***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

July 29, 2002

It's issue #2 already! Even though we said this would be a bi-weekly bulletin, it looks like we will try to put this out weekly when we have the content to do it. Please send any contributions, feedback or suggestions to secure@resist.ca and also let other people know that this bulletin exists! We want the largest possible activist audience thinking about and acting on security issues - our activist context today certainly demands it.

**********************************
Security-news: Issue #2 - Contents
**********************************

* Security tip of the week: Passphrase Security
* News Item: Giant Spy Eye Opens on World's Biggest Rainforest
* News Item: PGP Vulnerability exposed by Outlook Plug-In
* How-to: Limit Your WWW Search Exposure

***** Security Tip of the Week: Passphrase Security *****

A secure passphrase consists of one or more words comprising 12 characters or more. It should use random characters: upper and lowercase letters, numbers, punctuation and special characters (~!@#$ etc.). In addition, it should not contain data traceable to you such as birthdates, names or other personal information. Do not write your passphrase down anywhere, or store it in plaintext on your computer (if you must record it somewhere, keep it in an encrypted password safe).

For more info - http://security.tao.ca/pswdhygn.shtml

***** News Item: Giant Spy Eye Opens on World's Biggest Rainforest *****
Wed Jul 24, 2002

BRASILIA, Brazil (Reuters) - Scanning a dense rainforest the size of Western Europe, a mammoth radar system set to crank up this week will spy on drug runners, diamond miners and illegal loggers that infest Brazil's Amazon.

But the story behind the $1.4 billion network of radar, control towers and aircraft that form a spider's web over the jungle has its own share of espionage, riddled with allegations of CIA interference, phone bugs, bribes and dodgy diplomacy.

Designed by U.S. defense contractor Raytheon Co., the System for the Vigilance of the Amazon, or SIVAM, will fill a black hole in Brazilian surveillance that has exposed its borders to international crime and rebel activity.

SIVAM, built under Brazil's most costly defense contract, will scan 1.9 million square miles of the world's largest rainforest, also cataloging its widest diversity of wildlife and pinpointing Indian populations.

For the rest of this story go to:
http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020724/sc_nm/brazil_amazon_dc_1
or
http://www.guardian.co.uk/international/story/0,3604,565714,00.html

Security-news note: That's right, this whole surveillance project is being touted as a way of environmentally protecting the Amazon - because as we all know the US government has a real sincere interest in that..... We also think they have a really sincere interest in gathering as much data as possible on Brasil's neighbour Colombia. Even the Yahoo article notes CIA assistance with Raytheon (a major US defense contractor) being awarded the contract for this project. Even though the US doesn't officially own this network, they might as well, given that one of their own companies did all the spec and design for the project and thus has access to all the data.

***** News Item: PGP Vulnerability exposed by Outlook Plug-In *****
By ComputerWire

One of the most important secure email standards used to encrypt messages could be vulnerable to attack through a plug-in used by the Microsoft Outlook email suite. It is claimed that certain commercial and freeware products supplied by Network Associates Inc that use the Pretty Good Privacy encryption standard contain a flaw that could leave systems exposed.

From the hole in a PGP-encrypted messaging plug-in, a hacker might launch keystroke-logging software to unscramble confidential email messages. Investigations by Aliso Viejo, California-based eEye Digital Security Inc suggest that Network Associates' PGP Desktop Security 7.0.4, PGP Personal Security 7.0.3 and PGP Freeware 7.0.3 products are susceptible.

For the rest of this article go to:
http://www.theregister.co.uk/content/55/26184.html
also - http://www.wired.com/news/technology/0,1282,53782,00.html

Security-news note: This is NOT a flaw in PGP itself; it is a flaw in the PGP plugin for Outlook. To remedy this, de-install the Outlook plugin for PGP and encrypt manually rather than using the auto-encrypt feature in Outlook.

***** How To: Defensive Strategies - How to Limit WWW Search Exposure *****
by kendra@resist.ca

There's this irritating language trend out there these days - using the word "google" as a verb, as in "I googled myself" or "I googled my new partner to see what I could find out about them". Essentially what this means is to put yourself or another person's name into a search engine to see what turns up. The fact that "google" is now being used as a verb like this speaks not only to the awesome dominance that Google has in the search engine scene, but really to the fact that the act of finding out information about individuals through simple www search engines is remarkably commonplace these days.

If you haven't ever searched for data on yourself using your full name, I suggest you go take a try at it right now.... If there's nothing out there on you yet - excellent! It means you're either new to the web or just good at covering your tracks. Most people who use the web regularly, however, will find this is not the case. It's surprising how much data comes back when you conduct a simple search.

This is data that may be of interest not only to a new partner or an employer, but also to the police or other investigators trying to analyze your habits or those of the activist community. A lot of online information about you may be out of your immediate control, but there are ways to limit what others can find.

* It's good to periodically do Internet searches on your name and regular email address to see what turns up. Use multiple search engines, since different engines catalogue different data. If there is information that you prefer not to have publicly available, contact the site owner. Search engine databases will typically reflect the changes within six to eight weeks.

* When making postings to the Internet, Usenet discussion groups or e-mail lists that archive messages, use a nickname or an alias rather than your full name. You may want to post from an email address that is not publicly associated with your legal name.

* Take steps to prevent a personal Web site or Weblog from being noted by the robotic programs that "crawl" and index the Web (for example, a family Web page that you want only friends and family members to see). Information on how to do that is available at http://www.robotstxt.org

* If you sign a petition online, understand that the information could become public and searchable on the Internet. Online petitions are largely ineffective anyway, so there's not much reason to be signing them with your legal name.

* If you want to put personal photos on the Internet, consider using an online photo service that can "share" photos with family and friends using a password but is not indexed by search engines.

* If you are handling information or photographs that involve other people - GET THEIR PERMISSION FIRST.

* Remember that e-mail sent in confidence can be forwarded, intentionally or inadvertently, and even wind up on the Web.
  If you want to protect yourself from email forwarding - USE PGP and the Secure Viewer option when encrypting your mail. For more information on PGP and how to use it - check out http://security.tao.ca

For more on this topic:
http://www.nytimes.com/2002/07/25/technology/circuits/25GOOG.html?todayshead

***************************************************************
Security-news
Good security is no substitute for good sense!
To unsub go to http://resist.ca/mailman/listinfo/security-news
***************************************************************
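Returning to the passphrase tip at the top of this issue: an added example, not from the newsletter, that checks a candidate passphrase against those rules (12 or more characters, mixed character classes, nothing traceable to you). The name "Kendra" and the birthdate used below are constructed sample inputs, and the helper names are our own.

```python
import re
from datetime import date

# Checker for the passphrase rules in the tip: 12+ characters, a mix of
# character classes, and nothing traceable to the owner (names, birthdates).
SPECIALS = set("~!@#$%^&*()_+-=[]{}|;:'\",.<>?/\\`")

def _birthdate_forms(iso_date):
    """Assumed helper: the digit strings a birthdate is commonly typed as."""
    d = date.fromisoformat(iso_date)
    return {d.strftime(fmt) for fmt in
            ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%y%m%d", "%Y")}

def check_passphrase(passphrase, personal_data=(), birthdate=None):
    """Return the list of rule violations; an empty list means it passes.
    personal_data: strings traceable to the owner (names, handles, pets).
    birthdate: 'YYYY-MM-DD' string or None."""
    problems = []
    if len(passphrase) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "uppercase": any(c.isupper() for c in passphrase),
        "lowercase": any(c.islower() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "special": any(c in SPECIALS for c in passphrase),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = passphrase.lower()
    for item in personal_data:
        item = item.strip().lower()
        # Fragments shorter than three characters would match almost anything.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal data {item!r}")
    if birthdate is not None:
        digits_only = re.sub(r"\D", "", passphrase)
        # Longest forms first, so a full date is reported before its bare year.
        for form in sorted(_birthdate_forms(birthdate), key=len, reverse=True):
            if form in digits_only:
                problems.append(f"contains birthdate fragment {form!r}")
                break
    return problems

if __name__ == "__main__":
    # Constructed sample inputs (not a real person).
    for candidate in ("sunshine", "Kendra!Resist1975", "Cor^rect-Horse9Battery"):
        print(candidate, "->", check_passphrase(candidate, ["Kendra"], "1975-03-14") or "OK")
```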
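For the robots.txt bullet in the how-to above: an added example (not from the newsletter or from robotstxt.org) showing how a crawler reads a robots.txt file and why the file is only a request to crawlers, not protection. The robots.txt text and the host name example.invalid are constructed for the example.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a personal site: keeps well-behaved crawlers
# away from the family pages while leaving the front page indexable.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /family/
Disallow: /photos/
Allow: /
"""

def build_parser(robots_txt):
    """Parse robots.txt text the way a crawler would (no network access needed)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp

def crawler_may_fetch(robots_txt, path, user_agent="Googlebot"):
    """True if a crawler that honours robots.txt would index this path."""
    return build_parser(robots_txt).can_fetch(user_agent, "http://example.invalid" + path)

def disallowed_paths(robots_txt):
    """robots.txt is a public file: every Disallow line names a path to anyone
    who reads it, and a crawler that ignores the file can still fetch the page.
    That is why it must never stand in for a password."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

if __name__ == "__main__":
    for path in ("/index.html", "/family/reunion.html"):
        print(path, "indexable:", crawler_may_fetch(SAMPLE_ROBOTS_TXT, path))
    print("paths the file reveals:", disallowed_paths(SAMPLE_ROBOTS_TXT))
```

Keeping a family page out of search engines with robots.txt is sensible, but the password-protected sharing suggested in the photo bullet is what actually stops a stranger from reading it.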