National Infrastructure Protection Center NIPC Daily Open Source Report for 10 December 2002
Daily Overview

• CERT has released Vulnerability Note VU#961489 - "University of Washington IMAP Server vulnerable to buffer overflow after login." (See item 15)
• CBS News reports United Airlines on Monday asked a federal judge to keep the carrier airborne, while it struggles to pay off mounting debts in the largest airline bankruptcy in history. (See item 4)
• The Washington Post reports radioactive material that could potentially be used to make so-called "dirty bombs" has been seized at border posts in Central Asia in the past 12 months. (See item 1)
• The Associated Press reports that beginning today, the federal government will open parking lots at the country's biggest airports that have been off-limits since Sept. 11, 2001, because of worries about car bombs. (See item 5)
• Events continue to unfold in the Venezuelan oil and gas workers strike as troops take over gasoline distribution plants (See item 7) as the strike continues to halt the country's crude and product exports (See item 8)

Editor's Note: Yesterday's edition contained an item about an Information Bulletin issued by NIPC last Friday. The reference number for that bulletin should have been 02-011 (rather than 01-011). The URL for the bulletin is http://www.nipc.gov/publications/infobulletins/2002/ib02-011.htm.

Power Sector

1. December 9, Washington Post - U.S. concerned about nuke smuggling in Central Asia. Radioactive material that could potentially be used to make so-called "dirty bombs" has been seized at border posts in Central Asia in the past 12 months, a senior Defense Department official said Monday.
The smuggled material, contaminated metals, was confiscated at checkpoints along the Uzbekistan and Turkmenistan borders, according to Harlan Strauss, director of International Counterproliferation Programs at the Defense Department. "It is possible to be reprocessed and to be utilized in a way that radioactive material can be used for a dispersal device or a small weapon to contaminate an area," Strauss said. Dirty bombs scatter radioactive material using conventional explosive devices. Over the past decade at least 88 pounds (40 kg) of weapons-usable uranium and plutonium has been stolen from poorly protected nuclear facilities in the former Soviet Union, according to a report published by Stanford University's Institute for International Studies earlier this year. While most of this material was subsequently retrieved, at least 4.4 pounds of highly enriched uranium stolen from a reactor in Georgia remains missing. The United States has spent about $86 million to help about 30 countries, mostly in the former Soviet Union and eastern Europe, combat the threat of smuggling of nuclear and other metals that could be used in weapons of mass destruction.
Source: http://www.washingtonpost.com/wp-dyn/articles/A30485-2002Dec9.html

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe [Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

2. December 8, Associated Press - Israeli police, aided by the FBI, have arrested an Israeli suspected of hacking into computers of a U.S.-based electronics company and stealing personal information, including credit card numbers of some 80,000 customers, according to a court document released Sunday. David Sternberg, 24, of the port city of Haifa, allegedly broke into the computers of a large U.S. company that sells CD-ROMs and DVDs. The court document did not mention the company's name.
Source: http://online.securityfocus.com/news/1760

3. December 6, Associated Press - Feds: insurance helps launder drug money. Colombian drug cartels conceived an elaborate scheme that converted more than $80 million in cocaine profits to clean cash by moving money through life insurance policies, authorities said. The use of life insurance purchases highlights gaps in international financial regulations intended to cripple drug money laundering in legitimate financial transactions. Officials said the case underscores the need for a greater focus on stronger oversight of insurance sales to prevent abuse. The United States has been tightening regulations to prevent both terrorists and traffickers from laundering money.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021206/ap_on_bi_ge/insurance_laundering_1

Transportation Sector

4. December 9, Reuters - Lufthansa may take equity stake in United. United Airlines said on Monday its German partner Deutsche Lufthansa AG may take an equity stake in the bankrupt U.S. carrier, while Lufthansa said it was still studying ways to help its ailing peer. In an interview with Reuters in Chicago, United Chief Executive Glenn Tilton said it was possible that Lufthansa, its partner in the airline network Star Alliance, would take an equity stake in United. United Airlines, the world's second-largest airline and a unit of UAL Corp, became the biggest air carrier ever to seek court protection on Monday when it filed for Chapter 11 bankruptcy. Lufthansa has said it is in talks with United to find ways to help it out of its crisis. Lufthansa Chief Executive Juergen Weber said in a statement he believed United would be able to restructure successfully under Chapter 11. United will continue to fly under bankruptcy protection, which Lufthansa said meant that 330 code-share flights continued to be at their clients' disposal. Code sharing allows airlines to sell tickets on each other's planes.
Source: http://www.reuters.com/financeNewsArticle.jhtml;jsessionid=SZYAZXDAFIQ2OCRBAEOCFEY?type=businessNews&storyID=1876167

5. December 9, Associated Press - Airport parking lots to reopen. Beginning today, the federal government will open parking lots at the country's biggest airports that have been off-limits since Sept. 11, 2001, because of worries about car bombs. Federal officials also will change the way air travelers are screened after they pass through security checkpoints over the next few weeks, checking them only at randomly selected gates, said Robert Johnson, Transportation Security Administration (TSA) spokesman. New layers of airport security allow the rules to be eased, Johnson said, listing a better-trained screener workforce, federal air marshals, background checks of people who work beyond airport security checkpoints and screening of checked baggage at 252 airports. Johnson said the prohibition on unattended vehicles parking within 300 feet of a terminal will be dropped today as long as the terrorist threat level is at code yellow, or "elevated," the middle of a five-point scale of risk developed after the terror attacks. TSA chief James M. Loy was scheduled to announce the change at an airport security conference co-sponsored by the Airports Council International-North America and the American Association of Airport Executives. The "300-foot rule" will be reimposed if the threat level rises to orange or red, Johnson said.
Source: http://www.washingtonpost.com/wp-dyn/articles/A28092-2002Dec8.html

6. December 9, CNN - Cruise ship outbreak sickens 212. The Centers for Disease Control and Prevention (CDC) said Monday that 197 passengers and 15 crew members aboard the cruise ship Oceana have come down with a gastrointestinal illness. A CDC field team boarded the ship Saturday in Barbados to gather more information on the outbreak. "We conducted interviews with passengers and crew members and gathered samples," said CDC spokeswoman Susan McClure.
There are 1,859 passengers and 868 crew aboard, according to a statement released by the CDC. The Oceana left Fort Lauderdale, Florida, November 29 and is scheduled to return December 13, said a spokeswoman for P&O Cruises, the company that owns the ship. Passengers and crew on four consecutive cruises of Holland America's Amsterdam and two cruises of Disney's Magic were sickened by a Norwalk-like virus. The virus can be transmitted person-to-person or by consuming contaminated food or water. A Norwalk-like virus is also suspected in a recent outbreak aboard Carnival's Fascination.
Source: http://www.cnn.com/2002/TRAVEL/12/09/cruise.illness/index.html

Gas and Oil Sector

7. December 10, ABS-CBN News - CARACAS, Venezuela: Troops take Venezuela fuel plants. National Guard troops took over Venezuelan gasoline distribution plants on Monday (early Tuesday in Manila) as President Hugo Chavez cracked down on an opposition strike that partly shut the banking system and crippled oil operations in the world's fifth largest exporter. A general strike, started on December 2 to force the leftist former paratrooper to quit or call early elections, has disrupted refineries, cut oil output by more than half and paralyzed oil exports -- the nation's economic lifeblood. Gen. Wilfredo Silva told reporters that National Guard troops had entered the Guatire gasoline distribution plant -- which supplies fuel for gas stations in Caracas -- to secure deliveries. Troops also took over the Yaguas plant in central Carabobo state, workers said.
Source: http://www.abs-cbnnews.com/abs_news_body.asp?section=World&OID=10766. See following related story.

8. December 9, Reuters - Strike Slams Venezuela Oil Production. Venezuela's oil production was cut in half on Monday and under threat of further falls as a strike by foes of President Hugo Chavez that has halted the country's crude and product exports held strong into a second week.
Peace talks between government and opposition negotiators have failed to reach an accord on elections to end the crisis and union leaders gave no indication they would call off the stoppage. Negotiators were scheduled to sit down for talks again on Monday. State oil company PDVSA, which had to declare force majeure on exports last week as tanker loadings were halted, chopped refinery runs across the nation's 1.3-million-barrel-per-day (bpd) refining system to minimum operating levels as unshipped products filled storage tanks.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/nm/20021209/bs_nm/energy_venezuela_dc_1

9. December 6, East Bay Business Times (San Francisco Area) - Quakes are biggest threat to LNG plant. Vallejo-area residents have more to fear from earthquakes than equipment failure, human error or terrorists attacking a huge energy complex proposed for Mare Island, two experts told a citizens commission investigating the controversial project. An earthquake that could damage the plant, though, would cause far more destruction throughout the city than a quake-induced leak or fire at the Mare Island complex, the experts said. The subcommittee is to present its findings Dec. 17 to the Vallejo City Council, which must decide whether to authorize a feasibility study by subsidiaries of Bechtel Corp. and Royal Dutch/Shell Group. The partners propose to build the West Coast's first LNG (liquefied natural gas) terminal, which could regassify 1.3 billion cubic feet of natural gas daily, supplying 17 percent of California's consumption, and a 600- to 900-megawatt power plant.
Source: http://www.bizjournals.com/industries/energy/electric_utilities/2002/12/09/eastbay_story3.html?f=et158

Telecommunications Sector

10. December 6, Federal Communications Commission - Communications industry considers measures to protect nation's communications services against attack.
Representatives from across the communications industry came together to consider recommendations to protect and strengthen the nation's communications infrastructure against terrorist attacks or national disasters. The measures were considered by the Network Reliability and Interoperability Council (NRIC) VI which held its quarterly meeting at the FCC. NRIC is composed of representatives from the telecommunications, cable, wireless, satellite and ISP industries. The 56-member Council will review some 300 best practices - many of which are currently being practiced by industry members - for widespread adoption and implementation across the industry. Best practices range from increasing physical security at communications facilities to process changes and training to increased protection of proprietary information. NRIC members have until December 20, 2002 to vote on recommendations to the industry that these best practices voluntarily be implemented.
Source: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-229263A1.doc

Food Sector

11. December 9, Wisconsin AG Connection - Michigan dairy herd may have bovine TB. Michigan state officials quarantined a dairy herd in Alcona County after tests indicated the possible presence of bovine tuberculosis in one of the cows. Dr. Joan Arnoldi, veterinarian with the Michigan Department of Agriculture, said tests likely indicate bovine TB in a 5-year-old cow in the 200-plus animal herd. Final test results should be available by mid-January. Officials say there is additional concern because of considerable movement between the quarantined herd and three other cattle herds in the area. The state is attempting to trace the various sales and herd movement. Bovine TB was discovered in the mid-1990s in Michigan and has devastated Michigan's interstate cattle trade.
Source: http://www.wisconsinagconnection.com/story-national.cfm?Id=1387

12. December 7, San Diego Union-Tribune (California) - Irradiated burgers to appear at Dairy Queens. Dairy Queen plans to use SureBeam Corp.'s electron-based irradiation technology at some of its stores in the southwestern and northeastern United States next year. The decision was made after a successful test-marketing campaign of the system in Minnesota. The irradiation beams use electricity as an energy source to eradicate harmful bacteria like E. coli, listeria, and salmonella "much like thermal pasteurization does to milk," said SureBeam spokesman Mark Stephenson. SureBeam said it expects irradiated food to soon become commonplace in fast-food stores and supermarkets. SureBeam operates three irradiation service centers in Los Angeles, Chicago, and Sioux City, Iowa, which will process 14 million to 15 million pounds of ground beef this year. "We expect that number to jump to 350 million pounds next year," said Stephenson.
Source: http://www.signonsandiego.com/news/business/20021207-9999_1b7irradiate.html

Water Sector

Nothing to report.

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

Nothing to report.

Government Operations Sector

13. December 9, Reuters - Canada, U.S. set group to deal with future attacks. Canada said on Monday it had created a joint planning group with the United States to help better respond to a militant attack or natural disaster in North America but strongly denied that Ottawa was ceding sovereignty to Washington. The new group, headed by a Canadian officer but based in the United States, will develop coordinated plans to deal with a range of calamities. It will also coordinate maritime surveillance, intelligence sharing and emergency plans. Although the group's plans could one day see U.S. troops operating on Canadian soil, government ministers stressed that Ottawa would remain in overall control of events in Canada.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/nm/20021209/wl_canada_nm/canada_attack_usa_col_4

14. December 8, New York Times - The Republican and Democratic leaders of the Congressional investigation into the Sept. 11 attacks plan to issue a final report next week calling for the appointment of a new cabinet-level director of national intelligence who would outrank the director of central intelligence, government officials say. After extended private negotiations this week, the four top lawmakers on the joint inquiry agreed among themselves on the most important recommendations to include in the final report. They now tentatively plan to present a draft to the full panel for a vote as early as Tuesday. Officials cautioned that it was unclear how their draft would be received by the committee's other members, or whether it would be revised as they sought a consensus. If the committee votes on the report on Tuesday, it may announce its final recommendations by Wednesday.
Source: http://www.nytimes.com/2002/12/08/politics/08INTE.html

Information Technology Sector

15. December 5, Government Executive - Integrated IT network in new agency worth expense. Technology industry representatives who met Thursday at a forum on technology's role in homeland security said the benefits of creating an integrated homeland security network will far outweigh the costs. Getting an integrated IT network up and running will be expensive, according to participant Christopher Baum, vice president and research area director for Gartner Research, an information technology consulting company. But once an integrated system is developed and implemented, it will actually help reduce IT costs. For instance, an integrated network would allow the department's 120,000 employees to communicate over long distances without having to set up face-to-face meetings. This would reduce travel expenses, save employees time and allow workers to escape the risks inherent in travel.
Source: http://www.govexec.com/dailyfed/1202/120502a1.htm

Cyber Threats and Vulnerabilities

16. December 9, CERT/CC - Vulnerability Note VU#961489 -- University of Washington IMAP Server vulnerable to buffer overflow after login. A buffer overflow vulnerability exists in versions of the University of Washington IMAP Server up to and including the imap-2002 release. This vulnerability may allow an authenticated attacker to execute arbitrary code on the mail server with the privileges of the UID of the user running imapd. The University of Washington IMAP (UW IMAP) server is an e-mail application that uses the Internet Message Access Protocol (IMAP). This vulnerability is fixed in the latest development snapshot of the imap-2002a release.
Source: http://www.kb.cert.org/vuls/id/961489

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (https://gtoc.iss.net/). Last Changed: 26 November 2002
Security Focus ThreatCon: 1 out of 4 (http://analyzer.securityfocus.com). Last Changed: 23 November 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: PE_FUNLOVE.4099
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 1433(ms-sql-s); 21(ftp); 25(smtp); 4662; 139(netbios-ssn); 445(microsoft-ds); 53(domain); 27374 (asp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

17. December 9, Wall Street Journal - Captured al Qaeda leader gives U.S. insight into plans. A senior al Qaeda leader captured last month is disclosing valuable information that has enabled interrogators to link him to more than a dozen terrorist operations against U.S. and Western targets, U.S. intelligence officials say.
After weeks of questioning Abd al-Rahim al-Nashiri, counterterrorism officials at the CIA and other agencies believe they have disrupted his network of supporters in Persian Gulf countries, his main area of operations. The officials wouldn't describe the attacks that Mr. Nashiri and his supporters were believed to have been planning. But they said almost all involved attacks on ships or ports or other maritime targets. "He is talking about his maritime operations," said a U.S. intelligence official.
Source: http://online.wsj.com/article/0,,SB103939056991946553,00.html

18. December 7, IC Wales (United Kingdom) - Anti-terrorist smallpox plan agreed upon. Health ministers from around the world have agreed upon an action plan to prepare for any deliberate release of the smallpox virus by terrorists. Global stocks of smallpox vaccines are to be increased, to allow the World Health Organization to respond to emergencies in any country. An international smallpox emergency exercise is to be held in June next year, to test the world's readiness to deal with an outbreak of the disease. A new Global Health Security Laboratory Network is to be set up to co-ordinate health surveillance and responses to disease outbreaks around the world. The ministers have also agreed to establish a working group to deal with the danger of a possible influenza pandemic, jointly chaired by the UK and US.
Source: http://icwales.icnetwork.co.uk/0100news/0600uk/page.cfm?objectid=12435683&method=full&siteid=50082

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.