Clips June 27, 2002
- To: "Lillie Coney":;, Gene Spafford <spaf@xxxxxxxxxxxxxxxxx>;, Jeff Grove <jeff_grove@xxxxxxx>;, goodman@xxxxxxxxxxxxx;, David Farber <dave@xxxxxxxxxx>;, CSSP <cssp@xxxxxxx>;, glee@xxxxxxxxxxxxx;, Charlie Oriez <coriez@xxxxxxxxx>;, John White <white@xxxxxxxxxx>;, Andrew Grosso<Agrosso@xxxxxxxxxxxxxxxx>;, computer_security_day@xxxxxxx;, ver@xxxxxxxxx;, lillie.coney@xxxxxxx;, v_gold@xxxxxxx;, harsha@xxxxxxx;, KathrynKL@xxxxxxx;, akuadc@xxxxxxxxxxx;
- Subject: Clips June 27, 2002
- From: Lillie Coney <lillie.coney@xxxxxxx>
- Date: Thu, 27 Jun 2002 15:39:55 -0400
Clips June 27, 2002
ARTICLES
Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say
Internet Body Proposes Reforms to Fight Web 'Squatters'
FEMA speeds up plans for new architecture and portal
Giuliani lauds IT's role in management, endorses national IDs
Publishers Sue Gator Over Web Ad Tactics
Microsoft Agrees to Alter a Special Service for Children
Spam: An Escalating Attack of the Clones
Manager of FBI computer overhaul resigns
File-sharing jamming proposed
Piracy fight gets serious
OMB takes aim at redundant IT
Military, FEMA test communications
'Tribalism' may defeat Homeland
Tech managers targeted by cyber criminals
Kiss your MP3s at work goodbye
Critical hole found in encryption program
Police database brings feature searching
****************************
Cyber-Attacks by Al Qaeda Feared
Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say
By Barton Gellman
Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police
department began investigating a suspicious pattern of surveillance against
Silicon Valley computers. From the Middle East and South Asia, unknown
browsers were exploring the digital systems used to manage Bay Area
utilities and government offices. Hsiung, a specialist in high-technology
crime, alerted the FBI's San Francisco computer intrusion squad.
Working with experts at the Lawrence Livermore National Laboratory, the FBI
traced trails of a broader reconnaissance. A forensic summary of the
investigation, prepared in the Defense Department, said the bureau found
"multiple casings of sites" nationwide. Routed through telecommunications
switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied
emergency telephone systems, electrical generation and transmission, water
storage and distribution, nuclear power plants and gas facilities.
Some of the probes suggested planning for a conventional attack, U.S.
officials said. But others homed in on a class of digital devices that
allow remote control of services such as fire dispatch and of equipment
such as pipelines. More information about those devices -- and how to
program them -- turned up on al Qaeda computers seized this year, according
to law enforcement and national security officials.
Unsettling signs of al Qaeda's aims and skills in cyberspace have led some
government experts to conclude that terrorists are at the threshold of
using the Internet as a direct instrument of bloodshed. The new threat
bears little resemblance to familiar financial disruptions by hackers
responsible for viruses and worms. It comes instead at the meeting points
of computers and the physical structures they control.
U.S. analysts believe that by disabling or taking command of the floodgates
in a dam, for example, or of substations handling 300,000 volts of electric
power, an intruder could use virtual tools to destroy real-world lives and
property. They surmise, with limited evidence, that al Qaeda aims to employ
those techniques in synchrony with "kinetic weapons" such as explosives.
"The event I fear most is a physical attack in conjunction with a
successful cyber-attack on the responders' 911 system or on the power
grid," Ronald Dick, director of the FBI's National Infrastructure
Protection Center, told a closed gathering of corporate security executives
hosted by InfraGard in Niagara Falls on June 12.
In an interview, Dick said those additions to a conventional al Qaeda
attack might mean that "the first responders couldn't get there . . . and
water didn't flow, hospitals didn't have power. Is that an unreasonable
scenario? Not in this world. And that keeps me awake at night."
'Bad Ones and Zeros'
Regarded until recently as remote, the risks of cyber-terrorism now command
urgent White House attention. Discovery of one acute vulnerability -- in a
data-encoding standard known as ASN.1, short for Abstract Syntax Notation
One -- rushed government experts to the Oval Office on Feb. 7 to
brief President Bush. The security flaw, according to a subsequent written
assessment by the FBI, could have been exploited to bring down telephone
networks and halt "all control information exchanged between ground and
aircraft flight control systems."
Officials said Osama bin Laden's operatives have nothing like the
proficiency in information war of the most sophisticated nations. But al
Qaeda is now judged to be considerably more capable than analysts believed
a year ago. And its intentions are unrelentingly aimed at inflicting
catastrophic harm.
One al Qaeda laptop found in Afghanistan, sources said, had made multiple
visits to a French site run by the Société Anonyme, or Anonymous Society.
The site offers a two-volume online "Sabotage Handbook" with sections on
tools of the trade, planning a hit, switch gear and instrumentation,
anti-surveillance methods and advanced techniques. In Islamic chat rooms,
other computers linked to al Qaeda had access to "cracking" tools used to
search out networked computers, scan for security flaws and exploit them to
gain entry -- or full command.
Most significantly, perhaps, U.S. investigators have found evidence in the
logs that mark a browser's path through the Internet that al Qaeda
operators spent time on sites that offer software and programming
instructions for the digital switches that run power, water, transport and
communications grids. In some interrogations, the most recent of which was
reported to policymakers last week, al Qaeda prisoners have described
intentions, in general terms, to use those tools.
Specialized digital devices are used by the millions as the brains of
American "critical infrastructure" -- a term defined by federal directive
to mean industrial sectors that are "essential to the minimum operations of
the economy and government."
The devices are called distributed control systems, or DCS, and supervisory
control and data acquisition, or SCADA, systems. The simplest ones collect
measurements, throw railway switches, close circuit-breakers or adjust
valves in the pipes that carry water, oil and gas. More complicated
versions sift incoming data, govern multiple devices and cover a broader area.
What is new and dangerous is that most of these devices are now being
connected to the Internet -- some of them, according to classified "Red
Team" intrusion exercises, in ways that their owners do not suspect.
Because the digital controls were not designed with public access in mind,
they typically lack even rudimentary security, having fewer safeguards than
the purchase of flowers online. Much of the technical information required
to penetrate these systems is widely discussed in the public forums of the
affected industries, and specialists said the security flaws are well known
to potential attackers.
Until recently, said Director John Tritak of the Commerce Department's
Critical Infrastructure Assurance Office, many government and corporate
officials regarded hackers mainly as a menace to their e-mail.
"There's this view that the problems of cyberspace originate, reside and
remain in cyberspace," Tritak said. "Bad ones and zeros hurt good ones and
zeros, and it sort of stays there. . . . The point we're making is that
increasingly we are relying on 21st century technology and information
networks to run physical assets." Digital controls are so pervasive, he
said, that terrorists might use them to cause damage on a scale that
otherwise would "not be available except through a very systematic and
comprehensive physical attack."
'Mapping Our Vulnerabilities'
The 13 agencies and offices of the U.S. intelligence community have not
reached consensus on the scale or imminence of this threat, according to
participants in and close observers of the discussion. The Defense
Department, which concentrates on information war with nations, is most
skeptical of al Qaeda's interest and prowess in cyberspace.
"DCS and SCADA systems might be accessible to bits and bytes," Assistant
Secretary of Defense John P. Stenbit said in an interview. But al Qaeda
prefers simple, reliable plans and would not allow the success of a
large-scale attack "to be dependent on some sophisticated, tricky cyber
thing to work."
"We're thinking more in physical terms -- biological agents, isotopes in
explosions, other analogies to the fully loaded airplane," he said. "That's
more what I'm worried about. When I think of cyber, I think of it as
ancillary to one of those."
White House and FBI analysts, as well as officials in the Energy and
Commerce departments with more direct responsibility for the civilian
infrastructure, describe the threat in more robust terms.
"We were underestimating the amount of attention [al Qaeda was] paying to
the Internet," said Roger Cressey, a longtime counterterrorism official who
became chief of staff of the President's Critical Infrastructure Protection
Board in October. "Now we know they see it as a potential attack vehicle.
Al Qaeda spent more time mapping our vulnerabilities in cyberspace than we
previously thought. An attack is a question of when, not if."
Ron Ross, who heads a new "information assurance" partnership between the
National Security Agency and the National Institute of Standards and
Technology, reminded the InfraGard delegates in Niagara Falls that, after
the Sept. 11 attacks, air traffic controllers brought down every commercial
plane in the air. "If there had been a cyber-attack at the same time that
prevented them from doing that," he said, "the magnitude of the event could
have been much greater."
"It's not science fiction," Ross said in an interview. "A cyber-attack can
be launched with fairly limited resources."
U.S. intelligence agencies have upgraded their warnings about al Qaeda's
use of cyberspace. Just over a year ago, a National Intelligence Estimate
on the threat to U.S. information systems gave prominence to China, Russia
and other nations. It judged al Qaeda operatives as "less developed in
their network capabilities" than many individual hackers and "likely to
pose only a limited cyber-threat," according to an authoritative
description of its contents.
In February, the CIA issued a revised Directorate of Intelligence
Memorandum. According to officials who read it, the new memo said al Qaeda
had "far more interest" in cyber-terrorism than previously believed and
contemplated the use of hackers for hire to speed the acquisition of
capabilities.
"I don't think they are capable of bringing a major segment of this country
to its knees using cyber-attack alone," said an official representing the
current consensus, but "they would be able to conduct an integrated attack
using a combination of physical and cyber resources and get an
amplification of consequences."
Counterterrorism analysts have known for years that al Qaeda prepares for
attacks with elaborate "targeting packages" of photographs and notes. But,
in January, U.S. forces in Kabul, Afghanistan, found something new.
A computer seized at an al Qaeda office contained models of a dam, made
with structural architecture and engineering software, that enabled the
planners to simulate its catastrophic failure. Bush administration
officials, who discussed the find, declined to say whether they had
identified a specific dam as a target.
The FBI reported that the computer had been running Microstran, an advanced
tool for analyzing steel and concrete structures; Autocad 2000, which
manipulates technical drawings in two or three dimensions; and software
"used to identify and classify soils," which would assist in predicting the
course of a wall of water surging downstream.
To destroy a dam physically would require "tons of explosives," Assistant
Attorney General Michael Chertoff said a year ago. To breach it from
cyberspace is not out of the question. In 1998, a 12-year-old hacker,
exploring on a lark, broke into the computer system that runs Arizona's
Roosevelt Dam. He did not know or care, but federal authorities said he had
complete command of the SCADA system controlling the dam's massive floodgates.
Roosevelt Dam holds back as much as 1.5 million acre-feet of water, or 489
billion gallons. That volume could theoretically cover the city of
Phoenix, down river, to a height of five feet. In practice, that could not
happen. Before the water reached the Arizona capital, the rampant Salt
River would spend most of itself in a flood plain encompassing the cities
of Mesa and Tempe -- with a combined population of nearly a million.
'Could Have Done Anything'
In Queensland, Australia, on April 23, 2000, police stopped a car on the
road to Deception Bay and found a stolen computer and radio transmitter
inside. Using commercially available technology, Vitek Boden, 48, had
turned his vehicle into a pirate command center for sewage treatment along
Australia's Sunshine Coast.
Boden's arrest solved a mystery that had troubled the Maroochy Shire
wastewater system for two months. Somehow the system was leaking hundreds
of thousands of gallons of putrid sludge into parks, rivers and the
manicured grounds of a Hyatt Regency hotel. Janelle Bryant of the
Australian Environmental Protection Agency said "marine life died, the
creek water turned black and the stench was unbearable for residents."
Until Boden's capture -- during his 46th successful intrusion -- the
utility's managers did not know why.
Specialists in cyber-terrorism have studied Boden's case because it is the
only one known in which someone used a digital control system deliberately
to cause harm. Details of Boden's intrusion, not disclosed before, show how
easily Boden broke in -- and how restrained he was with his power.
Boden had quit his job at Hunter Watertech, the supplier of Maroochy
Shire's remote control and telemetry equipment. Evidence at his trial
suggested that he was angling for a consulting contract to solve the
problems he had caused.
To sabotage the system, he set the software on his laptop to identify
itself as "pumping station 4," then suppressed all alarms. Paul Chisholm,
Hunter Watertech's chief executive, said in an interview last week that
Boden "was the central control system" during his intrusions, with
unlimited command of 300 SCADA nodes governing sewage and drinking water
alike. "He could have done anything he liked to the fresh water," Chisholm
said.
Like thousands of utilities around the world, Maroochy Shire allowed
technicians operating remotely to manipulate its digital controls. Boden
learned how to use those controls as an insider, but the software he used
conforms to international standards and the manuals are available on the
Web. He faced virtually no obstacles to breaking in.
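As an added illustration of the pattern the article describes (a rogue radio claiming an existing station's identity, then inhibiting alarms), the following Python is example code written for this page, not software from Hunter Watertech, Maroochy Shire or the article. It assumes a constructed line-oriented master-station log with node, src and type fields; the log format, the station and radio names, and the sample lines are all assumptions.

```python
"""Flag a spoofed station identity and alarm suppression in a telemetry log.

Added example (not from the article). The log format below is an
assumption: one line per message with a timestamp, the node id the sender
claims, the radio/source id the master actually heard it from, and a
message type. Real masters expose this differently, if at all.
"""
import re
from collections import defaultdict

# Constructed sample: RADIO-77 starts claiming to be pumping station 4
# (PS4), whose real radio is RADIO-04, then inhibits alarms and commands
# the pump off while the genuine station keeps reporting.
SAMPLE_LOG = """\
2000-03-01T02:00:00 node=PS4 src=RADIO-04 type=TELEMETRY level=1.2
2000-03-01T02:01:00 node=PS4 src=RADIO-04 type=TELEMETRY level=1.3
2000-03-01T02:01:30 node=PS4 src=RADIO-77 type=TELEMETRY level=0.4
2000-03-01T02:01:45 node=PS4 src=RADIO-77 type=ALARM_INHIBIT scope=ALL
2000-03-01T02:02:00 node=PS4 src=RADIO-04 type=TELEMETRY level=1.4
2000-03-01T02:02:30 node=PS4 src=RADIO-77 type=PUMP_CMD action=OFF
2000-03-01T02:03:00 node=PS9 src=RADIO-09 type=TELEMETRY level=0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) src=(?P<src>\S+) type=(?P<type>\S+)(?P<rest>.*)$"
)


def parse(log):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rest"] = rec["rest"].strip()
            records.append(rec)
    return records


def first_seen_sources(records):
    """Map each claimed node id to the source that first used it.

    First-seen is a stand-in for a real asset inventory; an attacker who
    speaks before the genuine station would not be caught by this alone.
    """
    first = {}
    for r in records:
        first.setdefault(r["node"], r["src"])
    return first


def find_identity_conflicts(records):
    """Node ids heard from more than one source, i.e. a possible impostor."""
    sources = defaultdict(set)
    for r in records:
        sources[r["node"]].add(r["src"])
    return {node: sorted(s) for node, s in sources.items() if len(s) > 1}


def find_suspicious_commands(records, first):
    """Non-telemetry messages whose source is not the node's known source."""
    return [
        (r["ts"], r["node"], r["src"], r["type"])
        for r in records
        if r["type"] != "TELEMETRY" and r["src"] != first[r["node"]]
    ]


def analyze(log):
    """Run all checks; ALARM_INHIBIT is reported even from the known source,
    because silencing alarms is worth a human look regardless of sender."""
    records = parse(log)
    first = first_seen_sources(records)
    return {
        "identity_conflicts": find_identity_conflicts(records),
        "suspicious_commands": find_suspicious_commands(records, first),
        "alarm_inhibits": [r["ts"] for r in records if r["type"] == "ALARM_INHIBIT"],
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The check depends on the master station recording which radio it actually heard a message from, which is the one thing a laptop claiming to be "pumping station 4" cannot forge from the air. Where the equipment records only the claimed node id, the identity conflict is invisible and only the alarm-inhibit and out-of-pattern commands remain as signals.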
Nearly identical systems run oil and gas utilities and many manufacturing
plants. But their most dangerous use is in the generation, transmission and
distribution of electrical power, because electricity has no substitute and
every other key infrastructure depends on it.
Massoud Amin, a mathematician directing new security efforts in the
industry, described the North American power grid as "the most complex
machine ever built." At an April 2 conference hosted by the Commerce
Department, participants said, government and industry scientists agreed
that they have no idea how the grid would respond to a cyber-attack.
What they do know is that "Red Teams" of mock intruders from the Energy
Department's four national laboratories have devised what one government
document listed as "eight scenarios for SCADA attack on an electrical power
grid" -- and all of them work. Eighteen such exercises have been conducted
to date against large regional utilities, and Richard A. Clarke, Bush's
cyber-security adviser, said the intruders "have always, always succeeded."
Joseph M. Weiss of KEMA Consulting, a leading expert in control system
security, reported at two recent industry conferences that intruders were
"able to assemble a detailed map" of each system and "intercepted and
changed" SCADA commands without detection.
"What the labs do is look at simple, easy things I can do to get in" with
tools commonly available on the Internet, Weiss said in an interview. "In
most of these cases, they are not using anything that a hacker couldn't
have access to."
Bush has launched a top-priority research program at the Livermore, Sandia
and Los Alamos labs to improve safeguards in the estimated 3 million SCADA
systems in use. But many of the systems rely on instantaneous responses and
cannot tolerate authentication delays. And the devices deployed now lack
the memory and bandwidth to use techniques such as "integrity checks" that
are standard elsewhere.
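To make concrete what an "integrity check" on a control channel costs, and why the intercepted-and-changed commands Weiss describes would not pass one, here is an added Python example (not from the article, the national laboratories, or any vendor protocol). The frame layout (16-bit node id, 32-bit counter, payload, 8-byte truncated HMAC-SHA256 tag), the key and the sample commands are assumptions for illustration.

```python
"""Authenticated control frames with a replay counter.

Added example, not from the article. Frame layout is an assumption:
  node_id (2 bytes) | counter (4 bytes) | payload | tag (8 bytes)
The tag is HMAC-SHA256 over everything before it, truncated to 8 bytes,
so the fixed overhead per command is 14 bytes.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HI")  # big-endian node id, counter
TAG_LEN = 8                     # truncated tag; 64-bit forgery resistance


def build_frame(key, node_id, counter, payload):
    """Master side: tag the command so tampering or replay is detectable."""
    body = HEADER.pack(node_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Verifier:
    """Outstation side: accept a frame only if the tag checks and the
    counter is strictly higher than the last accepted one for that node."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # node_id -> highest accepted counter

    def verify(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare: a byte-wise early exit would leak the tag.
        if not hmac.compare_digest(tag, expected):
            return None
        node_id, counter = HEADER.unpack_from(body)
        if counter <= self.last_counter.get(node_id, -1):
            return None  # replayed or reordered frame
        self.last_counter[node_id] = counter
        return node_id, body[HEADER.size:]


def overhead_bytes():
    """Fixed per-frame cost beyond the payload itself."""
    return HEADER.size + TAG_LEN


if __name__ == "__main__":
    key = b"constructed-example-key"      # assumption; would be per-node in practice
    v = Verifier(key)
    good = build_frame(key, 4, 1, b"PUMP OFF")
    print("genuine:", v.verify(good))
    print("replayed:", v.verify(good))
    forged = bytearray(build_frame(key, 4, 2, b"PUMP OFF"))
    forged[HEADER.size] ^= 0x01            # flip one payload bit in transit
    print("tampered:", v.verify(bytes(forged)))
    print("overhead:", overhead_bytes(), "bytes")
```

The cost is 14 bytes and one SHA-256 pass per message on each end, which is negligible on anything with a modern CPU but real on the narrowband radio links and small controllers the article describes; where the outstation cannot do it, the check is usually placed in a bump-in-the-wire device or at the protocol gateway. Distributing and rotating the per-node keys, not the arithmetic, is the operational problem.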
In a book-length Electricity Infrastructure Security Assessment, the
industry concluded on Jan. 7 that "it may not be possible to provide
sufficient security when using the Internet for power system control."
Power companies, it said, will probably have to build a parallel private
network for themselves.
'Where Their Crown Jewels Are'
The U.S. government may never have fought a war with so little power in the
battlefield. That became clear again on Feb. 7, when Clarke and his
vice-chairman at the critical infrastructure board, Howard A. Schmidt,
arrived in the Oval Office.
They told the president that researchers in Finland had identified a
serious security hole in the Internet's standard language for routing data
through switches. A government threat team found implications -- for air
traffic control and civilian and military phone links, among others -- that
were more serious still.
"We've got troops on the ground in Afghanistan and we've got communication
systems that we all depend on that, at that time, were vulnerable," Schmidt
recalled.
Bush ordered the Pentagon and key federal agencies to patch their systems.
But most of the vulnerable networks were not government-owned. Since Feb.
12, "those who have the fix in their power are in the private sector,"
Schmidt said. Asked about progress, he said: "I don't know that we'd ever
get to 100 percent."
Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb. 19
and accused industry leaders of spending more on coffee than on information
security. "You will be hacked," he told them. "What's more, you deserve to
be hacked."
Tritak, at the Commerce Department, appealed to patriotism. Speaking of al
Qaeda, he said: "When you've got people who are saying, 'We're coming after
your economy,' everyone has a responsibility to do their bit to safeguard
against it."
New public-private partnerships are helping, but the government case
remains a tough sell. Alan Paller, director of research at the SANS
Institute in Bethesda, said not even banks and brokerages, considered the
most security-conscious businesses, tell the government when their systems
are attacked. Sources said the government did not learn crucial details
about September's Nimda worm, which caused an estimated $530 million in
damage, until the stricken companies began firing their security executives.
Experts said public companies worry about the loss of customer confidence
and the legal liability to shareholders or security vendors when they
report flaws.
The FBI is having even less success with its "key asset initiative," an
attempt to identify the most dangerous points of vulnerability in 5,700
companies deemed essential to national security.
"What we really want to drill down to, eventually, is not the companies but
the actual things themselves, the actual switches . . . that are vital to
[a firm's] continued operations," Dick said. He acknowledged a rocky start:
"For them to tell us where their crown jewels are is not reasonable until
you've built up trust."
Michehl R. Gent, president of the North American Electric Reliability
Council, said last month it will not happen. "We're not going to build such
a list. . . . We have no confidence that the government can keep that a
secret."
For fear of terrorist infiltration, Clarke's critical infrastructure board
and Tom Ridge's homeland security office are now exploring whether private
companies would consider telling the government the names of employees with
access to sensitive sites.
"Obviously, the ability to check intelligence records from the terrorist
standpoint would be the goal," Dick said.
There is no precedent for that. The FBI screens bank employees but has no
statutory authority in other industries. Using classified intelligence
databases, such as the Visa Viper list of suspected terrorists, would mean
the results could not be shared with the employers. Bobby Gillham, manager
of global security at oil giant Conoco Inc., said he doubts his industry
will go along with that.
"You have Privacy Act concerns," he said in an interview. "And just to get
feedback that there's nothing here, or there's something here but we can't
share it with you, doesn't do us a lot of good. Most of our companies would
not [remove an employee] in a frivolous way, on a wink."
Exasperated by companies seeking proof that they are targets, Clarke has
stopped talking about threats at all.
"It doesn't matter whether it's al Qaeda or a nation-state or the teenage
kid up the street," he said. "Who does the damage to you is far less
important than the fact that damage can be done. You've got to focus on
your vulnerability . . . and not wait for the FBI to tell you that al Qaeda
has you in its sights."
Staff researcher Robert Thomason contributed to this report.
****************
Reuters Internet Report
Internet Body Proposes Reforms to Fight Web 'Squatters'
BUCHAREST (Reuters) - The organization that oversees Internet domain names
floated two proposals on Thursday to help businesses and individuals fight
extortion by speculators, known as cyber squatters.
ICANN, or the Internet Corporation for Assigned Names and Numbers, said at
its quarterly meeting that it was close to adopting a new system to give
owners of domain names extra time to renew their contracts and to establish
a waiting list for coveted domains that become newly available to the public.
The two measures could be ratified by the ICANN board on Friday.
The first proposal, which would establish a 30-day grace period for current
owners to renew their contracts, received widespread approval.
"ICANN receives a large number of complaints for inadvertently deleted
domains...it affects churches, schools, businesses," Daniel Halloran, an
ICANN employee assigned to the grace period task force, told Reuters. "This
would be a safety net."
The measure seeks to address the recurring problem of cyber squatters
registering coveted expired domains before the original owners renew their
contracts.
Halloran explained that the four-year-old ICANN never formalized a procedure
by which domain name registrants could renew contracts, which typically run
on an annual basis.
"We get a lot of complaints from people who wake up to find their domain
has expired and now has porn on it, or it's linked to a casino site," he
said. "Then, they'll ask for a ransom to get it back."
The waiting-list proposal, again designed to improve the odds for
legitimate parties to claim an available domain, may have more difficulty
passing.
Under the proposal by dominant U.S.-based domain registration firm
VeriSign, a bidder would pay a fee to get first dibs on any newly available
domains.
VeriSign has proposed charging other domain registrars as much as $28 for
the service. A number of registrars have argued the price is too high.
A controversial vote on whether to retool the make-up of ICANN's executive
board to include more government delegates, plus security and technical
experts, is slated for Friday.
*************************
Government Computer News
FEMA speeds up plans for new architecture and portal
By Dipka Bhambhani
The Federal Emergency Management Agency expects to have the blueprint for
its new enterprise architecture finished as early as this week and the
first release of its disaster information portal in August.
"We'll have the initial framework done next week," FEMA CIO Ronald Miller
said today at the E-Gov conference in Washington. The current architecture
will not support the agency's new plans, he said. "We want to start fresh."
The agency also is planning to develop Disasterhelp.gov, a disaster
information portal that will be attached to the FirstGov.gov Web site and
link to other federal agencies' disaster information sites.
Meanwhile, the agency is collecting contingency plans from agencies in the
disaster response community to get an idea of the type and amount of
content to which they'll have to link.
The initial August launch of Disasterhelp.gov will be on the FirstGov site
and link to only a few agencies. But Miller plans to expand the number of
links.
Right now, he said, someone at a call center acts as a middleman during a
crisis. "There are ways to take that person out of the process," he said.
"I know that technology can do it."
***********************
Government Computer News
Giuliani lauds IT's role in management, endorses national IDs
By Susan M. Menke
Former New York City mayor Rudolph Giuliani called technology "a real help"
in reducing crime. He said his administration's daily collection of
statistics about crime, health and welfare led to cutting the number of
welfare recipients from 1.1 million (out of 8 million residents) down to
about 650,000 and the number of prisoners in jails from 14,000 down to
about 11,000.
"Paying attention to small things," such as daily statistics from the
city's 76 police precincts, was the key, said Giuliani, who spoke today at
the E-Gov conference in Washington.
"To say the city was unmanageable and ungovernable really was an excuse for
unaccountability," he said. "E-government can go a long way to change that
perception. We let people pay their parking tickets over the Internet; we
needed the money. We put applications for city permits online and made all
the permit-granting agencies into one virtual agency."
Current mayor Michael Bloomberg has continued the statistical reporting by
neighborhood under the Citywide Accountability Program, at
http://home.nyc.gov/portal/index.jsp?pageID=nyc_stat_reports&catID=1724.
Giuliani, who received a standing ovation after ceremonial bagpipers played
"God Bless America," said he and city officials for years held tabletop
exercises and drills to deal with various emergencies. "We play-acted a
plane crash in Queens," he said. But when he was called to the World Trade
Center on Sept. 11, he saw people jumping from the highest floors without a
hope of rescue. Although the previous disaster planning didn't fit the
scope, at least it prepared the first responders and hospitals, he said.
Giuliani called a national ID card "something we have to work toward. We
need a more efficient way to identify people, but there's a tradeoff
between individual privacy and protection of others." A national ID card,
he said, "would not be an erosion of fundamental freedoms."
"A lot of people feel that America is more dangerous today than it was
before," Giuliani said. "The reverse is true. I think it's remarkable how
America has handled its worst attack. We are the most vital and interesting
society in history."
***********************
Washington Post
Publishers Sue Gator Over Web Ad Tactics
By Leslie Walker
A group of Web publishers filed suit in federal court this week against the
scrappy Internet ad network Gator Corp., charging that Gator sells ads on
their Web sites without authorization and pockets the proceeds.
"Gator Corp. is essentially a parasite that free rides on the hard work and
investment" of the publishers, said the lawsuit, filed Tuesday by a dozen
large publishers in U.S. District Court in Alexandria.
The irate publishers include The Washington Post Co., the New York Times
Co., Dow Jones & Co., Tribune Interactive, Gannett Co., Knight Ridder
Digital, Condenet and American City Business Journals Inc.
Their complaint is the latest in a series of legal scrapes involving Gator,
which offers consumers free software and, in exchange, displays ads on the
screens of their computers.
In a similar court action earlier this month, one of Gator's advertisers,
DietWatch.com, was ordered to stop displaying ads that appeared when Gator
users visited rival site WeightWatchers.com. The court ordered DietWatch to
pay $25,000 to Weight Watchers.
The complaints reflect growing turmoil in the Internet advertising
industry, which increasingly has embraced intrusive, flashy and
experimental ad tactics as online advertisers try harder to lure customers.
Among the most confusing ad tactics are pop-ups, in which a browser window
suddenly opens to display a commercial message. Often consumers can't tell
where the ad originated; they assume it came from whatever page they are
viewing.
The publishers charge that Gator takes advantage of this confusion and
offers to sell ads that appear when Gator users visit specific Web sites,
even though those Web sites haven't authorized the ads. Gator accomplishes
that with its own software, which displays ads, the suit says.
Gator, based in Redwood City, Calif., did not return repeated e-mail
messages and phone calls yesterday.
Terence Ross, the lawyer representing the publishers, said the placement of
pop-up ads on the publishers' Web sites "alters the display of the Web
site, which constitutes copyright infringement." The suit alleges that
Gator's pop-ups also represent trademark infringements and misappropriation
of the news.
They also represent unfair competition, the suit says, because Gator's
competing offer to advertisers makes it harder for publishers to sell their
own ads.
Gator ranked as the 15th most heavily trafficked Web property in April,
according to Nielsen/NetRatings, with nearly 16 million people being
exposed to its Web sites or software.
Gator offers a "digital wallet" that stores people's addresses and credit
card numbers and allows people to fill out forms quickly. When users
install the wallet, they get a special "OfferCompanion" that displays ads
on their screens. The OfferCompanion, a type of software known as spyware
or adware, also is installed when people download the popular file-sharing
program KaZaa and a music program called AudioGalaxy.
Gator has wrangled in court with the Interactive Advertising Bureau, an
Internet ad trade group, but agreed six months ago to work toward a
settlement. Gator had sued the IAB after the trade group threatened to
complain to federal regulators about its ad tactics.
*************************
New York Times
Microsoft Agrees to Alter a Special Service for Children
By JOHN MARKOFF
SAN FRANCISCO, June 26 -- Microsoft said today that it had agreed to make
changes in a children's version of its Passport authorization software
after an advertising industry watchdog group challenged the service over
issues of parental control and privacy.
The company, based in Redmond, Wash., has promoted Passport as a
convenience feature that would permit computer users to sign on only once
to use multiple Web sites and online services.
But critics have said Passport could potentially be used to collect
personal information on consumers and have suggested that the company might
try to sell the information for marketing purposes. Microsoft has responded
that it has established stringent privacy guidelines to protect the user
information.
The group, the Children's Advertising Review Unit of the Better Business
Bureau, said today that it had begun investigating the Passport service
earlier this year.
Officials of the group said today that Microsoft had said that use of the
Kids Passport service would help protect children's safety and privacy
online and had given the impression that sites and services accessible as
part of the service were "children's sites." The agency, however, said it
had discovered that there were no special privacy-protection provisions
taken and that the sites were actually general consumer sites used by
people of all ages.
One of the group's concerns, officials said, was that many of the Microsoft
Kids Passport sites in fact offered chat rooms and other public forums that
were designed to allow users to communicate and exchange information like
names, e-mail addresses and phone numbers.
As a result of the group's investigation, Microsoft has made a number of
changes, including no longer representing the Kids Passport service as
aiding parents in protecting online privacy; noting that the Kids Passport
service sites are not designed specifically for children; posting a
specific children's privacy statement for its Passport service; and
agreeing to revise its MSN Statement of Privacy to inform parents of how
its MSN service collects and discloses children's personal information.
Although the Children's Advertising Review Unit was originally created by
the advertising industry to combat deceptive advertising practices, the
agency has broadened its scope as a result of the emergence of interactive
technologies like the World Wide Web.
"In the offline world there was a chance for mediation, and the parent
could say no to an advertiser," said Elizabeth Lascoutx, director of the
review unit. "But when the child was sitting at a keyboard it became a real
issue."
A Microsoft executive said today that the company had been working with the
group to bring its software into compliance with the group's
Self-Regulatory Guidelines for Children's Advertising.
"They identified a bunch of places where we could do better, and we think
that's great," said Adam Sohn, Microsoft product manager for .Net strategy,
a software service that includes Passport. "We entered into a productive
dialogue and we're pretty pleased we could come to this agreement."
Microsoft never intended to mislead anyone, he said.
**************************
MSNBC
Bank crime data theft on the rise
At state banking convention, frustration is obvious
By Bob Sullivan
GLENEDEN BEACH, Ore., June 26 -- Ski-mask-wearing, gun-brandishing thieves
dashing out of banks with cash-stuffed moneybags are good theater. But the
truth is, bank robbers are a dying breed. Only 2 percent of mounting bank
crime losses are now from physical robberies, according to the Oregon
Bankers Association. Today's crooks now hide safely in another city, state,
or halfway around the world while they commit their crimes. And often, it's
not even the bank's money they want.
HAVING ESCAPED TO the rocky, still-chilly, nearly tourist-free
Oregon coast, and staying in a town that sports Eden in its name, one might
expect to find tranquil bankers pleasantly discussing loan rates before
hitting the links. But executives attending the association's annual
convention here found their peace disturbed by fraud expert Rob Douglas,
who said the nation's banking system has become a playground for
criminals, and now terrorists, who know how to turn stolen financial data
into steady income.
"Your concern is no longer a teller walking out the door with
cash," said Douglas. "Your concern is information walking out the door.
That's the new currency. You've got to think: information equals cash."
Bank crime rarely involves traditional robberies any more, said
Oregon Bankers Association Chairman Mike Foglia. Instead, money and
information are stolen remotely, via electronic and paper fraud. There is
almost no risk to the criminal, who can't be spotted by security cameras,
but can steal the money from the other side of the world.
Privately, bankers at the conference expressed dismay at the amount
of fraudulent financial wire transfers that are completed after a
fast-talking criminal tricks a bank employee during a single phone call.
Other frauds are even easier: depositing a fraudulent "convenience check"
from a credit card company, then withdrawing the money; or skimming ATM
card numbers right from the machine.
How much is virtually slipping out the door? Bankers wouldn't talk,
but Foglia admits loss of "seven figures" at the various Wells Fargo
branches he manages near Portland. And he concedes fraud is on the rise at
all banks.
IDENTITY THEFT HAVEN
But frequently, the initial crime doesn't even involve money. It
starts as a simple phone call, and a request for information, such as bank
account balances. From there, the data is resold and reused, leading to
crimes from simple credit card fraud to full-blown identity theft resulting
in car loans or even equity loans.
Where the fraud receipts eventually end up is anyone's guess, but
there is evidence terrorist groups used stolen credit cards and other bank
fraud techniques to support the Sept. 11 attacks and other terrorism
activities.
From the heavy sighs and drawn faces, it was clear that Douglas
was, at least in part, preaching to the choir. Oregon has already suffered
one of the nation's worst-ever information leaks. Last year, police acting
on a tip found computer disks with the state's Department of Motor Vehicle
records, all of them, in a suspect's apartment. The suspect, Jody Gene
Oates, pleaded guilty last month to identity theft and was sentenced to 4
and one-half years in prison.
Many Oregon banks use state drivers' licenses to verify the
identity of a new account holder.
"How can you trust that as verification now?" Douglas asked.
But Oregon's troubled bankers are hardly alone. Just last week,
Bank of America, together with the National Consumers League, kicked off a
new ad campaign, "Invasion of the ID Snatchers," warning customers about the
hazards of ID theft. The campaign is a response to an incident earlier this year when
a criminal set up a fake Bank of America Web site and stole customer
information. During an interview with the American Banker, bank privacy
officer Robin Warren said ID fraud losses at the firm are rising, and the
February incident was "a big wake-up call."
PHONE CALL TRICKERY
Douglas takes his shock therapy to banking groups around the
country, telling executives that the banking system has become a convenient
database for criminals.
He played secretly-taped phone conversations with information
brokers, who regularly call banks pretending to be depositors, tricking
customer service representatives into giving out private information. Bank
records, for example, can be obtained for as little as $50.
"She didn't even ask for my name," bragged the broker on the tape,
who had gotten a customer's account balance information armed only with a
Social Security number. "You wouldn't believe how easy it is. ... You have
to talk fast. You can't give people a chance to think. That's the key."
Another tactic used, Douglas said, is acting belligerent if the
conversation starts to go poorly. Also, since Sept. 11, many criminals have
taken to impersonating the FBI, he said, knowing that many bank employees
are all too eager to help the war on terrorism.
Obtaining private financial information under false pretenses
("pretexting") was made a federal crime in 1999 by the Gramm-Leach-Bliley
Act. But while thousands of companies still operate in the seedy
information-broker trade, not a single one has faced prosecution, Foglia said.
While he admitted that both identity theft and electronic fraud in
general are on the rise, and conceded banks "could do more," he said the
lack of prosecutions was the real problem.
"We have cases we tie up with a bow and give them to (federal
authorities), and we can't get them interested unless the loss is at least
$50,000," Foglia said. Criminals know this, he said. They know they can
risk a $10,000 fraud with almost no fear of jail time.
"What if we could take all the millions we have lost in fraud in
the past year and hire some prosecuting attorneys?" he asked
hypothetically. "The fact that there are no prosecutions is deplorable,
particularly when we know this stuff funds terrorism."
Douglas, who often ends his talks by showing a video about stalking
victim Amy Boyer (hunted down by her killer with the help of an information
broker), said there is frustration around the country with the lack of
prosecutions connected to Gramm-Leach-Bliley or other bank frauds. Even if
the initial crime seems neat, clean, perhaps even victimless, the ultimate
consequences are severe.
"This is not about being able to steal a $50 pair of Reeboks (with
a stolen credit card) any more," said Douglas. "It's about terrorism,
stalking and murder now."
******************
New York Times
Spam: An Escalating Attack of the Clones
SAN FRANCISCO -- At 2 a.m., the red squiggle begins to rise. Sharply.
The workers sitting in the dimly lighted room barely look up at the white
screen on the wall that tracks the deluge of unwanted e-mail to millions of
In boxes. They already know it's happening.
Their computer monitors are filled with e-mail meant to appeal to the
lonely and insecure: Free XXX video. Debt consolidation. Breast
enhancement. Viagra. Work from home. Beat cellulite.
It is the middle of the night on the West Coast, but spam attacks (e-mail
messages sent to multiple addresses, often lumped together as "undisclosed
recipients") are bubbling up from all corners of the Internet. Spam doesn't
sleep.
Click and type. Cut and paste. Save. Export. That is how spam filters are
created in the round-the-clock war room run by Brightmail, a company that
performs filtering for Internet service providers like Earthlink, MSN and
AT&T Worldnet as well as companies trying to keep their e-mail systems
unclogged.
In the war room, the steady pulse of keyboard and mouse clicks is
punctuated by brief declarations.
"I got the Viagra," calls out one 20-something employee as he clicks to
create a simple filter.
"I need help on the breast enhancement," announces another.
Spammers are like fruit flies. They multiply. They are elusive. Worst of
all, they evolve quickly. The most aggressive spammers have become very
sophisticated, constantly varying subject lines, "from" addresses and body
text.
Joe Long, a war room employee, remembers when times and spam were
simpler. Two years ago, he and his colleagues would sometimes be able to
parry all the attacks and clear their to-do list. "That never happens now,"
Mr. Long said.
For in addition to becoming more sophisticated, spammers have become more
prolific. These days, more and more junk e-mail is finding its way into In
boxes.
Brightmail says the volume of spam it encounters has almost tripled in the
last nine months. The company adds that 12 to 15 percent of total e-mail
traffic is spam; a year ago, that figure was closer to 7 percent.
Brightmail, which maintains a network of In boxes to attract spam, now
records 140,000 spam attacks a day, each potentially involving thousands of
messages, if not millions.
Statistics like these are supported by anecdotal evidence from computer
users, who report that they are seeing more unwanted e-mail every time they
log on. Hounded by spam, some computer users have simply abandoned e-mail
addresses.
No one knows precisely why spamming has increased so much. One reason may
be that it is an inexpensive form of marketing favored in a slumping economy.
Another may be that it is relatively simple to do: it is not much harder to
send one million e-mail messages than it is to send one.
But some analysts say that the increase may also result, paradoxically,
from the efforts to curb spam. A kind of arms race may have developed,
those analysts say: the more efforts are made to block unwanted e-mail, the
more messages spammers send to be sure that some will get through.
Whatever the reasons, individual complaints about e-mail are echoed by
Internet service providers, some of which say that 50 percent of incoming
e-mail traffic is spam.
Consumer advocates and politicians are complaining too, and proposing new
laws to fight spam. Governmental agencies are also announcing new
initiatives in the battle.
Clearly, spam is a part of electronic communications that everyone loves to
hate. But it is also something that no one, it seems, can do much about.
Here are the reasons.
Regulation
The Federal Trade Commission currently receives 40,000 spam complaints a
day at its Web site, www.ftc.gov/spam. It has an e-mail address,
uce@xxxxxxx ("uce" stands for "unsolicited commercial e-mail"), to which
people can forward spam e-mail that they receive. To date, the commission
has collected more than 12 million such messages, which are kept in what is
affectionately known as the refrigerator, a computer database in the
commission's Internet lab.
But the commission cannot and does not regulate unsolicited commercial
e-mail. There are currently no federal laws against spam.
Spam is a form of commercial speech. While commercial speech enjoys some
protection under the First Amendment, it is also subject to regulation, but
such regulation must be established by legislation.
So in a majority of spam cases, the trade commission's hands are tied. Even
pornographic spam (including that sent to children) falls outside its mandate.
"We can only do what our statute allows us to do," said Brian Huseman, who
coordinates spam issues for the commission. And that statute empowers the
commission to fight fraudulent and deceptive marketing practices.
So the F.T.C. is focusing on the spammers that do fall under its
jurisdiction. To date it has filed 32 spam-related fraud cases, including
one against a company that sells nonexistent ".usa" domain names and
another against a company that distributed programs that forced computer
modems to dial international calls.
Only a fraction of spam is outright fraud; most spam e-mail is aimed at
selling legitimate products. Brightmail categorizes only 4 percent of spam
attacks as intentionally fraudulent.
The trade commission has tried to extend its definition of "fraudulent" to
encompass more than the most blatant fraud. The commission is investigating
whether businesses that sell bulk e-mailing tools and lists have deceptive
marketing practices. The goal is to cut off spammers' resources.
The commission also recently sent warning letters to companies that have
nonworking "remove me" options at the bottom of their e-mail messages. (A
commission survey showed that 63 percent of "remove me" options either did
not work or resulted in even more e-mail.)
However, the F.T.C.'s definition of what constitutes fraud is very
specific. For example, a false subject line ("As you requested" or "Human
Resource Policy changes") or a false return address does not legally
constitute fraud. The e-mail's content must actually be misleading in a way
that affects consumers.
"Just because it's false doesn't mean it's deceptive under our statute,"
Mr. Huseman said.
Federal Legislation
Ideally, consumer advocates want the spam equivalent of the 1991 federal
Telephone Consumer Protection Act, which prohibited prerecorded
telemarketing calls and junk faxes. The trade commission was also given
power to enforce the legislation.
A broad anti-spam law has been approved in Europe. On May 30, the European
Parliament passed a ban on unsolicited commercial messaging. Electronic
marketing can be aimed only at consumers who have given prior consent.
In contrast, more than a dozen spam-related bills have been introduced in
Congress over the last two years, and most of them have languished. Of the
handful that have made progress, the most recent is the Controlling the
Assault of Non-Solicited Pornography and Marketing act (a contorted title
that yields the acronym Can Spam), which was unanimously approved by the
Senate Commerce Committee last month. The Can Spam bill would, among other
things, let the F.T.C. impose civil fines up to $10 per unlawful message,
require valid "remove me" options on all e-mail and authorize state
attorneys general to bring lawsuits.
Now it must be voted upon by the full Senate, and two other independent
spam bills are moving slowly through the House of Representatives. But
interest groups are lobbying to tone down the strongest aspects of spam
legislation.
Those lobbyists are not spammers. They are some of the country's largest
corporations and commercial associations: Citicorp, Charles Schwab, Procter
& Gamble, the National Retail Federation, the Securities Industry
Association and the American Insurance Association. The groups argue that
many of the bills would unfairly restrict e-mail marketing and put
electronic commerce at a disadvantage.
"We would like the bill narrowed so only pornographic, fraudulent and
deceptive spam are targeted," said John Savercool, the vice president of
federal affairs for the American Insurance Association. "We think that is
where the consumer angst is."
But Senator Conrad Burns of Montana, a Republican sponsor of the Can Spam
bill, says that consumer frustration goes beyond pornography and fraud. "I
get enough applications for credit cards, offers to consolidate my debt and
advertising for Viagra in my mailbox," he said. "I don't need it on my
computer too."
Litigation
With little happening in Congress on anti-spam legislation, 25 state
governments have taken the lead and passed a variety of spam-related laws.
They range from Delaware's 1999 outright ban on unsolicited commercial
e-mail to more indirect limitations. Most states ban false return e-mail
addresses, require "remove me" provisions or demand labels on sex-related
messages.
But laws, whether federal or state, may serve as a deterrent only when they
are enforced. And enforcement of these state anti-spam laws is more the
exception than the rule. Despite hundreds of thousands of consumer
complaints to state agencies, only Washington State has filed a lawsuit
based on anti-spam legislation. Other states that do not have anti-spam
laws, like New York, have sued or charged spammers by using laws on
deceptive marketing and computer hacking. The cases are pending.
Legal experts say the problems with local spam laws are manifold. First of
all, most do not prohibit spam. "Even if the laws were enforced
effectively, they wouldn't address most of the spam problem," said David E.
Sorkin, a professor at the John Marshall Law School in Chicago who runs a
site called Spamlaws.com. "The implied message is that if you weren't lying
about it, it would be O.K. to spam people."
Second, spam transcends state (and national) boundaries, and many of the
state laws stipulate that they take effect only if a spammer can
"reasonably know" that the recipient is a resident of a particular state.
Third, spammers are elusive. Lawsuits generally need to nail down a
physical presence to proceed. When the F.T.C. sent warning letters to
spammers with false "remove me" options, more than 20 percent of the
letters came back because the addresses registered with the domain names
were false. Telemarketers are easier to identify because telemarketing is
expensive and as a result, such companies need assets. All a spammer needs
for business is a computer, an Internet connection and an inexpensive CD
containing spamming software and tens of millions of e-mail addresses.
"Most of the spammers are not wealthy people," said Stephen Kline, a lawyer
for the New York State attorney general's office. "It's tough if you are
going after someone with very few assets to get restitution for consumers
or justify the costs."
So most spam-related lawsuits have been brought by companies and
individuals motivated more by a sense of a crusade than by the prospect of
a financial reward. In March, Morrison & Foerster, a California law firm,
filed a lawsuit against Etracks, an e-mail marketer, for sending e-mail to
its servers. Etracks says that it works with permission-based marketing, a
contention that Morrison & Foerster disputes.
Some I.S.P.'s, including CompuServe and AOL, have filed suit against
spammers to prevent them from sending unsolicited e-mail to users of those
services. But using lawsuits to combat spammers is like trying to catch
swarming fruit flies by hand. For every one you manage to catch, there are
10 more undeterred ones pestering you.
Technology
To date, the most effective weapon against spam is technology. "Spam
requires a technology solution because it is a technology problem," said
Ken Schneider, chief technology officer at Brightmail.
But even technology is limited, since spam is e-mail and e-mail is designed
to flow easily. Only 5 percent of all enterprises will be able to filter 90
percent of spam in 2002, said Joyce Graff, research director at Gartner
Research.
Businesses have tried to throw up all types of defenses. Many reject mail
coming from computers that are known to have been hijacked for spam. Some
I.S.P.'s reject e-mail sent in bulk. That often results in the rejection of
legitimate noncommercial messages sent to addresses on mailing lists.
Other technological approaches limit e-mail to preapproved senders, or to
senders who respond to a challenge with a password, approaches that slow
down the transmission of e-mail. Users can also buy personal In box protectors.
Brightmail, which has one of the most sophisticated services, says the best
spammers are always a step ahead of its defense mechanism. They evade
Brightmail filters by randomizing the subject lines, sender addresses and
body text that the filters match on.
"It's very difficult to fight," said Mr. Long, the war-room worker. "You
get entrenched fighting it one way, and they go put a new tool against you."
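The arms race Mr. Long describes, and the gateway-level defenses listed a few paragraphs earlier (rejecting hijacked hosts, rejecting bulk mail, preapproved senders), can be shown in a few dozen lines. What follows is an added example, not Brightmail's code or anything from the article: a toy inbound-mail policy in which a hand-typed exact-match signature misses the next randomized variant of the same campaign, a canonicalizing filter catches it, and a blocklist, allowlist and bulk heuristic sit around the content rules. Every message, address, list entry, signature and field name is constructed for the demo.

```python
"""
Added example, not Brightmail's code or anything from the article: a toy
inbound-mail policy that shows why a hand-typed exact-match signature misses
the next randomised variant, how canonicalising the text narrows the gap, and
how the other gateway defences in the piece (hijacked-host blocklist, bulk
detection, preapproved senders) fit around it. Every message, address, list
entry, signature and field name below is constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed messages as a gateway would see them after SMTP delivery.
MESSAGES = [
    {"ip": "198.51.100.7", "from": "alice@example.org",
     "subject": "Lunch tomorrow?", "body": "See you at noon."},
    {"ip": "203.0.113.9", "from": "promo9911@example.net",
     "subject": "Free XXX video!!!", "body": "Click now"},
    # Same campaign, subject randomised to dodge the exact signature.
    {"ip": "203.0.113.9", "from": "promo2381@example.net",
     "subject": "Fr.ee XXX v1deo  (#48213)", "body": "Click now"},
    {"ip": "192.0.2.200", "from": "sales@example.com",
     "subject": "Debt consolidation offer", "body": "Low rates"},
    # Preapproved sender carrying a spammy subject: the allowlist wins.
    {"ip": "192.0.2.44", "from": "partner@example.com",
     "subject": "Debt consolidation offer", "body": "Quarterly statement"},
    {"ip": "198.51.100.250", "from": "anyone@example.net",
     "subject": "Hello", "body": "Hi there"},
]

BLOCKED_IPS = {"198.51.100.250"}          # hosts known to be hijacked for spam
ALLOWED_SENDERS = {"partner@example.com"}  # preapproved senders skip content rules
EXACT_SIGNATURES = {"Free XXX video!!!", "Debt consolidation offer"}  # war-room style
PHRASE_SIGNATURES = {"free xxx video", "debt consolidation"}          # canonical form

# Undo the usual cheap substitutions (V1agra, Fr.ee, tracking tags, case).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text):
    """Canonicalise subject/body text so randomised variants collapse together."""
    t = text.lower()
    t = re.sub(r"\(#?\d+\)|#\d+", " ", t)            # drop tags like (#48213)
    t = t.translate(LEET)                             # v1deo -> video
    t = re.sub(r"(?<=[a-z])[.\-_*](?=[a-z])", "", t)  # fr.ee -> free
    t = re.sub(r"[^a-z\s]", " ", t)                   # leftover punctuation
    return re.sub(r"\s+", " ", t).strip()


def classify(msg, exact_only=False):
    """Return (verdict, reason). Order: blocklist, allowlist, then content."""
    if msg["ip"] in BLOCKED_IPS:
        return "reject", "sending host on hijacked-host blocklist"
    if msg["from"].lower() in ALLOWED_SENDERS:
        return "accept", "preapproved sender"
    if msg["subject"] in EXACT_SIGNATURES:
        return "quarantine", "exact signature"
    if not exact_only:
        canon = normalise(msg["subject"] + " " + msg["body"])
        for phrase in PHRASE_SIGNATURES:
            if phrase in canon:
                return "quarantine", "normalised phrase: " + phrase
    return "accept", "no rule matched"


def run(messages, exact_only=False):
    """Verdict per message, in input order."""
    return [classify(m, exact_only)[0] for m in messages]


def bulk_subjects(messages, threshold=2):
    """Canonical subjects seen from at least `threshold` distinct senders:
    the ISP-style bulk heuristic, which also catches legitimate list mail."""
    senders = defaultdict(set)
    for m in messages:
        senders[normalise(m["subject"])].add(m["from"].lower())
    return {s for s, who in senders.items() if len(who) >= threshold}


if __name__ == "__main__":
    for m, exact, fuzzy in zip(MESSAGES, run(MESSAGES, True), run(MESSAGES)):
        print(f"{m['subject']!r:32} exact={exact:10} normalised={fuzzy}")
    print("bulk:", bulk_subjects(MESSAGES))
```

Three things the run makes visible. The randomized "Fr.ee XXX v1deo (#48213)" sails past the exact signature and is only caught once the text is canonicalized, and that advantage lasts exactly until the spammer changes the substitution scheme, which is the cycle Mr. Long describes. The allowlist trusts the From header, which the article itself notes spammers vary freely, so a preapproved-sender bypass is a hole in the content filter unless the sender is verified some other way. And the bulk heuristic flags the legitimate "Debt consolidation offer" pair alongside the spam, which is the mailing-list collateral the article attributes to I.S.P.'s that reject bulk mail.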
Spam may be an inescapable element of online existence. "Is spam going to
be something we will all learn to live with, like increased airline
security?" asked Enrique Salem, chief executive of Brightmail. "Or will it
disappear?"
For spam to disappear, a combination of coordinated international
regulatory action, aggressive enforcement, software and human oversight is
needed, Mr. Salem said.
The bad news is that until that magic combination comes about, spam will
continue to clog In boxes. The good news is that it could help you look
younger, feel more virile, become debt-free and get a college degree at
home. Really.
******************
USA Today
Manager of FBI computer overhaul resigns
By Kevin Johnson, USA TODAY
The executive in charge of overhauling the FBI's antiquated computer system
has resigned.
The FBI said Robert Chiaradio is leaving to take a job at financial
consulting giant KPMG. He was elevated in December to one of the bureau's
top four administrative positions.
Former IBM executive W. Wilson Lowery Jr., will replace Chiaradio,
officials said.
Outdated computer systems have been blamed for several internal bureau
problems, including the FBI's failure to turn over thousands of documents
to lawyers representing Oklahoma City bomber Timothy McVeigh. The foul-up
caused a month-long delay of McVeigh's execution last year.
****************************
San Francisco Chronicle
File-sharing jamming proposed
Entertainment companies could legally launch electronic attacks against
Internet file sharing networks under a proposed law previewed Tuesday by a
Southern California congressman.
U.S. Rep. Howard Berman, D-North Hollywood, plans to introduce a law to
legalize the use of electronic countermeasures to thwart copyright
infringement on popular peer-to-peer networks such as KaZaa and Morpheus,
where millions of music and movie files are traded.
Berman, whose district stretches from North Hollywood to the San Fernando
Valley, said the law would legalize actions -- like flooding peer-to-peer
networks with decoy files -- that now might violate laws like the federal
Computer Fraud and Abuse Act.
"We see this as a very technology friendly bill," said Gene Smith, Berman's
chief of staff. "Copyright owners should be able to develop technological
responses to the technological piracy of their property."
But Steve Griffin, whose Tennessee firm distributes Morpheus, called
Berman's proposal "a declaration of cyberwarfare on consumers."
"It gives . . . media companies the right that even the U.S. government
doesn't have, to go into people's computers," said Griffin, chief executive
of StreamCast Networks Inc.
*************************
BBC
Piracy fight gets serious
Record makers could win the right to carry out hack attacks on music
sharing services if a US proposal becomes law.
Californian congressman Howard Berman has drawn up a bill that would
legalise the disruption of peer-to-peer networks by companies who are
trying to stop people pirating copyrighted materials.
If his idea becomes law, record companies will be able to carry out a
variety of attacks on the sharing services to make them unusable or so
irritating to use that people abandon them.
Existing legislation makes it an offence for anyone to carry out many of
the attacks mooted in the proposal.
Better blockers
So far, music companies have used legal action to stop people spreading
pirated pop through net-based peer-to-peer networks, such as Napster, Kazaa
and Audiogalaxy.
Their attempts have largely been successful.
Napster has declared itself bankrupt and is trying to relaunch itself as a
subscription service; Kazaa has run out of money to pay its mounting legal
bills; and Audiogalaxy has agreed to remove copyrighted material from its
network that it does not have permission to share.
However, legal action can take a long time to work, and now Howard Berman, a
Democratic congressman for California, has proposed legislation that would let
music makers act much more quickly.
Spoof tracks
His proposal would let the record makers carry out hacking-type attacks on
sharing networks to protect copyrighted works.
If it became law, record companies would win the right to place spoof
tracks on sharing services, block downloads, redirect people to
non-existent files and launch attacks that disrupt the smooth running of
the networks.
Some record labels have already been known to seed some networks with spoof
tracks or adverts to try to stop people getting hold of music they have not
paid for.
The law would also allow the record companies to place programs on the
machines of peer-to-peer network users to let them trace who is pirating pop.
*************************
Federal Computer Week
OMB takes aim at redundant IT
The Office of Management and Budget is taking action to cut down on
redundant information technology investments with plans to redeploy funding
this year and head off funding requests in coming years, Norm Lorentz,
OMB's chief technology officer, said June 25.
OMB has written "Clinger-Cohen letters" for projects under many of the 24
initiatives under the Bush administration's E-Government Strategy, Lorentz
said. Those letters, for perhaps the first time on such a wide scale,
exercise a section of the Clinger-Cohen Act of 1996 that gives the White
House the authority to shut down or redeploy funding for under-performing
or redundant programs, he said.
Because the 24 initiatives are aimed at consolidating common IT investments
across government, these letters are a necessary step, Lorentz said. Mark
Forman, OMB's associate director for IT and e-government, and the affected
deputy secretaries who make up the President's Management Council, should
release the programs that are receiving the letters soon, he said.
For future investments, OMB plans to work with agencies to stop redundancy
before it happens.
On July 18, OMB will release the final current version of the federal
enterprise architecture business reference model. The model will be
available on a Web site accessible only by agency personnel, although parts
of it likely will be released over time for the public, Lorentz said.
OMB expects agencies to use the business reference model as the basis for
planning their fiscal 2004 budget requests and their submissions under OMB
Circular A-11, which sets the requirements for all investments. Officials
should check their investment plans against the model before submitting
requests to OMB, he said.
It is only the first of five reference models that will make up the entire
federal enterprise architecture plan. The others, including models for
performance, data, applications and technology, are at various points of
development and will be released in the coming months, he said.
************************
Federal Computer Week
Military, FEMA test communications
As part of a month-long communications exercise focused on interoperability
among U.S. armed forces and the Federal Emergency Management Agency, an
Army Reserve unit on June 24 successfully completed a video teleconference
with FEMA personnel halfway across the country.
Grecian Firebolt, which began June 1 and is scheduled to conclude today,
has been testing interoperability among the Army, the Air Force and FEMA's
Mobile Emergency Response communications teams. It includes reserve and
active Army units, and Army and Air National Guard units connecting more
than 30 sites throughout the United States and Puerto Rico.
The 311th Theater Signal Command (TSC), an Army Reserve unit headquartered
at Fort Meade, Md., led this year's exercise, which was designed, in part,
to test the communications piece of a homeland defense scenario, said Maj.
Gen. George Bowman, commander of the unit.
The homeland defense scenarios have included dealing with such things as
potential mail bombs and protestors attempting to foil activities and
influence soldiers, said Lt. Col. Thomas Chegash Jr., communications
systems control element branch chief in the 311th TSC.
Those scenarios did not include attacks against communications or
information technology systems, but did include reports of real-world
situations, like virus updates, that participants had to deal with on the
fly, said Maj. Anthony Britton, an action officer at Joint Forces Command,
who was on hand to observe the exercises and the joint communications
capabilities of the Army and Air Force.
The 311th TSC conducted a video teleconference with a FEMA office in
Denton, Texas, as part of an exercise to ensure that the agency "has the
bandwidth available in case we're faced with another" Sept. 11, said Ozzie
Baldwin, FEMA's telecommunications manager of information processing in Denton.
Baldwin said that Grecian Firebolt has also helped FEMA establish
procedures for communicating via e-mail on both secure and nonsecure
networks with the Defense Department in a homeland defense scenario.
"We have established the procedures, and now they will be published and
used in any deployment," he said. "In case of incident, we can immediately
exchange e-mails," and that includes a Secret Internet Protocol Router
Network (SIPRNET) connection between FEMA headquarters and DOD that was
recently installed and tested during the exercise.
"Now, we can say for the next incident, we are ready," Baldwin said.
Grecian Firebolt, which cost more than $1.2 million to execute, focuses on
the oversight and management of the tactical and strategic networks the
Army and its partners use to communicate during a homeland security
mission. It includes satellite links, line-of-sight tools, e-mail and
videoteleconferencing (VTC), Chegash said.
"Overall, our base goal is training," Chegash said, adding that
establishing the VTC link was one of the most difficult challenges in the
exercise. "We have been troubleshooting for days. The equipment we have is
old, not operator-friendly and difficult to set up."
***********************
Federal Computer Week
'Tribalism' may defeat Homeland
It was only a matter of days after President Bush unveiled his plan to take
pieces from various federal agencies to create a Homeland Security
Department that officials began to buttonhole Rep. Tom Davis, presenting
him with lists of reasons why their agencies shouldn't be moved.
They received a frosty reception from the Virginia Republican, however,
said Davis aide Melissa Wojciak.
Davis, who heads the House Government Reform Committee's Technology and
Procurement Policy Subcommittee, staunchly supports Bush's plan, Wojciak
told a gathering of technology experts June 25.
But the almost instinctive effort to undermine the president's plan
illuminates what is likely to be the biggest problem for the Homeland
Security Department: "tribalism."
While the administration's senior policymakers wrestle with problems such
as information sharing, interoperability and database integration, rank and
file government workers grapple with fear of change, said organizational
psychologist Joyce Doria.
"People choose the familiar, even the dysfunctional, over change," she
said. Wojciak and Doria spoke at E-Gov's Homeland Security 2002 conference
in Washington D.C.
Since the Sept. 11 terrorist attacks, it has become clear that among them,
various government agencies had information and warnings that, if shared,
might have alerted them to the terrorist danger.
Much discussion since then has focused on how to get agencies to share
information and better communicate with one another.
It will take technology to solve some of the problems, but "the technology
does exist," said Doria, who is a vice president at the consulting firm
Booz Allen Hamilton. "The hurdles are more bureaucratic than technical."
Developing workable plans to use technology to improve teamwork among
agencies will be the easy part. Getting agencies to accept them will be the
real challenge, she said.
"Change is painful," and those who plan for significant change typically
underestimate the difficulty of getting workers and managers to accept
change, she said. "Man is by nature tribal," and convincing people to
accept outside ideas, leaders and ways of doing things is difficult.
"Tribal ways will beat change every time if you're not careful," Doria said.
***********************
BBC
Tech managers targeted by cyber criminals
The head of the UK's cyber police unit has warned that tech managers could
become victims of kidnappers and organised crime.
Len Hynds, from the National Hi-Tech Crime Unit (NHTCU), has told Computing
magazine that computer bosses could be vulnerable to attack in the same way
as bank managers were targeted in the past.
Mr Hynds said that the NHTCU had already seen cases of criminal gangs
blackmailing companies after discovering weaknesses in their computer systems.
The next step could well be physical risk to technology managers, he said.
Tech recruits
"Organised criminals will intimidate people with access to information," he
told Computing.
He warned companies to improve recruitment and to be careful about the
people they employed in positions with access to computer data.
Criminal gangs were also likely to start hiring more people with
technological know-how as computers increasingly become an important tool
in crime, he said.
Computer forensic firm Datasec conducts investigations of criminal or
industrial computer crime and has had cases in which individuals within
organisations have been targeted for their knowledge about sensitive data.
Distributed responsibility
Managing director Adrian Reid believes employees with responsibility for
technology should exercise caution when talking about their work.
"If someone was going to target the IT manager, he or she will find out as
much about that individual as they can," he said.
"Employees in sensitive areas need to be careful about what they say about
themselves and what information about them is in the public arena," he said.
Nearly three-quarters of UK companies have sensitive data on their computer
networks and they too must do more to make sure that one person does not
have sole responsibility for such information.
"Companies should consider distributing responsibilities," said Mr Reid.
"It is harder to corrupt a group of people than it is one individual."
*************************
Government Executive
House passes law enforcement information-sharing bill
By Drew Clark, National Journal's Technology Daily
The House on Wednesday passed a bill that would permit federal law
enforcement authorities to share information about potential terrorist
attacks with state and local authorities.
Passed by a vote of 422-2, the bill, H.R. 4598, would require the president
to promulgate guidelines for sharing classified and sensitive intelligence
information, as well as information obtained through wiretaps or grand-jury
investigations.
House Intelligence Terrorism and Homeland Security Subcommittee Chairman
and bill sponsor Saxby Chambliss, R-Calif., said the measure seeks to get
information about "potential acts of terrorism declassified and redirected
to people on the front lines."
"We do a great job of getting information," he said, as he acknowledged
weaknesses within the CIA and FBI. "But we don't do a great job of sharing
information."
Rep. Anthony Weiner, D-N.Y., added that a key impetus for the bill came
when New York City officials learned information about a threat from Time
magazine rather than from FBI officials. He called the bill an attempt to
rationalize existing laws that currently bar federal agents from
communicating sensitive and classified information with local police.
"This is an effort to empower local officials upon whose real estate future
attacks may occur," said Jane Harman, ranking Democrat on the Intelligence
subcommittee. "Homeland security is a bottom-up problem and not a top-down
problem. It is not about the best arrangement of deck chairs but about
getting the 'first responders' the information they need."
In a policy statement, the Bush administration expressed support for the
goals of the legislation, saying that it "seeks to balance and reconcile
the needs of state and local personnel to have access to timely and
relevant homeland security information to combat terrorism, with the need
to protect and safeguard both classified and sensitive but unclassified
information."
Although the bill would require the president to decide upon procedures for
sharing information within a year, it would empower him to set them. Among
the options it suggests are boosting the number of security
clearances, deploying non-disclosure agreements or increasing the use of
joint terrorism task forces with the FBI.
But the policy statement also raised two specific concerns: that the
definition of "homeland security information" includes census information
"that has been collected solely for statistical purposes under a pledge of
confidentiality," and that provisions regarding the dissemination of
foreign intelligence information could limit the administration's
flexibility under the anti-terrorism law Congress passed in October.
Several members of the House Judiciary Committee raised privacy concerns
about the bill but said they were largely satisfied by amendments adopted
in committee.
"For public-safety information, we need to be able to communicate what is
known," said Rep. Bobby Scott, D-Va. "But it must be limited just to those
who need it, and is not spread around on the Internet where everyone can
see it."
Rep. Sheila Jackson-Lee, D-Texas, said the law needs to ensure that
information from whistleblowers is shared, but she withdrew her amendment
to make such a change on the floor.
*********************
MSNBC
Kiss your MP3s at work goodbye
Companies crack down on employees using streaming media
By Lisa M. Bowman
June 27: Stash those headphones and trash that file-swapping software:
Companies are cracking down on employees who use streaming media and swap
MP3s at work.
COMPANIES INCREASINGLY ARE blocking access to Internet music and
video at firewalls and are issuing sweeping initiatives that ban workplace
media usage. The trend is a result of two developments: media usage hogging
enormous amounts of corporate bandwidth and threats of legal liability as
the entertainment industry aggressively pursues copyright scofflaws.
The Recording Industry Association of America is beginning to train
its legal guns on companies it thinks are aiding copyright theft by
allowing workers to trade free music and movies at work.
In April, the RIAA announced a settlement with an Arizona company
that allegedly let employees trade MP3 files over an internal network.
Integrated Information Systems (IIS) agreed to settle the case for $1
million. And more companies will be facing similar charges, according to
RIAA President Cary Sherman.
"We'd very much like corporations to think about their obligations
to respect the intellectual property rights of our artists and labels," he
said. "Some of these corporations, we are told, have their own little
networks that is very clearly illegal."
Typically, the RIAA receives tips about alleged illegal file
swapping through its anonymous tip line. It then threatens legal action and
asks companies to stop. So far, the tactics may be working.
The IIS incident, along with the RIAA's punishment of file-swapping
networks such as Napster and Kazaa, has prompted companies to examine their
own usage policies to make sure they're not running afoul of copyright law.
"I think that got people's attention," Ross Blanchard, director of
marketing at online song database Gracenote, said of the IIS settlement.
NETWORK HOGS
Then there's the bandwidth strain.
Companies are slowly realizing that their sluggish networks may not
be the result of a flurry of e-commerce transactions or an influx of
training videos. Instead, employees may be slowing the system simply to get
their hands on a copy of the latest "Star Wars" movie.
"There's just so much broader use of networks than what they were
intended for," said Wilson Craig, the public relations manager for
Packeteer, which makes products to manage network traffic.
Craig said companies will come in with complaints about sluggish
networks, thinking newly installed corporate software is to blame, only to
discover that 40 percent of their bandwidth is being taken up by music
downloads.
People are more likely to use their work computers than home
computers to swap media files or listen to streaming audio or video,
according to research firm Nielsen/NetRatings. That's probably because
their office computers are connected to higher-speed networks than their
home machines. Some studies have estimated that as many as one in five work
computers contains file-swapping software.
Even companies in the business of protecting corporate networks
from abuse and strain aren't immune from the problem. NetReality, which
makes network management software, saw its system grind to a halt one day.
The cause: Someone in the Israeli office was downloading a copy of "The
Lion King."
It's not an unusual discovery, as more media become available to
wreak havoc on corporate networks, surprising companies large and small
with their popularity. The availability of swapping sites and digital music
and movies has never been greater, despite Hollywood's attempts to restrict
them.
The number of "peer-to-peer" Web sites has increased fivefold in
the past year, according to Websense, a company that makes software to
monitor and block employee Web usage. What's more, Websense says, the
number of sites containing streaming media, such as online movie theaters,
has jumped fourfold in the past year to 400,000 Web pages.
"I DON'T WANT TO WAIT"
Companies can use several tactics to stem the flow of unwanted
media files on their networks, including blocking access or simply telling
employees there's a ban. But determined workers and developers, it seems,
are finding ways around such obstacles. For example, some file-swapping
technology can trick a network into allowing it in by disguising itself as
a mundane piece of software.
And as Napster and its underground offshoots have shown, people
will find ways to collect movies and music. An employee of
Entertainment Weekly who asked not to be identified said he regularly
obtains music from file-swapping sites, despite a ban on the practice by
his employer, AOL Time Warner. The media giant owns one of the major record
labels that's successfully cracked down on such sites.
Although the company doesn't have an internal network and prohibits
use of major file-swapping sites, the employee said AOL Time Warner has yet
to block some smaller, more obscure sites where he can find music.
"If I like a song and I want to hear it, I don't want to wait for
the next hour or more to hear it on the radio," the employee said, adding
that he doesn't fear he'll be punished for securing tunes, as long as he
gets his work done.
"I get the impression they just turn the other way," said the
employee, who estimated that he buys about three CDs a month in addition to
obtaining music via the Web.
Others haven't been so lucky. Carla Tomino, a secretary at
Northwestern University, said she was fired last summer for violating a
policy prohibiting personal use of company equipment by storing 2,000 MP3
files on her computer.
Although firing may be an extreme case, Tomino is not alone in
being punished. According to Websense, about 35 out of 250 companies
surveyed in a recent poll had disciplined or reprimanded employees for
downloading songs.
But technological tricks or stringent corporate policies aren't
likely to stop the practice. As the Entertainment Weekly employee said, "If
you want it bad enough, you can find it."
JUST LIVE WITH IT
IT workers say the same thing: that the songs are already out of the
proverbial jewel box. Like universities, companies may have to learn to
live with a certain amount of media on their networks.
Frank Gillman, director of technology for the law firm Allen
Matkins Leck Gamble & Mallory, said streaming media and MP3s are only the
latest ways for employees to waste time and corporate resources.
"Every month brings something new that people will do," he said.
"Today's MP3 is just yesterday's Internet surfing, which was yesterday's
sending e-mail to relatives, which was yesterday's putting the book under
the table and reading."
Gillman said his company tries to block media files with Websense,
but he knows some of them still get through. Gillman said one of the most
effective deterrents is educating people and making it personal: telling
employees, for example, that even something as seemingly benign as
downloading a movie can cause major network problems for their buddy or
work group in the next cubicle.
"What you really want to do is protect people from themselves," he
said.
**********************
News.com
Critical hole found in encryption program
By Vivienne Fisher
Staff Writer, CNET News.com
June 27, 2002, 10:30 AM PT
A popular open-source program for encrypted communications has a serious
flaw that could let Internet attackers slip into servers running the
software, said its creators and a security company this week.
The program, Open Secure Shell (OpenSSH), is included in many widely used
operating system distributions, such as OpenBSD 3.0, OpenBSD 3.1 and
FreeBSD-Current, all open-source variants of the Unix OS. Such operating
systems appear on networking equipment and security appliances, among other
things.
The flaw affects versions 3.0 to 3.2.3 of the software, said Grant Slender,
principal consultant for Australasia at network protection company Internet
Security Systems, which first discovered the vulnerability.
Slender said the flaw involves OpenSSH's inadequate handling of "buffer
overflow" attacks, in which a message sent to a program is much longer than
the program is designed to expect. Attackers exploit such holes by flooding
programs with more characters than they can accommodate and running the
excess characters as executable code.
Because of the flaw, "it is possible for a remote (off-site) attacker to
send a specially crafted (message) that triggers an overflow," according to
the ISS advisory. "This can result in a remote denial-of-service attack on
the OpenSSH daemon." A denial-of-service attack overloads a server with
requests for information, tying up the machine indefinitely.
The advisory also said that hackers exploiting the hole would enter a
server at the highest level of access. "The OpenSSH daemon runs with
superuser privilege, so remote attackers can gain superuser access by
exploiting this vulnerability," it said.
ISS has been criticized recently for its handling of another security alert
involving a flaw in the popular open-source Apache Web server. ISS alerted
the public to the Apache hole the same day it warned the Apache developers,
giving the programmers no head start on fixing the flaw. This time, the
company gave notice.
Slender said ISS notified OpenSSH's senior developer, who had created a
patch. "In this case, we did contact the senior developer and, with his
coordination, we worked toward making sure the (programming) community was
ready to have the vulnerability announced," he said.
ISS is advising system administrators to disable unused OpenSSH
authentication mechanisms.
It's also possible for administrators to remove the vulnerability by
disabling the challenge-response authentication parameter within the
OpenSSH daemon configuration file, according to the advisory. Slender also
said people should upgrade.
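The two mitigations the advisory describes (upgrade, or turn off challenge-response authentication in the daemon configuration) can be checked from a script. The following is an added example, not code from the article, ISS or the OpenSSH project; it assumes the sshd_config keyword `ChallengeResponseAuthentication`, which sshd treats as "yes" when the keyword is absent, and the 3.0 to 3.2.3 affected range the article states.

```python
"""Audit an sshd_config against the challenge-response mitigation above.

Added example, not from the article or the OpenSSH project. Assumes the
keyword ChallengeResponseAuthentication (default "yes" when absent) and the
3.0 through 3.2.3 affected range given in the article.
"""
import re

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 2, 3)


def parse_version(version):
    """Return (major, minor, patch) from a string such as '3.2.3p1'.

    The portable-release suffix ('p1') is ignored for the comparison.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version):
    """True when the version lies inside the article's 3.0 to 3.2.3 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def challenge_response_enabled(config_text):
    """True if the global ChallengeResponseAuthentication setting is 'yes'.

    sshd keywords are case-insensitive, '#' starts a comment, and sshd keeps
    the first value it sees for a keyword. Lines inside a Match block (a
    feature of later OpenSSH releases) are skipped: they do not change the
    global default.
    """
    setting = None
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "challengeresponseauthentication" and setting is None:
            setting = value
    if setting is None:
        return True  # OpenSSH default when the keyword is absent
    return setting == "yes"


def assess(version, config_text):
    """Combine version and configuration into a short verdict string."""
    if not is_affected_version(version):
        return "not affected: version %s outside 3.0-3.2.3" % version
    if challenge_response_enabled(config_text):
        return "VULNERABLE: upgrade, or set ChallengeResponseAuthentication no"
    return "mitigated by config; upgrade still recommended"


# Constructed sample configurations for demonstration.
SAMPLE_VULNERABLE = """\
# constructed sshd_config: keyword absent, so the default (yes) applies
Port 22
Protocol 2
PasswordAuthentication no
"""

SAMPLE_MITIGATED = """\
# constructed sshd_config: first value wins, keyword is case-insensitive
Port 22
challengeresponseauthentication NO   # disables the vulnerable code path
ChallengeResponseAuthentication yes  # ignored: sshd keeps the first value
"""

if __name__ == "__main__":
    print(assess("3.2.3p1", SAMPLE_VULNERABLE))
    print(assess("3.2.3p1", SAMPLE_MITIGATED))
```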
Information about the vulnerability has been posted on security mailing
lists such as Bugtraq and Debian.
Staff writer Vivienne Fisher reported from Sydney. News.com's Robert Lemos
contributed to this report.
************************
ZDNET
Police database brings feature searching
By Reuters
In Arizona and Los Angeles, police are replacing law enforcement mainstays
such as mug shots and lineups of suspects with technology some call Mr.
Potato Head.
The photographic database and facial recognition systems, called Crime
Capture and CrimeWeb, allow investigators to pick different types of facial
features to search databases for criminals. It's not unlike the toy famous
for allowing kids to change body parts on a potato, police said.
"We've named it Mr. Potato Head in Arizona," said Cyndy Pellien,
administrative services officer for the Arizona Department of Public Safety.
"You can pick different types of eyes and hair," or even search for a
specific tattoo, she said. "If there is a missing child, we have the
ability to scan their school photo in the system and do flyers to notify
people statewide immediately."
The software from ImageWare Systems replaces the paper records that can
often take days or weeks to find or send to other agencies.
Officials around the United States are using the system to take digital
photos of faces, tattoos, scars and other identifying features of people
arrested.
The photos, combined with fingerprints, names and other personal
information, are aggregated into a database that can be accessed by other
law enforcers.
"Before, if you were booked, your picture was taken on real film. Then it
was sent to a lab and developed," said Sgt. Larry Bryant of the L.A. County
Sheriff Department's records and identification bureau, where officials
arrest about 30,000 people a month.
"The police agency right next door never knew that a booking photo
existed," he said. "They would have to send a letter to the crime lab
requesting a copy, and that could take a week to two weeks to process."
The database is easily searchable, allowing its users to quickly find faces
that are similar to a witness' description. For example, officials in Los
Angeles County can use a composite sketch to search on its database of 1.5
million faces and get a list of faces that most closely match, Bryant said.
The wheels of law
The system also can help identify cars, allowing officials to search on
different makes, models and types and even add dents and pin stripes, said
Jim Miller, chief executive of ImageWare Systems, based in San Diego.
ImageWare's technology is also accessible by mobile devices. Los Angeles
County is testing the system on iPAQ handheld computers, said Bryant.
Critics of facial recognition software, increasingly touted by law
enforcers since the attacks of Sept. 11, say the technology is unreliable
and violates individual privacy rights when used to grab images of
unsuspecting people in crowds. "People shouldn't be held as a suspect just
because a technology holds them to be that way," said Mihir Kshirsagar, a
policy fellow at the New York-based Electronic Privacy Information Center.
Miller said the technology is not relied on as the sole source of
identification, and the central repository at ImageWare is not connected
with any outside databases. "It's not a guilt or innocence tool," he said.
In the United States, about 900 police departments, including in New York
and Los Angeles, and federal agencies such as the FBI use ImageWare
technology, according to Miller.
In Las Vegas, officials use the system to automate background checks for
250,000 casino workers, while the state of New South Wales, Australia,
including the state capital Sydney, and the country of Costa Rica are also
putting it into use, he said.
**********************
Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx