National Infrastructure Protection Center NIPC Daily Open Source Report for 12 December 2002
Daily Overview

- The Wichita Business Journal reports SC Telecom is working on fixing the remaining internal problems in its system after overseas hackers (from Asia and the Middle East) broke into it. (See item 8)
- Reuters reports cyber crooks, trying to steal credit card information from online auction house eBay Inc.'s 55 million users, set up a fake Web site that mimicked the firm. (See item 5)
- CERT has announced Vulnerability Note VU#810921 - "Cobalt RaQ4 contains vulnerability allowing remote root compromise." (See item 14)
- CERT has announced Vulnerability Note VU#210409 - "Multiple FTP clients contain directory traversal vulnerabilities." (See item 15)

Power Sector

1. December 11, The Japan Times online - Tepco may shut down all its nuclear reactors. All of the 17 nuclear reactors run by Tokyo Electric Power Co. (Tepco), the nation's largest utility, may have to be shut down temporarily next spring. In addition to shutdowns for regular checkups, Tepco needs to carry out unscheduled inspections at some facilities following revelations it falsified reports on nuclear reactor defects. Tepco had planned to keep the No. 2 and No. 6 reactors running at the Fukushima No. 1 power station, but the company recently told the Fukushima Prefectural Government it intends to shut them down sometime between late March and early April in response to the prefecture's call for thorough inspections, a company official said. But the possibility of all reactors simultaneously being down cannot be ruled out, the official said. Power supply "will be in an extremely severe situation, but we are considering (the shutdowns) because we believe our primary task is to restore confidence," another Tepco official said. In late August, it was revealed Tepco had falsified safety reports and covered up defects found during safety checks carried out in the 1980s and 1990s at the Fukushima No. 1 and No. 2 nuclear power stations, and at the Kashiwazaki-Kariwa Nuclear Power Station in Niigata Prefecture. In a related development, the House of Councilors passed two nuclear reactor regulation bills into law Thursday, aiming to prevent reactor-facility defects from being covered up by plant operators. The laws revise the Electric Utility Law and the Nuclear Reactor Regulation Law; they place company inspections in the framework of law and toughen punishments for violators.
Source: http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20021212a5.htm

2. December 10, Chattanooga Times/Free Press - Tennessee Valley Authority's nuclear power program makes turnaround. Tennessee Valley Authority's nuclear power program, rated as one of the industry's most troubled in the 1980s, has since become one of the best performing businesses in the state, a statewide quality group announced Monday. "TVA now has the safest and most efficient plants in the country," said Marie B. Williams, president of the Tennessee Quality Award group. "With nuclear power, safety is obviously the most critical. But TVA has also managed to deliver more reliable power at less cost from its nuclear plants," she said. TVA had a different reputation in the past: in 1985, TVA idled all five of its operating nuclear reactors when it was unable to meet tougher federal safety standards adopted after the 1979 accident at the Three Mile Island plant in Pennsylvania. It took seven years before TVA could restart its oldest nuclear plant, at Browns Ferry in Alabama. TVA now operates five nuclear reactors at Browns Ferry, Sequoyah and Watts Bar. Nuclear power supplies nearly one fifth of TVA's electricity.
Source: http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3509489

3. December 11, PRNewswire - Dominion Virginia Power line crews Wednesday battled the season's second ice storm in a week, this time in the Shenandoah Valley and Northern Virginia. As of 4:30 p.m. Wednesday, the storm had affected a total of about 99,000 customers and power had been restored to all but 36,000. The company expects it may be late Friday before all customers have their lights back on. Staunton, Harrisonburg, Leesburg, Herndon and Fairfax were the areas most affected by the freezing rain and ice. Outages in Northern Virginia were expected to increase into Wednesday night. In anticipation of the storm, the company staged additional line crews, contractors and tree trimmers in the areas where the storm was projected to do the most damage. Dominion also recalled employees that had been sent to help North Carolina utilities recover from the freezing rainstorm that struck last week. Dominion reminds customers to stay away from downed power lines. All downed power lines should be considered energized and dangerous. If customers see a downed power line or need to report an outage, call Dominion's Customer Service Center, toll-free, at 1-888-667-3000. Dominion has a diversified and integrated energy portfolio consisting of about 24,000 megawatts of generation. Dominion also serves more than 3.8 million franchise natural gas and electric customers in five states.
Source: http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3511780

4. December 11, Reuters - Duke Power said 127,000 homes and businesses remained without power in North and South Carolina as of Wednesday morning, almost a week after a deadly ice and snow storm damaged power lines. Duke Power, a subsidiary of Duke Energy Corp., said in a statement it expected to have 100 percent restoration by midnight Saturday. At its peak, the storm knocked out electricity to 1.3 million Duke Power customers early Thursday, Dec. 5, in what the company has called the worst weather-related damage in its history. The storm dumped snow and ice from Texas through the Carolinas and up into New England, and was blamed for over 20 deaths, primarily from automobile accidents. Duke Power provides over 2 million customers in North and South Carolina with electricity.
Source: http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3512473

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

5. December 11, Reuters - Internet watchdog warns of fake eBay web site. Fraudsters trying to steal credit card information from online auction house eBay Inc.'s 55 million users appear to have set up a fake Web site that mimicked the firm, a private Internet watchdog said on Wednesday. The scam involved e-mails that asked recipients to log on to a Florida-based Web site, ebayupdates.com, and re-enter financial data for eBay, said Dean White, the Asia-Pacific coordinator of a U.S. group, the SANS Institute Internet Storm Center. The scam e-mail, provided to Reuters by White, is headed "Ebay (sic) billing error" and begins: "Dear Ebay Member, We at Ebay are sorry to inform you that we are having problems with the billing information of your account." White said the mail, aimed at eBay's registered customers but possibly mass-mailed to other Internet users, began appearing on December 6.
Source: http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=1886522

Transportation Sector

6. December 11, Associated Press - 25 Chicago airport workers arrested. Twenty-five Chicago airport workers have been charged with criminal violations and the security clearances of 553 others have been canceled in a crackdown on employees using fake IDs, officials announced Tuesday. Those arrested include ramp agents, truck drivers, members of cleaning crews, a baggage handler, an airline cabin service attendant and a number of food service workers at O'Hare International and Midway airports. Six of those arrested were charged with making false statements about previous criminal records - four for drug offenses, one for burglary and another for robbery, federal officials said. Sixteen were charged with using bogus Social Security numbers and three with re-entering the country after they had been deported. The arrests and canceling of security clearances were part of a nationwide sweep dubbed Operation Tarmac, designed to shore up airport security in the wake of the Sept. 11 attacks.
Source: http://www.washingtonpost.com/wp-dyn/articles/A37392-2002Dec10.html

Gas and Oil Sector

7. December 11, Reuters - Venezuela loads oil tanker but most vessels wait. Venezuela began loading on Wednesday its first crude oil cargo in several days, but there were no clear signs that a strike by foes of President Hugo Chavez would end, oil industry sources said. The loading seems to be an isolated event and did not mark a significant break in the week-long halt to crude and products shipments from the world's No. 5 oil exporter, they said. Shippers said more than 40 vessels remained off the country's oil ports without berthing instructions. "It's going to be slow, but they are going to move some of the ships. They are trying to move the ships for Citgo, our affiliate," PDVSA board member Jorge Kamkoff told Reuters. Citgo is the international refining and marketing arm of PDVSA.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/nm/20021211/wl_nm/energy_venezuela_dc_1

Telecommunications Sector

8. December 10, Wichita Business Journal - SC Telcom hit by international hackers. SC Telecom in Wichita, Kansas, is working on the remaining internal problems in its system after hackers broke into it. Janice Fairbairn, director of business development for the company, says any problems for customers have been cleared up. "By Monday (Dec. 2) DSL was working and by Tuesday (Dec. 3), dial-up was working," she says. The situation was reported to federal authorities, who are now investigating, she says. Fairbairn says the company was the victim of highly sophisticated, overseas hackers. One of the hackers was traced to Asia, another to the Middle East, she says. "Our security is really good, but they are really smart," she says. The company has about 4,000 customers.
Source: http://wichita.bizjournals.com/wichita/stories/2002/12/09/daily20.html

Food Sector

9. December 11, Associated Press - Drug-resistant germs found in chicken. Consumer Reports magazine said it found bacteria in almost half the chickens it bought from stores nationwide, and much of the bacteria was drug-resistant. The magazine's survey found the bacterium campylobacter in 42 percent of 484 fresh broiler chickens tested, and salmonella in 12 percent. The report said 90 percent of the campylobacter samples and 34 percent of the salmonella resisted treatment by commonly used antibiotics. The increasing prevalence of drug-resistant bacteria is often blamed on doctors' over-prescribing antibiotics and patients' misusing them. Others point to the widespread use of antibiotics in livestock.
Source: http://www.washingtonpost.com/wp-dyn/articles/A37283-2002Dec10.html

10. December 9, Reuters - USDA announces ground beef recall. Grocery store chain Publix is voluntarily recalling 120 pounds of ground beef that may be contaminated with a potentially deadly E. coli bacteria, the U.S. Agriculture Department said on Monday.
USDA said various ground beef products sold at a Publix store in Coconut Creek, Florida, are being recalled. The department said the ground beef may be contaminated with E. coli O157:H7, one of the most deadly of food-borne bacteria. No illnesses have been reported from the potentially tainted food, the USDA said.
Source: http://www.alertnet.org/thenews/newsdesk/N09167197

Water Sector

Nothing to report.

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

11. November 20, Savannah Now - Police are investigating the theft of more than $70,000 worth of rescue equipment from the Walthourville Fire and Rescue station. Firefighters at the all-volunteer department in Liberty County discovered the items missing during their weekly training on Tuesday, when they went to inspect the equipment. Stored in one of the fire trucks, the missing machinery ranged from the "jaws of life," used to extract car accident victims, to bolt cutters and axes, said Assistant Fire Chief Thomas Hines. "We are just in shock," Hines said. "Everything they took they can now get in just about any lock and any door." The equipment is insured and should be replaced soon, Hines said. Meanwhile, area fire departments have called Walthourville officials to offer assistance and lend equipment. "We are still able to respond to calls," Hines said. "We might just have to call in another fire department if there is extrication needed."
Source: http://www.savannahnow.com/stories/112102/LOCfireequipment.shtml

Government Operations Sector

12. December 11, Washington Post - Spy satellite effort viewed as lagging. The delays and funding problems in the Future Imagery Architecture (FIA) program come as the nation's combat and intelligence personnel are more dependent than ever on satellites to track terrorists, detect troop movements and identify nuclear, chemical and biological weapons sites in potentially hostile states. Unless the problem is fixed, according to one senior intelligence official, current spy satellites could stop working before the first next-generation satellite is launched in the next few years, leaving the country with a gap in coverage. The senior intelligence official said a "reprogramming" of about $625 million, and possibly as much as $900 million, from other intelligence programs this year should be enough to get the program back on schedule so that spy satellite coverage is maintained without interruption. "The tradeoffs are not nearly as bad as a gap in imagery coverage," the official said.
Source: http://www.washingtonpost.com/wp-dyn/articles/A37291-2002Dec10.html

Information Technology Sector

13. December 10, Federal Computer Week - CDC gears up systems against terror. In the 15 months since the terrorist attacks on America, the Centers for Disease Control and Prevention (CDC) has ratcheted up its systems and created new ones for a rapid response against a terrorist act. The Sept. 11, 2001, attacks and the mail-borne anthrax threat last fall tested CDC's ability to deliver public health services quickly, CDC Director Julie Gerberding said. The events taught the public health agency what it needed to do to respond more quickly and effectively to future threats, she said. "We are highly prepared. We are certainly far more prepared than we were a year ago," Gerberding told attendees at the E-Gov Homeland Security conference, sponsored by Federal Computer Week Media Group, in Washington, D.C. As events unfolded after Sept. 11, she said, CDC officials realized that one of the most critical parts of their jobs was communicating to the public and to other public health officials. "If we don't get the communications right, we fail."
Since the terrorist attacks, CDC has developed networks to alert public health officials to potential threats, and it is gathering data from hospitals nationwide as part of a concerted effort to look for patterns that might signal bioterrorism.
Source: http://www.fcw.com/fcw/articles/2002/1209/web-cdc-12-10-02.asp

Cyber Threats and Vulnerabilities

14. December 11, CERT/CC - Vulnerability Note VU#810921 - Cobalt RaQ4 contains vulnerability allowing remote root compromise. A remotely exploitable vulnerability exists in Cobalt RaQ 4 Server Appliances with the Security Hardening Package (SHP) installed. The Cobalt RaQ 4 is a Sun server appliance. Sun describes the Cobalt RaQ 4 as follows: The Cobalt RaQ 4 is a server appliance that provides a dedicated Web-hosting platform and offers new capabilities for high-traffic, complex Web sites and e-commerce applications. The RaQ 4 server appliance offers a full suite of Internet services with remote administration capabilities, pre-packaged in a single rack-unit (1RU) industry-standard enclosure. The RaQ 4 is pre-configured with Apache Web server, Sendmail, File Transfer Protocol (FTP) server, Domain Name System (DNS), the Linux operating system, FrontPage Server extensions, and support for Active Server Pages (ASP), PHP and common gateway interface (CGI) scripts. A remotely exploitable vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a Cobalt RaQ 4 server appliance. The vulnerability occurs in a CGI script that does not properly filter input. Specifically, overflow.cgi does not adequately filter input destined for the email variable.
Source: http://www.kb.cert.org/vuls/id/810921

15. December 10, CERT/CC - Vulnerability Note VU#210409 - Multiple FTP clients contain directory traversal vulnerabilities. Multiple File Transfer Protocol (FTP) clients contain directory traversal vulnerabilities that allow a malicious FTP server to overwrite files on the client host. In a typical file transfer operation, one participant (the client) requests a file while a second participant (the server) provides the requested file. Before processing each request, many server implementations will consult an access control policy to determine whether the client should be permitted to read, write, or create a file at the requested location. If the client is able to craft a request that violates the server's access control policy, then the server contains a vulnerability. Since most vulnerabilities of this type involve escaping a restricted set of directories, they are commonly known as "directory traversal" vulnerabilities. Directory traversal vulnerabilities are most often reported in server implementations, but recent research into the behavior of FTP clients has revealed several vulnerabilities in various FTP client implementations: here it is the server that supplies the name, and a client that writes wherever that name points can be steered outside its download directory. To exploit these vulnerabilities, an attacker must convince the FTP client user to access a specific FTP server containing files with crafted filenames.
Source: http://www.kb.cert.org/vuls/id/210409

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (last changed 26 November 2002) - https://gtoc.iss.net/
Security Focus ThreatCon: 1 out of 4 (last changed 23 November 2002) - http://analyzer.securityfocus.com

Current Virus and Port Attacks
Virus: #1 Virus in USA: WORM_FRIENDGRT.B
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137 (netbios-ns); 80 (http); 1433 (ms-sql-s); 21 (ftp); 25 (smtp); 4662; 8080 (webcache); 445 (microsoft-ds); 139 (netbios-ssn); 27374 (asp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

16. December 11, Reuters - AMA wants protection for doctors giving smallpox shots.
The American Medical Association (AMA) wants federally backed liability protections in place before initiation of any smallpox vaccine program. Amid growing speculation that a smallpox vaccination program could be started in the next few weeks, the AMA's House of Delegates voted Tuesday to specifically request initiation of the liability program before starting vaccinations. The Homeland Security Act, which was approved by Congress and signed by President Bush last month, includes the liability protections, but this coverage doesn't take effect until January 24, 2003, AMA Trustee Dr. Timothy Flaherty said. "This action just covers the interim before that date," said Flaherty, who added that the AMA had no precise knowledge about a start date for a smallpox vaccination program. He said that the liability coverage would offer protection to vaccine manufacturers as well as to physicians and other providers who administer the vaccinations.
Source: http://www.reuters.com/newsArticle.jhtml?type=healthNews&storyID=1890744

17. December 10, Milwaukee Journal Sentinel (Wisconsin) - Proposal aims to contain chronic wasting disease. In an effort to save the captive deer and elk industry in Wisconsin, the state agriculture board Tuesday approved tough restrictions to curb the spread of chronic wasting disease. The rules bar deer and elk farmers from shipping their animals off their property unless they're enrolled in a monitoring program, and require testing for the deadly disease under certain circumstances. Agriculture Secretary James Harsdorf said requiring farmers to monitor and test their herds will show other states that have purchased Wisconsin animals "that we're very serious about battling chronic wasting disease." The permanent rules will go before the Legislature by Jan. 1. Lawmakers can hold public hearings or make changes, but if no action is taken, then the rules become law. An agriculture official said the earliest the rules can go into effect is May 1, but the board can extend the emergency rules through June 1 if needed.
Source: http://www.jsonline.com/news/state/dec02/102444.asp

18. December 10, Federal Computer Week - Report suggests ID alternatives. A national identification system is one approach to strengthening identity security, but a white paper published by a coalition of government organizations also proposes a "confederated" system in which Americans could use multiple identifiers for clusters of agencies and/or businesses. This approach would enable individuals to sign on to an account once and have access to different accounts among several entities they commonly transact with, according to the National Electronic Commerce Coordinating Council's (NECCC) white paper. Agencies and companies would have to develop policies, procedures and an interoperable technical framework to support such an arrangement. The advantage of this system over a national ID system is that no single identifier would follow an individual everywhere. Another advantage is that there is no single point of failure like that in a national ID system, in which there would be centralized control.
Source: http://www.fcw.com/geb/articles/2002/1209/web-id-12-10-02.asp

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seek to provide policy and/or decision makers with value-added insight by synthesizing all-source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
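Added illustration for item 14 (VU#810921). The CERT note, as summarized above, says only that overflow.cgi does not adequately filter input destined for the email variable and that this may let a remote attacker execute arbitrary code; it does not say how the script uses the value. The Python below is therefore an added example of that vulnerability class, not the RaQ 4 script or any Sun/Cobalt code: a CGI-style handler that splices an unfiltered form field into a shell command line, beside one that allowlists the field and passes it to the program as a discrete argv element. The command invoked (echo, standing in for whatever the real script calls), the form values and the address pattern are assumptions made for the demonstration.

```python
"""Added illustration for item 14 (VU#810921): an unfiltered form field
reaching a command interpreter. This is not overflow.cgi or any Cobalt
code; the command run (echo), the form values and the email pattern are
assumptions for the demonstration."""
import re
import subprocess

# Constructed form values, as a CGI script would read them from the request.
BENIGN_EMAIL = "victim@example.com"
HOSTILE_EMAIL = "victim@example.com; echo INJECTED"   # shell metacharacter smuggled in

# Conservative allowlist for an address field. It deliberately admits none of
# the characters the shell treats specially (; | & $ ` ' " and whitespace).
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def vulnerable_notify(email: str) -> str:
    """The unsafe pattern: the field is concatenated into a shell command.

    shell=True hands the whole string to /bin/sh, so ';' terminates the
    intended command and whatever follows runs with the web server's
    privileges. echo stands in for the real program so the demo is harmless.
    """
    cmd = "echo Sending notification to " + email
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_notify(email: str) -> str:
    """Defence 1: no shell at all. The field becomes one argv element, so
    metacharacters are handed to the program as data and never parsed."""
    return subprocess.run(["echo", "Sending notification to", email],
                          capture_output=True, text=True).stdout


def is_accepted(email: str) -> bool:
    """Defence 2: accept only strings that are plausibly an address."""
    return EMAIL_RE.fullmatch(email) is not None


def safe_notify(email: str) -> str:
    """Both defences together: validate first, then call without a shell."""
    if not is_accepted(email):
        raise ValueError("rejected address: %r" % email)
    return argv_only_notify(email)


if __name__ == "__main__":
    print(vulnerable_notify(HOSTILE_EMAIL), end="")   # second output line is INJECTED
    print(argv_only_notify(HOSTILE_EMAIL), end="")    # one line; ';' is inert
    try:
        safe_notify(HOSTILE_EMAIL)
    except ValueError as exc:
        print(exc)
```

The two defences are independent: the argv form alone already stops command injection, and the allowlist alone would still be unsafe if the value were later interpolated into a shell string elsewhere, so a hardened CGI script does both.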
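Added example for item 15 (VU#210409). The note explains the mechanism but not the client-side fix: the server chooses the name under which the client saves a file, and a name containing ".." components, a backslash variant of them, or an absolute path escapes the download directory. The Python below is an added example, not code from CERT or from any of the affected FTP clients. It runs a naive save-path computation and a hardened one against a constructed NLST-style listing that a hostile server might return; the listing, the scratch download directory and the fetch callback are assumptions made for the demonstration.

```python
"""Added example for item 15 (VU#210409): confining server-supplied FTP
filenames to the client's download directory. Not code from CERT or any
FTP client; the hostile listing below is constructed for the demonstration."""
import os
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Constructed NLST-style listing as a hostile server might return it.
MALICIOUS_LISTING = [
    "report.txt",                   # legitimate
    "docs/readme.md",               # legitimate, in a subdirectory
    "../../.ssh/authorized_keys",   # classic traversal out of the download dir
    "/etc/passwd",                  # absolute path; os.path.join drops the prefix
    "..\\..\\autoexec.bat",         # backslash traversal, bites Windows clients
    "docs/../../../.bashrc",        # traversal hidden behind a valid prefix
    "C:\\boot.ini",                 # drive-qualified absolute path
    "safe\x00../evil",              # NUL byte truncates the name in C clients
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


class UnsafeFilename(ValueError):
    """Raised when a server-supplied name would leave the download directory."""


def naive_target(download_dir: str, server_name: str) -> str:
    """The traversable pattern: trust the server's name outright."""
    return os.path.join(download_dir, server_name)


def safe_target(download_dir: str, server_name: str) -> Path:
    """Return where server_name may be written, or raise UnsafeFilename.

    The checks are lexical so they behave the same on POSIX and Windows; the
    final resolve() comparison is a backstop should a lexical check be missed.
    """
    if not server_name or "\x00" in server_name:
        raise UnsafeFilename(repr(server_name))
    name = server_name.replace("\\", "/")           # treat either separator alike
    if name.startswith("/") or _DRIVE_RE.match(name):
        raise UnsafeFilename(server_name)           # absolute paths never allowed
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafeFilename(server_name)           # no empty, '.' or '..' components
    root = Path(download_dir).resolve()
    target = root.joinpath(*parts).resolve()
    if target != root and root not in target.parents:
        raise UnsafeFilename(server_name)
    return target


def classify(download_dir: str, listing: List[str]) -> Dict[str, List[str]]:
    """Split a listing into the names the hardened client accepts and rejects."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for name in listing:
        try:
            safe_target(download_dir, name)
            result["accepted"].append(name)
        except UnsafeFilename:
            result["rejected"].append(name)
    return result


def naive_escapes(download_dir: str, listing: List[str]) -> List[str]:
    """Names a naive client on this platform would write outside download_dir."""
    root = os.path.realpath(download_dir)
    escaped = []
    for name in listing:
        if "\x00" in name:
            continue                                # realpath refuses NUL; C code would not
        dest = os.path.realpath(naive_target(download_dir, name))
        if os.path.commonpath([root, dest]) != root:
            escaped.append(name)
    return escaped


def download_listing(download_dir: str, listing: List[str],
                     fetch: Callable[[str], bytes]) -> List[str]:
    """Hardened retrieval loop: fetch only accepted names, write only under root."""
    written = []
    for name in classify(download_dir, listing)["accepted"]:
        target = safe_target(download_dir, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(fetch(name))
        written.append(target.relative_to(Path(download_dir).resolve()).as_posix())
    return sorted(written)


def run_demo(listing: List[str] = MALICIOUS_LISTING) -> Dict[str, object]:
    """Run all three checks in a scratch download directory and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "naive_escapes": naive_escapes(tmp, listing),
            "classified": classify(tmp, listing),
            "written": download_listing(tmp, listing, lambda name: b"data"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The lexical rejection of "..", "." and empty components is what actually closes the hole; the resolve()-based containment test is kept as a second line of defence because a client that normalizes names differently from the filesystem (backslashes, drive letters, NUL truncation) is exactly how the affected clients went wrong.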