Bulletin Board #10



Date: Fri, 21 Mar 1997 11:12:12 -0700
To: Recipient List Suppressed:;
From: Tim Johnson
Subject: BULLETIN BOARD #10




#1

Employment opportunity

From the OPSEC site
NMIA - http://www.cache.net/NMIA
OSS - http://www.oss.net
OPS - http://www.oss.net/ops
NIP - http://www.oss.net/nip
Position: Programmer/Analyst
DynCorp
Southern California Range Operations Center
Range Development Section
NASNI, Bldg. 1479
San Diego, Ca. 92135
contact person: Katheryn Whitfield
phone: (619)522-2224 fax: (619)522-2229 email: kathy@score.com

Position Description: Responsible for recommending and implementing enhancements to existing software or development of new software designed to improve the operational efficiency and to support the range user requests for additional range capabilities.

Qualifications Requirements: A Bachelor's degree in Computer Science or Mathematics as well as four years experience programming C/C++ language applications under the Unix/X11/Motif operating system environment. Desirable experience in underwater tracking system development. Ability to acquire a SECRET clearance is a must.




#2

Reference the TV Special

Date: Wed, 19 Mar 1997 20:25:55 -0500
From: Bob_Maher@tds.com (Bob Maher)
Subject: Re: Assistance needed for TV show

WARNING -- had a recent situation where a "British TV group" was gathering info on high tech stuff. Wanted to film and interview on some sensitive Government stuff. Turned out to be an operation that gathered the information and sold it to interested parties (usually foreign Governments or industries) -- whoever could benefit from the info. They claimed to be from the BBC with connections to the Discovery channel. Found out this was not so. Please verify their origins, and be careful not to be blinded by the "spotlight"!!!




#3

Turning over bugs
Date: Wed, 19 Mar 1997 16:52:37 -0600
From: Trace Carpenter
Subject: Turning over Bugs

Last time I checked, the installation of a device is a violation of Federal law. And a private company doing TSCM does not have the authority to not report it to the proper authorities. I think that could also be considered violation of a Federal law. Regardless of what the customer wants,

The question is do you have a violation if you do not have a complainant? What I mean by that is I can have a device on my phone if I want to. If you illicitly place a recorder on my line, and I have supreme authority over my line, and I don't file a complaint is there a crime?

I have had very good luck in the past placing surveillance on tape recorders which have been placed on my client's lines and catching the culprit. If you don't, how are you going to prove who did it for prosecution? The FBI isn't too concerned about divorce cases. We turned one lady over to them who was VERY adamant that she wanted to pay us to bug her boyfriend's phone. We referred it to a contact at the Dallas office of the FBI who ran her history, saw she wasn't a "political spy" type and basically told us they didn't have time to deal with these types of cases. In fact, from what we know now, they never even contacted her.

What are your thoughts? How would you prove who was doing the work and get a conviction?

Sincerely,

Trace Carpenter

Trace Carpenter Investigations
Professional Private Investigations
Suspicions Confirmed / Problems Solved! / Free Consultations
660 Amberton Tower
4144 N. Central Expy.
Dallas, Texas 75204
214.828.4520
214.828.1917 Facsimile




#4 New Report Details FBI/European Tapping Agreements
Date: Thu, 27 Feb 1997 18:23:46 -0500
From: "Kevin D. Murray"
To: TSCM Colleagues, and interested security professionals
Subject: FYI - Project TAP (Tape ALL People)

A report issued on Feb. 24 by Statewatch, a London-based advocacy organization, shows that the FBI has been working with its counterparts in the European Union for five years to create a "global tapping system." The report reveals the existence of a Memorandum of Understanding to ensure that surveillance of all existing and new technologies is compatible and coordinated with the FBI's efforts to advance its "digital telephony" agenda within the United States.

The FBI's plan is to facilitate wiretapping worldwide by pressuring countries to harmonize national laws on interception; increase cooperation of telecommunications providers; ensure equipment has interception standards incorporated; and create de facto global standards by persuading as many countries as possible to cooperate and by providing compatible equipment to non-participating countries.

To achieve these goals, the FBI and its EU counterparts wrote a resolution adopted by the Council of the European Union on "the lawful interception of telecommunications." The Council issued the resolution on Jan 17, 1995 (unpublished until November 1996) and a Memorandum of Understanding on the requirements that need to be adopted into all laws. The MOU has been signed by the 15 member countries of the EU, and the US. There have also been "expressions of support" from Australia, Canada, and Norway. The FBI and EU have also pushed the requirements as standards before the international telecommunications standards bodies such as the ITU and pressured other countries to adopt them.

