growing awareness of the vulnerability of government
computer systems in an era when software espionage and malicious hacking have
become commonplace.
The Defense Department's proposal, covering a work force that accounts for
one-third of federal civilian employees, would represent the most sweeping
implementation of the government's restrictions on foreign technology workers.
The much-smaller Justice Department instituted little-noticed restrictions in
July, and the Treasury Department has had a ban on noncitizens working on its
communications systems since 1998.
Officials said the restrictions are needed to get a handle on the proliferation
of foreign nationals who work on government computer systems, but the plan has
raised concerns that the government is being xenophobic and shortsighted.
Experts said barring foreign nationals from certain computer projects opens the
prospect that key jobs will go unfilled because of a shortage of qualified
citizens--a situation exacerbated by the relatively small number of U.S.
students who pursue advanced technology degrees. Costs may also rise sharply as
higher-paid U.S. citizens replace foreign workers.
"You can easily create a critical manpower shortage," said Annalee Saxenian, a
professor of city and regional planning at UC Berkeley who has studied the
effect of immigrants on the technology industry. "There's probably no company
in Silicon Valley that doesn't have from 10% to 40% of their work force who are
foreign nationals. . . . [Defense Department officials may be] boxing
themselves into a situation where they will lose the best talent."
Even Richard A. Clarke, top cyber-security advisor to President Bush, views the
restrictions as a misguided priority.
"Rather than worry about what country somebody was born in, we ought to focus
on the design and the architecture of our information systems," he said, adding
that he supports the use of background checks, automatic recorders that log
keystrokes by programmers and stricter rules on individuals changing data.
"In general, trying to restrict the [information technology] professional that
we use to American citizens is not going to be an effective approach," Clarke
said. "The United States does not produce enough American citizens who are
IT-security-trained to operate our networks."
Computer Security Is Long-Standing Problem
Analysts long have warned about lax security in government computer systems.
"These [software] systems are wide open," said Ed Yourdon, an independent
expert in technology security policy. "The vast majority of bad things done on
computer systems are done by insiders--not teenage hackers in Moscow."
Two years ago, the General Accounting Office, the investigative arm of
Congress, studied the use of foreign contractors by federal agencies working to
fix year 2000 software problems. It found foreign nationals working on 85
contracts for "mission-critical" software. Yet several of the agencies
investigated lacked even rudimentary controls over contractors' work.
The Navy sent software or data associated with 36 mission-critical systems to a
foreign-owned contractor yet "could not readily determine how the code and data
were protected during and after transit to the contractor facility," the GAO
report said.
"In many instances, the [Defense Department] was not aware when some programming
changes were being done by a contractor who used foreign nationals," said David
L. McClure, who led the GAO study.
The Health and Human Services Department used software engineers from Pakistan,
Russia and Ukraine without performing background checks.
Similar lapses were found in the departments of Energy, Agriculture and State,
as well as NASA and other federal agencies. None of those agencies is
considering new restrictions in the use of foreign nationals, although some
require regular employees to be citizens.
The Defense Department previously had been developing a system of security
restrictions for foreign nationals working on unclassified computer operations,
but Sept. 11 prompted plans for more restrictive measures.
IT Work Routinely Given to Foreigners
"The IT business has become largely contractual, with programming and data work
being farmed out to areas where there is cheap labor," Pete Nelson, the Defense
Department's deputy director for personnel security, wrote in an e-mail to The
Times. "If this trend does not simultaneously take into consideration security
requirements, there would be reason for concern. Some foreign nationals--those
in the most sensitive position--may not be permitted to remain."
Nelson said no details of the policy would be made public until it becomes
final.
The Defense Department had no estimate of how many noncitizens it has as
employees or contractors but acknowledged that the shift could prove costly.
Some major defense technology contractors also said they could not readily
estimate how many of their employees are foreign nationals. Industry experts
believe that thousands of jobs could be involved.
Major technology contractors, such as Science Applications International Corp.
in San Diego and Computer Sciences Corp. in El Segundo, said they can meet any
new Defense Department requirements.
Smaller contractors may have more difficulty doing so.
Indus Corp., a 300-employee technology contractor in Vienna, Va., that works
with the military and other government agencies, fulfills military contracts
without tapping its 40 to 45 employees who are not U.S. citizens, said Chief
Executive Shiv Krishnan.
"In the future, there may be opportunities we can't bid on because of the
dearth of available talent," said Krishnan, who came to the U.S. from India to
study and gained American citizenship 12 years ago.
Dan Kuehl, a professor of cyber-security at the National Defense University in
Washington, said any move to restrict unclassified tasks to U.S. citizens could
create a logistical nightmare.
Despite the high-tech recession, the country faces chronic shortages of
professionals who can manage the complex computer systems, databases and
networks prevalent in government agencies. The high-tech industry relies
heavily on Indian, Chinese and other Asian workers--a group that long has
complained about being unfairly targeted on issues of U.S. loyalty.
Those shortages prompted Congress to create a special visa program through the
Immigration Act of 1990 known as H-1B, which permitted more than 163,000 highly
skilled foreign workers to take jobs in this country last year. Many are
employed by defense contractors.
A move away from using foreign nationals also could increase contracting
costs--building pressure on managers to make do with fewer tech professionals,
which would itself be a security liability, said John Pescatore, a security
analyst with GartnerGroup Inc.
Relatively few U.S. students are being trained to fill the gap, while foreign
student enrollment in technology programs at U.S. universities has soared. From
1991 to 2000, 46% of U.S. doctoral degrees in computer science were awarded to
foreign students, the National Science Foundation said.
"The same security concerns are being expressed about the entire critical
infrastructure"--both government and private, Yourdon said. "We have foreign
nationals working in systems that control electrical power or move billions of
dollars around the financial systems or control trades on the Nasdaq."
But banning noncitizens from sensitive jobs may offer little assurance of
security, he said. Three of the most damaging espionage cases in U.S.
history--those of the CIA's Aldrich Ames, the FBI's Robert Philip Hanssen and
the Navy's Walker family spy ring--involved U.S. citizens who were direct
employees of the government and had access to classified computer systems.
**************
Davis: Feds shift 508 responsibilities
BY William Matthews
March 6, 2002Printing? Use this version.
Email this to a friend.
Ever since new rules took effect that made federal agencies responsible for
buying accessible office technology, procurement officials have devised several
ploys to try to shift that responsibility to product vendors, a Virginia
congressman charges.
The rules, which took effect eight months ago and are spelled out in Section
508 of the Rehabilitation Act, require federal agencies to ensure that people
with disabilities can use the information technology products agencies buy. And
the rules make it possible for federal employees and members of the public to
sue agencies that fail to comply.
But government contracting officials have been trying to shift liability from
the agencies that are buying products to the vendors that sell them, according
to Rep. Tom Davis (R-Va.).
Davis said some federal agencies are pressuring vendors to "certify" that their
products are "508-compliant." Others insist on "government-unique contract
clauses" that vendors must sign, assuring that their products comply with
Section 508.
"[A few agencies] have been contemplating requiring contractors to submit to
mandatory third-party testing as a condition for bidding on government
contracts," Davis said.
"All of the above violate the letter and spirit of the accessibility
standards," said Davis, chairman of the House Government Reform Committee's
Technology and Procurement Policy Subcommittee. Section 508 makes it clear that
federal agencies ? not vendors or their products ? are responsible for
complying with the accessibility standards, he said.
Davis spelled out his complaints in a letter to Stephen Perry, head of the
General Services Administration. GSA oversees government procurement practices
in general and advises agencies on Section 508.
Davis said GSA has warned agencies that they are not authorized to require that
vendors certify or warrant that their products comply with Section 508. He
asked Perry to "disseminate guidance reiterating the prohibition" on
certifications, warranties and third-party testing.
Davis' concerns mirror those of the Information Technology Association of
America, a trade organization that represents technology manufacturers and
sellers. Companies in the organization are worried about liability problems
they could face if forced to offer warranties and compliance certifications.
They also worry about the potential cost and stifling effect of third-party
testing, according to Michael Mason, an attorney with the firm Hogan and
Hartson LLP and a federal contracting specialist.
If third-party testing is permitted, companies will be pressed to build
products designed to pass the test, but not necessarily designed to best
provide accessibility, he said.
But agencies aren't alone in trying to turn Section 508 to their advantage,
said Doug Wakefield, an accessibility expert for the U.S. Access Board, which
developed the standards. Vendors have also tried to use the law as leverage.
