OCIPEP DAILY BRIEF
Number: DOB02-172
Date: 24 October 2002
http://www.ocipep.gc.ca/DOB/DOB02-172_e.html

NEWS

Nova Scotia bridge closed after crane collapse leaves structure sagging

The Margaree Harbour bridge on Nova Scotia's Cabot Trail was closed to traffic Wednesday after a crane collapsed on the bridge. Traffic was detoured and there was no information on how long it would take to repair the damage. The crane was being used to build a new bridge over the Margaree River. (Source: novascotia.cbc.ca, 23 October 2002)

OCIPEP Comment: According to the Nova Scotia Emergency Measures Organization, the Margaree Harbour bridge collapse should not have any effect on the new bridge that is being built and should result in only minor inconveniences for the local residents. There are two bridges approximately six kilometres from Margaree Harbour: one at Margaree Forks; the other at East Margaree.

Vulnerable cached objects in Internet Explorer

GreyMagic, an Israeli software firm, has published an advisory covering nine separate vulnerabilities in Internet Explorer, which all involve object caching. Most of the vulnerabilities have been deemed highly critical. Object caching takes place when the attacker opens a window to a page in his/her own site. The URL in the window is then changed to the victim page, but the cached references stay in place, providing direct access to the new document. While the vulnerabilities are all related to object caching, each of them is a separate vulnerability that uses a unique method for exploitation. Affected users are advised by GreyMagic to either disable Active Scripting or upgrade to IE6 SP1 until a patch becomes available. (Source: greymagic.com, 22 October 2002)

OCIPEP Comment: Computer systems should be kept up to date and patched to mitigate such vulnerabilities. For the original report, go to http://sec.greymagic.com/adv/gm012-ie/.

Global wardriving day set for Saturday

This Saturday, hackers from seven countries including Canada plan to drive through urban areas with readily available equipment to identify wireless networks that have not been encrypted, according to a media report. Wardrivers claim that their goal is to raise awareness of security risks in wireless networks. (Source: msnbc.com, 23 October 2002)

OCIPEP Comment: As reported in OCIPEP Daily Brief DOB02-138, released 5 September 2002, during a similar exercise in Alberta, wardriving groups found that nearly 70 percent of wireless networks in the region were vulnerable to capture.

IN BRIEF

Port Simpson - Update

After an afternoon outage on October 22, power was restored at 18:20 PST and continues to hold. Additional power outages have been caused by insulator failures as a result of salt buildup and fog. A scientific team from BC Hydro arrived on 23 October, and a technical and upper management team from BC Hydro is currently on-site addressing the situation over the long-term. The residential structures in the community have been without power for 13 of the last 16 days. (B.C. PEP, 23 October 2002)

Manitoba-North Dakota: water issues

The Manitoba government has filed a legal challenge to force the government of North Dakota to conduct a full environmental impact assessment of a project to supply drinking water to at least 60,000 residents of northern North Dakota. (Source: cbc.ca, 23 October 2002)

Internet attack could be first of many, experts warn

The distributed denial-of-service attack against all 13 of the Internet domain name system root servers, which was reported in Daily Brief DOB02-171 and released 23 October 2002, failed to bring down the Internet, but according to some experts, that doesn't mean that more attacks won't follow and succeed where this week's attack failed.
(Source: pcworld.com, 23 October 2002)

CYBER UPDATES

See: What's New for the latest Alerts, Advisories and Information Products

See: News - Vulnerable cached objects in Internet Explorer

Threats

Central Command reports on Kit/Kagragen, which is a worm creation kit generator. Worms created by this kit have some similar characteristics. A user can choose a subject line, body and filename for an e-mail and it will collect Outlook e-mail addresses from the infected user. A user will also be given the option to select up to two payloads.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021022-000012

Symantec reports on VBS.Krim.C, which copies itself as Valentina.jpg.vbs to all logical and network drives, including drive A. The worm also spreads through IRC as Valentina.htm. This worm has three payloads, one of which formats drive C if the right condition is met.
http://securityresponse.symantec.com/avcenter/venc/data/vbs.krim.c.html

Symantec reports on Backdoor.Synrg, which is a Trojan horse that allows unauthorized access to the infected computer. It attempts to update itself over the Internet and propagate via mIRC. The Trojan uses HTTP port 80 and various IRC ports to communicate.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.synrg.html

Symantec reports on Backdoor.Wiween, which is a Trojan horse that affects Linux systems. It poses as an exploit against the Linux TCP/IP stack. This appears to be an attempt to fool would-be Linux hackers into running this Trojan on their own systems. It sends information about a computer to some e-mail addresses and opens a TCP port above 4000, where it listens for incoming connections and offers a shell to attackers.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.wiween.html

Trend Micro reports on WORM_MERKUR.A, which is a memory-resident worm that propagates via Outlook e-mail, the KaZaA network, and mIRC.
It arrives with the subject line "Update your Anti-virus Software" and the attachment "TASKMAN.EXE". This worm also drops a batch file component that deletes .JPG, .MPG, .BMP, and .AVI files from certain directories.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MERKUR.A

Vulnerabilities

Multiple Firewall Vendor packet flood vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/6023/discussion/

Fragrouter 1.7 Trojan horse vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/6022/discussion/

Debian Linux YPServ (multiple versions) network information leakage vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/6016/discussion/

Debian GNU/Linux libapache-mod-ssl cross-site scripting vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4591

Virgil CGI Scanner 0.9 vulnerability. (SecuriTeam)
http://www.securiteam.com/unixfocus/6U00O0K5SQ.html

IE 5.5 and 6.0 (9 advisories in 1) cached objects vulnerability. (SecuriTeam)
http://www.securiteam.com/windowsntfocus/6R00L0K5SW.html

Tools

There are no updates to report at this time.

CONTACT US

To add or remove a name from the distribution list, or to modify existing contact information, e-mail: [EMAIL PROTECTED]

For urgent matters or to report any incidents, please contact OCIPEP's Emergency Operations Centre at:
Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: [EMAIL PROTECTED]

For general information, please contact OCIPEP's Communications Division at:
Phone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
Email: [EMAIL PROTECTED]
Web Site: www.ocipep-bpiepc.gc.ca

Disclaimer

The information in the OCIPEP Daily Brief has been drawn from a variety of external sources. Although OCIPEP makes reasonable efforts to ensure the accuracy, currency and reliability of the content, OCIPEP does not offer any guarantee in that regard. The links provided are solely for the convenience of OCIPEP Daily Brief users.
OCIPEP is not responsible for the information found through these links.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk