
Clips May 14, 2003




ARTICLES

Feds prep for 2005 belt tightening
Lowery named acting FBI CIO 
Budget crunch crimps TSA's broadband plans
New Internet bug attacks administrator/password logins 
Fake bank Web site scam reaches U.S.
Blacklists vs. Spam 
Buffalo Spammer Arrested 
Net lags in health use 

*******************************
Federal Computer Week
Feds prep for 2005 belt tightening
Projects must prove their worth
BY Judi Hasson 
May 12, 2003

Outgoing Office of Management and Budget Director Mitchell Daniels Jr. released a memo last month outlining the fiscal 2005 budget process, and it does not look good for many information technology projects.

Daniels, who announced his resignation effective in early June, warned agencies that it would be a tough year because of record spending for homeland security and the war in Iraq. He said agencies would have to justify their plans to spend money and find funds for new programs by eliminating those that have not worked.

"We should constantly look for ways to save the taxpayers' money," Daniels wrote in his memo, "but it is particularly important to restrain the growth in spending when we need to meet these new [homeland and national security] priorities during a period of unprecedented pressures on the federal budget." 

The news was no surprise to most chief information officers, who have been pressured to justify their spending under the President's Management Agenda and to develop enterprise architecture plans to eliminate redundancies and more effectively spend money.

"The importance of enterprise architecture is growing," said Barry West, CIO at the National Weather Service. "It gives us a real feel for the inventory from software to hardware to networks."

Ultimately, West said, such plans will allow agencies to cut redundancies and save money. But the policy coming from Daniels' office is far more direct, according to some CIOs.

"There is more emphasis on IT," said Linda Rosenberg, CIO at NASA's Goddard Space Flight Center. "Business cases are critical. There is more emphasis on certain components of the budget and where we are spending the money."

Rosenberg's IT budget is only about $22 million, a fraction of what many federal agencies spend. But she is facing the same critical tests for every dollar.

"Our missions have been embedded, and for the first time, we're being asked to pull it out and report it separately," Rosenberg said. "You never get all the money you want, and you never can fund everything you want."

With that kind of pressure, CIOs attending the biannual CIO Summit last week in Savannah, Ga., sponsored by FCW Media Group, said they have known that the fiscal 2005 budget cycle would be tougher than the fiscal 2004 budget, which is now making its way through Congress, or even the fiscal 2003 budget, which did not even begin providing money for projects until last month.

So Daniels' marching orders were familiar to most. In his memo, he said the President's Management Agenda remains a top priority.

"We expect agencies to meet the long-standing goal to submit budgets that align resources with performance measures," he said. "If you are seeking increases in any program, make sure [they are] offset by reductions in lower priority or inefficient programs."

Melissa Chapman, CIO at the Department of Health and Human Services, said the word to tighten spending had already filtered down to her staff in a memo from the office of HHS Secretary Tommy Thompson. 

"We've had the expectation that OMB would ask us to stretch and continue to target reductions in costs," Chapman said.

The business world is also experiencing budget woes, according to Robert Golas, executive director of business development at Oracle Federal.

If an agency does not do well on its business case, it does not get the go-ahead for the project, he said. And that puts pressure on companies who want to do business with agencies.

Nevertheless, there are some winners this year. For instance, Defense agencies are expected to get the money they need as soon as they need it.

"I'm anticipating that it won't be rough because it's defense," said Carla von Bernewitz, director of the Army's Enterprise Integration Oversight Office.

"There are always budget restraints," said David Borland, the Army's deputy CIO. "We're always on the lookout for projects not succeeding. That's no different now than it's ever been."

What is different is that no agency will be exempt from the spending priorities, even the Homeland Security Department.

By September, DHS will have its own enterprise architecture that highlights the top 20 to 25 initiatives that must be supported. That will be the road map for the agency, according to Steve Cooper, the department's CIO, who said he is comfortable with the new budget scenario.
*******************************
Government Computer News
05/14/03 
Lowery named acting FBI CIO 
By Wilson P. Dizard III 

The FBI today announced the appointment of executive assistant director W. Wilson Lowery to the job of acting CIO while the bureau conducts a nationwide search to replace CIO Darwin A. John, who is retiring. 

John is set to retire on Friday, the bureau said. He will provide consulting services to the bureau one week a month, according to his assistant, Linda Klien. John was not available for comment. 