For example, vendors protested when the Social Security Administration required
a specific type of video card for computers. "People complained that's not a
508 requirement," Wakefield said.
But the video cards worked best with the SSA's assistive technology, and the
agency was right ? and within its rights ? to require them, he said.
**************
Federal Computer Week
SSA testing biometric tech
BY Colleen O'Hara
March 6, 2002Printing? Use this version.
Email this to a friend.
The Social Security Administration is considering using biometric technology to
help it protect people's Social Security numbers and prevent identity theft.
Three SSA field offices are testing different biometric technology, such as
photographs and fingerprints, that the agency could use to tie a person to his
or her Social Security number, said William Gray, deputy commissioner for
systems at SSA.
The biometric information would be stored in a database ? not on the card
itself ? and would help prevent identity theft, Gray said, speaking this week
at the Information Processing Interagency Conference in Orlando, Fla.
The tests will help SSA decide where the use of biometrics is most beneficial,
and also help it decide what type of biometric technology works best, Gray
said.
If the pilot program is successful, it would be used broadly when people apply
for Social Security cards, Gray said.
SSA also is looking into what types of Social Security cards would be harder to
counterfeit than today's paper cards, Gray said.
This testing process shows SSA's incremental approach to launching services.
For instance, it has established an electronic technology center so it can test
and evaluate new technology such as biometrics before it rolls it out for
testing in a real-life situation, Gray said.
SSA also has a usability center that helps it "design applications that meet
users needs," Gray said.
*****************
Reuters Internet Service
Palm, FTC Reach Settlement on Marketing Claims
Wed Mar 6, 1:35 PM ET
WASHINGTON (Reuters) - The Federal Trade Commission said on Wednesday it had
reached a settlement with Palm Inc. over charges the company misled consumers
about the wireless capabilities of its handheld computers.
Under the terms of the settlement, the FTC said, the handheld computer company
would be required to clearly disclose when consumers have to buy additional
equipment, such as a modem, and to obtain advertised services like access to
e-mail or the Internet.
In its complaint, the FTC said that Palm claimed that its handheld devices
could access the Internet and run Microsoft Word and Excel programs, when in
fact most models required separate modems or software to perform such
functions.
In addition, the company did not disclose that users needed to subscribe to its
proprietary Internet service at additional cost for wireless access, the FTC
said.
Palm will be required to clearly explain that additional products are needed to
perform such functions in the future, the FTC said, and explain that its
wireless Internet service does not cover the entire United States.
A Palm spokeswoman said the company believed it had not misled customers in the
past, but that it would comply with the terms of the settlement.
"We are happy to make disclosures in larger type or more explicit language, or
both," said Palm spokeswoman Marlene Somsak.
The company will be liable for penalties of up to $11,000 per count if it
violates the agreement.
******************
Cyberspace copyright protection reinforced
By Frances Williams in Geneva
Published: March 5 2002 17:51 | Last Updated: March 6 2002 07:27
A landmark international treaty reinforcing the protection of copyright in
cyberspace comes into force on Wednesday amid controversy in the US and Europe
over whether tougher copyright rules stimulate or inhibit creativity on the
Internet
The copyright treaty, negotiated by the World Intellectual Property
Organisation (Wipo) in 1996, and a sister treaty protecting sound recordings
that comes into effect in May update copyright law for the digital age.
They have added some controversial features, which have already led to a string
of legal challenges in the US, one of the first countries to introduce
implementing legislation.
The treaties outlaw attempts to circumvent encryption and other techniques
designed to prevent unauthorized copying and ensure royalties are paid.
Wipo and the copyright industries distributing books, software, music and films
say the new rules will encourage copyright owners to put their works online, by
giving them clearer enforcement rights against piracy. Dr Kamil Idris, Wipo
director-general, said the treaties provided a platform for creators to further
exploit the Internet with confidence.
The music industry, which claims to be losing billions of dollars a year in
royalties from illegal downloading of CDs from the Internet, says better
copyright protection will provide the legal basis needed for record companies
to introduce a range of online services from "listen-only" to the downloading
of permanent copies.
But civil liberties advocates claim the restrictions curb freedom of speech and
expression on the Internet, a view that has so far won little sympathy in the
US courts.
Napster, which allowed free music copying, was closed down and last November -
in a victory for the Hollywood film studios - a US federal appeals court upheld
a ruling barring a hacker website from publishing or linking to software used
to break encryption codes preventing copying of DVDs (digital versatile discs).
The International Publishers Association, based in Geneva, said the Wipo
copyright treaty provided a balanced legal framework to protect content on the
Internet and urged other countries to join the 34 that have already ratified.
The European Union and the 15 member states are expected to ratify together
after the necessary implementing legislation has been passed in each country.
Wipo received a record 104,000 international patent applications last year
under its patent co-operation treaty, which eases the process of filing patent
claims in multiple countries.
Wipo said the applications, up 14 per cent in 2001, were equivalent to millions
of national filings, with many international applications covering all or most
of the 115 states that are parties to the treaty.
US inventors and industry headed the list for the 11th consecutive year with
38.5 per cent of all applications. Developing countries account for just 5 per
cent of applications overall.
**************
Congressional Committee Web Site Exposed Internal Database
By Brian McWilliams, Newsbytes
WASHINGTON, D.C., U.S.A.,
06 Mar 2002, 3:38 PM CST
The U.S. House of Representatives committee leading the investigation into
Enron's collapse temporarily will take its Web site offline this evening to
perform a security audit, a spokesman said.
The review follows the discovery today that an internal database owned by the
House Energy and Commerce Committee was left exposed to anyone with a Web
browser.
Prior to being locked down this afternoon by administrators, the improperly
secured IBM Lotus Domino database contained documents such as correspondence,
transcripts and staff directories dating back to 1998.
According to committee spokesman Ken Johnson, the exposed database did not
contain any sensitive documents, such as those related to the Enron inquiry or
to the committee's investigation of drug maker ImClone Systems, or to
legislative matters such as the recent bioterrorism bill authored by committee
Chairman W.J. "Billy" Tauzin, R-La., and Ranking Democrat John Dingell, D-Mich.
"Admittedly, we did have a glitch in the system, but to the best of our
knowledge there were no serious privacy breaches," said Johnson. The exposed
database was discovered by Kitetoa, a group of French computer security
enthusiasts that has also identified glitches at Web sites operated by several
high-profile companies including DoubleClick, Veridian, ChoicePoint and Groupe
Bull.
Database vulnerabilities of the sort affecting the House committee site have
been familiar to computer security experts for several years. In October 1998,
a group of hackers known as the L0pht published an advisory describing how Web
users can retrieve sensitive data in many Domino-based Internet applications.
Last month, a French court fined Kitetoa's leader, Antoine Champagne, 1,000
euros (US$865) for probing and publicizing security holes he found at Tati.fr,
the homepage of a Paris-based clothing retailer. The court suspended the fine
on the condition that Champagne avoid any other convictions for the next five
years.
Johnson said the committee "appreciated" Kitetoa's work in identifying the
vulnerability at its site.
"This has been a learning process for us and we are going to tighten some of
our security procedures. Fortunately it appears it was discovered by someone
whose intent was to help us and not hurt us," Johnson said.
The committee's site recently received a Golden Mouse Award from Congress
Online, a non-profit organization promoting Internet communication between
members of Congress and the public.
The House Energy and Commerce Committee is at http://energycommerce.house.gov .
Kitetoa is at http://www.kitetoa.com .
The L0pht advisory on Domino is at
http://www.l0pht.com/research/advisories/1998/domino3.txt .
****************
MSNBC
Stolen card data surfaces on Web site
A year after cards are canceled, victims face privacy concerns
March 6 On a lark last Friday, ?Donna? entered her name into the Google search
engine. Only one hit came back, a link to a Russian Web site. But when she
clicked on it, she found her name address, phone number, and Citibank credit
card listed there, along with about 200 others. An MSNBC.com investigation
unveiled hundreds of others, apparently all canceled Citibank cards, with the
account numbers listed in nearly sequential order and as of late Wednesday,
the information was still posted on the Internet.
?IT?S REALLY SCARY,? Donna said. The card number she found had actually been
canceled last year after someone had charged thousands of dollars in computer
equipment and had it sent to somewhere in Russia. But there it was, along with
hundreds of other numbers.
Donna was willing to let MSNBC.com use her name in this story. However,
MSNBC.com decided to withhold her last name otherwise, criminals would have an
easy time retracing her steps to the Web pages with the card numbers.
