Below is the NIPC Daily Report for 1 Apr

NIPC WWU
dw

NIPC Daily Report       01 April 2002

The NIPC Watch and Warning Unit compiles this report to inform 
recipients of issues impacting the integrity and capability of the 
nation's critical infrastructures.

Government trains cyber defenders, but numbers still small. Officials 
warn it's only a matter of time before terrorists learn to exploit 
vulnerabilities in major systems, from air traffic and banking to 
spacecraft navigation and defense.  The aim of federally funded 
scholarships to computer security students is to create experts who know 
security issues well enough to anticipate vulnerabilities and advise on 
equipment and software purchases.  "Security training needs to be more 
like law school, a way of thinking, and less like trade school aimed at 
teaching specific knowledge," said Scott Blake, security strategy 
director at BindView Corp.  (Associated Press, 29 Mar)

New rules aim to beef up nuclear security.  An investigation into 
security at the Nuclear Regulatory Commission's national headquarters 
has determined that as many as 100 foreign nationals are working at the 
facility, and up to 35 may be visa violators or illegal aliens. Similar 
situations and concerns at the Justice Department recently prompted a 
sweeping new policy announcement that foreign nationals "shall not be 
authorized to access or assist in the development, operation, 
management, or maintenance of department information technology 
systems." The Pentagon is expected to issue a similar policy within 60 
days.  (Fox News, 30 Mar)

Phone hackers stick city for $15,000.  The taxpayers of Grand Rapids, 
Michigan are footing a $15,000 telephone bill for international calls 
rung up because of hackers who broke into the city's voice-mail system 
last July and used a "back door" code to get access to an outgoing line. 
The access code was sold on the street and used to make $36,400 worth of 
international phone calls during off-hours when the city's phone traffic 
was too low to detect the problem.  Worldcom, the city's local service 
provider, discovered the problem the Monday after the hackers broke in.
The city has been negotiating since then to determine how much of the
bill taxpayers must foot.  Sprint has agreed to forgive $11,132 worth of
calls billed through its long-distance service; however, AT&T is willing
to write off only $10,119.71 of the $25,299.28 worth of calls made 
through its service.   (Grand Rapids Press, 27 Mar)

WWU comment: Many perceive the issue of cyber security as one involving 
the upgrade of security software and configuring firewalls.  This event 
illustrates the financial impact of cyber-based crimes.  When criminals 
strike a public infrastructure, consumers get stuck with the bill.

Firewalls open for hackers.  The number of flaws reported in firewalls
has rocketed by nearly 50 per cent over the past four years.  At least
one security specialist believes the reason is that IT managers don't
configure them properly.  A report by security testing specialist NTA 
Monitor found that flaws in firewalls have increased by 45 per cent 
since 1998.  The holes, which occur mainly because of poor configuration 
and sloppy patching, could give hackers a way into corporate networks. 
Many companies are unable to keep up with the latest vulnerabilities 
because of misconfiguration problems. (Silicon.com, 26 Mar)

Hacking gold mine as BT publishes remote dial-up numbers. British 
Telecommunications admits publishing the private remote access numbers 
of a number of British companies on its Web site -- a move that could 
expose the listed firms to hacking attacks.  The numbers were published 
on the public BT Together Web site in a list that BT thought only 
included local and national ISP dial-up numbers.  Companies that give 
their employees dial-in access to their networks have been advised to 
check their security. BT promises to remove the list from the Web, but 
security experts warn that the companies affected are at risk of attack 
in the future.  (ZdNet, 25 Mar)

BT security move may be too late.  Private network numbers were on show 
for over a year.   Network managers have slammed BT for taking too long 
to respond to the security gaffe caused by its publication of a database 
of private network dial-up numbers. (VNUnet, 27 Mar)

Government agencies exposed internal databases.  Apparently, four US 
government Web sites left the contents of internal databases open to Web 
surfers.  Databases operated by the Commerce Department's 
STAT-USA/Internet service, as well as the Department of Energy's Pacific 
Northwest National Laboratory and the Federal Judicial Center, allowed 
remote Internet users to browse documents ranging from correspondence to 
online order data.  Early last month, the US House of Representatives 
committee leading the investigation into Enron's collapse temporarily 
took its Web site offline after internal documents were exposed to 
anyone with a Web browser. (Newsbytes, 29 Mar)

WWU comment: The four previous articles highlight the largest
vulnerability for any organization: the human factor.  These events were
most likely simple oversights or human errors.  The potential for social
engineering and the prevalence of poorly managed systems keep computer
networks vulnerable despite the latest security software.

Smallpox vaccine turns up; discovered doses buy time for US.  A 
pharmaceutical company has discovered 70 million to 90 million 
long-forgotten doses of smallpox vaccine in its freezers, instantly 
increasing the known US inventory of the vaccine six-fold and ensuring 
the nation an adequate supply in the event of a bioterrorist attack, 
according to government sources familiar with the find.  The vaccine has 
been stored in freezers since it was made decades ago.  It remained 
unclear why its existence had gone undiscovered for so long, exactly 
when it was discovered or by whom.  (Washington Post, 28 Mar)

WWU comment: The discovery of such a large quantity of vaccine helps 
diminish the fear of a potential vaccine shortage.  At issue beyond 
vaccine quantity and integrity should be the lack of record keeping and 
accountability.

Terror's confounding online trail.  For all the sophisticated electronic 
tools the US Government has at its investigative disposal, tracking the 
activities of suspected terrorist groups online has proved to be not 
unlike the search for Usama bin Laden and his operatives on the ground. 
Even against a superior arsenal of technology, there are still plenty
of ways for terrorists to avoid detection. Terrorist groups are taking 
advantage of their own technological knowledge to evade surveillance 
through simple tactics, like moving from one Internet cafe to the next, 
and more sophisticated ones, like encryption. Despite growing concerns 
about invasions of Internet users' privacy, it is still relatively 
simple to communicate anonymously online. (New York Times, 28 Mar)

New technology means new problems.   For the criminal justice community, 
new technology is never a simple solution. It's often a case of learning 
how to take full advantage of an emerging field, or a matter of waiting 
for the technology to mature.  At the very least, new technology 
requires government agencies to think about the ways they do business. 
Police chiefs are also taking responsibility for reducing crime and are 
willing to be judged on how they do that. (Federal Computer Week, 28 Mar)

Mutual aid agreements: support for first responders outside major 
metropolitan areas.   First responders from communities outside major 
metropolitan areas who protect large geographic areas with small 
populations face many response challenges.  Many of these communities 
rely upon volunteer departments with scarce resources.  President Bush's
2003 budget provides $140 million to assist these communities in 
planning and establishing mutual aid agreements.  Mutual aid agreements 
have existed in support of civil defense, fire, and National Guard 
activities.  This is the first time the federal government has directly 
supported the establishment of mutual aid agreements with federal 
resources.  The First Responder Initiative will build on existing 
capabilities at the Federal, State, and local level, to develop mutually 
supportive programs that maximize effective response capability. 
(whitehouse.gov, 28 Mar)

WWU comment: The two previous articles demonstrate the difficulties that 
law enforcement organizations are having in the cyber world.  Law 
enforcement's biggest challenge is not education, nor is it
organizational inertia or funding to pursue and apply new technologies.
The nature of the US criminal justice system and federal oversight
guidelines place legal limitations on law enforcement organizations.
The nature of the Internet compounds this issue to involve the laws of 
other nations.  Criminal and terrorist elements are not constrained, and 
therefore can evolve quickly.  Proactive law enforcement and 
forward-thinking guidelines will help counter the lag-time between a 
criminal 'exploit', and a law enforcement 'patch.'

Produce industry balks at food security guidelines regulation.  Firms 
say FDA proposals to protect against bioterrorism are ineffective and 
costly.  Fresh-produce shippers have lobbied the FDA to specifically 
exclude them from its new guidelines urging tamper-resistant packaging 
and other security measures.  The preemptive strike illustrates a 
behind-the-scenes battle over food security regulations that many in the 
industry believe are unnecessary, ineffective and costly, ultimately 
driving up prices for consumers. (Los Angeles Times, 28 Mar)

EPA head says water issues are huge future challenge.  Threats to water 
quality and quantity pose the biggest environmental challenge, in large 
part because of antiquated and deteriorating water systems.  Major 
cities are distributing water through pipes that are more than a century 
old.  A report by the Harvard University School of Public Health found 
that although water is relatively abundant in the United States, 
"current trends are sufficient to strain water resources over time, 
especially on a regional basis."  The study cited as contributing 
factors the deterioration of public water infrastructure such as pipes, 
as well as global climate effects, waterborne disease, land use, 
groundwater and surface water contamination and ineffective government 
regulations.  At least $151 billion needs to be spent over the next 20 
years to guarantee the continued high quality of US water, the report 
said.  The Water Infrastructure Network, a national coalition of local 
government officials, water and water treatment utilities, health 
administrators, engineers and environmentalists, reported similar 
findings last year, putting the total cost of solving the problem at $1 
trillion. (Water Technology Online, 28 Mar)