FBI director Robert S. Mueller III said that Lowery, "having already played a major role in our successful efforts to date, gives us the ability to transition smoothly as we carefully pursue a permanent CIO." Lowery will report to Mueller.

John took over the job of FBI CIO last July [see story at www.gcn.com/21_19/storage/19300-1.html]. He formerly was director of information and communication systems worldwide for the Church of Jesus Christ of Latter-Day Saints. 

During John's tenure, the bureau progressed in the creation of its Trilogy network of Web systems for FBI special agents. The network switched on in March [see story at www.gcn.com/vol1_no1/sandl/21027-1.html], and it now connects about 700 sites where agents work, using about 22,000 PCs.

The bureau also worked to activate an information sharing data mart during John's tenure in office, under Lowery's leadership.

The FBI continued to have a complex relationship with the CIA and the Homeland Security Department, however, and took a secondary place in the merging of homeland security intelligence information [see story at www.gcn.com/vol1_no1/daily-updates/21262-1.html]. 

revised 5/14, 2:30 pm
*******************************
Government Computer News
05/14/03 
Budget crunch crimps TSA's broadband plans
By Nancy Mosquera 

Two of the nation's airports now have broadband connections under the Transportation Security Administration's three-phase IT plan to improve security and customer service for the traveling public.

But a tight federal budget is slowing down TSA's wide rollout of IT improvements, CIO Patrick Schambach said yesterday at a management panel sponsored by Unisys Corp., which is building an advanced IT infrastructure for the agency.

Under the first phase of the plan, security offices at all 429 major commercial airports now have bare-bones mobile IT equipment, such as notebook PCs and cell phones, and dial-up access to a virtual private network. 

TSA has called its three-phase implementation the Red, White and Blue Plan, with each phase establishing a more advanced IT infrastructure. 

The agency has completed advanced connectivity at Charlotte International Airport in North Carolina and Dallas Love Field in Texas, the test airports for the white phase, Schambach said. At those airports, Unisys has built a LAN and connected to the TSA WAN. TSA is analyzing how the installations measure up and what adjustments need to be made before five more airports are wired for advanced connectivity, he said. 

All airports were originally expected to have broadband connections next year. "The budget's going to be a squeeze for the foreseeable future, forcing some tough decisions and some trade-offs to be made," Schambach said.

TSA is in a unique position. Building an agency infrastructure from the bottom up eliminates the need to operate with legacy systems. Under the managed-services contract, Unisys and its partners are providing IT and telecommunication services, including hardware and software, help desk, network security and business process services. But Schambach said it has also been a curse because he had no foundation on which to build to support 60,000 employees. Budget restrictions further complicate the IT rollout. 

Schambach said he has to remind staff to focus on outcomes and the requirements needed to get there. "I want TSA to be dragged forward to the best practices," he said. Service-level contracts and shared accountability and planning are examples, he said.

The contract also contains incentives for Unisys for good performance if TSA achieves its goals and the vendor meets or exceeds its service levels.
*******************************
Government Computer News
05/14/03 
New Internet bug attacks administrator/password logins 
By Carlos A. Soto 

A new virus called Nick has begun infecting the registries of computers with login settings established as Administrator and passwords set as Password. Once inside, the virus establishes a File Transfer Protocol site for spam relay and storage. 

The name of the bug appears to be Nick because that word appears frequently in the script files. 

The virus initiates when a user clicks X or OK to close a spam box that randomly opens on screen. To see whether your Microsoft Windows system is infected, open the Windows Registry Editor, or regedit, from the Start-Run menu options.

In regedit, navigate to Software, Microsoft, Windows, CurrentVersion, Run. Delete all Hidden 32 files.

These steps were tested in a Windows 2000 Advanced Server environment and might need adjustment depending on your Windows operating system. 

*******************************
Computerworld
Fake bank Web site scam reaches U.S.
By David Legard, IDG News Service
MAY 14, 2003

Bank of America Corp. has warned its customers to be aware of a scam that attempts to get them to log into a fake Web site that then captures their personal financial details.

The scam was attempted recently via e-mail and is similar to ones recently perpetrated in Australia on Commonwealth Bank, Westpac Bank, and Australia and New Zealand (ANZ) Bank.

The fraud works by sending a spoof e-mail to bank customers asking them to click on a link to a fake site resembling the real bank site, where customers are asked for their account name and password. Fewer than 75 customer accounts were compromised in the latest scam; the bank has helped those customers change their passwords and protect their accounts. The fraudulent site was shut down within 13 hours, and details about the e-mail distribution and its source are under investigation, Bank of America said. 

Bank of America urged its customers to take precautions when making transactions online, including the following: 


Review a Web site's URL to check its legitimacy, seeing whether the spelling is correct or appears suspicious. 

Be careful before providing personal information, Social Security numbers, and account or credit card information over the telephone, in person or on the Internet. 

Notify the bank of suspicious phone or e-mail inquiries, such as those asking for account information to verify a statement or award prizes.

The Australian scams also failed to cause any serious damage, with only 50 customers at ANZ needing their accounts set up again.

A wider form of online bank fraud proliferating worldwide is "419," or advance-fee scams, which are perpetrated by Nigerian gangs who have set up several dozen fake bank Web sites that have no relation to any actual bank. In this scam, the gangs use e-mail to try to persuade victims to help them make multimillion-dollar transfers out of Nigeria in return for a percentage of the money.

Victims are encouraged to set up an online bank account with the fake bank, where the money duly appears. The victim is then asked to pay the fraudsters some fake charges or taxes by another method such as Western Union, at which point their account at the fake bank disappears. 

These fake bank sites are operated freely in Amsterdam, giving the fake bank credibility it wouldn't have if it were based in Nigeria, according to a group that monitors these frauds. "When the crime crosses borders, the police of other nations [apart from Nigeria] have a chance to get involved. But anecdotal evidence suggests that this is rare," the Chaos Project antifraud group wrote in an advisory. "The authorities in some countries place a fiscal limit on getting involved -- you have to have lost quite a lot of money before they will bother investigating." 

The antifraud Web site Scamorama and other security organizations have compiled lists of over 50 fake banks set up and used by the Nigerian 419 fraudsters. A partial list is available online: <http://www.scamorama.com/bankscam.html>
*******************************
Washington Post
Blacklists vs. Spam 
A Powerful Tool for Defeating Junk E-Mail Has Its Detractors 
David McGuire
Wednesday, May 14, 2003; 7:10 AM 

Bennett Haselton didn't realize at first that his e-mail wasn't being delivered. While doing some routine maintenance, the First Amendment activist noticed in September 2000 that not only were his outgoing e-mail messages being blocked, but his Web site, Peacefire.org, was unreachable by many Internet users.

Three years later, Haselton knows firsthand that the war against the wave of unsolicited commercial e-mail -- spam -- that is paralyzing computer networks worldwide is a messy one. It's a war waged not just by the corporate giants who own the computer networks that make up the Internet's backbone, but by little-known guerilla groups equally opposed to junk e-mail. It's a war with lots of unintended consequences, as Haselton found out when he learned that his e-mail problems were the result of his organization being blacklisted.

Blacklists, also referred to as "block lists" or "blackhole lists," are compilations of Internet addresses associated with known spammers. Many are publicly available online, and system administrators often use the lists to block all incoming e-mail from those addresses. Like black holes, they are powerful and poorly understood -- and escaping their grasp can be impossible. This has made them one of the most effective yet controversial weapons in the crusade against unsolicited e-mail.

Haselton found out that his organization had been placed on the Mail Abuse Prevention System (MAPS) list because of complaints that his Internet service provider, Media3 Technologies, refused to cut off service to companies suspected of doing business with spammers. MAPS blacklisted a group of Media3's addresses, and ISPs using the MAPS list blocked e-mail coming from those addresses -- including Haselton's.

Blacklist operators call this "collateral damage," admitting that it is an unfortunate side effect. But for people like Haselton, who can go unaware for weeks that their messages are dissolving into the ether, collateral damage can seriously hinder someone's ability to communicate via the Internet.

One problem that the unintended victims of blacklists frequently encounter is that the people who compile them often keep a low profile. As a result, it's hard for people whose service providers get blacklisted to appeal. Sometimes, the only option for someone who gets blacklisted is to change ISPs.

Even the most ardent spam opponents worry that the cure could be worse than the disease.

"If you have a block list that stops 100 percent of spam and 75 percent of legitimate mail, you've solved the spam problem, but you've created another problem," said Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial Email (CAUCE).

But harried system administrators, desperate to prevent spam from crippling their networks, are more supportive of blacklists. They're the ones who hear the complaints when their customers are buried in spam, and it's their budgets that are tapped to foot the bill for the extra bandwidth and computer space needed to house reams of unwanted e-mail.

The spam problem is so bad that every network administrator uses some sort of blacklist to sort good e-mail from bad, according to Nate Shue, a senior network engineer at Vienna, Va.-based software firm Industrial Medium LLC. 

Shue said the lists are more useful than spam filters because they block offending e-mails before they reach the network. Blacklists are a more efficient option than e-mail filters, which can keep most offensive e-mail out of recipients' inboxes, but only after those e-mails have entered a company's network. By the time the filter does its job, the recipient has already paid the price of handling the message.

"The fact that someone has to hit the delete key is not what I'm concerned with. You've already suffered the damage at that point," Shue said.

Big e-mail hosts like America Online, Microsoft and Yahoo can afford to develop their own blacklists, but smaller organizations typically rely on lists published by groups like MAPS, Spamhaus and SpamCop.

Some administrators take those lists and install them directly at the borders of their networks, while others, like Shue, use the lists in conjunction with their own research to determine who gets blocked.

MAPS published its first blacklist in 1998, and dozens of groups have released their own since then. Many are small-scale, volunteer-based operations that let system administrators use the lists for little or no charge.

One popular list created by SpamCop is compiled automatically based on complaints submitted by e-mail users. To get off the list, e-mailers must appeal to SpamCop founder Julian Haight. Haight acknowledged that the system isn't foolproof. He deletes improper listings, but it's a time-consuming process for one person.

One list -- the Spam Prevention Early Warning System, or "SPEWS" -- has especially enraged e-mail marketers.

It is unknown who runs SPEWS, and the Web site -- spews.org -- offers few answers. The site's registration information at various Internet WHOIS databases is deliberately false, with the e-mail contact listed as not@xxxxxxxxxxxxxx

The SPEWS site recommends that people who think they've been falsely included on its blacklist direct their complaints to a newsgroup available through Google. The site also makes it clear that posting to the newsgroup won't help disgruntled bulk e-mailers get off the list. "Only the discontinuation of spam and/or spam support will," the site says.

SPEWS is a popular target of blacklist critics, whose greatest concern is the lack of accountability among list operators.

"If you're occasionally wrong and you're handling other peoples' mail, then you have to have very clear, very useful, very accessible tools for correction," Electronic Frontier Foundation (EFF) Legal Director Cindy Cohn said.

Cohn fears that blacklists could be used by individuals or political groups to stifle opposing views, since many operators rely at least in part on customer complaints to compile their lists.

The left-leaning MoveOn.org has struggled to keep its addresses off blacklists, despite the fact that it only sends its bulk messages to people who have signed up to receive them, said President Wes Boyd. Boyd suspects that some of MoveOn's ideological opponents sign up for the MoveOn list, then complain to blacklisters that they're being spammed. The group has seen its messages bounced from some ISPs in what appears to be the result of blacklisting.

Everett-Church of CAUCE said that some blacklists indeed become "little more than tools for people's personal vendettas."

America Online maintains a 24-hour toll-free number for e-mailers to call if they feel they've been improperly blocked, but smaller list operators don't have those resources.

For all the controversy surrounding blacklists, nobody envisions them disappearing anytime soon. E-mailers and ISPs have lately begun suing specific block lists for defamation. The outcome of those cases could have an impact on how the lists are used, but few would argue that the lists are illegal.

The Federal Trade Commission, which has led government efforts to address spam, takes no position on blacklists, FTC staff attorney Brian Huseman said. In fact, the agency uses them to protect its own e-mail network.

It took Bennett Haselton more than a year to get off the MAPS list. In the meantime, the ISPs that were using the list to block Peacefire.org restored access and his own service provider allowed him to route outgoing e-mail through another machine.

The tech-savvy Haselton said another user in his position might not have been so lucky.

"The biggest problem I have, by far, with any of it, is that [administrators who use blacklists] hide the fact that any of it's going on so that their users won't know and therefore won't complain," Haselton said.

Earlier this month, Haselton tried to send e-mail to a reporter at a Seattle television station only to have the message bounced back by the station's blacklist. Apparently Peacefire.org had landed on a different list of "known spammers," leaving Haselton to begin another climb out of the black hole.
*******************************
Washington Post
Buffalo Spammer Arrested 
Reuters
Wednesday, May 14, 2003; 1:48 PM 

NEW YORK (Reuters) - The man known as the "Buffalo Spammer," who has allegedly sent 825 million unwanted e-mails, has been arrested and arraigned, New York Attorney General Eliot Spitzer said on Wednesday.