?Being a consumer that was touched personally with these fraudulent charges,
I am absolutely appalled that my private information is out there on the Web
for anyone to see,? Donna said. ?I wasn?t searching for it; I actually stumbled
on it by accident. Luckily, my card has been canceled, and the info is no
longer good, but that may not be the case with all these other people that were
on this long list.?
Citibank spokesperson Maria Mendler said the company believes most, if not
all, of the cards have long since been canceled. The format of the data
suggests the information was stolen from a merchant, she said, though she
didn?t know which one.
Citibank learned of the Web pages a few days ago and is working with law
enforcement agencies to have them removed. She conceded, however, that their
efforts have been stymied by the fact that the data sits on computers outside
the United States.
So nearly a week after Donna spotted her name, the site can still be viewed
by anyone surfing the Web.
?The site is still available, and even though I know that our card is
canceled, it is still a very unsettling feeling that the information is out
there,? Donna said. ?And how can I be sure our replacement card information is
not out there somewhere else??
How the account information got on the apparently Russian Web page is a
mystery.
Since the cards are all canceled, there?s no longer a risk of false charges
but the incident reveals there are lingering impacts on consumers when their
data is stolen.
?It?s like having cancer. The best you can do is hope for lifetime
remission,? said Bruce, another former Citibank credit card fraud victim who
had canceled his Citibank card nine months ago because of fraud. ?Ten years
from now I?ll still worry about my credit and my name. It?s something I?ll be
thinking about and be concerned about for a long time.?
The only other distinguishing characteristic of the Web site where the numbers
are posted is this: The phone numbers are typed in a variety of formats, some
with hyphens, some with parentheses, suggesting the data wasn?t downloaded from
a database, but rather hand copied from somewhere.
MSNBC.com found about 600 accounts this way, but the records were numbered,
with the final record retrieved by MSNBC.com being 1185, suggesting there were
at least that many stolen.
Mendler didn?t know where the stolen data came from, but she said the format
was consistent with that collected by merchants. She wouldn?t speculate on why
the data represented only Citibank accounts, but added that hackers who steal
wide swaths of data can easily sort by bank and resell the stolen data that
way.
*********************
The New York Times
March 7, 2002
Making Losers of Auction Winners
By JENNIFER 8. LEE
IT'S hard to resist a good Internet bargain, especially when it seems too good
to be true.
Crystal Nordberg of Tulsa, Okla., and her fiancé, Jonathan Williams, had
planned on buying a high- end digital camera for their honeymoon in Europe this
May. The couple set aside money from gifts and work bonuses to buy a Sony
(news/quote) Mavica.
Then, in late December, Ms. Nordberg saw a Mavica offered at Yahoo (news/quote)
Auctions by a seemingly trustworthy seller who went by the name McGooch2002.
She cautiously bid $700, far less than the $1,000 she would have paid for a
Mavica in a store.
When she won, she quickly wired the money, thinking she had clinched a bargain.
Instead Ms. Nordberg had become the victim of an elaborate scheme by the
seller, whose trustworthiness, it turned out, was based on a record of
fictitious transactions. And she was not alone: she was one of 20 people who,
in the same week, bought a total of $20,000 worth of laptop computers,
camcorders, cameras and hand-held organizers from McGooch2002 that were never
delivered.
Fraud has been a problem since the first online auctions were conducted in the
mid-1990's and has expanded as auction sites like eBay (news/quote) and Yahoo
have become some of the most successful sites on the Internet. Auction sites
function primarily on a kind of honor system, with "feedback" ? comments by
each participant in a transaction about the other's behvior ? playing a
critical role. It is a system that can be abused, and auction sites try to
ferret out criminals by using special software and other techniques to track
suspicious activity like shill bidding, in which sellers inflate prices through
accomplices who bid up items. Law enforcement agencies have also expanded their
efforts to investigate online auction fraud.
But as episodes like Ms. Nordberg's experience show, the criminals are trying
just as hard to stay ahead, becoming more technologically and financially
sophisticated and moving beyond garden-variety fraud like the misrepresentation
and nondelivery of goods.
Defrauders now switch computers so their usage patterns cannot be as easily
detected and build flashy Web sites to give their businesses the sheen of
legitimacy. They steal credit card numbers to set up e-mail accounts on
Internet service providers like America Online and then use them to set up
fraudulent auctions.
Fraud has even entered the automated stage. Over the last two months, eBay
says, it has seen the emergence of software "bots" that scan accounts and then
try to gain access to them by systematically guessing passwords. The goal is to
hijack a trusted seller's account and use it to make fraudulent transactions.
"You are definitely seeing a new sophistication," said Kevin Pursglove, a
spokesman for eBay. "And five years down the road they are going to be even
more sophisticated."
Auction fraud is now the most prevalent computer- related crime, according to
the Internet Fraud Complaint Center, a joint program of the F.B.I. and the
National White Collar Crime Center. Last year the center referred 7,193
complaints of auction fraud involving a total loss of $5.4 million for
investigation.
Yet the center estimates that less than 10 percent of victims report their
losses, in some cases because they are embarrassed and often because they do
not know where to turn. And many of the cases that are reported to law
enforcement agencies are not pursued vigorously because the investigative costs
far outweigh the victims' financial losses. The rate of complaints is gradually
rising, and the assessment of the losses has sharply increased as criminals
focus on high-tech, big- ticket items. The fraud complaint center says that the
median dollar loss per auction fraud was $225 in the first half of 2001 but
jumped to $489 in the second half of the year.
While less than 1 percent of Internet auctions are fraudulent, according to the
auction sites and F.B.I. statistics, that statistic offers little comfort to
the victims. "It sure doesn't feel like 1 percent when you are in the middle of
it," Ms. Nordberg said.
Traditional offline financial fraud is being integrated into the online auction
world, with a twist. Fraudulent sales were formerly dominated by hard-to-trace
transactions involving cash or money orders. Now investigators say that
perpetrators are increasingly using identity theft to set up bank accounts that
allow wire transfers or transactions involving third-party online payment
services like PayPal.
Ms. Nordberg, for example, had been asked by McGooch2002 to wire money to a
bank in Nashville. Another victim of McGooch2002 had been asked to send the
money by PayPal. McGooch2002 told buyers that his name was Maurice Gooch and
that he lived in Nashville.
But when Ms. Nordberg tracked down a Maurice Gooch in Nashville, Mr. Gooch said
he had never been involved in an online auction. Investigators suspect that the
bank account set up in his name was a case of identity theft. Yahoo Auctions
said that it did not comment on specific fraud cases but that it was doing its
best to cooperate with law enforcement agencies.
While fraudulent sales involve everything from handmade Apache knives to
vintage motorcycles, the greatest concentration of dollar losses is in sales of
high-tech items like laptop computers, video game consoles and games, cameras
and camcorders. Such fraud typically runs from $1,000 to $2,000.
Some of the biggest fraudulent sales to date did not involve electronics items.
In 2000, an eBay user in the Netherlands bid $135,805 for a painting that the
bidder believed was by Richard Diebenkorn and whose price had been inflated
through a shill-bidding scheme. Two men pleaded guilty to fraud charges in
connection with that auction and those of other paintings on eBay. Another
defendant, Kenneth Fetterman of Placerville, Calif., is at large.
In the Diebenkorn painting case, prosecutors said, the sellers created
artificial feedback ratings to increase their credibility. Ms. Nordberg, too,
had been reassured to learn that 12 happy customers had given McGooch feedback
like "a true Santa Claus online" and "Grade A+++."
But after the auction, Ms. Nordberg carefully reviewed the feedback and
realized that all of it was submitted by users who created accounts around the
same time and had reported no purchases other than the ones from McGooch2002.
In other words, the 12 users were probably fictional creations of the person
who created McGooch2002.
McGooch2002 started his account six months in advance, built a clean reputation
though such nonexistent auctions and then began a series of auctions of
high-end merchandise in the last week of December that all ended around the
same time. "It seems like it was planned out, very methodical in nature," Ms.
Nordberg said.
Indeed, sophisticated criminals invest months in creating believable
characters. "Fifty percent of the success of the scam is information about the
seller ? his feedback, his purchase history," said a 24-year-old Romanian who
lives in the United States and admitted taking part in auction fraud. He spoke
on condition of anonymity.
"These guys are smart," he said. "They know how to build a character. They have
patience to make it look solid."
But he said he was also struck by the level of trust that people were willing
to invest in an unknown seller. "I'm amazed at the stupidity that some people
show when they buy something," he said.