The requirements are almost exactly the same as the FBI demands for digital telephony. They include "real-time access" to the "entire telecommunication transmitted" sent to a "law enforcement monitoring facility", access to all associated call data, geographic location information for mobile phone users, decrypted information for all operator-provided encryption, and response times "in urgent cases within hours or minutes."

The report notes that even countries that do not agree will be affected:
The strategy appears to be to first get the "Western world" (EU, US plus allies) to agree to "norms" and "procedures" and then to sell these products to Third World countries -- who even if they do not agree to "interception orders" will find their telecommunications monitored ... the minute it hits the airwaves.

The digital telephony proposal has received significant criticism in the United States since its adoption in 1994. The FBI originally claimed that the law provided a mandate to simultaneously monitor a significantly higher percentage of phone lines than is current practice in the US. That interpretation was withdrawn after public protest. The FBI then claimed that the law would require the development of a global locator system based on the nation's telephone system. That interpretation was also withdrawn after public protest. Several members of Congress have said that they will oppose future funding of the plan.

A copy of the Statewatch report, the Council of Europe Resolution and more information is available at:

http://www.privacy.org/pi/activities/tapping/

Thanks to EPIC for passing this on to us. From EPIC Alert 4.03.
Kevin




#5

Assistance needed for TV show

From: ClarkAB@aol.com
Date: Thu, 20 Mar 1997 21:52:44 -0500 (EST)
Subject: Re: Assistance needed for TV show

Tim:

Candidly speaking, I am very concerned about such a show. In today's world of high tech everything, why in the world would anyone want to broadcast on public television the techniques utilized by law enforcement and private industry security professionals, the tools of the trade which target criminals?

I tend to think those in the public media business are so naive to think that criminals do not watch television, video tape such shows and utilize them as training films for their own folks in targeting people such as us.

I would not like to consider the consequences of how my life would be affected if a criminal gang were to target me utilizing the same devices that retired federal agents and others utilize to target criminals.

I will make a simple request. Please make every effort to deter this lady from publicizing the tools of our trade. The concept of counterintelligence methods and techniques being freely and publicly compromised to any criminal capable of owning a television and VCR scares the hell out of me. I strongly urge you to make this effort on the behalf of all of us (including yourself) as our lives may depend on this.

Thank you.

ED LAWTON




#6

Assistance needed for TV show

From: ClarkAB@aol.com
Date: Thu, 20 Mar 1997 22:01:22 -0500 (EST)
Subject: Re: Industrial espionage acts

Tim:
This is a review of my comments pertaining to your earlier message. Please do not support this initiative. Again, techniques involved in industrial espionage do not need to be publicized on television. Your motto indicates that what is said in private, is private. So what is wrong with the picture painted in your message?

Have you ever considered that the M.O.'s, types of equipment utilized and officer responses in the reenactments on television (Top Cops, Best Stories of the Highway Patrol, etc) are evaluated and practiced by criminals still on the streets in attempts to determine weaknesses of other law enforcement or security personnel!

If I could, I would send out my messages to you to all the folks you send your messages to. In fairness, I think you should evaluate the benefits of this woman's show with respect to the potential dangers other officers and police or security personnel will potentially encounter because of the unnecessary publicity she will provide. What is her motive? Let's keep our capabilities where they belong, out of sight!

ED L.




#7

The following was printed at list@investigations.com, a Private Investigators site, in response to a request for information:

Date: Thu, 20 Mar 1997 15:37:26 -0800 (PST)
From: list@investigations.com (PROINV-L-DIGEST)

Date: Thu, 20 Mar 1997 13:49:40 -0800
From: "W. M. Johnson"
Subject: Industrial Espionage
Greetings:
Tim Johnson mentioned an upcoming series of TV programs to be filmed in the US by what is apparently an Australian production crew. I'm sure Mr. Johnson and other experienced investigators know how to protect themselves from "Delphi" and other sophisticated pretext attacks, but I felt I should post a few comments to the list since several new people have recently joined the group. As many of you know, I'm a former government investigator, Pinkerton official and the founder of BECCA, the Business Espionage Controls & Countermeasures Association. I'm also the author of "Who's Stealing Your Business? - How To Identify & Prevent Business Espionage," a book published by the American Management Association, the largest provider of management training.

