NIPC Daily Report 7 June 2002

The NIPC Watch and Warning Unit compiles this report to inform
recipients of issues impacting the integrity and capability of the
nation's critical infrastructures.

President Bush proposed a Cabinet-level Department of Homeland Security.
Among the new government functions the president's proposal would create
are a threat analysis unit office and an office to coordinate federal
programs with state and local officials. Those additions - as well as
the management and administration of the new agency - would be paid for
through savings from eliminating redundant functions in other agencies,
the report said. The new department would have four divisions: Border
transportation and security, Information analysis and infrastructure
protection, Emergency preparedness and response, and Chemical,
biological, radiological and nuclear countermeasures. The Secret
Service, which specializes in threat assessments and security at
high-profile events, would remain intact after moving from Treasury to
the new department. It is one of several agencies that would continue
their varied non-homeland defense chores at the new department. The FBI
and CIA would remain independent agencies. But one question remained
muddy: just what authority any new secretary of homeland security would
have over the FBI and CIA. A senior administration official briefing
reporters at the White House said the secretary could not order - only
strongly suggest - that the FBI investigate a lead. (CNN, 6 June)

Bush plan backs IT infrastructure. The White House proposes developing a
single information technology infrastructure cutting across the many
federal organizations that would be folded into the Department of
Homeland Security. A system for interoperable communications between
emergency personnel and other first responders will be a "top priority"
for the Department, according to the plan. (Federal Computer Week, 6 June)

FEMA will oversee all wireless efforts. The Federal Emergency Management
Agency will coordinate all federal wireless communications projects in a
bid to ensure interoperability and standards while avoiding stove-piped
systems. FEMA will take over Project SAFECOM, an Office of Management
and Budget e-government initiative, according to FEMA CIO Ron Miller.
The purpose of Project SAFECOM is to bring wireless project managers
together. SAFECOM will have four deputy program managers--from Commerce,
FEMA, Justice and Treasury--to oversee initiatives, Miller said. It also
will have a steering committee composed of representatives from user
groups such as the International Association of Chiefs of Police.
(Government Computer News, 5 June)

WWU Comment: The previous two articles reflect the federal emphasis on
information sharing. Interoperability and timeliness are critical both
horizontally, across similar levels of government as in the FEMA and
Homeland Security examples, and vertically, between federal, state,
and local governments. State and local organizations will have the
greatest need for information in their front-line roles and have
valuable input to be considered when designing communication and
information systems.

Smart card use booming. Smart cards, which contain a chip that can store
data such as a person's name and fingerprints, can help protect
agencies' networks, buildings and data against unauthorized access, said
Paul Kurtz, senior director for national security in the White House's
Office of Cyberspace Security. "Smart cards represent a possible
solution to the architectural problems of secure, mobile
identification," Kurtz said. Still, there are challenges, including
interoperability, infrastructure, privacy, security and cost. However,
smart cards are not the only solution, nor a "panacea," Kurtz warned.
The cards are a piece of a larger, coordinated effort to protect the
nation's infrastructure. (Federal Computer Week, 5 June)

TSA plans two smart card pilot projects. The Transportation Security
Administration (TSA) plans to launch at least two pilot projects this
year for a smart card program that eventually will put the
identification technology into the hands of 10 million to 15 million
workers, a transportation official said June 5. The Aviation and
Transportation Security Act, signed in the wake of the Sept. 11
terrorist attacks, requires the department to develop a universal worker
identification system. The cards will provide secure access to buildings
and computer networks and will hold biometrics, most likely in the form
of fingerprints. TSA will also set the policy for trusted traveler cards
for frequent airline passengers in the near future. John Magaw,
Transportation undersecretary for security, has said that there is no
card that will allow people to get through security completely. The
trusted traveler cards could be developed in tandem with the smart cards
and will use the same architecture. TSA is coordinating its effort with
the Federal Aviation Administration, which is moving forward with its
own smart card pilot project. Both agencies will align their programs
with GSA-developed smart card interoperability specifications. (Federal
Computer Week, 6 June)

WWU Comment: The benefits of smart cards in terms of interoperability,
standardization, and convenience must be weighed against security and
privacy concerns. The above articles refer to privacy concerns but do
not cite the security risks of having a single method to control
identification, physical access, network access, and personal
information. Multiple layers of security are necessary to protect
against a compromise arising from access to protected areas and data
that is greater than what a person actually requires to perform their job.

Info sharing bill gains support. The Homeland Security Information
Sharing Act requires the administration to develop a plan within six
months that will outline how sensitive, but unclassified, federal
information can be shared with the appropriate officials within state
and local law enforcement. The plan must also outline a process for
removing sensitive information from classified information so that it
may be shared with these organizations. This will enable first
responders to receive more detailed, timely information on potential
threats. The bill calls for the administration to outline systems that
can be used to share information in a timely manner, and it fosters the
use of existing systems, such as the National Law Enforcement
Telecommunication System (NTWS) and the Regional Information Sharing
Systems (RISS). (Federal Computer Week, 5 June)

Tech factors in port protection. The Maritime Transportation
Anti-Terrorism Act authorizes $83 million annually in grants for
enhanced facility security at U.S. ports for the next three fiscal
years. These grants will help cover the cost of anti-terrorism
improvements and fund projects to determine which technologies will
improve port security the best. The legislation would give the Coast
Guard the authority to deny entry to vessels from foreign ports with
inadequate security and dispatch "sea marshals" to respond to terrorist
threats. The legislation requires the government to develop
anti-terrorism cargo identification and screening systems for
containers. (Federal Computer Week, 6 June)

New technology maximizes grid capacity, eliminating power outages.
"Electricity reliability is a major problem in the U.S. and around the
world," said Roberto Torres, an analyst with Frost & Sullivan. "The
smartest and quickest way to improve reliability is to maximize grid
capacity through improved technologies." A product called Advanced Grid
Observation Reliable Algorithms (AGORA) allows power system operators
to effectively simulate the activity on a power grid under any
condition, allowing for more accurate operations and planning. For more
than 30 years, the Newton-Raphson method has been used industry-wide as
a tool to analyze the behavior of electrical power systems. This method
can provide incorrect information that could result in inaccurate system
planning, especially in more complex electrical systems. (Utility
Automation, 6 June)

Rocket cache found near Moscow airport. Detectives said on 6 June that
they had discovered a cache of surface-to-air rockets buried near a
Moscow airport. Following a tip, police uncovered the munitions hidden
in a cemetery directly under the flight path of aircraft landing at
Vnukovo airport, southwest of Moscow. "One version (of the story) is
they were stolen from a military unit to be sold to criminal groups. The
second (version) is that a terrorist act was being planned against
aircraft, because this cache was located directly under the flight path
for landing," Moscow police spokesman Kiril Mazurin said. The airport
mainly handles domestic flights, but also some charter flights abroad.
According to experts, anyone with minimal training would be able to arm
and fire the rockets. (Reuters, 6 June)

WWU Comment: Although this incident occurred in Russia, there are two
concerns for US transportation activity. American charter aircraft could
be targeted at this site or the operatives could be training and
developing techniques to be used in the US or at international airports
used by American carriers.

FAA forges ahead with STARS. The Standard Terminal Automation
Replacement System (STARS) eventually will swap aging equipment for new
color displays, processors and computer software at 173 air traffic
control facilities nationwide. The Federal Aviation Administration plans
to install STARS in Philadelphia in November despite several unresolved
problems described in an inspector general report released June 5. STARS
has been used in pilot projects at airports in Syracuse, New York and El
Paso, Texas, since 1999. The agency "fundamentally disagrees" with the
conclusions of the report and contends "it will not deploy a system that
is unsafe," FAA Administrator Jane Garvey said in a memorandum to
Transportation Department Inspector General Kenneth Mead. (Federal
Computer Week, 6 June)

FAA installs a new system for weather data. The Weather and Radar
Processor system recently went online in Fort Worth, Texas. It allows
controllers to see advanced Doppler radar weather information along with
aircraft position data. The system will help controllers reroute air
traffic to avoid severe weather, FAA officials said. This real time
information gives controllers a better view of localized precipitation
and helps them evaluate the weather's impact on flights. (Government
Computer News, 6 June)

Clarke warns educators about need for better security. "Law enforcement
can't save the private sector," the president's cybersecurity czar,
Richard Clarke, said. "We can't tell the energy companies and the
pipeline companies how to configure their systems. At a fundamental
level, it doesn't matter who the threat is." What matters, he said, are
the vulnerabilities within corporate networks that present risks to the
national infrastructure. The most vulnerable networks are those at
universities and college systems, many of which have little or no
protection -- and thus, make great launching pads for attacks against
infrastructure companies. To champion better security at the campuses,
Clarke said attendees needed to press university provosts and boards of
regents for better security programs and educational grants.
(Computerworld, 5 June)