Some criminals have turned to hijacking users' accounts and their good feedback
instead of building their own identities. The way is eased by the fairly
transparent passwords that many people use.
Rob Chesnut, who leads fraud investigation for eBay, said: "Sometimes users
have a very short password or one that is easy to guess such as `ebay,'
`password' or `123.' Those are the types of things that will make an account
vulnerable."
Passwords can be illegally obtained by sending e-mail to users informing them
that they need to provide their eBay passwords to complete a transaction. Some
messages request a credit card number or even a driver's license number. Users
who supply the data usually find fraudulent charges to their credit cards or
discover that their accounts have been hijacked.
Automated software that tries to crack user accounts by entering thousands of
passwords is a common tool. EBay is trying to devise strategies to guard
against such programs, like making it harder to try rapid, repeated log-ins to
the same account.
Last fall, Brian Murphy, an eBay user who lives outside Minneapolis, had his
eBay identity stolen and used to set up fraudulent auctions. Winning bidders
were told that Mr. Murphy had to leave the country on business and were asked
to send the money via Western Union to the Ukraine.
It was an unusual request, but bidders were reassured by Mr. Murphy's high
positive feedback. "I basically believed him because of his record," said Jerry
Auerbach of Englewood, N.J. "Had I looked more deeply, I would have noticed he
didn't sell computers. He sells baseball cards."
Mr. Murphy is not sure how his account was stolen. Making matters worse, he
said, his eBay and e-mail passwords were the same, and both accounts were
compromised. His case is counted among the estimated 10 percent of auction
fraud cases that originate overseas and are hard for local officials to
investigate.
But even when the wrongdoing originates in the United States, auction fraud
investigations face legal and logistical obstacles. Victims are generally
scattered around the country and seldom reside in the same place as the
fraudulent seller. Since individual crimes often amount to only a few hundred
dollars, a local government may find that it is not worth the cost to pursue
the defrauder across state lines. Many police departments are not equipped to
investigate Internet crime, and federal enforcement agencies must often focus
on more pressing issues.
"The cost to send two police officers down to Nashville would be thousands of
dollars for a crime that was $700," said James Raymond, a detective in
Fitchburg, Mass., who is pursuing McGooch2002 on behalf of a victim in his
area. "This is over state lines, so it leaves me personally high and dry unless
we get a lot of help from the Tennessee authorities or the federal agencies."
"Even $20,000 on the federal level is considered next to nothing," he added.
Yet scattered complaints can be part of a pattern worth pursuing, since such
criminals rarely prey on only one victim.
"Often these complaints are just the tip of the iceberg," said John Kane, a
research manager with the Internet fraud center. "Suddenly you don't have one
victim with a $200 loss; you have 10 victims and $3,000 in losses."
The Internet Fraud Complaint Center serves as a clearinghouse for complaints
partly so that it can glean patterns from the reports. In aggregate, some of
the cases may be significant enough to attract a federal investigation. Federal
law enforcement officials began several nationwide inquiries over the last
year, including one that resulted in criminal charges against 90 people and
companies. Those fraud schemes, which extended beyond online auctions, bilked
over 56,000 people of more than $117 million.
As Ms. Nordberg helps the police try to track down McGooch2002, she says she
has cooled on Internet auctions. A few weeks ago her fiancé saw a Sony Mavica
camera offered on eBay, but she refused to let him bid. "After I got burned
*****************
Reuters Internet Report
Computer Spy Methods Discovered in LED Lights
Thu Mar 7, 1:43 AM ET
By Elinor Mills Abreu
SAN FRANCISCO (Reuters) - By monitoring the flashes of LED lights on
electronics equipment and the indirect glow from monitors, scientists in the
United States and the United Kingdom have discovered ways to remotely eavesdrop
on computer data.
Optical signals from the little flashing LED (light-emitting diode) lights,
usually red and dotting everything from modems to keyboards and routers, can be
captured with a telescope and processed to reveal all the data passing through
the device, Joe Loughry, a computer programmer at Lockheed Martin Space Systems
in Denver, told Reuters on Wednesday.
"It requires little apparatus, can be done at a considerable distance, and is
completely undetectable," he writes in his paper, "Information Leakage from
Optical Emanations." "In effect, LED indicators act as little free-space
optical data transmitters, like fiber optics but without the fiber."
Not every LED-enabled device is at risk, though. Affected is equipment used in
low-speed, long-distance networks typically found in proprietary networks, such
as ATM (automated teller machines) at banks, as opposed to corporate local area
networks or home Internet connections, Loughry said.
He said he was able to collect a strong optical signal from about 22 yards,
using optical sensor equipment.
"It is interesting to walk around downtown at night in a large city and look up
at the glass windows and you see a lot of computers," Loughry said. "I've seen
racks of equipment with LEDs on them visible from the street. That's kind of
what got me to pursue this."
Loughry began his research on LEDs in 1994 when he was a graduate student at
Seattle University. Asked how computer researchers could have overlooked for so
long something that literally stares them in the face, he said: "I guess nobody
ever looked at it before.
"I was working very late one night and waiting for a long file transfer to
complete and I was just staring at these lights on the front of the modem and
started to wonder if there was anything there," said Loughry.
The solutions are easy -- locate equipment away from windows, put black tape
over LEDs or de-activate them when not in use. Equipment manufacturers also can
modify the devices.
The paper is scheduled to be published later this year in the scientific
journal for the Association for Computing Machinery, called "ACM Transaction on
Information and System Security."
His co-author is his former professor, David Umphress, now a software
engineering professor at Alabama's Auburn University.
**************
ZDNET
Klez worm's a no-show
By David Becker
Special to ZDNet News
March 6, 2002, 2:50 PM PT
URL: http://zdnet.com.com/2100-1105-853923.html
The Klez.e worm packed a miniscule punch after it activated Wednesday, with
antivirus companies reporting little or no damage from the pest.
The worm, which began spreading through e-mail messages in early February, is
set to activate on infected PCs on the sixth day of odd-numbered months,
potentially triggering a barrage of activity that would destroy many common
types of PC files.
By late Wednesday morning, however, antivirus-software company Symantec had no
reports of PCs being damaged by the worm, said Sharon Ruckman, senior director
of the company's Security Response center.
Reports of the worm spreading via e-mail had increased in the past few days,
though, prompting Symantec to boost the threat rating for Klez.e on Wednesday
from Level 2 to 3, on a scale of 5.
The assessment was similar from antivirus-software maker Trend Micro, which
ranked Klez.e as the 12th most active worm on the Internet, well behind more
robust pests such as the Sircam and Nimda worms.
"Apparently, it's pretty much a no-show," said David Perry, public education
director for Trend Micro.
Klez.e's weak punch was largely attributed to there being almost a full month
between the time the worm appeared and when it went active, allowing people
plenty of time to update their antivirus software and stomp out the pest.
"The more time we have, the better it is," Ruckman said. "People have more of a
chance to get updated."
Perry added that Klez.e was fairly unsophisticated for a modern e-mail worm,
enabling a more thorough response. "For this kind of thing, we have much better
protection than a year ago."
Perry noted that Wednesday's Klez.e scare occurred 10 years to the day after
the first major virus panic of the PC era, the Michelangelo virus that sent PC
owners into a tizzy on March 6, 1992. "It's kind of nostalgic for those of us
in the antivirus field," he said.
Meanwhile, a new worm that poses as a Microsoft security update was showing
little signs of spreading. The Gibe worm arrives attached to an e-mail message
supposedly from Microsoft with the subject "Internet Security Update."
Recipients are instructed to open the attached file--named "Q216309.exe"--to
install patches for recently discovered security holes in Microsoft products.
In reality, the file creates programs that help the worm spread via e-mail and
leave the infected PC vulnerable to hackers.
Symantec had received reports from fewer than a dozen users infected by the
Gibe worm as of midday Wednesday, leading it to categorize the pest as a Level
2 threat.
*************
Reuters Internet Report
Report: Half Billion People Have Home Net Access
Thu Mar 7, 4:45 AM ET
HONG KONG (Reuters) - Nearly half a billion people around the world had access
to the Internet from their homes by the end of last year, Nielsen/NetRatings
said Thursday.
The Internet measurement firm said some 498 million people could surf the web
from home by the end of 2001, a jump of 5.1 percent from the figure in
July-September.
People in Asia continued to hook up faster than anywhere else, with home web
access growing 5.6 percent in the last three months of the year from the
previous quarter.