Howard Carmack, a 36-year-old resident of Buffalo, New York, entered not guilty pleas before a Buffalo City Court judge and bail was set at $20,000, the Attorney General's office said in a statement.

"We believe Carmack is one of the largest (spammers) and believe there are a significant number of them," Spitzer said in a conference call. "Spammers who forge documentation and steal identities of others to create their e-mail traffic will be prosecuted."

Spam, or unwanted e-mail hawking everything from herbal sexual stimulants to mortgages, has become a growing issue as it now comprises as much as 75 percent of online messages.

About two-thirds of the spam that jams up in-boxes contains deceptive information such as false return addresses or pitches for miracle cures and work-at-home schemes, according to a recent analysis by the U.S. Federal Trade Commission.

The Attorney General's office said in a statement its Internet bureau receives more complaints about spam than about any other Internet-related issue.

"Spam itself is not -- of itself -- a crime," Spitzer said. "What makes this criminal conduct is the intersection of spamming with forgery and identity theft."

Carmack was charged with: stealing the identity of two residents to open Internet access accounts with EarthLink Inc.; falsifying the business records of EarthLink; forging the headers of e-mail sent from the EarthLink accounts; and possessing a software program designed to create the forged e-mails, the Attorney General's office said in a statement.

Spitzer said his office worked with the Federal Bureau of Investigation and EarthLink, the nation's No. 3 Internet service provider. Last week EarthLink won a $16 million settlement and injunctive relief against Carmack in U.S. district court in Atlanta after a year-long investigation.

"He cost EarthLink more than $1 million," Spitzer charged. "And he opened in excess of 343 e-mail accounts using stolen identities."

The prosecution is the first by Spitzer under New York's identity theft statute, which was enacted in November.

Carmack's public defender was not immediately available for comment. The next court date is May 19.

Spitzer said more arrests in this case are not expected at the moment, but the investigation continues as Carmack's computer has been seized. He said investigations into other spammers are underway but declined to comment further.

The arrest comes as Louisiana Republican Rep. Billy Tauzin plans to introduce an anti-spam bill this week that is expected to move quickly through Congress.
*******************************
USA Today
Net lags in health use 
By Rita Rubin, USA TODAY
May 13, 2003

Only about a fifth of American adults turned to the Internet for health care information in 2001, survey results suggest today.

That's a smaller share than previous studies have reported, but not insignificant, the authors say in the Journal of the American Medical Association.

"We hope this study suggests that, at least as of 2001, there was still room for improvement in making the Internet the kind of thing a lot of people would want to use," says lead author Laurence Baker, associate professor of health research and policy at Stanford University. 

In December 2001 and January 2002, Baker and his co-authors used the Internet to survey a nationally representative sample of U.S. adults 21 years or older. They received responses from 8,935, or about 70% of those surveyed.

About 40% of the respondents said they had used the Internet for health information in the previous year. Previous research had reported that as many as 75% to 80% of American adults with Internet access sought health information online, Baker and his co-authors say. About half of U.S. adults have Internet access, they report.

In 2001, for example, a survey by Harris Interactive found that 75% of adults with Internet access reported having gone online to "look for information about health topics." Spokeswoman Nancy Wong notes that the Harris survey did not restrict the question to Internet use in the previous year.

Still, 40% is "nothing to sneeze at," Baker says. Based on Census findings, it's comparable to the proportion of U.S. adults who play games or shop online and more than twice the share who pay bills online or access chat rooms or listservs, the authors say.

Concerns about the accuracy of health information on the Internet might dissuade some potential users, Baker says.

"I hope that's something that's improving over time," he says.

Though the Internet in general has become more useful since 2001, Baker doubts that the proportion of Americans who turn to it for health information in 2003 is dramatically higher than his survey found.

Only 5% of the survey respondents said they had bought a prescription drug online in the previous year. "We heard over and over that the Internet is a really up-and-coming place for selling (prescription) drugs," Baker says. "We were quite surprised actually by the low numbers that we found."

And only 6% of respondents said they had used e-mail to communicate with a health care professional in 2001, which was comparable to previous studies' findings, the researchers report.
*******************************