Malicious programs taking advantage of World Cup theme. Kaspersky Labs
warns users about the first appearance of malicious programs taking
advantage of the hugely popular and widespread World Cup theme. Users
are urged to be extremely careful with e-mail
containing popular subject themes. Users should refrain from "checking
out" file attachments supposedly connected to the World Cup football
championship, especially without the use of an anti-virus program armed
with a freshly updated anti-virus database. For more detailed
information about this series of worm viruses, please go to the
following address: http://www.viruslist.com/eng/viruslist.html?id=48005
(Kaspersky Lab News, 6 June)

Red-M's Bluetooth server vulnerable. Security researchers have
identified numerous flaws in the Bluetooth short-range wireless access
points sold by Red-M Communications Ltd., the most serious of which
could compromise the administration password. @stake Inc. discovered six
vulnerabilities in Red-M's 1050AP. (eWeek, 5 June)

Evolving viruses threaten many platforms. A new virus called Simile.D
could lead to a rethinking of the principles underlying antivirus
software. The fourth and latest variant of the virus can spread to both
Windows and Linux computers. If placed on the Internet, the virus could
cause some problems for administrators because of its ability to jump
from Windows to Linux and back again. While Simile.D spreads
successfully to Linux machines, the risk is lessened by the fact that
only systems running in so-called super-user mode can be fully infected.
(CNET News.com, 5 June)

NRC holds firm on keeping nuclear security forces private. Nuclear
Regulatory Commission officials are continuing to resist efforts by
Congress to federalize security forces at the nation's nuclear
facilities. "The 2001 Nuclear Security Act," (S. 1746) would make more
than 5,000 nuclear security officers federal employees and establish a
training and evaluation process for them. Currently, NRC regulations put
private companies in charge of nuclear plant security. (Government
Executive Magazine, 5 June)

Internet Explorer buffer overflow vulnerability. According to a 4 June
SecurityFocus News report, Microsoft's Internet Explorer web browser
contains a flaw in the Gopher client that could allow a malicious server
to take control of a victim's computer. The vulnerability was made
public by Jouko Pynnonen of Finland's Online Solutions, who was credited
by Microsoft last December with identifying a security flaw in IE that
allowed an attacker to exploit another user's computer by simply causing
the victim to view a web page or open an HTML e-mail. A user may be
affected by the newly discovered vulnerability by simply viewing a web
site that is maliciously designed to listen on a TCP port and write a
block of data, according to Pynnonen's advisory. Once a victim has been
compromised, the exploiter could do anything on the system that an
authorized user could do, including install, modify, or delete files. A
Microsoft representative said the company is investigating the report
but had no further comment. According to Pynnonen, concerned users can
protect themselves by simply disabling IE's built-in Gopher client from
the LAN settings section of the Connections menu in IE's Internet
Options folder. (SecurityFocus.com, 4 June)

Shakira is the product of a VBS worm-generator kit. Most antivirus
software vendors already have protection available to block this worm,
hence the official name: Vbswg-aq. When the Shakira worm invades your
PC, it displays this message: "You have been infected by the ShakiraPics
Worm." Because Shakira is not destructive and just sends e-mail, it
currently ranks a 4 on the ZDNet Virus Meter. The Shakira worm arrives
as an e-mail with the subject line "Sharkira pics." The body text is
"Hi, I have sent the photos via attachment have fun..." The attached
file is shakirapics.jpg.vbs. If you open the attached file, the worm
copies itself into the Windows folder as shakirapics.jpg.vbs, then makes
a few changes to the registry. Users of Microsoft Outlook 2002 and users
of Outlook 2000 who have installed a recent Security Update should be
safe from the attached VBS file in Shakira. Users who have not upgraded
to Outlook 2002 or who have not installed the Security Update for
Outlook 2000 should do so. (CDNET, 6 June)

Hacker group defaces naval websites. A Navy subdomain reported that
tracker.hroc.navy.mil, which is apparently used to track job
applications, was defaced by a group calling itself 'Infidelz'.
Confidential data was accessed and the hackers published and edited
documents on the defaced page purporting to be from the human resources
department of the Navy. A message from the defacers read: "Files on this
server were accessed containing names, social security numbers,
addresses, telephone numbers and the confidential personal information
of job applicants." The site has since been taken down, but yesterday
another Navy site, simamail.erl.mrms.navy.mil, was attacked in a similar
fashion by the same group. (Vnunet.com, 6 June)







IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