Europeans were next, with connections up 4.9 percent, followed by computer
users in Latin America and the United States, which had respective growth rates
of 3.3 and 3.5 percent.
North America continued to have the largest share of the global Internet
audience at 40 percent. Europe, Middle East and Africa accounted for 27 percent
and Asia 22 percent. Of the eight countries the company monitors in Asia,
Singapore had the highest access rate. Some 60 percent of households in the
island-state of four million people could log on to the Net.
South Korea and Hong Kong ranked second and third at 58 and 56 percent,
respectively.
India ranked last with only seven percent of households enjoying Internet
access. India's Internet subscriber base is not growing quickly because
relatively few people can afford personal computers and access costs can be
high.
"In Asia, homes headed by men with university degrees are most likely to have
Internet access, while age is not a determining factor," said Hugh Bloch,
managing director of Nielsen/NetRatings Asia.
He said the trend was different in Europe and Latin America where household
access to the Internet is skewed toward homes where the head of household is 35
or younger.
************
Federal Executive
March 6, 2002
Bill would reform cybersecurity management
By Joshua Dean
jdean@xxxxxxxxxxx
Legislation introduced Wednesday by Rep. Tom Davis, R-Va., would reform the way
cybersecurity is managed in federal agencies. The bill would also strengthen
the National Institute of Standards and Technology?s role in creating security
standards for federal agencies.
The Federal Information Security Management Act, H.R. 3844, would make the 2000
Government Information Security Reform Act permanent. GISRA required agencies
and their inspectors general to conduct program reviews and audits of
information security practices and to submit their results to OMB. OMB sent its
overview of the security gaps agencies reported to Congress on Feb.13. OMB is
now working with agencies to ensure that the weaknesses exposed in the reports
are fixed. FISMA would make this a yearly process.
FISMA also increases NIST?s role in creating cybersecurity standards for the
federal government. A spokesman for Davis said the 1987 Computer Security Act
and GISRA allow agencies to obtain waivers, effectively freeing them from
following NIST?s recommendations. FISMA would require agencies to follow NIST?s
cybersecurity guidance without exception.
In testimony before the House Government Reform Subcommittee on Government
Efficiency, Financial Management and Intergovernmental relations Wednesday,
Davis stressed that governmentwide IT initiatives such as electronic
procurement, telecommuting, information sharing and e-government are all
vulnerable to cybersecurity threats. Since these initiatives are vital to
strengthening the federal government?s performance, cybersecurity protections
must become institutionalized, he said.
?[My] concerns regarding the pervasive and persistent weaknesses in federal
information security management, infrastructure and accountability remain
strong,? he said.
****************
Government Executive
March 6, 2002
Bush administration creates computer security panel
From National Journal's Technology Daily
The Bush administration's Critical Infrastructure Protection Board is
assembling a committee to focus on information-systems security in the
executive branch and formalizing the panel's responsibilities. The move is
aimed at helping the board and the White House Office of Homeland Security
focus on steps necessary to protect the government's computer systems.
The committee will consist of members from federal agencies that have a role in
security and will be chaired by the Office of Management and Budget.
The administration's e-government chief, Mark Forman, told a House subcommittee
on Wednesday that most of the committee's work will be performed by individual
issue groups that will be dissolved once their work is completed.
The National Institute of Standards Technology (NIST) is one agency that will
be added to the committee "soon," NIST Director Arden Bement said during the
hearing.
****************
Government Executive
March 6, 2002
FEMA outlines e-government goals
By Liza Porteus, National Journal's Technology Daily
The technology chief of the Federal Emergency Management Agency on Wednesday
outlined several initiatives that his department is working on to aid the
implementation of the Bush administration's e-government plan.
The White House has identified 24 e-government initiatives for the Office of
Management and Budget to spearhead under the president's management agenda. OMB
has directed federal agencies to streamline their programs and use technology
to make their government services more accessible.
The Sept. 11 terrorist attacks underscored the need for the federal government
to provide fast and easy access to disaster-related information to citizens,
FEMA Chief Information Officer Ron Miller said at a conference sponsored by
E-Gov. He noted that FEMA's Web site received 3.5 million hits soon after the
attacks.
To better aid the public, FEMA has established Disasterhelp.gov, a site designed
to serve as a one-stop portal for citizens to obtain disaster-relief
information and assistance, Miller said.
FEMA has specific e-government projects it must finish to reach its government
management goals. They include modernizing the National Emergency
Management Information System, establishing publicly accessible map services on
the Web, and placing registration and information forms for Bush's Citizen
Corps program on the Web. Enhancing distance-learning programs also is part of
the agenda. Disasterhelp.gov will consolidate federal and other disaster-relief
programs under one portal and provide links to state and local
emergency-management groups.
The site will require a secure network for information sharing and an automated
transaction-processing system to deal with disaster-relief transactions. It
also will require a database to serve as an information repository.
Miller stressed that FEMA does not want to put large batches of personalized
information into a centralized database--an idea that privacy advocates heavily
criticized during debates over a national identification system tied to such a
database.
Meanwhile, Eligibility Assistance Online, a program currently under FEMA's
purview that aids in citizens' disaster benefits, will be moved to the Labor
Department.
Miller said state and local CIOs will work with FEMA on various e-government
initiatives to aid the homeland security effort. Such initiatives include
online loan applications, e-grants and e-authentication, the latter being a
requirement for most e-government initiatives underway in all agencies, Miller
said, given the vast amounts of information being put on the Web.
"There are a lot more privacy issues out there than there were before so many
government services were online," Miller said.
A key priority for FEMA Director Joe Allbaugh, Miller said, is creating a
public-safety wireless network, which is the "single-most critical information
technology need." "First responders" to emergencies and government officials
have said they need access to a priority network to effectively communicate
with each other during emergencies.
"Whatever the solution is, we've got to solve it and solve it now," Miller
said.
**************
The Washington Post
Russian Spies, They've Got Mail
Thursday, March 7, 2002
By Sharon LaFraniere,
Washington Post Foreign Service
MOSCOW ? Nail Murzakhanov, an Internet provider in Volgograd, knew he might
lose his business license four years ago when he told the Federal Security
Service, Russia's domestic intelligence agency, that he would not give it
access to the e-mail traffic of his 1,500 subscribers.
When the Communications Ministry suspended his license for failure to cooperate
with the intelligence agency, known as the FSB, Murzakhanov filed suit.
Surprisingly, in August 2000, he got his license back. "In the end, I was left
in peace," he said in a phone call from an office filled with brightly colored
computer games.
The standoff was surprising not so much because Murzakhanov won, but because it
occurred at all. Typically, Internet providers in Russia say they do all they
can to satisfy the state security services, even if it means turning over the
password of every client.
That is one telling barometer of the security services' continuing power in
Russia's 11-year-old democracy. In theory, Russians are entitled to as much
privacy in their communications as Americans. Both the Russian constitution and
a 1995 law prohibit law enforcement agencies from monitoring phone calls, pager
messages, radio transmissions, e-mails or Internet traffic without a court
order.
But in practice, critics say, court orders are little more than legal niceties
in Russia. An obscure set of technical regulations issued in the late 1990s
permits total access without ever approaching a judge.
The regulations are known as SORM, the Russian acronym for System for
Operational-Investigative Activities. They require Internet providers to give
their local FSB office whatever hardware, software and fiber-optic lines may be
needed to tap into the provider's system and all its users.
While U.S. law is based on the premise that law enforcement agencies must be
held in check, Russian civil rights advocates say the premise of SORM is that
Russian law enforcement can be trusted to keep itself in check.
"They have all the conditions to abuse their power," said Yuri Vdovin, who
heads Citizens' Watch, a St. Petersburg human rights organization funded by the
Ford Foundation. "The system is on purpose constructed in such a way that there
is no way anyone can control them. A Russian citizen is not protected at all."
Internet providers don't like the system, especially since they promise clients
in their contracts that their e-mail will be kept confidential. But a decade
after perestroika, Russia is still a country where people are not inclined to
fight city hall, much less what was once the secret police.
Eugene Prygoff is the former marketing director of Kuban.net., an Internet
provider in the southwestern Russia city of Krasnodar. He said the vast
majority of providers are simply not willing to risk their licenses to test the
principle of privacy. "They see no sense in putting up resistance. So they work
out a deal with the FSB," he said.