Data-sharing partners square off with bioterrorism.  New York's system 
proactively monitors disease outbreaks.  Most biological agents that 
might be used by terrorists manifest themselves in the early stages as 
flu-like symptoms, which challenge health-care professionals and 
agencies.  In many cases, it takes too long to figure out that a growing 
health problem is an attack caused by biological agents and not a 
natural disease.  The answer is better collaboration through technology. 
After the 11 September attacks on the World Trade Center, the CDC 
deployed more than 20 epidemiologists to work at some New York hospitals 
round-the-clock, monitoring for unusual activity that might indicate a 
bioterrorist attack.  Most hospitals have information systems that 
collect patient data as they enter the facility.  As calls come into 
911, the operator collects information that in some cases indicates a 
specific illness.  As information comes in from both sources, 
business-intelligence and cluster-modeling tools are used to analyze it 
and watch for trends that would indicate a disease cluster is occurring 
in specific neighborhoods, a process known as syndromic surveillance.
Key to achieving that goal is business-intelligence technology that can 
be used to collect and analyze data that has been stored in the agency's
database for years but that could be useful if shared with the public. 
(Information Week, 28 Mar)

ITAA lists nine ways to counter terrorism using IT. The Immigration and 
Naturalization Service recently sent to the Office of Homeland Security 
recommendations from the private-sector on how to conduct 
counterterrorism operations through the use of integrated IT.  Officials 
and member companies of the Information Technology Association of 
America met with the INS and came up with nine suggestions during a 
meeting late last year.  INS Commissioner James Ziglar said the 
recommendations would help provide businesses with investment advice and 
a better understanding of law enforcement and intelligence operations. 
(Government Computing News, 28 Mar)

FCC creates media-security panel. The Federal Communications Commission 
announced the creation of an industry advisory panel intended to study 
the security of cable, broadcasting and satellite facilities in the 
event of another 11 September terrorist attack.  The panel is expected 
to include between 30 and 40 members. The FCC has no plans to require TV 
stations to build direct wireline links from their stations to area
cable systems.  (Multichannel News, 28 Mar)

WWU Comment: The previous five articles illustrate the importance of 
government and private-sector cooperation in the protection of critical 
infrastructures.  Food production and delivery is an area that remains 
extremely vulnerable to terrorist attack, and is starting to get 
federal-level attention.  The water supply system is just one of many 
aging infrastructures throughout the US.  Solutions demand government 
and industry cooperation, as well as potential cost sharing.  The 
increased attention on emergency response since 11 Sep 01 has forced 
hospitals and emergency workers to combine existing information and 
processes in a synergistic manner.  Combining patient data and 911-call 
symptoms has enabled existing software tools to yield predictive trends, 
thus speeding response.

PDAs are a mixed blessing for firms with staff on the road.  Hand-held 
devices extend the reach of e-businesses, but they also hold risks if 
companies lack policies for securing them.  The advent of personal
digital assistants (PDAs) has effectively extended the e-business 
paradigm by making work ever less site-specific.  Gaining rapidly in 
sophistication, PDAs can be synchronized with office desktop computers 
to give complete portable access to company data. That can make for 
productivity gains at a remote site or on the road, as well as 
increasing the possibility of PDA-transmitted viruses and office-system 
crashes.  "People rush into the market and get a PDA with no reference 
to the standard of their firm because there is no standard at their 
firm," says lawyer George Atis, a partner and corporate IT specialist at 
McMillan Binch in Toronto.  PDAs now access databases and download 
e-mail.  (Globetechnology.com, 28 Mar)

WWU Comment:  The widespread use of PDAs causes three problems for 
organizations.  The first concern is system integrity and the threat of 
malicious code.  Second is the potential for network compromise through 
uploaded Trojan software.  The third concern is the potential for 
economic espionage either through loss or theft of a PDA, or from an 
individual who downloads from the network and walks out the door.



IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