The "reporter" and/or "film crew" pretexts are among the most common pretexts used in business espionage. It's not that difficult to set up a "shoot," as many of you know. I wrote an article for Sterling Publications in England regarding the "Delphi" method of interviewing as it is used by legitimate researchers, reporters, and people posing as such.

In brief: The Delphi method of interviewing is named after the Temple of Apollo at Delphi and was developed by Rand Corporation mathematicians Olaf Helmer and Norman Dalkey. Specialized interviews based on the Delphi method are legitimate forecasting tools, but are also used by spies. These interviews deliver the single most likely guess as to what a company or industry will be doing in the future based on projections made by the best minds involved in the field at the present. In very simple terms it works like this:
  1. Poll experts on a subject (equipment, business practices, etc.) separately and in private regarding both their rational projections and their gut reaction hunches.
  2. Repeat the interviews several times if possible, after the experts have had a chance to think about and reevaluate their data.
  3. Break these data down to isolate a group opinion covering an area of interest. (Those being questioned may or may not know the real intent of the interviewer.)
  4. If possible, bring those polled together to "talk out" a consensus.

The results can provide an honest and straightforward look at the future if the information gathered is shared with all of the contributors. There are many dishonest variations of Delphi Technique, however, some of which the original developers would no doubt find appalling. I've been pretexted by several "freelance reporters" and "T.V. producers." One of the "reporters" was a former Cold-War warrior who was setting up shop in the private sector. (I would have been more help to him if he had been straight-forward.)

I'm not suggesting that we need to be fearful of everyone asking questions. Communications are vital to any business and there are many good reasons for keeping the channels open. However, it is always wise to ask questions, and verify the answers, before you answer someone else's questions. I'm looking forward to hearing more about the Australian production.
All the best,
William M. Johnson, Ph.D., CCO
TEL: 206-364-4672 FAX: 206-367-3316




#8

A response

Tim Johnson
dbugman@amug.org
In response to the above concerns, I have requested additional information to verify the authenticity of the requestor and an outline of the proposed presentation. In partial support of the proposed presentation, they have produced the following specials.

"Ultrascience" is a half-hour science documentary series produced in Australia by Beyond Productions, for the US company Discovery Communications Inc. Beyond has been producing television information, drama and comedy programs and feature films and documentaries for almost 12 years. Perhaps you've seen Beyond 2000, Invention or the feature documentaries Shuttle and Submarines: Sharks of Steel; all have been broadcast on Discovery.

I'd like to get more input from you folks with your views and thoughts. Do you think the "bad guys" know about the technology? Do you think they have access to the equipment? Do you think the people in a position of protecting information know as much as they should about how to protect it? (This last question is directed to those who have attended security seminars [such as TSCI's TSCM/POPI] in which some of the threats and technology were discussed.) Who do you feel would benefit more from the information?

The above questions are not asked to solicit support for or against the special, but rather to provide insight into what the bad guys probably already know and what the good guys don't know.

Personally, having presented quite a few security seminars with Gary Bunker, I feel that most of the people in security DON'T realize what the technical threat is, nor how to counter it. Neither do they know where to get reliable information or support. (Again, I'd like input from some of you who have attended security seminars -- did you come away with a different view or attitude? Did you feel knowledgeable before attending, and what was your outlook after having time to digest the information provided?)

Your comments are earnestly solicited and if you wish to make a statement, but do not wish to be identified, let me know and I'll keep you anonymous.




#9

Date: Mon, 17 Mar 97 08:24:20 -0000
From: Nick Robson

The SCI Security Newsletter
Volume 2#3 March 1997


Quicken & ActiveX

Hackers belonging to the Hamburg, Germany Chaos Computer Club have demonstrated an ActiveX control that will transfer funds from users' bank accounts without using a personal identification or transaction number. The Chaos crackers demonstrated their hostile ActiveX control on a German TV show to make their point about what they saw as the security risks posed by ActiveX. If made available on a web site, the control could install itself on a user's computer and covertly check to see if the popular personal-finance software package, Quicken, is installed.

Continuing the scenario, if the control had found Quicken, it would issue a transfer order and add it to that application's batch of existing transfer orders. The next time the Quicken user paid their bills, the illicit transfer would be included, unnoticed by the victim. Quicken claims to have more than 9 million active users worldwide. Computer security experts, who have been highly critical of Microsoft's ActiveX, said this was just another example of why the technology should be abandoned.

"ActiveX may be very useful for intranets, but it has no place on the Internet because of the security problems," said Kevin McCurley, a cryptography expert at Sandia National Laboratories. The entire issue of potential risks in ActiveX and related technologies is a significant network security hot topic these days. This Quicken story (a response from Intuit is below) is but a very minor aspect of a much broader concern over ActiveX issues which has been raging in some quarters. It seems clear that some new systems to tightly couple users to remote environments are being deployed with insufficient consideration being given to the "real world" issues which are unlikely to be solved through technological wizardry alone, to say the least.

More Security Holes In Microsoft's Internet Explorer

EliaShim, the anti-virus and computer security software manufacturer, warns of a security hole in Internet Explorer. Less than a week after the discovery of a potential security gap in Internet Explorer 4.0, Microsoft Corp. may have another hole to fill. EliaShim Ltd. claims it has identified security problems in Microsoft Internet Mail and News applications. "Hostile links" can be embedded in newsgroup messages or in messages received by Internet Mail as shortcuts, company officials said.

And another Internet Explorer Bug Found

Another bug in Microsoft's Internet Explorer has been discovered by a group of University of Maryland students. The students posted their results at their Web site recently and claimed that the bug could let a hacker remotely break into a user's computer or install viruses onto the system. UMD students David Ross, Dennis Cheng, and Asher Kobin found the bug in IE 3.01.

Microsoft acknowledges the bug but hasn't defined its full impact. The bug apparently centers around IE's Iframe, or floating frames feature.

The patch for the URL/LNK bug does not fix the UMD students' bug. The students' Web site is at http://dec.dorm.umd.edu/ . Microsoft's IE site is at http://www.microsoft.com/ie .

Year 2000 ?
At a recent meeting sponsored by the Electronic Banking Economics Society, one speaker predicted that a bankruptcy rate of between 1% and 5% could result directly from costs related to fixing the notorious "Year 2000 Problem." "If you have not yet begun a Year 2000 conversion today, you will not be able to convert by 2000," he said, noting that there are just over 100 weekends left to work on systems affected by the problem. If companies choose to ignore the problem, they'll be liable for millions in lawsuits brought by shareholders when company stock prices begin to plummet. Only one third of U.S. companies are addressing the problem, with another third entering the preliminary discussion phase, and the other third doing nothing. Still, that's better than the rest of the world: "Britain is three steps behind the United States on this issue, Europe about 10 steps behind the United States on the issue, and Japan is about 15 steps behind the United States on the issue," a consultant said.

Internal LAN Security
Many organizations still perceive that the main threat to their network security will come from outside the organization in the form of hackers or criminals intent on fraud.

However, equal if not more attention should be paid to ways in which networks can be compromised from within an organization. The proliferation of technology has meant that within an organization hundreds of Local Area Networks (LANs) can be communicating with each other across the world. The speed of business demands that systems are able to react quickly and transparently, but this must be balanced against the need for security.

As networks have grown in complexity, there has been a greater need for management controls and tools to fix problems as they occur. One such tool is the LAN analyzer, which is a sophisticated piece of hardware or software which can monitor the network and "listen" to everything that is transmitted. At the low end there is public domain software - so-called "sniffers". These programs are available freely on the Internet and are relatively easy to use.

Sniffers obviously have serious security implications - anyone could be picking up not only confidential information but data such as passwords, which could be used at a later date to hack the system and access accounts or even take over the network.

Moreover, information which has been sniffed and captured could be played back, to do a duplicate payroll, for example, or even crash the network.

It is not only your network security which has to be considered. Third party advisers such as accountants, management consultants and tax advisers pass sensitive information about your company over their network - how can you be sure that their networks are protected from LAN sniffers? The dangers are obvious. As the business world becomes more and more competitive, sensitive corporate and personal data held by organizations (e.g. share information, financial statements, acquisition details, passwords) in the hands of the wrong person can be harmful to both companies and individuals.

Solutions
Companies are working on software and hardware solutions to make it more difficult for the determined hacker, whether inside or outside the organization, to violate corporate networks.

There are four key aspects of network security: access control, authentication, data integrity and privacy. An overriding factor is that all security mechanisms should be transparent to the user and should not diminish overall network performance or operation. To be continued in next issue.

SCI Ltd.
Security * Computers * Communications

P.O. Box 30498 SMB
Grand Cayman, B.W.I.

E-mail: sci.ltd@candw.ky
HTTP : http://www.candw.ky/customer/tscm/

Tim Johnson