And compared with their counterparts in the West, civil rights organizations
are still scarce and often too weak to challenge the state. Citizens' Watch,
for instance, is working with a group of Russian lawyers to prepare a legal
complaint against SORM. At the same time, the group's 12 employees are working
on issues of freedom of the press, racial discrimination, juvenile crime,
military reform and state secrecy.
Not every provider ends up installing a direct line to the local FSB office,
according to Mikhail Yakushev, head of the legal department at Global One, an
international firm andone of Moscow's biggest Internet providers. Each one
works out its own confidential agreement with the security service, he said. He
stressed that his comments reflected the views of an Internet providers
association, where he heads the legal working group, not Global One.
"In practice SORM is not as abusive as it could be, because the FSB doesn't
have enough qualified staff or special equipment to be as active as they
could," he said.
"But then again, who knows what will happen next year, or next month? The
biggest problem is no one to control them. If there is a line, and equipment
that allows them access, then no one can track them."
Until a Supreme Court ruling in late 2000, the FSB was not even required to
tell providers that its agents were tapping the system. The complaint in that
case was filed by a 26-year-old St. Petersburg journalist, who said he got
tired of waiting for civil rights groups or providers to protest.
Murzakhanov, now 36 and the director of Bayard-Slavia Communications in
Volgograd, 575 miles south of Moscow, is the only provider to publicly raise a
fuss. Murzakhanov said that in 1998, a year after the company opened, FSB
agents presented the firm with a plan to hook up the local FSB offices.
Besides $100,000 worth of hardware, software and computer lines, Murzakhanov
said, the FSB wanted all the tools that he had, as the administrator of the
system. "They could very easily have read all the clients' passwords. And once
they learned the passwords, they could have controlled online all the e-mail
traffic," he said. "They could have read or rewritten an e-mail even before the
receiver got it, and the user would never know."
His refusal to sign the FSB's plan brought untold headaches. He said his
business was audited or inspected at least 15 times for compliance with fire,
epidemiological, sanitation, labor protection and tax codes.
The FSB also switched off his main data transmission line, he said, forcing him
to rely on low-quality, dial-up channels. His business license was suspended
for six months. Only after Communications Ministry officials failed to show up
for four court hearings did he recover it.
Murzakhanov said the ministry deliberately punted. "They didn't want to expose
the entire system of pressuring providers. They decided it was better to lose
and to keep the cover on the system."
So far, no other provider is eager to follow the Volgograd example, said
Anatoly Levenchuk, an Internet expert in Moscow who first revealed the SORM
requirements.
"They all say his case shows all the trouble you can have if you try to oppose
the authorities," he said.
*************
The Washington Post
Charges Of the Site Brigade
By Leslie Walker
Thursday, March 7, 2002; Page E01
Hold on to your wallet: This may go down in Internet history as the year
millions of people started paying for online content. My digital radar shows a
blip of activity in electronic subscriptions, enough to make me think real
online businesses are finally being born.
In case you hadn't heard, fee replaced free as the Internet's rallying cry last
year after advertising sales hit the skids. Hundreds of Web sites slapped
subscription gates on their content or began charging for premium services.
Advertising-supported content did not totally disappear. Rather, it
increasingly coexists with paid services.
But the trend raises two huge questions -- how much people are willing to pay,
and who will be the chief money collectors for new media.
Analysts are watching closely to see whether some content owners will be able
to bypass America Online, Yahoo and other Internet networks to collect
subscription fees directly from consumers, as magazines and newspapers do. The
outcome has major implications for both traditional media and the
telecommunications industry, which controls the Internet transmission pipes.
It seems every day another company announces plans to charge for all or part of
its Web content. This week the British-based newspaper Financial Times said it
will soon stop giving away much of its online edition. As part of a redesign of
its Web site, FinancialTimes.com plans to ask users to pay as much as $140
annually for access to its best content, including detailed analyses and
reports on particular industries and countries.
"It's a critical piece of our revenue plan for 2002," said Zach Leonard, chief
operating officer for FinancialTimes.com.
The company will not go to a fully paid model, in part because ad revenue
jumped 26 percent at the site last year, despite the global decline in
advertising. "With advertising being so critical to us, it would be risky
business to put the entirety of the site behind the veil," Leonard said.
Indeed, several American newspapers saw a drop in traffic to their sites after
they started charging for access.
Tulsa World, an Oklahoma daily, reports that nearly 3,000 non-print subscribers
have signed up for its $45-a-year Web subscriptions. But traffic to its Web
site dropped 25 percent after it switched to paid access last summer, according
to online publisher Dilene Crockett. The Albuquerque Journal made a similar
move and reported a Web traffic drop of about 40 percent.
At larger news sites that still rely on advertising, the prevailing trend is to
add premium content. The New York Times Digital, for example, collected $1.4
million last year from special Web products such as bundles of articles and
electronic crosswords, which have 35,000 subscribers. Another 2,200 people are
paying to receive an electronic edition that visually replicates the printed
New York Times. (So far, washingtonpost.com, the Web edition of this newspaper,
doesn't offer premium content.)
CNet Networks, a technology news publisher, plans to start charging soon for
some of its e-mail newsletters and Web games.
"One of the surprises now is that you are seeing the beginning of traction
around providing paid content and services," said Shelby Bonnie, chief
executive of CNet Networks.
Who would have guessed, for example, that 900,000 people would ante up $12 for
the privilege of sending e-mail greetings? That's how many people American
Greetings Corp. says have bought annual subscriptions to one of its three
sites, BlueMountainArts.com, AmericanGreetings.com and eGreetings, since they
began charging for some greetings last fall.
The four largest online portals -- America Online, Microsoft's MSN, Yahoo and
Terra Lycos -- have been adding paid services of their own to supplement their
revenue from advertising and Internet access. AOL, MSN and Yahoo now offer one
of the two new Internet music subscription services, MusicNet and PressPlay,
with monthly prices ranging from $10 to $25. MSN, meanwhile, reports that
300,000 people are already paying extra for its premium services, such as the
$12 a year it charges for e-greetings, $6 a month for bill payments and $20 a
year for extra storage at Hotmail.com.
Perhaps more interesting than the paid content at the portals, though, is a new
subscription service from streaming-media pioneer RealNetworks. Few analysts
would have guessed that RealNetworks would get half a million people to pay $10
to $20 a month to watch the streaming music and video service it rolled out in
December. One of the most closely watched experiments, the RealOne bundle
features video clips from major-league baseball, entertainment news, FoxSports,
CNN news and commercial-free versions of ABC's World News Tonight. RealNetworks
reported last month that its paid subscriptions had broken the half-million
mark.
"This is a watershed moment for the growth of video on the Internet," said
Bernie Gershon, general manager of ABCNews.com, citing improvements in the
quality of Internet video and the increasing willingness of people to pay for
video on demand.
To make sure its paid video is exclusive, ABC News recently yanked the free
video footage it had been distributing through Yahoo.com. While Yahoo pays
little or nothing to license content, RealNetworks is paying content providers
in a subscription-sharing model that is based partly on usage and resembles the
model for cable TV.
Fox Sports made a similar move, stripping free video off its Web site to
enhance the likelihood that people would pay for it. Even CNN, until now the
leader in distributing free news video online, announced this week that it,
too, will remove most of its free video from CNN.com so it will be exclusive to
paid services such as RealOne.
All of this must disappoint those who believe the Internet's essence is about
the free sharing of information. The reality is the Internet affects almost
every imaginable human activity -- research, personal communication, education,
medicine, government and, of course, the money-obsessed corporate world. That
makes it highly unlikely any one financial model will prevail.
*********************
Los Angeles Times
IN BRIEF / TECHNOLOGY
Computer Virus Hits UBS PaineWebber
Bloomberg News
March 7 2002
UBS PaineWebber's computer network was infected with a virus that has hindered
brokers' ability to execute trades and retrieve client data.
The firm said it was working to repair the problem and was investigating how
the virus made its way into the internal browser-based system, blocking access
to data and trade execution methods. The virus forced brokers to use back-up
systems and phone trades to the NYSE.
If you want other stories on this topic, search the Archives at
latimes.com/archives. For information about reprinting this article, go to
www.lats.com/rights.
********************
USA Today
Official: U.S. studying Cuba's ability to disrupt Net
WASHINGTON (AP) ? The Bush administration has begun a review of Cuba policy
that will include an assessment of whether Cuba can disrupt U.S. military
communications through the Internet, a senior official says.
That issue will be examined along with others to determine Cuba's potential to
damage U.S. interests, the official said.
The senior official, asking not to be identified, said Cuba's involvement in
international terrorism also will be part of the review.
In addition, the administration is examining the possibility of seeking an
indictment against President Fidel Castro in the 1996 shootdown by MiG jet
fighters of two Miami-based private planes near Cuban air space, the official
said.
Thus far, the centerpiece of President Bush's Cuba policy has been support of
the U.S. embargo against Cuba. But the official's comments suggested the
administration has a more proactive agenda in mind for countering Castro.
A year ago, Vice Adm. Thomas Wilson, director of the Defense Intelligence
Agency, told a congressional hearing that Cuba has the potential to use
"information warfare or computer network attack" to disrupt "our access or flow
of forces to the region."
Wilson declined to discuss the matter further in open session, and the
administration has not commented publicly on the subject since then. The senior
official said Cuba's ability to engage in cyberattacks is part of the policy
review. Castro has dismissed Wilson's comments as "craziness."
Richard Clarke, the White House technology adviser, said in testimony in
February before a Senate Judiciary subcommittee, that the United States could
respond militarily against a foreign government in the event of a cyberattack.
"We reserve the right to respond in any way appropriate: through covert action,
through military action, any one of the tools available to the president,"
Clarke said.
He said Iran, Iraq, North Korea, China, Russia and other countries already have
people trained in Internet warfare. He did not mention Cuba.
Cuba is on the State Department terrorist country list, a designation based on
ties Cuba maintains with other countries on the list, including Iraq, and the
haven Cuba provides for foreigners linked to alleged terrorist organizations.
As a result of the policy review, the Cuba section of the next State Department
terrorism report, due next month, may add to the rationale for keeping Cuba on
the list.
Castro argues that Cuba has been the victim of a Miami-based terrorism campaign
that dates back 40 years and has claimed, he says, thousands of lives.
As for the embargo, Bush has said he will oppose "any effort to weaken
sanctions against the Cuban government until it respects Cubans' basic human
rights and civil rights, frees political prisoners and holds free and
democratic elections."
But there is strong sentiment in Congress to lift restrictions on travel by
Americans to Cuba. The worst nightmare of pro-embargo stalwarts is the specter
of Americans filling Cuba's tourist hotels and, in the process, leaving behind
hundreds of millions in dollars for Cuba's cash-starved government.
The senior official raised the possibility of a presidential veto if the travel
restrictions are eased. At present, travel is permitted by journalists and some
other categories of Americans who have a professional interest in Cuba. But
tourism has been barred for years.
*****************
USA Today
Digital cinema still a galaxy away
By Andy Seiler, USA TODAY
LAS VEGAS ? Rick McCallum knew he had the hottest ticket at the ShoWest movie
industry convention when he hosted a showing of exclusive Star Wars footage at
the ShoWest convention Tuesday night. So McCallum, who produced Episode II:
Attack of the Clones, wasted no time in making his pitch.
George Lucas shot this film digitally, without film, McCallum told the crowd of
theater owners and operators. It's the best way, and theater owners need to
switch.
"Does anyone think we would be reckless enough to use $100 million of our own
money" unless it were the wave of the future? he asked. McCallum's remarks were
later called a defining moment in the history of movies.
Yet theater owners were not relishing it. Some said they couldn't see why they
should switch and wondered who would pay for what could be the biggest change
since the movies learned to talk.
With digital distribution, movies would be sent by satellite, the Net or on
high-definition DVDs instead of on film, eliminating cumbersome reels and high
shipping costs. Proponents also say the technology would result in
crystal-clear pictures that would remain pristine week after week. Seems like
an obvious improvement, but there are obstacles.
"There are a host of questions on digital cinema that have prevented a massive
roll-out," says John Fithian, president of the National Association of Theater
Owners, which sponsors ShoWest. "The need for uniform global technical
standards" is one problem, he said. "We can't have incompatible,
non-interoperable systems."
Quality is another issue. "It is very good, some say it is as good as
35-millimeter film," he says. "So what? It has to be better. There's no reason
to make the biggest transition in the history of the theater business unless
the quality is better."
And there's the cost. "A top-of-the-line film projector costs $30,000 and will
last 20 years," he says. A digital film projector costs $150,000 and will last
for two "until the next generation comes out."
Even McCallum says he has no idea who will pay for a digital switch. Some have
suggested that the movie studios, coming off their best year ever, should chip
in and help the financially strapped theater chains, some of which are emerging
from bankruptcy protection.
Will digital cinema arrive before the final installment of Star Wars in another
two years? It doesn't seem likely.
Fithian says it will happen ? but in good time.
"We at NATO have been accused of trying to stall the onset of digital cinema,"
he says. "This one ticks me off. We just want to get it right."
***************
Federal Computer Week
Agencies outline security changes
BY Diane Frank
March 7, 2002Printing? Use this version.
Email this to a friend.
Federal agencies are reviewing old security programs and kicking off new ones
in response to the deficiencies discovered during the self-assessments required
by Congress, officials testified March 6.
Energy and Defense department officials outlined several major changes in their
information security policies and practices as they testified before a hearing
of the House Government Reform Committee's Government Efficiency, Financial
Management and Intergovernmental Relations Subcommittee.
The changes include new system certification, employee training and policy
compliance programs.
At Energy, that means increasing security education and awareness programs to
ensure that "every member of the department's infrastructure is aware that
cybersecurity is an integral part of his or her job," said Karen Evans, the new
chief information officer at Energy.
The department also is developing new programs, such as a departmentwide
certification and accreditation process for all of its unclassified systems to
complement the process already in place on the classified side, she said.
All of these programs are being developed by a working group made up of
officials from every portion of the department to ensure buy-in at all levels,
she said.
The DOD assessment found that while the department has good security policies,
practices and procedures, it does little verification of compliance despite
initiatives such as the DOD Information Technology Security Certification and
Accreditation Program (DITSCAP), said Robert Gorrie, deputy director of the
Defensewide Information Assurance Program.
The problem will not be solved by stricter audits and enforcement of the
DITSCAP, he said. Instead "non-compliance is more a symptom of the complexity
of that process and the clarity of its implementing policy," Gorrie said.
So now the DITSCAP is undergoing a "dramatic modification in policy as well as
implementation," he said. The department is also looking at possible automated
tools to ease the documentation burden on security and system administrators,
he said
************
Federal Computer Week
USPS cancels secure e-mail biz
BY William Matthews
March 7, 2002Printing? Use this version.
Email this to a friend.
The U.S. Postal Service has decided to get out of the secure e-mail business
and is pulling the plug on its PosteCS service.
Unable to make money on the service or find a buyer for it, USPS will
discontinue the e-mail initiative, said Postal Service spokeswoman Sue Brennan.
PosteCS is a Web-based service designed to deliver digital files that are too
large for some commercial e-mail services and to deliver electronic documents
that require timely receipt and assurance against tampering. Documents could be
stamped with an electronic postmark to verify the time, date and place of
origin and receipt.
The service was intended mainly for commercial customers such as those who
transfer sensitive legal documents or large graphic files. But it never
generated revenue.
"The issue of profitability is a huge issue for us now," Brennan said.
During 2001, the Postal Service experienced $1.7 billion in operating losses
and faces an additional $5 billion in losses because of the October anthrax
attacks and the Sept. 11 terrorist attacks.
As a result, the Postal Service is re-evaluating all of its e-commerce
initiatives, Brennan said. They include an online store that sells stamps,
T-shirts, coffee cups and other souvenirs; an online billing and bill-paying
service; an electronic greeting card store; and a money transferring service.
PosteCS was launched in May 2000, at a time when Internet industry analysts
were predicting an explosion of online commerce, Brennan said. Instead, they
were confronted with the dot-com meltdown.
"Demand has changed," Brennan said.
"We are pleased that they are discontinuing it," said Jason Mahler, vice
president of the Computer and Communications Industry Association. The CCIA has
been critical of the Postal Service, the Internal Revenue Service and other
government entities that have ventured into online services that compete with
commercial ventures.
However, it is questionable whether PosteCS actually competed with the
commercial sector. "We were somewhat befuddled that they were trying to make a
go of this business because we didn't foresee any significant demand for
electronic postmarks," Mahler said. "There are various other means of verifying
that kind of information if you are desirous of doing so."
************
Federal Computer Week
DOD advancing high-tech projects
BY Dan Caterinicchia
March 6, 2002Printing? Use this version.
Email this to a friend.
