NIPC Daily Report 24 June 2002

The NIPC Watch and Warning Unit compiles this report to inform recipients of issues impacting the integrity and capability of the nation's critical infrastructures.

NIPC Advisory 02-005.1: Remote Vulnerabilities in Apache Web Server Software. The NIPC issued an updated advisory to highlight the significance of a vulnerability that could affect a majority of active Web sites. The advisory can be viewed at
http://www.nipc.gov/warnings/advisories/2002/02-005.1.htm

Amtrak shutdown could paralyze rail commuter service. An Amtrak shutdown would ripple far beyond inter-city passenger train service, and could halt or severely curtail rail commuter service along the East Coast and California. An inter-city and commuter rail shutdown could create havoc along the East Coast where hundreds of thousands of people would be forced onto highways, subways and airports. Amtrak, for instance, now hauls more passengers between Washington and New York than the airline shuttles combined. In addition to the Washington area shutdowns, Philadelphia's Southeastern Pennsylvania Transportation Authority would be largely shut down, as would New Jersey Transit. The Long Island Rail Road could operate as usual with one major exception - it couldn't get into Manhattan because it uses Penn Station. Boston's commuter system would be mostly shut down because its trains are operated by Amtrak and use many stretches of Amtrak track and stations. In California, all commuter service would apparently be shut down, including major systems in Los Angeles and San Francisco, because they are either operated by Amtrak or use Amtrak facilities. The effect on freight service would be minimal, although the large Chrysler plant at Newark, Del., and the Ford plant at Metuchen, NJ, would be isolated from rail services because they are served by Norfolk Southern trains that use Amtrak tracks. (The Washington Post, 21 June)

FEMA taking charge of wireless. The Office of Management and Budget will soon direct the wireless communication initiative to be placed under the Federal Emergency Management Agency (FEMA). FEMA will organize the government's communications capabilities under Project SafeCom to ensure emergency workers are outfitted with functional equipment. The Department of Treasury is passing the project to FEMA because of their emphasis on emergency preparedness and first responders. To fund this wireless initiative, the Bush administration's budget request identified $3.5 billion for new equipment and training to enhance state and local readiness for attacks. As part of the proposal, FEMA would allocate $7 million for grants to states, with at least 75 percent for local governments. (Federal Computer Week, 21 June)

House panel approves bill permitting pilots to be armed. A House measure to create an experimental program under which 250 pilots would initially be armed faces tough opposition in the Senate and from key groups such as flight attendants and airlines. A Senate bill that would arm far more pilots has run into difficulties in committee. At the end of two years, the TSA could expand or eliminate the program for pilots. The Air Transport Association, which represents major airlines, called the House bill "an improvement" on an earlier measure that provided for more widespread arming of pilots. The airline association said the bill still fails to answer questions about who would be liable if a bullet accidentally wounds or kills a passenger or crewmember. (Washington Post, 20 June)

Transportation agency steps up campaign to recruit baggage screeners. On 21 June the Transportation Security Administration (TSA) announced a major acceleration of its hiring campaign to recruit federal baggage screeners at 30 airports across the country. Under the 2001 Aviation and Transportation Security Act, the TSA has until 19 November to hire and train federal screeners at the nation's 429 airports. In order to meet its deadline, TSA needs to hire 7,000 to 8,000 screeners every month from July through the end of October. (Government Executive, 21 June)

Microsoft Security Bulletin MS02-031. Microsoft Corporation has released Microsoft Security Bulletin MS02-031, "Cumulative Patches for Excel and Word for Windows." According to a 19 June Microsoft Security Bulletin, four newly discovered vulnerabilities each could enable an attacker to run macro code on a user's machine. The attacker's macro code could take any actions on the system that the user was able to. Microsoft has made a patch available to close the vulnerabilities. The vulnerabilities include the following: An Excel macro execution vulnerability related to how inline macros that are associated with objects are handled could enable macros to execute and bypass the Macro Security Model. An Excel macro execution vulnerability relates to how macros are handled in workbooks that are opened via a hyperlink on a drawing shape. It is possible for macros in a workbook so invoked to run automatically. An HTML script execution vulnerability that can occur when an Excel workbook with an XSL Stylesheet that contains HTML scripting is opened. The script within the XSL stylesheet could be run in the local computer zone. A new variant of the "Word Mail Merge" vulnerability previously addressed by a Microsoft alert could enable an attacker's macro code to run automatically if the user had Microsoft Access present on the system and chose to open a mail merge document that had been saved in HTML format. Additional information on this bulletin and a patch to fix the vulnerabilities can be viewed at:
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-031.asp
(Microsoft, 19 June)

Yaha Worm, apparently from India, spreading globally. Yaha worm, in its various forms, has allegedly been launched by Indian hackers in retaliation for extensive anti-Indian hacking carried out by Pakistani hacker groups. Yaha.E is designed to use infected machines to flood the Web address http://www.pak.gov.pk/, a Web site owned by a group in Pakistan registered as the Commission for Science and Technology for Sustainable Development in the South. A text file within the worm specifically mentions the Pakistani hacker group GForce. Yaha is similar to the highly successful Klez worm in a number of respects, according to the report. Yaha.E, for example, aggressively attempts to terminate anti-virus and related security software from memory, searching for and killing over 40 related processes. (iDefense, 21 June)

WWU Comment: The NIPC is closely monitoring this worm and will advise of changes in its status as necessary. Major US anti-virus vendors are rating this worm as Low and have removal instructions posted to their Web sites.

Secret Service probes school hacking. Online criminals have compromised computers at universities in Arizona, Texas, Florida, and California, and the Secret Service is investigating the incidents. These criminals may have placed spyware that captures passwords and credit card numbers on the computers. Someone actually sitting at the keyboard may have loaded such software onto the system. University systems have long been a haven for hackers and online vandals, given the loosely secured computer labs most of them have. In the past, compromised university systems contributed to the DoS attacks that struck at well-known e-commerce sites more than two years ago. (CNET, 21 June)

~dmh




IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk

