National Infrastructure Protection Center NIPC Daily Open Source Report for 13 December 2002
Daily Overview

- Microsoft has released "Security Bulletin MS02-069: Flaw in Microsoft VM Could Enable System Compromise (Critical)." (See item 15)
- Microsoft has released "Security Bulletin MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (Important)." (See item 17)
- CERT announces "Advisory CA-2002-35, Vulnerability in RaQ 4 Servers," a remotely exploitable vulnerability discovered in Sun Cobalt RaQ 4 Server Appliances running Sun's Security Hardening Package. (See item 14)
- The U.S. Coast Guard reports that the Gulf Safety Committee is implementing several programs to make the Gulf of Mexico a safer, more secure, and economically viable region for commercial and recreational use. (See item 3)

Power Sector

1. December 12, Reuters - NRC may cite TXU's Texas nuclear plant following water leak.
The U.S. Nuclear Regulatory Commission (NRC) will decide within 30 days whether to cite a TXU Corp unit for an apparent safety violation at a Texas nuclear power unit, the agency and TXU said Wednesday. The apparent violation involves a leaking steam generator tube at the 1,150 megawatt Comanche Peak 1 plant in Glen Rose, Texas. The unit is currently shut for electrical work and is expected to return to service within a few days. NRC public affairs officer Roger Hannah told Reuters that in the case that led to the leak, there was an apparent violation. There was no detectable radiation released into the environment, Hannah said. In response, TXU Energy spokesman David Beshear said the company has retrained its analysts to look for this particular kind of problem.
Source: http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3512491

2. December 9, Polit.ru - In Russia, nuclear sites' security increased due to new threats.
In an interview with the Moscow radio station Ekho Moskvy, Rusenergoatom (Russian state nuclear energy company) general director Oleg Saraev announced that Russia is scrambling to implement additional security measures for nuclear power plants. Whereas authorities had previously believed that nuclear power plants could only be seriously damaged by a threat factor with state-level capabilities, Saraev admitted, "Now we are convinced that this would be possible even for very small groups of people." Saraev also told the radio station that Russia's nuclear plants are not completely capable of withstanding a terrorist act. "Technically they are capable of withstanding only the impact of a military airplane, fairly large, moving at a fairly good speed," Saraev was quoted as saying. Because of this, security forces were now scrambling to implement a number of extra security measures.
Source: http://www.polit.ru/documents/519848.html

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

Nothing to report.

Transportation Sector

3. December 10, U.S. Coast Guard - Gulf Safety Committee implements security programs.
The Gulf Safety Committee, created in October 2001, is implementing several programs to improve safety and security in the Gulf of Mexico. The committee is a Regional Marine Transportation System Committee that brings together all offshore Gulf of Mexico (GOM) waterway users. Its goal is to stimulate procedural - and possibly regulatory - changes to make the GOM a cleaner, safer and more secure and economically viable region for commercial and recreational use. Examples of the new informational programs it has developed include:
- a one-page informational document to educate waterway users regarding the two security advisory systems in use;
- identifying weaknesses in the system for notifying waterway users of changes in the national threat level assignment;
- working with the Coast Guard to implement an effective notification system;
- developing a voluntary communication protocol to be used between fishermen and oil and gas facilities; and
- working with all applicable government agencies and industry representatives to develop a voluntary security guideline for the offshore oil and gas industry.
The Gulf Safety Committee has a new web site to communicate with its membership and the public. They encourage all interested persons to visit www.uscg.mil/hq/g-m/harborsafety/Gulf%20Safety%20Committee.htm to read about the above projects.
Source: http://www.uscg.mil/d8/dpa/171-02.htm

4. December 13, Hartford Courant - Drones to serve as coastal watchdogs.
The U.S. Air Force has deployed them to monitor military movements in Iraq, Afghanistan and the Philippines. The CIA dispatched one recently to kill a suspected al Qaeda leader in Yemen. Now the Coast Guard is planning to bring the latest in battlefield technology home to the Atlantic Coast. The maritime service, set to join the new Department of Homeland Security, is planning to deploy flying drones, remote-controlled aircraft similar to those now used for wartime surveillance, to patrol the nation's coastal regions for security threats. Officials say the unmanned aerial vehicles, or UAVs, will enable them to extend their reach into offshore waters by monitoring larger areas less expensively and more efficiently.
Source: http://www.ctnow.com/news/local/hc-drones1213.artdec13,0,2022454.story?coll=hc-headlines-local

5. December 9, U.S. Customs Service - United Kingdom signs declaration of principles to join U.S. Customs Container Security Initiative.
U.S. Customs Commissioner Robert C. Bonner and Terry Byrne, Law Enforcement Director General of Her Majesty's Customs and Excise, and U.S. Ambassador to the United Kingdom, William S. Farish, announced on Monday that the British government has agreed to participate in the U.S. Customs Container Security Initiative (CSI). Under terms of the declaration announced today, U.S. Customs officers will be stationed at the port of Felixstowe. UK Customs and Excise Director General Terry Byrne said: "Sharing and applying intelligence is the key to anticipating, spotting, and preventing terrorist attacks world wide and that is at the heart of our agreement today. We are pleased to be able to play our part in working more closely with the U.S. and other counterparts in identifying and checking the shipment of sea containers around the world."
Source: http://www.customs.ustreas.gov/hot-new/pressrel/2002/1209-01.htm

Gas and Oil Sector

6. December 12, New York Times - Warnings from al-Qaeda stir fear that terrorists may attack oil tankers.
A recent audiotape believed to have been made by Osama bin Laden praised and seemed to take responsibility for a suicide attack two months ago in which a speedboat packed with explosives rammed and crippled a French tanker, the Limburg, off Yemen. Other leaders of al-Qaeda have vowed to cut the "economic lifelines" of the world's industrialized societies. The threats have focused the attention of intelligence agencies and marine police worldwide on the vulnerability of tankers. Nowhere has the concern been more acute than in the Strait of Malacca, between Malaysia and Indonesia. A quarter of the world's trade passes through the strait. That includes half of all sea shipments of oil, bound for East Asia or sometimes the United States, and two-thirds of the world's shipments of liquefied natural gas. More pirate attacks occur in Indonesian waters than anywhere else in the world. The pirates have spies in ports to identify valuable targets, and sometimes confederates aboard as well.
Source: http://www.nytimes.com/2002/12/12/international/asia/12TANK.html

7. December 12, Dow Jones Newswires - Venezuela's state oil company Petroleos de Venezuela SA (E.PVZ) was moving 350,000 barrels of crude oil Thursday from a Lake Maracaibo port to the giant Amuay refinery, Jose Fernandez, operations head at the Maracaibo port authority, told Dow Jones Newswires. The Amuay refinery was brought down to standby mode some days ago along with most others in Venezuela due to problems resulting from a nationwide strike against President Hugo Chavez's leadership. Officials couldn't be reached for clarification on why the government is moving crude to Amuay.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/dowjones/20021212/bs_dowjones/200212120918000451

8. December 11, Associated Press - St. Croix refinery cuts output due to Venezuelan strike.
The Hovensa oil refinery in St. Croix was forced to cut its daily output due to the protest strike paralyzing Venezuela's oil industry, company officials said Wednesday. The refinery, one of the largest in the Western Hemisphere, usually receives some 270,000 barrels out of its 440,000-barrel estimated daily production from Venezuela's state-owned oil company, Petroleos de Venezuela S.A., officials say. "We have been informed by Petroleos de Venezuela that they cannot provide us with any more crude oil in light of their situation," said Alexander Moorhead, Hovensa vice president. "And so we decided to reduce the oil refining rate until the end of the month."
Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021211/ap_wo_en_po/cb_fin_virgin_islands_venezuela_oil_1

Telecommunications Sector

Nothing to report.

Food Sector

9. December 12, Denver Post (Colorado) - Ranchers oppose new CWD rules.
The future of elk ranching in Colorado now rests with a pair of state commissions as they begin examining tough new chronic wasting disease (CWD) regulations that ranchers say will put them out of business. For the last two years, the industry has been battered by an outbreak of chronic wasting disease that took hold in an elk ranch in northeastern Colorado. It has swept up more than two dozen ranchers who bought elk from the infected ranch. Now, state agriculture and wildlife agencies are moving to implement new regulations that further restrict the trade of live animals and impose expensive new safety requirements on ranching operations. Elk ranchers are preparing to sue.
Source: http://www.denverpost.com/Stories/0,1413,36%257E11799%257E1047173%257E,00.html

10. December 11, Reuters - USDA: Pilgrim's Pride knew of listeria.
Pilgrim's Pride knew the listeria bacteria was present at its Pennsylvania poultry plant months before its products were blamed for killing eight people last summer, U.S. Agriculture Department (USDA) officials said on Wednesday. The poultry producer recalled 27.4 million pounds of its Wampler brand ready-to-eat turkey and chicken products in October after USDA inspectors found the plant's floor drains had tested positive for listeria. The USDA, along with the Centers for Disease Control and Prevention, linked its poultry to a listeria outbreak that has caused eight deaths, three miscarriages, and 45 more illnesses. USDA Undersecretary Elsa Murano said Pilgrim's Pride routinely tested for listeria and found "a spike" in July and August for its presence. However, the company did not share the information with USDA. As a result, on Monday the USDA ordered its inspectors to increase listeria testing at plants that choose not to share critical food safety information.
Source: http://reuters.com/newsArticle.jhtml?type=businessNews&storyID=1892099

Water Sector

Nothing to report.

Chemical Sector

Nothing to report.
Emergency Law Enforcement Sector

Nothing to report.

Government Operations Sector

11. December 10, Lawrence Livermore National Laboratory, Department of Energy - Director creates new homeland security organization.
Director Michael Anastasio today designated a new Homeland Security Organization at Lawrence Livermore National Laboratory. Dr. Wayne Shotts, associate director for the Lab's Nonproliferation, International Security and Arms Control Directorate, will head the new organization in an acting capacity. With the creation of the Homeland Security Organization, the Laboratory unveiled two new technologies. Analytical Conflict and Tactical Simulation (ACATS) can be used to analyze concepts of operation, technology and training for emergency responders. ACATS has been designed to model emergency response operations in a range of urban settings, from the spread of a chemical or biological agent within a building to the search for survivors in the rubble of a bombed building. The second technology, the Homeland Operational Planning System (HOPS), is being developed in partnership with the California National Guard, specifically for homeland security planning and analyses. HOPS analyses provide insight into the vulnerabilities of elements of U.S. infrastructure and the effectiveness of options for mitigating vulnerabilities and for defending against terrorist attacks.
Source: http://www.llnl.gov/llnl/06news/NewsReleases/2002/NR-02-12-06.html
ACATS press release: http://www.llnl.gov/llnl/06news/NewsReleases/2002/NR-02-12-07.html
HOPS press release: http://www.llnl.gov/llnl/06news/NewsReleases/2002/NR-02-12-08.html

12. December 12, Washington Post - Bush appoints Postal Service review panel.
President Bush named a nine-member commission Wednesday to study ways to improve the perennially troubled finances of the U.S. Postal Service. Bush said in an executive order that the commission should find ways the Postal Service can continue delivering to every address in the nation at affordable rates while "minimizing the financial exposure of the American taxpayers." The project was announced at the Treasury Department by Peter R. Fisher, undersecretary for domestic finance, who said the goal is "ensuring the long-term viability of the Postal Service, for mailers and for taxpayers."
Source: http://www.washingtonpost.com/wp-dyn/articles/A42682-2002Dec11.html

13. December 12, Washington Post - Postal officials detail Brentwood cleanup plan.
U.S. Postal Service officials expressed confidence Wednesday that the year-long effort to develop a safe and effective means of ridding the postal plant on Brentwood Road in the Northeast District of Columbia of anthrax spores will pay off this weekend, when a full fumigation is scheduled to begin. During a community meeting in Northeast Washington and at an earlier news briefing, postal officials detailed their plans for the decontamination, the first stages of which will begin at 3 p.m. Saturday and continue into next week. The process calls for 2,000 pounds of chlorine dioxide gas to be pumped into the quarantined facility, which has been shut since October 2001 after two letters containing anthrax spores passed through the building on their way to Capitol Hill. Chlorine dioxide is a disinfectant used to purify drinking water that scientists have learned is lethal to anthrax spores when maintained in certain conditions.
Source: http://www.washingtonpost.com/wp-dyn/articles/A43600-2002Dec12.html

Information Technology Sector

Nothing to report.

Cyber Threats and Vulnerabilities

14. December 11, CERT/CC - Advisory CA-2002-35: Vulnerability in RaQ 4 Servers.
A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ 4 Server Appliances running Sun's Security Hardening Package (SHP). Exploitation of this vulnerability may allow remote attackers to execute arbitrary code with superuser privileges. Cobalt RaQ 4 is a Sun Server Appliance. Sun provides a Security Hardening Package (SHP) for Cobalt RaQ 4. Although the SHP is not installed by default, many users choose to install it on their RaQ 4 servers. A vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a Cobalt RaQ 4 Server Appliance. The vulnerability occurs in a CGI script that does not properly filter input. Specifically, overflow.cgi does not adequately filter input destined for the email variable.
Source: http://www.cert.org/advisories/CA-2002-35.html

15. December 11, Microsoft - Microsoft Security Bulletin MS02-069: Flaw in Microsoft VM Could Enable System Compromise (Critical).
A new version of the Microsoft VM is available, which includes all previously released fixes for the VM, as well as fixes for eight newly reported security issues. All of the vulnerabilities share a pair of common mitigating factors. The web-based attack vector would be blocked if the user had disabled Java applets in the Internet Explorer security zone in which the attacker's web site rendered. The email vector would be blocked if the user were running any of several mail clients. Specifically, Outlook Express 6 and Outlook 2002 (which ships as part of Office XP) disable Java by default, and Outlook 98 and 2000 disable it if the Outlook Email Security Update has been installed. Please see the bulletin for details on all eight vulnerabilities.
Source: http://www.microsoft.com/technet/security/bulletin/MS02-069.asp

16. December 11, Microsoft - Microsoft Security Bulletin MS02-070: Flaw in SMB Signing Could Enable Group Policy to be Modified (Moderate).
A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes.
Source: http://www.microsoft.com/technet/security/bulletin/MS02-070.asp

17. December 11, Microsoft - Microsoft Security Bulletin MS02-071: Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (Important).
By default, several of the processes running in the interactive desktop do so with LocalSystem privileges. As a result, an attacker who had the ability to log onto a system interactively could potentially run a program that would levy a WM_TIMER request upon such a process, causing it to take any action the attacker specified. This would give the attacker complete control over the system. In addition to addressing this vulnerability, the patch also makes changes to several processes that run on the interactive desktop with high privileges. Although none of these would, in the absence of the WM_TIMER vulnerability, enable an attacker to gain privileges on the system, we have included them in the patch to make the services more robust.
Source: http://www.microsoft.com/technet/security/bulletin/MS02-071.asp

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (last changed: 26 November 2002) - https://gtoc.iss.net/
Security Focus ThreatCon: 1 out of 4 (last changed: 23 November 2002) - http://analyzer.securityfocus.com

Current Virus and Port Attacks
Virus: #1 Virus in USA: PE_FUNLOVE.4099
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137 (netbios-ns); 80 (http); 1433 (ms-sql-s); 21 (ftp); 23 (telnet); 4899 (radmin); 4662; 445 (microsoft-ds); 25 (smtp); 53 (domain)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

18. December 12, Washington Post - U.S. suspects al-Qaeda got nerve agent from Iraqis.
The Bush administration has received a credible report that Islamic extremists affiliated with al-Qaeda took possession of a chemical weapon in Iraq last month or late in October, according to two officials with firsthand knowledge of the report and its source. They said government analysts suspect that the transaction involved the nerve agent VX and that a courier managed to smuggle it overland through Turkey. Knowledgeable officials, speaking without White House permission, said information about the transfer came from a sensitive and credible source whom they declined to discuss.
Source: http://www.washingtonpost.com/wp-dyn/articles/A42876-2002Dec11.html

19. December 12, Washington Post - Biodefense testing site coming to Bethesda, MD.
The National Institutes of Health in Bethesda, MD plans to break ground next year on a $186.1 million facility for testing microbes that could be used by bioterrorists. The 85,000-square-foot Building 33 would allow the National Institute of Allergy and Infectious Diseases (NIAID) to consolidate and significantly expand research on dangers such as anthrax, tuberculosis, smallpox, and other viruses and bacteria. NIAID has stepped into a leading role in the country's biodefense. Its mandate now is to develop vaccines, diagnostic tools and medicines to protect Americans against organisms that, in terrorists' hands, could cause widespread illness or death. Institute director Anthony S. Fauci calls construction of the facility essential to meeting this challenge. Without Building 33, research will continue to be constrained because of insufficient laboratory space, he said. "You're going to be severely hampered in putting together a comprehensive biodefense effort."
Source: http://www.washingtonpost.com/wp-dyn/articles/A40587-2002Dec11.html

20. December 11, Purdue University News (Indiana) - Nanoparticles could aid biohazard detection.
Nanotechnology could make life tougher for terrorists, reports a Purdue University research team. A group led by Jillian Buriak, associate professor of chemistry in Purdue's School of Science, has found a rapid and cost-effective method of forming tiny particles of high-purity metals on the surface of advanced semiconductor materials such as gallium arsenide. The researchers have learned how to use these nanoparticles as a bridge to connect the chips with organic molecules. Biosensors based on this development could lead to advances in the war on terrorism. "It is possible that this discovery will enable chips similar to those found in computers to detect biohazards such as bacteria, nerve gas, or other chemical agents," said Buriak.
Source: http://news.uns.purdue.edu/UNS/html4ever/021211.Buriak.nanoparticle.html

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

- 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
- 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
- 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
- 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.
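Item 14 above attributes the RaQ 4 flaw to a CGI script (overflow.cgi) that does not adequately filter input bound for its email variable. The following is an added example, not code from CERT, Sun, or the RaQ 4 product, showing the kind of strict validation a form handler should apply to an email field before passing it to anything else: a hard length bound, rejection of control characters, and an allowlist pattern. Only the field name email comes from the advisory; the 254-character limit, the handle_query function, and the sample query strings are constructed for this illustration.

```python
import re
from urllib.parse import parse_qs

# Hard upper bound applied before any other processing. The advisory says
# the RaQ 4 script did not bound its email input; the 254 figure here is an
# assumption for this example (the conventional maximum address length),
# not a value taken from Sun's code.
MAX_EMAIL_LEN = 254

# Allowlist pattern: one local part, one '@', one or more dotted labels.
# Whitespace, quotes, shell metacharacters and CR/LF cannot match it.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}"
)


class RejectedInput(ValueError):
    """Raised when a field value fails validation; the message is the reason."""


def validate_email(raw: str) -> str:
    """Return raw unchanged if it is an acceptable email address, else raise.

    Checks run cheapest-first so an oversized value is discarded before the
    character scan and the regular expression ever see it.
    """
    if len(raw) > MAX_EMAIL_LEN:
        raise RejectedInput("email too long (%d > %d)" % (len(raw), MAX_EMAIL_LEN))
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in raw):
        raise RejectedInput("email contains control or non-ASCII characters")
    if _EMAIL_RE.fullmatch(raw) is None:
        raise RejectedInput("email does not match the allowed pattern")
    return raw


def handle_query(query_string: str) -> dict:
    """Constructed stand-in for a CGI form handler's request processing.

    Parses the query string, insists on exactly one 'email' field, and
    validates it. Returns a dict describing the outcome instead of writing
    an HTTP response, so the result is easy to inspect.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("email", [])
    if len(values) != 1:
        return {"status": "rejected",
                "reason": "email field must be supplied exactly once"}
    try:
        email = validate_email(values[0])
    except RejectedInput as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "email": email}


# Constructed sample requests (not captured traffic): one well-formed value
# and four that a script trusting the raw field would have passed through.
SAMPLE_QUERIES = [
    "email=alice%40example.com",                                # acceptable
    "email=" + "A" * 300 + "%40example.com",                    # oversized value
    "email=alice%40example.com%0D%0ABcc%3Abob%40example.org",   # CR/LF in the value
    "email=alice%3Bcmd%40example.com",                          # shell metacharacter ';'
    "email=a%40b.org&email=c%40d.org",                          # duplicated field
]


def run_samples() -> list:
    """Return [(query, status), ...] for every constructed sample."""
    return [(q, handle_query(q)["status"]) for q in SAMPLE_QUERIES]


if __name__ == "__main__":
    for query, status in run_samples():
        print("%-9s %s" % (status, query[:60]))
```

The order of the checks matters: bounding the length first means a very large value never reaches the character scan or the regular expression, and an allowlist (what may appear) is preferred over a denylist of known-bad characters, which is the pattern that typically fails in the way the advisory describes.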
IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk