
Clips June 27, 2002

ARTICLES

Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say
Internet Body Proposes Reforms to Fight Web 'Squatters'
FEMA speeds up plans for new architecture and portal
Giuliani lauds IT's role in management, endorses national IDs
Publishers Sue Gator Over Web Ad Tactics
Microsoft Agrees to Alter a Special Service for Children
Spam: An Escalating Attack of the Clones
Manager of FBI computer overhaul resigns
File-sharing jamming proposed
Piracy fight gets serious
OMB takes aim at redundant IT
Military, FEMA test communications
'Tribalism' may defeat Homeland
Tech managers targeted by cyber criminals
Kiss your MP3s at work goodbye
Critical hole found in encryption program
Police database brings feature searching


****************************
Cyber-Attacks by Al Qaeda Feared
Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say
By Barton Gellman

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police department began investigating a suspicious pattern of surveillance against Silicon Valley computers. From the Middle East and South Asia, unknown browsers were exploring the digital systems used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-technology crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI traced trails of a broader reconnaissance. A forensic summary of the investigation, prepared in the Defense Department, said the bureau found "multiple casings of sites" nationwide. Routed through telecommunications switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

Some of the probes suggested planning for a conventional attack, U.S. officials said. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines. More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year, according to law enforcement and national security officials.

Unsettling signs of al Qaeda's aims and skills in cyberspace have led some government experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument of bloodshed. The new threat bears little resemblance to familiar financial disruptions by hackers responsible for viruses and worms. It comes instead at the meeting points of computers and the physical structures they control.

U.S. analysts believe that by disabling or taking command of the floodgates in a dam, for example, or of substations handling 300,000 volts of electric power, an intruder could use virtual tools to destroy real-world lives and property. They surmise, with limited evidence, that al Qaeda aims to employ those techniques in synchrony with "kinetic weapons" such as explosives.

"The event I fear most is a physical attack in conjunction with a successful cyber-attack on the responders' 911 system or on the power grid," Ronald Dick, director of the FBI's National Infrastructure Protection Center, told a closed gathering of corporate security executives hosted by InfraGard in Niagara Falls on June 12.

In an interview, Dick said those additions to a conventional al Qaeda attack might mean that "the first responders couldn't get there . . . and water didn't flow, hospitals didn't have power. Is that an unreasonable scenario? Not in this world. And that keeps me awake at night."

'Bad Ones and Zeros'

Regarded until recently as remote, the risks of cyber-terrorism now command urgent White House attention. Discovery of one acute vulnerability -- in a data transmission standard known as ASN.1, short for Abstract Syntax Notation One -- rushed government experts to the Oval Office on Feb. 7 to brief President Bush. The security flaw, according to a subsequent written assessment by the FBI, could have been exploited to bring down telephone networks and halt "all control information exchanged between ground and aircraft flight control systems."
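The article does not say what the ASN.1 flaw was, and ASN.1 itself is only a notation: the bugs that bring down equipment live in the decoders that parse the encoded bytes. The example below, written for this page and not taken from the article or from any product the researchers tested, shows the class of mistake that matters in a length-prefixed encoding such as BER: a decoder that trusts the declared length beside one that checks every length against the bytes actually present. The test vectors are constructed for the example.

```python
"""Length handling in a BER/DER TLV decoder: naive version beside a hardened one.

Illustrative code written for this page; it does not reproduce any specific
product's bug and is not the decoder the Finnish researchers tested.
"""


class DecodeError(ValueError):
    """Raised by the hardened decoder when the encoding cannot be trusted."""


def naive_tlv(buf, pos=0):
    """Read one tag-length-value triple, trusting the length octet.

    The declared length is used as-is. In Python the slice silently truncates
    and the returned position runs past the buffer; in C the same code reads
    or copies beyond the buffer.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    value = buf[pos + 2:pos + 2 + length]
    return tag, value, pos + 2 + length


def read_length(buf, pos):
    """Parse a definite BER length at buf[pos]; return (length, next_pos).

    Rejects the indefinite form, length octets that run off the buffer,
    implausibly wide length fields and non-minimal (non-DER) encodings.
    """
    if pos >= len(buf):
        raise DecodeError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: a single octet
        return first, pos
    n = first & 0x7F                      # long form: n following octets
    if n == 0:
        raise DecodeError("indefinite length not accepted")
    if n > 4:
        raise DecodeError("length field wider than 4 octets")
    if pos + n > len(buf):
        raise DecodeError("length octets run past end of buffer")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:
        raise DecodeError("non-minimal length encoding")
    return length, pos + n


def hardened_tlv(buf, pos=0):
    """Read one TLV, checking the declared length against the remaining bytes."""
    if pos >= len(buf):
        raise DecodeError("truncated before tag octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DecodeError("multi-octet tags not supported by this example")
    length, value_pos = read_length(buf, pos + 1)
    remaining = len(buf) - value_pos
    if length > remaining:
        raise DecodeError(f"declared length {length} exceeds {remaining} remaining bytes")
    return tag, buf[value_pos:value_pos + length], value_pos + length


def walk(buf, decoder):
    """Decode every top-level TLV in buf with the given decoder."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = decoder(buf, pos)
        items.append((tag, value))
    return items


def check(buf, decoder=hardened_tlv):
    """Return ('ok', items) or ('error', message) instead of raising."""
    try:
        return "ok", walk(buf, decoder)
    except (DecodeError, IndexError) as exc:
        return "error", str(exc)


# Constructed test vectors for this example.
GOOD = bytes([0x02, 0x01, 0x05,                      # INTEGER 5
              0x04, 0x02, 0xAA, 0xBB])               # OCTET STRING AA BB
OVERLONG = bytes([0x04, 0x10, 0xAA])                 # claims 16 value bytes, carries 1
LONG_FORM = bytes([0x04, 0x81, 0x80]) + b"A" * 128   # valid 128-byte OCTET STRING
NON_MINIMAL = bytes([0x04, 0x81, 0x05, 1, 2, 3, 4, 5])   # 5 encoded in long form
INDEFINITE = bytes([0x30, 0x80, 0x00, 0x00])         # indefinite-length SEQUENCE
```

The naive decoder "accepts" OVERLONG and INDEFINITE and hands back a truncated value with a position past the end of the buffer; the hardened decoder refuses both, and also refuses the non-minimal encoding, because a decoder that tolerates several encodings of the same length is one that signature checks and filters can be made to disagree with.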

Officials said Osama bin Laden's operatives have nothing like the proficiency in information war of the most sophisticated nations. But al Qaeda is now judged to be considerably more capable than analysts believed a year ago. And its intentions are unrelentingly aimed at inflicting catastrophic harm.

One al Qaeda laptop found in Afghanistan, sources said, had made multiple visits to a French site run by the Société Anonyme, or Anonymous Society. The site offers a two-volume online "Sabotage Handbook" with sections on tools of the trade, planning a hit, switch gear and instrumentation, anti-surveillance methods and advanced techniques. In Islamic chat rooms, other computers linked to al Qaeda had access to "cracking" tools used to search out networked computers, scan for security flaws and exploit them to gain entry -- or full command.

Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids. In some interrogations, the most recent of which was reported to policymakers last week, al Qaeda prisoners have described intentions, in general terms, to use those tools.

Specialized digital devices are used by the millions as the brains of American "critical infrastructure" -- a term defined by federal directive to mean industrial sectors that are "essential to the minimum operations of the economy and government."

The devices are called distributed control systems, or DCS, and supervisory control and data acquisition, or SCADA, systems. The simplest ones collect measurements, throw railway switches, close circuit-breakers or adjust valves in the pipes that carry water, oil and gas. More complicated versions sift incoming data, govern multiple devices and cover a broader area.

What is new and dangerous is that most of these devices are now being connected to the Internet -- some of them, according to classified "Red Team" intrusion exercises, in ways that their owners do not suspect.

Because the digital controls were not designed with public access in mind, they typically lack even rudimentary security, having fewer safeguards than the purchase of flowers online. Much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries, and specialists said the security flaws are well known to potential attackers.

Until recently, said Director John Tritak of the Commerce Department's Critical Infrastructure Assurance Office, many government and corporate officials regarded hackers mainly as a menace to their e-mail.

"There's this view that the problems of cyberspace originate, reside and remain in cyberspace," Tritak said. "Bad ones and zeros hurt good ones and zeros, and it sort of stays there. . . . The point we're making is that increasingly we are relying on 21st century technology and information networks to run physical assets." Digital controls are so pervasive, he said, that terrorists might use them to cause damage on a scale that otherwise would "not be available except through a very systematic and comprehensive physical attack."

'Mapping Our Vulnerabilities'

The 13 agencies and offices of the U.S. intelligence community have not reached consensus on the scale or imminence of this threat, according to participants in and close observers of the discussion. The Defense Department, which concentrates on information war with nations, is most skeptical of al Qaeda's interest and prowess in cyberspace.

"DCS and SCADA systems might be accessible to bits and bytes," Assistant Secretary of Defense John P. Stenbit said in an interview. But al Qaeda prefers simple, reliable plans and would not allow the success of a large-scale attack "to be dependent on some sophisticated, tricky cyber thing to work."

"We're thinking more in physical terms -- biological agents, isotopes in explosions, other analogies to the fully loaded airplane," he said. "That's more what I'm worried about. When I think of cyber, I think of it as ancillary to one of those."

White House and FBI analysts, as well as officials in the Energy and Commerce departments with more direct responsibility for the civilian infrastructure, describe the threat in more robust terms.

"We were underestimating the amount of attention [al Qaeda was] paying to the Internet," said Roger Cressey, a longtime counterterrorism official who became chief of staff of the President's Critical Infrastructure Protection Board in October. "Now we know they see it as a potential attack vehicle. Al Qaeda spent more time mapping our vulnerabilities in cyberspace than we previously thought. An attack is a question of when, not if."

Ron Ross, who heads a new "information assurance" partnership between the National Security Agency and the National Institute of Standards and Technology, reminded the InfraGard delegates in Niagara Falls that, after the Sept. 11 attacks, air traffic controllers brought down every commercial plane in the air. "If there had been a cyber-attack at the same time that prevented them from doing that," he said, "the magnitude of the event could have been much greater."

"It's not science fiction," Ross said in an interview. "A cyber-attack can be launched with fairly limited resources."

U.S. intelligence agencies have upgraded their warnings about al Qaeda's use of cyberspace. Just over a year ago, a National Intelligence Estimate on the threat to U.S. information systems gave prominence to China, Russia and other nations. It judged al Qaeda operatives as "less developed in their network capabilities" than many individual hackers and "likely to pose only a limited cyber-threat," according to an authoritative description of its contents.

In February, the CIA issued a revised Directorate of Intelligence Memorandum. According to officials who read it, the new memo said al Qaeda had "far more interest" in cyber-terrorism than previously believed and contemplated the use of hackers for hire to speed the acquisition of capabilities.

"I don't think they are capable of bringing a major segment of this country to its knees using cyber-attack alone," said an official representing the current consensus, but "they would be able to conduct an integrated attack using a combination of physical and cyber resources and get an amplification of consequences."

Counterterrorism analysts have known for years that al Qaeda prepares for attacks with elaborate "targeting packages" of photographs and notes. But, in January, U.S. forces in Kabul, Afghanistan, found something new.

A computer seized at an al Qaeda office contained models of a dam, made with structural architecture and engineering software, that enabled the planners to simulate its catastrophic failure. Bush administration officials, who discussed the find, declined to say whether they had identified a specific dam as a target.

The FBI reported that the computer had been running Microstran, an advanced tool for analyzing steel and concrete structures; Autocad 2000, which manipulates technical drawings in two or three dimensions; and software "used to identify and classify soils," which would assist in predicting the course of a wall of water surging downstream.

To destroy a dam physically would require "tons of explosives," Assistant Attorney General Michael Chertoff said a year ago. To breach it from cyberspace is not out of the question. In 1998, a 12-year-old hacker, exploring on a lark, broke into the computer system that runs Arizona's Roosevelt Dam. He did not know or care, but federal authorities said he had complete command of the SCADA system controlling the dam's massive floodgates.

Roosevelt Dam holds back as much as 1.5 million acre-feet of water, or about 489 billion gallons. That volume could theoretically cover the city of Phoenix, down river, to a height of five feet. In practice, that could not happen. Before the water reached the Arizona capital, the rampant Salt River would spend most of itself in a flood plain encompassing the cities of Mesa and Tempe -- with a combined population of nearly a million.

'Could Have Done Anything'

In Queensland, Australia, on April 23, 2000, police stopped a car on the road to Deception Bay and found a stolen computer and radio transmitter inside. Using commercially available technology, Vitek Boden, 48, had turned his vehicle into a pirate command center for sewage treatment along Australia's Sunshine Coast.

Boden's arrest solved a mystery that had troubled the Maroochy Shire wastewater system for two months. Somehow the system was leaking hundreds of thousands of gallons of putrid sludge into parks, rivers and the manicured grounds of a Hyatt Regency hotel. Janelle Bryant of the Australian Environmental Protection Agency said "marine life died, the creek water turned black and the stench was unbearable for residents." Until Boden's capture -- during his 46th successful intrusion -- the utility's managers did not know why.

Specialists in cyber-terrorism have studied Boden's case because it is the only one known in which someone used a digital control system deliberately to cause harm. Details of Boden's intrusion, not disclosed before, show how easily Boden broke in -- and how restrained he was with his power.

Boden had quit his job at Hunter Watertech, the supplier of Maroochy Shire's remote control and telemetry equipment. Evidence at his trial suggested that he was angling for a consulting contract to solve the problems he had caused.

To sabotage the system, he set the software on his laptop to identify itself as "pumping station 4," then suppressed all alarms. Paul Chisholm, Hunter Watertech's chief executive, said in an interview last week that Boden "was the central control system" during his intrusions, with unlimited command of 300 SCADA nodes governing sewage and drinking water alike. "He could have done anything he liked to the fresh water," Chisholm said.

Like thousands of utilities around the world, Maroochy Shire allowed technicians operating remotely to manipulate its digital controls. Boden learned how to use those controls as an insider, but the software he used conforms to international standards and the manuals are available on the Web. He faced virtually no obstacles to breaking in.

Nearly identical systems run oil and gas utilities and many manufacturing plants. But their most dangerous use is in the generation, transmission and distribution of electrical power, because electricity has no substitute and every other key infrastructure depends on it.

Massoud Amin, a mathematician directing new security efforts in the industry, described the North American power grid as "the most complex machine ever built." At an April 2 conference hosted by the Commerce Department, participants said, government and industry scientists agreed that they have no idea how the grid would respond to a cyber-attack.

What they do know is that "Red Teams" of mock intruders from the Energy Department's four national laboratories have devised what one government document listed as "eight scenarios for SCADA attack on an electrical power grid" -- and all of them work. Eighteen such exercises have been conducted to date against large regional utilities, and Richard A. Clarke, Bush's cyber-security adviser, said the intruders "have always, always succeeded."

Joseph M. Weiss of KEMA Consulting, a leading expert in control system security, reported at two recent industry conferences that intruders were "able to assemble a detailed map" of each system and "intercepted and changed" SCADA commands without detection.

"What the labs do is look at simple, easy things I can do to get in" with tools commonly available on the Internet, Weiss said in an interview. "In most of these cases, they are not using anything that a hacker couldn't have access to."

Bush has launched a top-priority research program at the Livermore, Sandia and Los Alamos labs to improve safeguards in the estimated 3 million SCADA systems in use. But many of the systems rely on instantaneous responses and cannot tolerate authentication delays. And the devices deployed now lack the memory and bandwidth to use techniques such as "integrity checks" that are standard elsewhere.
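Boden's method (a laptop announcing itself as "pumping station 4" with alarms suppressed), the Red Teams' result (commands "intercepted and changed" without detection) and the integrity checks this paragraph says the fielded devices cannot afford are three views of one missing control: the receiver has no way to tell who sent a frame or whether it was altered. The example below, written for this page and not taken from the article or from any vendor's protocol, puts a receiver that trusts the claimed node identity beside one that verifies a short keyed tag and a sequence counter. The frame layout, command codes and key are assumptions made for the example.

```python
"""Spoofed telemetry frames against a trusting receiver and an authenticating one.

Example written for this page. The frame layout, command codes and key handling
are assumptions; they are not the Maroochy Shire or Hunter Watertech protocol.
"""
import hashlib
import hmac
import struct

# Assumed frame layout: node_id (u16) | seq (u32) | command (u8) | alarms_enabled (u8)
FRAME = struct.Struct(">HIBB")
TAG_LEN = 8            # truncated HMAC-SHA256 tag; 8 bytes to fit a narrow telemetry link
CMD_PUMP_ON = 0x01     # hypothetical command codes
CMD_PUMP_OFF = 0x02
STATION_4 = 4          # the "pumping station 4" identity the intruder claimed


def build_frame(node_id, seq, command, alarms_enabled):
    """Pack an unauthenticated command frame."""
    return FRAME.pack(node_id, seq, command, 1 if alarms_enabled else 0)


def legacy_accept(frame):
    """Receiver that believes whatever node_id the frame carries.

    Any radio on the link can claim to be station 4 and clear the alarm flag,
    which is what the article describes; there is nothing here to check.
    """
    node_id, seq, command, alarms = FRAME.unpack(frame)
    return {"node_id": node_id, "seq": seq, "command": command,
            "alarms_enabled": bool(alarms)}


def tag_frame(key, frame):
    """Append a truncated HMAC so the receiver can verify origin and integrity."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


class AuthenticatedReceiver:
    """Verifies the tag, then refuses sequence numbers it has already accepted."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # highest accepted sequence number per node

    def accept(self, tagged):
        if len(tagged) != FRAME.size + TAG_LEN:
            return None
        frame, tag = tagged[:FRAME.size], tagged[FRAME.size:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None      # forged without the key, or altered in transit
        node_id, seq, command, alarms = FRAME.unpack(frame)
        if seq <= self.last_seq.get(node_id, 0):
            return None      # replay of a genuine earlier frame
        self.last_seq[node_id] = seq
        return {"node_id": node_id, "seq": seq, "command": command,
                "alarms_enabled": bool(alarms)}


def demo():
    """Run the spoof, tamper and replay cases against both receivers."""
    key = b"constructed-shared-key-for-this-example"   # provisioned out of band in practice
    rx = AuthenticatedReceiver(key)

    genuine = build_frame(STATION_4, 1, CMD_PUMP_ON, True)   # from the control room
    genuine_tagged = tag_frame(key, genuine)

    # Intruder's laptop: "I am station 4, pump off, no alarms."
    spoofed = build_frame(STATION_4, 2, CMD_PUMP_OFF, False)
    spoofed_guess = spoofed + bytes(TAG_LEN)      # no key, so the tag is a guess

    # Intruder intercepts the genuine frame and clears the alarm flag in transit.
    tampered = bytearray(genuine_tagged)
    tampered[FRAME.size - 1] = 0
    tampered = bytes(tampered)

    return {
        "legacy_accepts_spoof": legacy_accept(spoofed),
        "auth_accepts_genuine": rx.accept(genuine_tagged) is not None,
        "auth_rejects_spoof": rx.accept(spoofed_guess) is None,
        "auth_rejects_tamper": rx.accept(tampered) is None,
        "auth_rejects_replay": rx.accept(genuine_tagged) is None,
    }
```

The eight-byte tag and the per-node counter are the concession to the constraints the paragraph describes: a single hash per frame, eight extra bytes on the wire and a few bytes of state per node. The counter must survive a reboot or be re-synchronized on reconnect, or the first genuine frame after a restart will be treated as a replay; key distribution to thousands of field devices is the harder problem and is outside this example.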

In a book-length Electricity Infrastructure Security Assessment, the industry concluded on Jan. 7 that "it may not be possible to provide sufficient security when using the Internet for power system control." Power companies, it said, will probably have to build a parallel private network for themselves.

'Where Their Crown Jewels Are'

The U.S. government may never have fought a war with so little power in the battlefield. That became clear again on Feb. 7, when Clarke and his vice-chairman at the critical infrastructure board, Howard A. Schmidt, arrived in the Oval Office.

They told the president that researchers in Finland had identified a serious security hole in the way network equipment processes ASN.1, the data-encoding standard used by the protocols that manage switches and other network devices. A government threat team found implications -- for air traffic control and civilian and military phone links, among others -- that were more serious still.

"We've got troops on the ground in Afghanistan and we've got communication systems that we all depend on that, at that time, were vulnerable," Schmidt recalled.

Bush ordered the Pentagon and key federal agencies to patch their systems. But most of the vulnerable networks were not government-owned. Since Feb. 12, "those who have the fix in their power are in the private sector," Schmidt said. Asked about progress, he said: "I don't know that we'd ever get to 100 percent."

Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb. 19 and accused industry leaders of spending more on coffee than on information security. "You will be hacked," he told them. "What's more, you deserve to be hacked."

Tritak, at the Commerce Department, appealed to patriotism. Speaking of al Qaeda, he said: "When you've got people who are saying, 'We're coming after your economy,' everyone has a responsibility to do their bit to safeguard against it."

New public-private partnerships are helping, but the government case remains a tough sell. Alan Paller, director of research at the SANS Institute in Bethesda, said not even banks and brokerages, considered the most security-conscious businesses, tell the government when their systems are attacked. Sources said the government did not learn crucial details about September's Nimda worm, which caused an estimated $530 million in damage, until the stricken companies began firing their security executives.

Experts said public companies worry about the loss of customer confidence and the legal liability to shareholders or security vendors when they report flaws.

The FBI is having even less success with its "key asset initiative," an attempt to identify the most dangerous points of vulnerability in 5,700 companies deemed essential to national security.

"What we really want to drill down to, eventually, is not the companies but the actual things themselves, the actual switches . . . that are vital to [a firm's] continued operations," Dick said. He acknowledged a rocky start: "For them to tell us where their crown jewels are is not reasonable until you've built up trust."

Michehl R. Gent, president of the North American Electric Reliability Council, said last month it will not happen. "We're not going to build such a list. . . . We have no confidence that the government can keep that a secret."

For fear of terrorist infiltration, Clarke's critical infrastructure board and Tom Ridge's homeland security office are now exploring whether private companies would consider telling the government the names of employees with access to sensitive sites.

"Obviously, the ability to check intelligence records from the terrorist standpoint would be the goal," Dick said.

There is no precedent for that. The FBI screens bank employees but has no statutory authority in other industries. Using classified intelligence databases, such as the Visa Viper list of suspected terrorists, would mean the results could not be shared with the employers. Bobby Gillham, manager of global security at oil giant Conoco Inc., said he doubts his industry will go along with that.

"You have Privacy Act concerns," he said in an interview. "And just to get feedback that there's nothing here, or there's something here but we can't share it with you, doesn't do us a lot of good. Most of our companies would not [remove an employee] in a frivolous way, on a wink."

Exasperated by companies seeking proof that they are targets, Clarke has stopped talking about threats at all.

"It doesn't matter whether it's al Qaeda or a nation-state or the teenage kid up the street," he said. "Who does the damage to you is far less important than the fact that damage can be done. You've got to focus on your vulnerability . . . and not wait for the FBI to tell you that al Qaeda has you in its sights."

Staff researcher Robert Thomason contributed to this report.
****************
Reuters Internet Report
Internet Body Proposes Reforms to Fight Web 'Squatters'

BUCHAREST (Reuters) - The organization that oversees Internet domain names floated two proposals on Thursday to help businesses and individuals fight extortion by speculators, known as cyber squatters.


ICANN, or the Internet Corporation for Assigned Names and Numbers, said at its quarterly meeting that it was close to adopting a new system to give owners of domain names extra time to renew their contracts and to establish a waiting list for coveted domains that become newly available to the public.


The two measures could be ratified by the ICANN board on Friday.

The first proposal, which would establish a 30-day grace period for current owners to renew their contracts, received widespread approval.

"ICANN receives a large number of complaints for inadvertently deleted domains...it affects churches, schools, businesses," Daniel Halloran, an ICANN employee assigned to the grace period task force, told Reuters. "This would be a safety net."

The measure seeks to address the recurring problem of cyber squatters registering coveted expired domains before the original owners renew their contracts.

Halloran explained that the four-year-old ICANN had never formalized a procedure by which domain name registrants renew their contracts, which typically run on an annual basis.

"We get a lot of complaints from people who wake up to find their domain has expired and now has porn on it, or it's linked to a casino site," he said. "Then, they'll ask for a ransom to get it back."

The waiting-list proposal, again designed to improve the odds for legitimate parties to claim an available domain, may have more difficulty passing.

Under the proposal by dominant U.S.-based domain registration firm VeriSign, a bidder would pay a fee to get first dibs on any newly available domains.

VeriSign has proposed charging other domain registrars as much as $28 for the service. A number of registrars have argued the price is too high.

A controversial vote on whether to retool the make-up of ICANN's executive board to include more government delegates, plus security and technical experts, is slated for Friday.
*************************
Government Computer News
FEMA speeds up plans for new architecture and portal
By Dipka Bhambhani


The Federal Emergency Management Agency expects to have the blueprint for its new enterprise architecture finished as early as this week and the first release of its disaster information portal in August.

"We'll have the initial framework done next week," FEMA CIO Ronald Miller said today at the E-Gov conference in Washington. The current architecture will not support the agency's new plans, he said. "We want to start fresh."

The agency also is planning to develop Disasterhelp.gov, a disaster information portal that will be attached to the FirstGov.gov Web site and link to other federal agencies' disaster information sites.

Meanwhile, the agency is collecting contingency plans from agencies in the disaster response community to get an idea of the type and amount of content to which they'll have to link.

The initial August launch of Disasterhelp.gov will be on the FirstGov site and link to only a few agencies. But Miller plans to expand the number of links.

Right now, he said, someone at a call center acts as a middleman during a crisis. "There are ways to take that person out of the process," he said. "I know that technology can do it."
***********************
Government Computer News
Giuliani lauds IT's role in management, endorses national IDs
By Susan M. Menke


Former New York City mayor Rudolph Giuliani called technology "a real help" in reducing crime. He said his administration's daily collection of statistics about crime, health and welfare led to cutting the number of welfare recipients from 1.1 million (out of 8 million residents) down to about 650,000 and the number of prisoners in jails from 14,000 down to about 11,000.

"Paying attention to small things," such as daily statistics from the city's 76 police precincts, was the key, said Giuliani, who spoke today at the E-Gov conference in Washington.

"To say the city was unmanageable and ungovernable really was an excuse for unaccountability," he said. "E-government can go a long way to change that perception. We let people pay their parking tickets over the Internet; we needed the money. We put applications for city permits online and made all the permit-granting agencies into one virtual agency."

Current mayor Michael Bloomberg has continued the statistical reporting by neighborhood under the Citywide Accountability Program, at http://home.nyc.gov/portal/index.jsp?pageID=nyc_stat_reports&catID=1724.

Giuliani, who received a standing ovation after ceremonial bagpipers played "God Bless America," said he and city officials for years held tabletop exercises and drills to deal with various emergencies. "We play-acted a plane crash in Queens," he said. But when he was called to the World Trade Center on Sept. 11, he saw people jumping from the highest floors without a hope of rescue. Although the previous disaster planning didn't fit the scope, at least it prepared the first responders and hospitals, he said.

Giuliani called a national ID card "something we have to work toward. We need a more efficient way to identify people, but there's a tradeoff between individual privacy and protection of others." A national ID card, he said, "would not be an erosion of fundamental freedoms."

"A lot of people feel that America is more dangerous today than it was before," Giuliani said. "The reverse is true. I think it's remarkable how America has handled its worst attack. We are the most vital and interesting society in history."
***********************
Washington Post
Publishers Sue Gator Over Web Ad Tactics
By Leslie Walker


A group of Web publishers filed suit in federal court this week against the scrappy Internet ad network Gator Corp., charging that Gator sells ads on their Web sites without authorization and pockets the proceeds.

"Gator Corp. is essentially a parasite that free rides on the hard work and investment" of the publishers, said the lawsuit, filed Tuesday by a dozen large publishers in U.S. District Court in Alexandria.

The irate publishers include The Washington Post Co., the New York Times Co., Dow Jones & Co., Tribune Interactive, Gannett Co., Knight Ridder Digital, Condenet and American City Business Journals Inc.

Their complaint is the latest in a series of legal scrapes involving Gator, which offers consumers free software and, in exchange, displays ads on the screens of their computers.

In a similar court action earlier this month, one of Gator's advertisers, DietWatch.com, was ordered to stop displaying ads that appeared when Gator users visited rival site WeightWatchers.com. The court ordered DietWatch to pay $25,000 to Weight Watchers.

The complaints reflect growing turmoil in the Internet advertising industry, which increasingly has embraced intrusive, flashy and experimental ad tactics as online advertisers try harder to lure customers.

Among the most confusing ad tactics are pop-ups, in which a browser window suddenly opens to display a commercial message. Often consumers can't tell where the ad originated; they assume it came from whatever page they are viewing.

The publishers charge that Gator takes advantage of this confusion and offers to sell ads that appear when Gator users visit specific Web sites, even though those Web sites haven't authorized the ads. Gator accomplishes that with its own software, which displays ads, the suit says.

Gator, based in Redwood City, Calif., did not return repeated e-mail messages and phone calls yesterday.

Terence Ross, the lawyer representing the publishers, said the placement of pop-up ads on the publishers' Web sites "alters the display of the Web site, which constitutes copyright infringement." The suit alleges that Gator's pop-ups also represent trademark infringements and misappropriation of the news.

They also represent unfair competition, the suit says, because Gator's competing offer to advertisers makes it harder for publishers to sell their own ads.

Gator ranked as the 15th most heavily trafficked Web property in April, according to Nielsen/NetRatings, with nearly 16 million people being exposed to its Web sites or software.

Gator offers a "digital wallet" that stores people's addresses and credit card numbers and allows people to fill out forms quickly. When users install the wallet, they get a special "OfferCompanion" that displays ads on their screens. The OfferCompanion, a type of software known as spyware or adware, also is installed when people download the popular file-sharing program KaZaa and a music program called AudioGalaxy.

Gator has wrangled in court with the Interactive Advertising Bureau, an Internet ad trade group, but agreed six months ago to work toward a settlement. Gator had sued the IAB after the trade group threatened to complain to federal regulators about its ad tactics.
*************************
New York Times
Microsoft Agrees to Alter a Special Service for Children
By JOHN MARKOFF


SAN FRANCISCO, June 26 - Microsoft said today that it had agreed to make changes in a children's version of its Passport authorization software after an advertising industry watchdog group challenged the service over issues of parental control and privacy.

The company, based in Redmond, Wash., has promoted Passport as a convenience feature that would permit computer users to sign on only once to use multiple Web sites and online services.

But critics have said Passport could potentially be used to collect personal information on consumers and have suggested that the company might try to sell the information for marketing purposes. Microsoft has responded that it has established stringent privacy guidelines to protect the user information.

The group, the Children's Advertising Review Unit of the Better Business Bureau, said today that it had begun investigating the Passport service earlier this year.

Officials of the group said today that Microsoft had said that use of the Kids Passport service would help protect children's safety and privacy online and had given the impression that sites and services accessible as part of the service were "children's sites." The agency, however, said it had discovered that there were no special privacy-protection provisions taken and that the sites were actually general consumer sites used by people of all ages.

One of the group's concerns, officials said, was that many of the Microsoft Kids Passport sites in fact offered chat rooms and other public forums that were designed to allow users to communicate and exchange information like names, e-mail addresses and phone numbers.

As a result of the group's investigation, Microsoft has made a number of changes, including no longer representing the Kids Passport service as aiding parents in protecting online privacy; noting that the Kids Passport service sites are not designed specifically for children; posting a specific children's privacy statement for its Passport service; and agreeing to revise its MSN Statement of Privacy to inform parents of how its MSN service collects and discloses children's personal information.

Although the Children's Advertising Review Unit was originally created by the advertising industry to combat deceptive advertising practices, the agency has broadened its scope as a result of the emergence of interactive technologies like the World Wide Web.

"In the offline world there was a chance for mediation, and the parent could say no to an advertiser," said Elizabeth Lascoutx, director of the review unit. "But when the child was sitting at a keyboard it became a real issue."

A Microsoft executive said today that the company had been working with the group to bring its software into compliance with the group's Self-Regulatory Guidelines for Children's Advertising.

"They identified a bunch of places where we could do better, and we think that's great," said Adam Sohn, Microsoft product manager for .Net strategy, a software service that includes Passport. "We entered into a productive dialogue and we're pretty pleased we could come to this agreement."

Microsoft never intended to mislead anyone, he said.
**************************
MSNBC
Bank crime data theft on the rise
At state banking convention, frustration is obvious
By Bob Sullivan

GLENEDEN BEACH, Ore., June 26 -- Ski-mask-wearing, gun-brandishing thieves dashing out of banks with cash-stuffed moneybags are good theater. But the truth is, bank robbers are a dying breed. Only 2 percent of mounting bank crime losses are now from physical robberies, according to the Oregon Bankers Association. Today's crooks hide safely in another city, another state, or halfway around the world while they commit their crimes. And often, it's not even the bank's money they want.

Having escaped to the rocky, still-chilly, nearly tourist-free Oregon coast, and staying in a town that sports Eden in its name, one might expect to find tranquil bankers pleasantly discussing loan rates before hitting the links. But executives attending the association's annual convention here found their peace disturbed by fraud expert Rob Douglas, who said the nation's banking system has become a playground for criminals and, now, terrorists who know how to turn stolen financial data into steady income.
"Your concern is no longer a teller walking out the door with cash," said Douglas. "Your concern is information walking out the door. That's the new currency. You've got to think: information equals cash."
Bank crime rarely involves traditional robberies any more, said Oregon Bankers Association Chairman Mike Foglia. Instead, money and information are stolen remotely, via electronic and paper fraud. There is almost no risk to the criminal, who can't be spotted by security cameras, but can steal the money from the other side of the world.
Privately, bankers at the conference expressed dismay at the amount of fraudulent financial wire transfers that are completed after a fast-talking criminal tricks a bank employee during a single phone call. Other frauds are even easier: depositing a fraudulent "convenience check" from a credit card company, then withdrawing the money; or skimming ATM card numbers right from the machine.
How much is virtually slipping out the door? Bankers wouldn't talk, but Foglia admits loss of "seven figures" at the various Wells Fargo branches he manages near Portland. And he concedes fraud is on the rise at all banks.


IDENTITY THEFT HAVEN
But frequently, the initial crime doesn't even involve money. It starts as a simple phone call, and a request for information, such as bank account balances. From there, the data is resold and reused, leading to crimes from simple credit card fraud to full-blown identity theft resulting in car loans or even equity loans.
Where the fraud receipts eventually end up is anyone's guess, but there is evidence terrorist groups used stolen credit cards and other bank fraud techniques to support the Sept. 11 attacks and other terrorism activities.
From the heavy sighs and drawn faces, it was clear that Douglas was, at least in part, preaching to the choir. Oregon has already suffered one of the nation's worst-ever information leaks. Last year, police acting on a tip found computer disks with the state's Department of Motor Vehicle records, all of them, in a suspect's apartment. The suspect, Jody Gene Oates, pleaded guilty last month to identity theft and was sentenced to four and one-half years in prison.
Many Oregon banks use state drivers' licenses to verify the identity of a new account holder.
"How can you trust that as verification now?" Douglas asked.
But Oregon's troubled bankers are hardly alone. Just last week, Bank of America kicked off a new ad campaign, "Invasion of the ID snatchers," with the National Consumers League, warning customers about the hazards of ID theft. The campaign is a response to an incident earlier this year when a criminal set up a fake Bank of America Web site and stole customer information. During an interview with the American Banker, bank privacy officer Robin Warren said ID fraud losses at the firm are rising, and the February incident was "a big wake-up call."


PHONE CALL TRICKERY
Douglas takes his shock therapy to banking groups around the country, telling executives that the banking system has become a convenient database for criminals.
He played secretly taped phone conversations with information brokers, who regularly call banks pretending to be depositors, tricking customer service representatives into giving out private information. Bank records, for example, can be obtained for as little as $50.
"She didn't even ask for my name," bragged the broker on the tape, who had gotten a customer's account balance information armed only with a Social Security number. "You wouldn't believe how easy it is. ... You have to talk fast. You can't give people a chance to think. That's the key."
Another tactic used, Douglas said, is acting belligerent if the conversation starts to go poorly. Also, since Sept. 11, many criminals have taken to impersonating the FBI, he said, knowing that many bank employees are all too eager to help the war on terrorism.
Surrendering private financial information was declared a federal crime in 1999 by the Gramm-Leach-Bliley Act. But while thousands of companies still operate in the seedy information area, not a single one has faced prosecution, Foglia said.
While he admitted that both identity theft and electronic fraud in general are on the rise, and conceded banks "could do more," he said the lack of prosecutions was the real problem.
"We have cases we tie up with a bow and give them to (federal authorities), and we can't get them interested unless the loss is at least $50,000," Foglia said. Criminals know this, he said. They know they can risk a $10,000 fraud with almost no fear of jail time.
"What if we could take all the millions we have lost in fraud in the past year and hire some prosecuting attorneys?" he asked hypothetically. "The fact that there are no prosecutions is deplorable, particularly when we know this stuff funds terrorism."
Douglas, who often ends his talks by showing a video about stalking victim Amy Boyer (hunted by her killer with the help of an information broker), said there is frustration around the country with the lack of prosecutions connected to Gramm-Leach-Bliley or other bank frauds. Even if the initial crime seems neat, clean, perhaps even victimless, the ultimate consequences are severe.
"This is not about being able to steal a $50 pair of Reeboks (with a stolen credit card) any more," said Douglas. "It's about terrorism, stalking and murder now."
******************
New York Times
Spam: An Escalating Attack of the Clones


SAN FRANCISCO -- At 2 a.m., the red squiggle begins to rise. Sharply.

The workers sitting in the dimly lighted room barely look up at the white screen on the wall that tracks the deluge of unwanted e-mail to millions of In boxes. They already know it's happening.

Their computer monitors are filled with e-mail meant to appeal to the lonely and insecure: Free XXX video. Debt consolidation. Breast enhancement. Viagra. Work from home. Beat cellulite.

It is the middle of the night on the West Coast, but spam attacks (e-mail messages sent to multiple addresses, often lumped together as "undisclosed recipients") are bubbling up from all corners of the Internet. Spam doesn't sleep.

Click and type. Cut and paste. Save. Export. That is how spam filters are created in the round-the-clock war room run by Brightmail, a company that performs filtering for Internet service providers like Earthlink, MSN and AT&T Worldnet as well as companies trying to keep their e-mail systems unclogged.

In the war room, the steady pulse of keyboard and mouse clicks is punctuated by brief declarations.

"I got the Viagra," calls out one 20-something employee as he clicks to create a simple filter.

"I need help on the breast enhancement," announces another.

Spammers are like fruit flies. They multiply. They are elusive. Worst of all, they evolve quickly. The most aggressive spammers have become very sophisticated, constantly varying subject lines, "from" addresses and body text.

Joe Long, a war room employee, remembers when times and spam were simpler. Two years ago, he and his colleagues would sometimes be able to parry all the attacks and clear their to-do list. "That never happens now," Mr. Long said.

For in addition to becoming more sophisticated, spammers have become more prolific. These days, more and more junk e-mail is finding its way into In boxes.

Brightmail says the volume of spam it encounters has almost tripled in the last nine months. The company adds that 12 to 15 percent of total e-mail traffic is spam; a year ago, that figure was closer to 7 percent. Brightmail, which maintains a network of In boxes to attract spam, now records 140,000 spam attacks a day, each potentially involving thousands of messages, if not millions.

Statistics like these are supported by anecdotal evidence from computer users, who report that they are seeing more unwanted e-mail every time they log on. Hounded by spam, some computer users have simply abandoned e-mail addresses.

No one knows precisely why spamming has increased so much. One reason may be that it is an inexpensive form of marketing favored in a slumping economy.

Another may be that it is relatively simple to do: it is not much harder to send one million e-mail messages than it is to send one.

But some analysts say that the increase may also result, paradoxically, from the efforts to curb spam. A kind of arms race may have developed, those analysts say: the more efforts are made to block unwanted e-mail, the more messages spammers send to be sure that some will get through.

Whatever the reasons, individual complaints about e-mail are echoed by Internet service providers, some of which say that 50 percent of incoming e-mail traffic is spam.

Consumer advocates and politicians are complaining too, and proposing new laws to fight spam. Governmental agencies are also announcing new initiatives in the battle.

Clearly, spam is a part of electronic communications that everyone loves to hate. But it is also something that no one, it seems, can do much about. Here are the reasons.

Regulation

The Federal Trade Commission currently receives 40,000 spam complaints a day at its Web site, www.ftc.gov/spam. It has an e-mail address, uce@xxxxxxx ("uce" stands for "unsolicited commercial e-mail"), to which people can forward spam e-mail that they receive. To date, the commission has collected more than 12 million such messages, which are kept in what is affectionately known as the refrigerator, a computer database in the commission's Internet lab.

But the commission cannot and does not regulate unsolicited commercial e-mail. There are currently no federal laws against spam.

Spam is a form of commercial speech. While commercial speech enjoys some protection under the First Amendment, it is also subject to regulation, but such regulation needs to be established by legislation.

So in a majority of spam cases, the trade commission's hands are tied. Even pornographic spam (including that sent to children) falls outside its mandate.

"We can only do what our statute allows us to do," said Brian Huseman, who coordinates spam issues for the commission. And that statute empowers the commission to fight fraudulent and deceptive marketing practices.

So the F.T.C. is focusing on the spammers that do fall under its jurisdiction. To date it has filed 32 spam-related fraud cases, including one against a company that sells nonexistent ".usa" domain names and another against a company that distributed programs that forced computer modems to dial international calls.

Only a fraction of spam is outright fraud; most spam e-mail is aimed at selling legitimate products. Brightmail categorizes only 4 percent of spam attacks as intentionally fraudulent.

The trade commission has tried to extend its definition of "fraudulent" to encompass more than the most blatant fraud. The commission is investigating whether businesses that sell bulk e-mailing tools and lists have deceptive marketing practices. The goal is to cut off spammers' resources.

The commission also recently sent warning letters to companies that have nonworking "remove me" options at the bottom of their e-mail messages. (A commission survey showed that 63 percent of "remove me" options either did not work or resulted in even more e-mail.)

However, the F.T.C.'s definition of what constitutes fraud is very specific. For example, a false subject line ("As you requested" or "Human Resource Policy changes") or a false return address does not legally constitute fraud. The e-mail's content must actually be misleading in a way that affects consumers.

"Just because it's false doesn't mean it's deceptive under our statute," Mr. Huseman said.

Federal Legislation

Ideally, consumer advocates want the spam equivalent of the 1991 federal Telephone Consumer Protection Act, which prohibited prerecorded telemarketing calls and junk faxes. The trade commission was also given power to enforce the legislation.

A broad anti-spam law has been approved in Europe. On May 30, the European Parliament passed a ban on unsolicited commercial messaging. Electronic marketing can be aimed only at consumers who have given prior consent.

In contrast, more than a dozen spam-related bills have been introduced in Congress over the last two years, and most of them have languished. Of the handful that have made progress, the most recent is the Controlling the Assault of Non-Solicited Pornography and Marketing act (a contorted title that yields the acronym Can Spam), which was unanimously approved by the Senate Commerce Committee last month. The Can Spam bill would, among other things, let the F.T.C. impose civil fines up to $10 per unlawful message, require valid "remove me" options on all e-mail and authorize state attorneys general to bring lawsuits.

Now it must be voted upon by the full Senate, and two other independent spam bills are moving slowly through the House of Representatives. But interest groups are lobbying to tone down the strongest aspects of spam legislation.

Those lobbyists are not spammers. They are some of the country's largest corporations and commercial associations: Citicorp, Charles Schwab, Procter & Gamble, the National Retail Federation, the Securities Industry Association and the American Insurance Association. The groups argue that many of the bills would unfairly restrict e-mail marketing and put electronic commerce at a disadvantage.

"We would like the bill narrowed so only pornographic, fraudulent and deceptive spam are targeted," said John Savercool, the vice president of federal affairs for the American Insurance Association. "We think that is where the consumer angst is."

But Senator Conrad Burns of Montana, a Republican sponsor of the Can Spam bill, says that consumer frustration goes beyond pornography and fraud. "I get enough applications for credit cards, offers to consolidate my debt and advertising for Viagra in my mailbox," he said. "I don't need it on my computer too."

Litigation

With little happening in Congress on anti-spam legislation, 25 state governments have taken the lead and passed a variety of spam-related laws. They range from Delaware's 1999 outright ban on unsolicited commercial e-mail to more indirect limitations. Most states ban false return e-mail addresses, require "remove me" provisions or demand labels on sex-related messages.

But laws, whether federal or state, may serve as a deterrent only when they are enforced. And enforcement of these state anti-spam laws is more the exception than the rule. Despite hundreds of thousands of consumer complaints to state agencies, only Washington State has filed a lawsuit based on anti-spam legislation. Other states that do not have anti-spam laws, like New York, have sued or charged spammers by using laws on deceptive marketing and computer hacking. The cases are pending.

Legal experts say the problems with local spam laws are manifold. First of all, most do not prohibit spam. "Even if the laws were enforced effectively, they wouldn't address most of the spam problem," said David E. Sorkin, a professor at the John Marshall Law School in Chicago who runs a site called Spamlaws.com. "The implied message is that if you weren't lying about it, it would be O.K. to spam people."

Second, spam transcends state (and national) boundaries, and many of the state laws stipulate that they take effect only if a spammer can "reasonably know" that the recipient is a resident of a particular state.

Third, spammers are elusive. Lawsuits generally need to nail down a physical presence to proceed. When the F.T.C. sent warning letters to spammers with false "remove me" options, more than 20 percent of the letters came back because the addresses registered with the domain names were false. Telemarketers are easier to identify because telemarketing is expensive and as a result, such companies need assets. All a spammer needs for business is a computer, an Internet connection and an inexpensive CD containing spamming software and tens of millions of e-mail addresses.

"Most of the spammers are not wealthy people," said Stephen Kline, a lawyer for the New York State attorney general's office. "It's tough if you are going after someone with very few assets to get restitution for consumers or justify the costs."

So most spam-related lawsuits have been brought by companies and individuals motivated more by a sense of a crusade than by the prospect of a financial reward. In March, Morrison & Foerster, a California law firm, filed a lawsuit against Etracks, an e-mail marketer, for sending e-mail to its servers. Etracks says that it works with permission-based marketing, a contention that Morrison & Foerster disputes.

Some I.S.P.'s, including CompuServe and AOL, have filed suit against spammers to prevent them from sending unsolicited e-mail to users of those services. But using lawsuits to combat spammers is like trying to catch swarming fruit flies by hand. For every one you manage to catch, there are 10 more undeterred ones pestering you.

Technology

To date, the most effective weapon against spam is technology. "Spam requires a technology solution because it is a technology problem," said Ken Schneider, chief technology officer at Brightmail.

But even technology is limited, since spam is e-mail and e-mail is designed to flow easily. Only 5 percent of all enterprises will be able to filter 90 percent of spam in 2002, said Joyce Graff, research director at Gartner Research.

Businesses have tried to throw up all types of defenses. Many reject mail coming from computers that are known to have been hijacked for spam. Some I.S.P.'s reject e-mail sent in bulk. That often results in the rejection of legitimate noncommercial messages sent to addresses on mailing lists.

Other technological approaches limit e-mail to preapproved senders or to senders who respond with a password, approaches that slow down the transmission of e-mail. Users can also buy personal In box protectors.

Brightmail, which has one of the most sophisticated services, says the best spammers are always a step ahead of its defense mechanism. They evade Brightmail filters by randomizing the characteristics that filters look for.
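The defenses the preceding paragraphs describe (rejecting mail from relays known to be hijacked, exempting preapproved senders, flagging bulk sends, and keying in content signatures that spammers then dodge by randomizing subject lines and body text) can be sketched in a few dozen lines. The block below is an added illustration written for this digest, not Brightmail's or any ISP's code; the relay addresses, sender lists, signature phrases and sample messages are all constructed. It shows why an exact-phrase signature misses a lightly scrambled subject while a normalized signature (lowercase, leetspeak digits mapped back to letters, punctuation stripped) still catches it, and why a bulk-send rule needs an allowlist so that legitimate mailing-list traffic is not thrown away.

```python
"""Toy mail-filter pipeline: hijacked-relay blocklist, preapproved-sender
allowlist, exact vs. normalized content signatures, and a bulk-send rule.
Everything here is constructed sample data for illustration."""
import hashlib
import re
from collections import Counter

# Constructed: relays "known to have been hijacked for spam" (assumed list).
HIJACKED_RELAYS = {"203.0.113.7", "198.51.100.42"}
# Constructed: senders the recipient has preapproved (e.g. a mailing list).
PREAPPROVED_SENDERS = {"newsletter@list.example.org"}
# Constructed: phrases an analyst keyed in after seeing an attack.
SIGNATURES = {"viagra", "breast enhancement", "free xxx video", "debt consolidation"}
# Identical bodies seen at least this many times in one batch count as bulk.
BULK_THRESHOLD = 3

# Map the common digit/symbol substitutions back to letters before matching.
LEET = str.maketrans({"1": "i", "3": "e", "4": "a", "0": "o",
                      "5": "s", "$": "s", "@": "a", "|": "l"})


def exact_hit(text: str) -> bool:
    """The naive filter: case-folded substring match on the signature phrase."""
    low = text.lower()
    return any(sig in low for sig in SIGNATURES)


def collapse(text: str) -> str:
    """Normalize away cheap randomization: case, leetspeak, punctuation,
    spacing and injected digits. Only letters survive, so 'V1.a.g.r.a'
    and 'Viagra' compare equal. (Letters-only matching can also fire across
    word boundaries, a trade-off a real filter would weigh.)"""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def fuzzy_hit(text: str) -> bool:
    """Signature match on the collapsed form of both text and signature."""
    c = collapse(text)
    return any(collapse(sig) in c for sig in SIGNATURES)


def body_fingerprint(body: str) -> str:
    """Fingerprint of the normalized body, used to spot identical bulk sends."""
    return hashlib.sha256(collapse(body).encode()).hexdigest()[:16]


def classify(msg: dict, fingerprint_counts: Counter) -> str:
    """Return a verdict string for one message, cheapest checks first."""
    if msg["relay_ip"] in HIJACKED_RELAYS:
        return "reject: hijacked relay"
    if msg["from"] in PREAPPROVED_SENDERS:
        return "deliver: preapproved sender"   # keeps list mail out of the bulk rule
    text = msg["subject"] + " " + msg["body"]
    if exact_hit(text):
        return "quarantine: exact signature"
    if fuzzy_hit(text):
        return "quarantine: normalized signature"
    if fingerprint_counts[body_fingerprint(msg["body"])] >= BULK_THRESHOLD:
        return "quarantine: bulk"
    return "deliver"


def run_pipeline(messages: list) -> dict:
    """Classify a batch; bulk counts are computed over the whole batch first."""
    counts = Counter(body_fingerprint(m["body"]) for m in messages)
    return {m["id"]: classify(m, counts) for m in messages}


# Constructed sample batch (RFC 5737 documentation addresses, example.org senders).
SAMPLE_MESSAGES = [
    {"id": "m1", "relay_ip": "203.0.113.7", "from": "a@example.org",
     "subject": "Hi", "body": "hello"},
    {"id": "m2", "relay_ip": "192.0.2.10", "from": "b@example.org",
     "subject": "Viagra at 80% off", "body": "Order now"},
    {"id": "m3", "relay_ip": "192.0.2.11", "from": "c@example.org",
     "subject": "V1.a.g.r.a !!! #48127", "body": "cl1ck h3re"},
    {"id": "m4", "relay_ip": "192.0.2.12", "from": "d@example.org",
     "subject": "Offer 1", "body": "Work from home! Earn $5000/week"},
    {"id": "m5", "relay_ip": "192.0.2.13", "from": "e@example.org",
     "subject": "Offer 2", "body": "Work from home! Earn $5000/week"},
    {"id": "m6", "relay_ip": "192.0.2.14", "from": "f@example.org",
     "subject": "Offer 3", "body": "Work from home! Earn $5000/week"},
    {"id": "m7", "relay_ip": "192.0.2.20", "from": "newsletter@list.example.org",
     "subject": "Minutes", "body": "Minutes from Tuesday's meeting"},
    {"id": "m8", "relay_ip": "192.0.2.20", "from": "newsletter@list.example.org",
     "subject": "Minutes", "body": "Minutes from Tuesday's meeting"},
    {"id": "m9", "relay_ip": "192.0.2.20", "from": "newsletter@list.example.org",
     "subject": "Minutes", "body": "Minutes from Tuesday's meeting"},
    {"id": "m10", "relay_ip": "192.0.2.30", "from": "g@example.org",
     "subject": "Lunch Thursday?", "body": "Are you free at noon?"},
]

if __name__ == "__main__":
    for mid, verdict in run_pipeline(SAMPLE_MESSAGES).items():
        print(f"{mid}: {verdict}")
```

Running it shows m2 caught by the exact phrase, m3 slipping past the exact filter and being caught only after normalization, m4 to m6 flagged as bulk because their bodies are identical, and m7 to m9 (the same body three times, exactly the mailing-list pattern the article says bulk rejection breaks) delivered only because the list sender is on the allowlist. Remove that allowlist entry and the bulk rule quarantines the list mail, which is the false positive the ISPs in the article are living with.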

"It's very difficult to fight," said Mr. Long, the war-room worker. "You get entrenched fighting it one way, and they go put a new tool against you."

Spam may be an inescapable element of online existence. "Is spam going to be something we will all learn to live with, like increased airline security?" asked Enrique Salem, chief executive of Brightmail. "Or will it disappear?"

For spam to disappear, a combination of coordinated international regulatory action, aggressive enforcement, software and human oversight is needed, Mr. Salem said.

The bad news is that until that magic combination comes about, spam will continue to clog In boxes. The good news is that it could help you look younger, feel more virile, become debt-free and get a college degree at home. Really.
******************
USA Today
Manager of FBI computer overhaul resigns
By Kevin Johnson, USA TODAY


The executive in charge of overhauling the FBI's antiquated computer system has resigned.

The FBI said Robert Chiaradio is leaving to take a job at financial consulting giant KPMG. He was elevated in December to one of the bureau's top four administrative positions.

Former IBM executive W. Wilson Lowery Jr. will replace Chiaradio, officials said.

Outdated computer systems have been blamed for several internal bureau problems, including the FBI's failure to turn over thousands of documents to lawyers representing Oklahoma City bomber Timothy McVeigh. The foul-up caused a month-long delay of McVeigh's execution last year.
****************************
San Francisco Chronicle
File-sharing jamming proposed


Entertainment companies could legally launch electronic attacks against Internet file sharing networks under a proposed law previewed Tuesday by a Southern California congressman.

U.S. Rep. Howard Berman, D-North Hollywood, plans to introduce a law to legalize the use of electronic countermeasures to thwart copyright infringement on popular peer-to-peer networks such as KaZaa and Morpheus, where millions of music and movie files are traded.

Berman, whose district stretches from North Hollywood to the San Fernando Valley, said the law would legalize actions -- like flooding peer-to-peer networks with decoy files -- that now might violate laws like the federal Computer Fraud and Abuse Act.

"We see this as a very technology friendly bill," said Gene Smith, Berman's chief of staff. "Copyright owners should be able to develop technological responses to the technological piracy of their property."

But Steve Griffin, whose Tennessee firm distributes Morpheus, called Berman's proposal "a declaration of cyberwarfare on consumers."

"It gives . . . media companies the right that even the U.S. government doesn't have, to go into people's computers," said Griffin, chief executive of StreamCast Networks Inc.
*************************
BBC
Piracy fight gets serious


Record makers could win the right to carry out hack attacks on music sharing services if a US proposal becomes law.
Californian congressman Howard Berman has drawn up a bill that would legalise the disruption of peer-to-peer networks by companies who are trying to stop people pirating copyrighted materials.


If his idea becomes law, record companies will be able to carry out a variety of attacks on the sharing services to make them unusable or so irritating to use that people abandon them.

Existing legislation makes it an offence for anyone to carry out many of the attacks mooted in the proposal.

Better blockers

So far, music companies have used legal action to stop people spreading pirated pop through net-based peer-to-peer networks, such as Napster, Kazaa and Audiogalaxy.

Their attempts have largely been successful.

Napster has declared itself bankrupt and is trying to relaunch itself as a subscription service; Kazaa has run out of money to pay its mounting legal bills; and Audiogalaxy has agreed to remove copyrighted material from its network that it does not have permission to share.

However, legal action can take a long time to work, and now Howard Berman, a Democratic congressman for California, has proposed legislation that would let music makers act much more quickly.

Spoof tracks

His proposal would let the record makers carry out hacking-type attacks on sharing networks to protect copyrighted works.

If it became law, record companies would win the right to place spoof tracks on sharing services, block downloads, redirect people to non-existent files and launch attacks that disrupt the smooth running of the networks.

Some record labels have already been known to seed some networks with spoof tracks or adverts to try to stop people getting hold of music they have not paid for.

The law would also allow the record companies to place programs on the machines of peer-to-peer networks to let them trace who is pirating pop.
*************************
Federal Computer Week
OMB takes aim at redundant IT


The Office of Management and Budget is taking action to cut down on redundant information technology investments with plans to redeploy funding this year and head off funding requests in coming years, Norm Lorentz, OMB's chief technology officer, said June 25.

OMB has written "Clinger-Cohen letters" for projects under many of the 24 initiatives under the Bush administration's E-Government Strategy, Lorentz said. Those letters, for perhaps the first time on such a wide scale, exercise a section of the Clinger-Cohen Act of 1996 that gives the White House the authority to shut down or redeploy funding for under-performing or redundant programs, he said.

Because the 24 initiatives are aimed at consolidating common IT investments across government, these letters are a necessary step, Lorentz said. Mark Forman, OMB's associate director for IT and e-government, and the affected deputy secretaries who make up the President's Management Council, should release the programs that are receiving the letters soon, he said.

For future investments, OMB plans to work with agencies to stop redundancy before it happens.

On July 18, OMB will release the final current version of the federal enterprise architecture business reference model. The model will be available on a Web site accessible only by agency personnel, although parts of it likely will be released over time for the public, Lorentz said.

OMB expects agencies to use the business reference model as the basis for planning their fiscal 2004 budget requests and their submissions under OMB Circular A-11, which sets the requirements for all investments. Officials should check their investment plans against the model before submitting requests to OMB, he said.

It is only the first of five reference models that will make up the entire federal enterprise architecture plan. The others, including models for performance, data, applications and technology, are at various points of development and will be released in the coming months, he said.
************************
Federal Computer Week
Military, FEMA test communications


As part of a month-long communications exercise focused on interoperability among U.S. armed forces and the Federal Emergency Management Agency, an Army Reserve unit on June 24 successfully completed a video teleconference with FEMA personnel halfway across the country.

Grecian Firebolt, which began June 1 and is scheduled to conclude today, has been testing interoperability among the Army, the Air Force and FEMA's Mobile Emergency Response communications teams. It includes reserve and active Army units, and Army and Air National Guard units connecting more than 30 sites throughout the United States and Puerto Rico.

The 311th Theater Signal Command (TSC), an Army Reserve unit headquartered at Fort Meade, Md., led this year's exercise, which was designed, in part, to test the communications piece of a homeland defense scenario, said Maj. Gen. George Bowman, commander of the unit.

The homeland defense scenarios have included dealing with such things as potential mail bombs and protestors attempting to foil activities and influence soldiers, said Lt. Col. Thomas Chegash Jr., communications systems control element branch chief in the 311th TSC.

Those scenarios did not include attacks against communications or information technology systems, but did include reports of real-world situations, like virus updates, that participants had to deal with on the fly, said Maj. Anthony Britton, an action officer at Joint Forces Command, who was on hand to observe the exercises and the joint communications capabilities of the Army and Air Force.

The 311th TSC conducted a video teleconference with a FEMA office in Denton, Texas, as part of an exercise to ensure that the agency "has the bandwidth available in case we're faced with another" Sept. 11, said Ozzie Baldwin, FEMA's telecommunications manager of information processing in Denton.

Baldwin said that Grecian Firebolt has also helped FEMA establish procedures for communicating via e-mail on both secure and nonsecure networks with the Defense Department in a homeland defense scenario.

"We have established the procedures, and now they will be published and used in any deployment," he said. "In case of incident, we can immediately exchange e-mails," and that includes a Secret Internet Protocol Router Network (SIPRNET) connection between FEMA headquarters and DOD that was recently installed and tested during the exercise.

"Now, we can say for the next incident, we are ready," Baldwin said.

Grecian Firebolt, which cost more than $1.2 million to execute, focuses on the oversight and management of the tactical and strategic networks the Army and its partners use to communicate during a homeland security mission. It includes satellite links, line-of-sight tools, e-mail and video teleconferencing (VTC), Chegash said.

"Overall, our base goal is training," Chegash said, adding that establishing the VTC link was one of the most difficult challenges in the exercise. "We have been troubleshooting for days. The equipment we have is old, not operator-friendly and difficult to set up."
***********************
Federal Computer Week
'Tribalism' may defeat Homeland


It was only a matter of days after President Bush unveiled his plan to take pieces from various federal agencies to create a Homeland Security Department that officials began to buttonhole Rep. Tom Davis, presenting him with lists of reasons why their agencies shouldn't be moved.

They received a frosty reception from the Virginia Republican, however, said Davis aide Melissa Wojciak.

Davis, who heads the House Government Reform Committee's Technology and Procurement Policy Subcommittee, staunchly supports Bush's plan, Wojciak told a gathering of technology experts June 25.

But the almost instinctive effort to undermine the president's plan illuminates what is likely to be the biggest problem for the Homeland Security Department: "tribalism."

While the administration's senior policymakers wrestle with problems such as information sharing, interoperability and database integration, rank and file government workers grapple with fear of change, said organizational psychologist Joyce Doria.

"People choose the familiar, even the dysfunctional, over change," she said. Wojciak and Doria spoke at E-Gov's Homeland Security 2002 conference in Washington, D.C.

Since the Sept. 11 terrorist attacks, it has become clear that among them, various government agencies had information and warnings that, if shared, might have alerted them to the terrorist danger.

Much discussion since then has focused on how to get agencies to share information and better communicate with one another.

It will take technology to solve some of the problems, but "the technology does exist," said Doria, who is a vice president at the consulting firm Booz Allen Hamilton. "The hurdles are more bureaucratic than technical."

Developing workable plans to use technology to improve teamwork among agencies will be the easy part. Getting agencies to accept them will be the real challenge, she said.

"Change is painful," and those who plan for significant change typically underestimate the difficulty of getting workers and managers to accept change, she said. "Man is by nature tribal," and convincing people to accept outside ideas, leaders and ways of doing things is difficult.

"Tribal ways will beat change every time if you're not careful," Doria said.
***********************
BBC
Tech managers targeted by cyber criminals

The head of the UK's cyber police unit has warned that tech managers could become victims of kidnappers and organised crime.
Len Hynds, from the National Hi-Tech Crime Unit (NHTCU), has told Computing magazine that computer bosses could be vulnerable to attack in the same way as bank managers were targeted in the past.


Mr Hynds said that the NHTCU had already seen cases of criminal gangs blackmailing companies after discovering weaknesses in their computer systems.

The next step could well be physical risk to technology managers, he said.

Tech recruits

"Organised criminals will intimidate people with access to information," he told Computing.

He warned companies to improve recruitment and to be careful about the people they employed in positions with access to computer data.

Criminal gangs were also likely to start hiring more people with technological know-how as computers increasingly become an important tool in crime, he said.

Computer forensic firm Datasec conducts investigations of criminal or industrial computer crime and has had cases in which individuals within organisations have been targeted for their knowledge about sensitive data.

Distributed responsibility

Managing director Adrian Reid believes employees with responsibility for technology should exercise caution when talking about their work.

"If someone was going to target the IT manager, he or she will find out as much about that individual as they can," he said.

"Employees in sensitive areas need to be careful about what they say about themselves and what information about them is in the public arena," he said.

Nearly three-quarters of UK companies have sensitive data on their computer networks and they too must do more to make sure that one person does not have sole responsibility for such information.

"Companies should consider distributing responsibilities," said Mr Reid. "It is harder to corrupt a group of people than it is one individual."
*************************
Government Executive
House passes law enforcement information-sharing bill


By Drew Clark, National Journal's Technology Daily


The House on Wednesday passed a bill that would permit federal law enforcement authorities to share information about potential terrorist attacks with state and local authorities.


Passed by a vote of 422-2, the bill, H.R. 4598, would require the president to promulgate guidelines for sharing classified and sensitive intelligence information, as well as information obtained through wiretaps or grand-jury investigations.

House Intelligence Terrorism and Homeland Security Subcommittee Chairman and bill sponsor Saxby Chambliss, R-Ga., said the measure seeks to get information about "potential acts of terrorism declassified and redirected to people on the front lines."

"We do a great job of getting information," he said, as he acknowledged weaknesses within the CIA and FBI. "But we don't do a great job of sharing information."

Rep. Anthony Weiner, D-N.Y., added that a key impetus for the bill came when New York City officials learned information about a threat from Time magazine rather than from FBI officials. He called the bill an attempt to rationalize existing laws that currently bar federal agents from sharing sensitive and classified information with local police.

"This is an effort to empower local officials upon whose real estate future attacks may occur," said Jane Harman, ranking Democrat on the Intelligence subcommittee. "Homeland security is a bottom-up problem and not a top-down problem. It is not about the best arrangement of deck chairs but about getting the 'first responders' the information they need."

In a policy statement, the Bush administration expressed support for the goals of the legislation, saying that it "seeks to balance and reconcile the needs of state and local personnel to have access to timely and relevant homeland security information to combat terrorism, with the need to protect and safeguard both classified and sensitive but unclassified information."

Although the bill would require the president to decide upon procedures for sharing information within a year, it leaves the choice of procedures to him. Among the options it suggests are boosting the number of security clearances, deploying non-disclosure agreements and increasing the use of joint terrorism task forces with the FBI.

But the policy statement also raised two specific concerns: that the definition of "homeland security information" includes census information "that has been collected solely for statistical purposes under a pledge of confidentiality," and that provisions regarding the dissemination of foreign intelligence information could limit the administration's flexibility under the anti-terrorism law Congress passed in October.

Several members of the House Judiciary Committee raised privacy concerns about the bill but said they were largely satisfied by amendments adopted in committee.

"For public-safety information, we need to be able to communicate what is known," said Rep. Bobby Scott, D-Va. "But it must be limited just to those who need it, and is not spread around on the Internet where everyone can see it."

Rep. Sheila Jackson-Lee, D-Texas, said the law needs to ensure that information from whistleblowers is shared, but she withdrew her amendment to make such a change on the floor.
*********************
MSNBC
Kiss your MP3s at work goodbye
Companies crack down on employees using streaming media
By Lisa M. Bowman


June 27 - Stash those headphones and trash that file-swapping software: Companies are cracking down on employees who use streaming media and swap MP3s at work.
Companies increasingly are blocking access to Internet music and video at firewalls and are issuing sweeping initiatives that ban workplace media usage. The trend is a result of two developments: media usage hogging enormous amounts of corporate bandwidth and threats of legal liability as the entertainment industry aggressively pursues copyright scofflaws.
The Recording Industry Association of America is beginning to train its legal guns on companies it thinks are aiding copyright theft by allowing workers to trade free music and movies at work.
In April, the RIAA announced a settlement with an Arizona company that allegedly let employees trade MP3 files over an internal network. Integrated Information Systems (IIS) agreed to settle the case for $1 million. And more companies will be facing similar charges, according to RIAA President Cary Sherman.
"We'd very much like corporations to think about their obligations to respect the intellectual property rights of our artists and labels," he said. "Some of these corporations, we are told, have their own little networks, which is very clearly illegal."
Typically, the RIAA receives tips about alleged illegal file swapping through its anonymous tip line. It then threatens legal action and asks companies to stop. So far, the tactics may be working.
The IIS incident, along with the RIAA's punishment of file-swapping networks such as Napster and Kazaa, has prompted companies to examine their own usage policies to make sure they're not running afoul of copyright law.
"I think that got people's attention," Ross Blanchard, director of marketing at online song database Gracenote, said of the IIS settlement.


NETWORK HOGS
Then there's the bandwidth strain.
Companies are slowly realizing that their sluggish networks may not be the result of a flurry of e-commerce transactions or an influx of training videos. Instead, employees may be slowing the system simply to get their hands on a copy of the latest "Star Wars" movie.
"There's just so much broader use of networks than what they were intended for," said Wilson Craig, the public relations manager for Packeteer, which makes products to manage network traffic.
Craig said companies will come in with complaints about sluggish networks, thinking newly installed corporate software is to blame, only to discover that 40 percent of their bandwidth is being taken up by music downloads.
People are more likely to use their work computers than home computers to swap media files or listen to streaming audio or video, according to research firm Nielsen/NetRatings. That's probably because their office computers are connected to higher-speed networks than their home machines. Some studies have estimated that as many as one in five work computers contains file-swapping software.
Even companies in the business of protecting corporate networks from abuse and strain aren't immune from the problem. NetReality, which makes network management software, saw its system grind to a halt one day. The cause: Someone in the Israeli office was downloading a copy of "The Lion King."
It's not an unusual discovery, as more media become available to wreak havoc on corporate networks, surprising companies large and small with their popularity. The availability of swapping sites and digital music and movies has never been greater, despite Hollywood's attempts to restrict them.
The number of "peer-to-peer" Web sites has increased fivefold in the past year, according to Websense, a company that makes software to monitor and block employee Web usage. What's more, Websense says, the number of sites containing streaming media, such as online movie theaters, has jumped fourfold in the past year to 400,000 Web pages.


"I DON'T WANT TO WAIT"
Companies can use several tactics to stem the flow of unwanted media files on their networks, including blocking access or simply telling employees there's a ban. But determined workers and developers, it seems, are finding ways around such obstacles. For example, some file-swapping technology can trick a network into allowing it in by disguising itself as a mundane piece of software.
And as Napster and its underground offshoots have shown, people will find ways to collect movies and music. An employee of Entertainment Weekly who asked not to be identified said he regularly obtains music from file-swapping sites, despite a ban on the practice by his employer, AOL Time Warner. The media giant owns one of the major record labels that's successfully cracked down on such sites.
Although the company doesn't have an internal network and prohibits use of major file-swapping sites, the employee said AOL Time Warner has yet to block some smaller, more obscure sites where he can find music.
"If I like a song and I want to hear it, I don't want to wait for the next hour or more to hear it on the radio," the employee said, adding that he doesn't fear he'll be punished for securing tunes, as long as he gets his work done.
"I get the impression they just turn the other way," said the employee, who estimated that he buys about three CDs a month in addition to obtaining music via the Web.
Others haven't been so lucky. Carla Tomino, a secretary at Northwestern University, said she was fired last summer for violating a policy prohibiting personal use of company equipment by storing 2,000 MP3 files on her computer.
Although firing may be an extreme case, Tomino is not alone in being punished. According to Websense, about 35 out of 250 companies surveyed in a recent poll had disciplined or reprimanded employees for downloading songs.
But technological tricks or stringent corporate policies aren't likely to stop the practice. As the Entertainment Weekly employee said, "If you want it bad enough, you can find it."


JUST LIVE WITH IT
IT workers say the same thing: that the songs are already out of the proverbial jewel box. Like universities, companies may have to learn to live with a certain amount of media on their networks.
Frank Gillman, director of technology for the law firm Allen Matkins Leck Gamble & Mallory, said streaming media and MP3s are only the latest ways for employees to waste time and corporate resources.
"Every month brings something new that people will do," he said. "Today's MP3 is just yesterday's Internet surfing, which was yesterday's sending e-mail to relatives, which was yesterday's putting the book under the table and reading."
Gillman said his company tries to block media files with Websense, but he knows some of them still get through. Gillman said one of the most effective deterrents is educating people and making it personal: telling employees, for example, that even something as seemingly benign as downloading a movie can cause major network problems for their buddy or work group in the next cubicle.
"What you really want to do is protect people from themselves," he said.
**********************
News.com
Critical hole found in encryption program
By Vivienne Fisher
Staff Writer, CNET News.com
June 27, 2002, 10:30 AM PT



A popular open-source program for encrypted communications has a serious flaw that could let Internet attackers slip into servers running the software, said its creators and a security company this week.
The program, Open Secure Shell (OpenSSH), is included in many widely used operating system distributions, such as OpenBSD 3.0, OpenBSD 3.1 and FreeBSD-Current, all open-source variants of the Unix OS. Such operating systems appear on networking equipment and security appliances, among other things.


The flaw affects versions 3.0 to 3.2.3 of the software, said Grant Slender, principal consultant for Australasia at network protection company Internet Security Systems, which first discovered the vulnerability.


Slender said the flaw is a "buffer overflow" in OpenSSH's handling of authentication messages: a message sent to the program is longer than the memory the program set aside for it, so the excess overwrites adjacent memory. Attackers exploit such holes by crafting the excess so that the overwritten memory contains code, or directs the program to code, that then runs with the program's privileges.


Because of the flaw, "it is possible for a remote (off-site) attacker to send a specially crafted (message) that triggers an overflow," according to the ISS advisory. "This can result in a remote denial-of-service attack on the OpenSSH daemon." A denial-of-service attack makes a server unavailable to its legitimate users; here a single malformed message can crash the daemon rather than the attacker having to flood it with requests.

The advisory also said that hackers exploiting the hole would enter a server at the highest level of access. "The OpenSSH daemon runs with superuser privilege, so remote attackers can gain superuser access by exploiting this vulnerability," it said.

ISS has been criticized recently for its handling of another security alert involving a flaw in the popular open-source Apache Web server. ISS alerted the public to the Apache hole the same day it warned the Apache developers, giving the programmers no head start on fixing the flaw. This time, the company gave notice.

Slender said ISS notified OpenSSH's senior developer, who had created a patch. "In this case, we did contact the senior developer and, with his coordination, we worked toward making sure the (programming) community was ready to have the vulnerability announced," he said.

ISS is advising system administrators to disable unused OpenSSH authentication mechanisms.

It's also possible for administrators to remove the exposure by disabling challenge-response authentication in the OpenSSH daemon configuration file, sshd_config, by setting the ChallengeResponseAuthentication keyword to "no," according to the advisory. Slender also said people should upgrade to a fixed release, which is the only complete remedy.
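The check and the workaround from the paragraph above, as an added example that is not code from the CNET article, ISS or the OpenSSH project: a small POSIX shell script that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keyword matching is case-insensitive, comments are ignored, and an absent keyword falls back to the compiled-in default, which for ChallengeResponseAuthentication is "yes"), reports whether the vulnerable mechanism is still on, and applies the advisory's workaround in place. The two configuration files are constructed samples written to temporary files; the keyword spelling is OpenSSH's, while the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article, ISS or the OpenSSH project.
# Audits an sshd_config for ChallengeResponseAuthentication and applies the
# advisory's workaround. Sample configs below are constructed for the demo.

# Print the effective ChallengeResponseAuthentication value for a config.
# sshd honours the FIRST occurrence of a keyword, matches keywords case-
# insensitively, ignores blank lines and comments, and treats an absent
# keyword as the compiled-in default "yes", which is the exposed state.
challenge_response_setting() {
    _val=$(awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf 'yes\n'; fi
}

# Exit status 0 when the config still leaves challenge-response
# authentication on, i.e. the daemon stays exposed until it is upgraded.
is_exposed() {
    [ "$(challenge_response_setting "$1")" != "no" ]
}

# The workaround from the advisory: force the keyword to "no". The line is
# written at the top of the file so that it is the first occurrence, and any
# earlier copy (active or commented out) is dropped so that nobody is misled.
disable_challenge_response() {
    _tmp=$(mktemp)
    {
        printf 'ChallengeResponseAuthentication no\n'
        grep -iv '^[[:space:]]*#*[[:space:]]*ChallengeResponseAuthentication' "$1" || true
    } > "$_tmp"
    mv "$_tmp" "$1"
}

# Constructed sample 1: keyword only present as a comment, so the default
# (yes) applies and the daemon is exposed.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config as shipped: the mechanism is on unless explicitly turned off
Port 22
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the same file with the workaround applied.
FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
Port 22
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

# Report both samples; on a real host point this at /etc/ssh/sshd_config
# and restart sshd after changing it (hypothetical path, adjust per system).
for f in "$WEAK_CFG" "$FIXED_CFG"; do
    if is_exposed "$f"; then
        echo "$f: ChallengeResponseAuthentication=$(challenge_response_setting "$f") (exposed)"
    else
        echo "$f: ChallengeResponseAuthentication=no (workaround in place)"
    fi
done
```

The default-is-yes rule is the part that catches people: a file in which the keyword appears only as a commented-out line looks harmless and is not. The workaround removes the entry point the advisory describes, but it does not change the vulnerable code, so treat it as a stopgap until the daemon is upgraded; OpenSSH builds with PAM keyboard-interactive support also carry a separate PAMAuthenticationViaKbdInt keyword that reaches the same mechanism and should be set to "no" as well.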

Information about the vulnerability has been posted on security mailing lists such as Bugtraq and Debian's security list.

Staff writer Vivienne Fisher reported from Sydney. News.com's Robert Lemos contributed to this report.
************************
ZDNET
Police database brings feature searching
By Reuters


In Arizona and Los Angeles, police are replacing law enforcement mainstays such as mug shots and lineups of suspects with technology some call Mr. Potato Head.
The photographic database and facial recognition systems, called Crime Capture and CrimeWeb, allow investigators to pick different types of facial features to search databases for criminals. It's not unlike the toy famous for allowing kids to change body parts on a potato, police said.


"We've named it Mr. Potato Head in Arizona," said Cyndy Pellien, administrative services officer for the Arizona Department of Public Safety.


"You can pick different types of eyes and hair," or even search for a specific tattoo, she said. "If there is a missing child, we have the ability to scan their school photo in the system and do flyers to notify people statewide immediately."


The software from ImageWare Systems replaces the paper records that can often take days or weeks to find or send to other agencies.

Officials around the United States are using the system to take digital photos of faces, tattoos, scars and other identifying features of people arrested.

The photos, combined with fingerprints, names and other personal information, are aggregated into a database that can be accessed by other law enforcers.

"Before, if you were booked, your picture was taken on real film. Then it was sent to a lab and developed," said Sgt. Larry Bryant of the L.A. County Sheriff Department's records and identification bureau, where officials arrest about 30,000 people a month.

"The police agency right next door never knew that a booking photo existed," he said. "They would have to send a letter to the crime lab requesting a copy, and that could take a week to two weeks to process."

The database is easily searchable, allowing its users to quickly find faces that are similar to a witness' description. For example, officials in Los Angeles County can use a composite sketch to search its database of 1.5 million faces and get a list of faces that most closely match, Bryant said.

The wheels of law
The system also can help identify cars, allowing officials to search on different makes, models and types and even add dents and pin stripes, said Jim Miller, chief executive of ImageWare Systems, based in San Diego.


ImageWare's technology is also accessible by mobile devices. Los Angeles County is testing the system on iPAQ handheld computers, said Bryant.

Critics of facial recognition software, increasingly touted by law enforcers since the attacks of Sept. 11, say the technology is unreliable and violates individual privacy rights when used to grab images of unsuspecting people in crowds. "People shouldn't be held as a suspect just because a technology holds them to be that way," said Mihir Kshirsagar, a policy fellow at the New York-based Electronic Privacy Information Center.

Miller said the technology is not relied on as the sole source of identification, and the central repository at ImageWare is not connected with any outside databases. "It's not a guilt or innocence tool," he said.

In the United States, about 900 police departments, including in New York and Los Angeles, and federal agencies such as the FBI use ImageWare technology, according to Miller.

In Las Vegas, officials use the system to automate background checks for 250,000 casino workers, while the state of New South Wales, Australia, including the state capital Sydney, and the country of Costa Rica are also putting it into use, he said.
**********************


Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 510
2120 L Street, NW
Washington, D.C. 20037
202-478-6124
lillie.coney@xxxxxxx