The Defense Department has approved funding for 15 new technology projects,
ranging from miniscule unmanned aerial vehicles to homeland security
coordination among the nation's first responders, as part of a program designed
to rapidly field these advanced concepts.
Sue Payton, deputy undersecretary of Defense for advanced systems and concepts,
announced the Advanced Concept Technology Demonstration (ACTD) projects for
fiscal 2002, and said about 30 past ACTD products are supporting the nation's
counterterrorism initiatives.
"The primary role of my team at the Pentagon is to rapidly transition
technologies from the defense and commercial developers into the hands of the
warfighter," she said during a March 5 Pentagon briefing.
One new program that will be tested soon is a homeland security package
designed to coordinate the efforts of state and local first responders with DOD
personnel.
The ACTD homeland security project will provide secure, interagency network
connectivity to ensure that emergency workers don't face the radio, telephone
and digital communications breakdowns that occurred after the Sept. 11
terrorist attacks, Payton said.
"This is basically a communications project, but it's also about getting data
together for situational awareness," Payton said. She added that a
demonstration would take place next month in New Orleans with assorted
government agencies responding to a terrorist attack scenario.
Three ACTDs selected for initiation in fiscal 2002 are classified, but Payton
identified three others as being the most likely to be fielded in the next six
months to a year:
* Micro Air Vehicle An autonomous 6- to 9-inch disposable vehicle designed to
provide small ground combat units with situational awareness of enemy activity,
which could be especially useful in urban areas.
* Pathfinder An integration of unattended ground vehicles, unmanned air
vehicles and smart sensors in a mobile network providing enhanced situational
awareness, command, control and communications to commanders and assault forces
for urban reconnaissance.
* Agile Transportation A system that shows transportation requirements and
assets, similar to the commercial capabilities of companies like Federal
Express.
The remaining information technology-intensive ACTD projects include:
* Coalition Information Assurance Common Operational Picture Details the
information system security status of all mission-critical systems on a near-
or real-time basis in support of commander-in-chief and coalition missions.
* HYCAS A hyperspectral collection and analysis system with sensors integrated
onto operational platforms and into existing architectures in support of
deception intelligence operations.
* Joint Explosive Ordnance Disposal-Knowledge and Technology Operational
Demonstration A system that provides a new integrated capability for joint and
coalition explosive ordnance disposal forces and will include an always-on
telelink from field officers to experts via a handheld device.
* Language and Speech Exploitation Resources A system that automates the
translation of spoken or written languages, for quickly translating documents,
debriefing witnesses and supporting communication in coalition operations.
The total funding for the 15 approved ACTD projects is $159 million from the
advanced systems and concepts office but will significantly increase when the
military services decide what their contributions will be, Payton said.
******************
Federal Computer Week
New fiber net may be lifesaver
BY Dibya Sarkar
March 5, 2002
Had the new 100-mile high-speed fiber-optic network been in place in Arlington
County, Va., on Sept. 11, communications in response to the attack on the
Pentagon would have been smooth and effective, said the county's chief
information officer, Jack Belcher.
"On Sept. 11, we were totally disorganized from a communications standpoint,"
said Belcher, referring to phone congestion problems. But with I-Net, which
stands for Institutional Network, the county's infrastructure can handle voice,
video and data 650 times faster than it could before, and it is redundant and
secure.
"When will this network be saturated? Regrettably, we won't be alive to see
it," he said.
The network is so fast, said Barry Kane, executive vice president for Signal
Corp., that it takes only 11 seconds to transmit 11M of information, something
that would have taken 11 minutes on the old network.
The system, which has been in development since 1998, was created through a
partnership of Signal, Verizon Communications, Cisco Systems Inc. and Comcast
Corp. Kane said such an arrangement is unusual for such a large project, where
a prime contractor usually subcontracts work out to other companies. "I had my
doubts, but it's worked extremely well," he said, adding it could serve as a
model for how other projects are done in the future.
So far, all the county's fire stations have been connected. By July, the county
hopes to connect all 41 county buildings and 39 school buildings, Belcher said,
adding that the county also is reaching out to hospitals and the public health
community. Discussions also are under way to connect to the Ronald Reagan
Washington National Airport. The cost to link up all county facilities is
estimated at $2.4 million.
Last week, the county demonstrated the network's possibilities with a mock
bioterrorism scenario, Belcher said. Several county officials spoke with one
another in real time from different locations through "theater quality"
videoconferencing, supplied by Norway-based Tandberg LLC, he said. If a patient
in a hospital had a suspicious lesion on his or her arm, hospital personnel
could convey that image in real time through videoconferencing to experts in
other parts of the country, he explained.
Users also could use the network for Internet telephony, saving the county
about $2 million a year in leased T1 lines and annual telephone fees. In an
emergency, Belcher said the system would not be congested.
We're going to "enable government in ways unimagined before," said Belcher.
"I have not yet found a jurisdiction that approaches the capacity that we have
laid down," he said.
**************
Federal Computer Week
County targets enterprisewide GIS
BY Brian Robinson
March 4, 2002
Will County, one of the fastest-growing counties in Illinois, will use
geographic information systems to build a virtual network of geographical data
users and producers that will not only include the government's departments and
agencies but, eventually, all of the county's towns and municipalities.
SD.I, a Chicago-based IT consulting firm, is conducting a needs assessment that
could be delivered to the county's executive council by July. It also will
develop an implementation plan that will lay out a three- to five-year program
for deploying the system.
"We've had a base map of the county prepared for a long time, and our
departments have been chomping at the bit to use [countywide GIS]," said Bruce
Freifeld, executive special assistant to the executive council. "But we need to
get data into the system, and there's been no overall architectural plan about
how to develop it to meet those needs."
The county also will develop a cost and data-sharing program between all of the
system's users.
The enterprisewide GIS likely will be a distributed system rather than one
organized around a central database, said Doug Roberts, the SD.I project
manager, because government departments and other organizations have indicated
they would like to keep their own GIS databases. Power uses would be linked to
the system directly through desktop computers, he said, and "light" userswill
access it via the Web.
A menu of user privileges will decide who has the ability to write to and
manipulate the GIS data layers.
GIS has become "such a dominant player" that Freifeld believes it could
eventually consume other information technology and management information
systems functions and become the major driver for technology development in the
county.
*****************
Federal Computer Week
States round up 511 resources
BY Dibya Sarkar
Eight states, from Alaska to Maine, are pooling resources and expertise to
develop a 511 voice-enabled phone service for travelers.
Led by the Iowa Department of Transportation (www.dot.state.ia.us), the
multistate consortium received $700,000 from the Federal Highway Administration
to help pay for system design and software development. Each state also is
providing a 20 percent matching fund that should boost total funds to nearly
$900,000.
John Whited, the Iowa DOT's project manager of advanced transportation
technology, said the participating states currently deliver traveler
information in various forms, including via the Internet and telephone hot
lines.
He said the states would use Voice XML (Extensible Markup Language) standards
and technology to create a voice-enabled traveler service similar to what Utah
unveiled in December. Once connected with that system, callers find information
by speaking keywords instead of punching numbers.
Whited added that by outsourcing calls to call centers in participating states
? thus spanning several time zones ? high call volumes during peak times can be
shifted throughout the system, reducing congestion and costs.
In addition to Iowa, the participating states are Alaska, Kentucky, Maine,
Minnesota, New Hampshire, New Mexico and Vermont. Kentucky, which has
established a 511 system in the northern part of the state ? in the Cincinnati
metropolitan region ? joined the consortium most recently.
In 1999, Iowa was among four states ? Minnesota, Missouri and Washington were
the other ? that formed a partnership to develop the Condition Acquisition and
Reporting System. CARS gives access to data on road conditions, work zones and
incident management information collected via the World Wide Web. He said the
511 consortium was built on that initial partnership and is always seeking new
members.
Iowa, which currently offers a toll-free telephone number and a Web site for
road conditions and construction, plans to unveil a 511 system next winter,
Whited said. He added that the system also could provide information on special
events, trip planning and local tourist sites. He said each state would deploy
the 511 service in some form within a year. The Federal Communications
Commission designated 511 as a traveler's information number in July 2000, but
it allowed each state to develop its own system. The FCC plans to review the
national progress of 511 in 2005.
In related news, Virginia recently launched 511 service in the western part of
the state, providing traffic and road condition updates from both landline and
wireless phones. The system eventually will be deployed statewide.
Virginia's system is built on an Internet-based telecommunications network by
Tellme Networks Inc., which helped develop Utah's voice-enabled 511 system.
***************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711