National Infrastructure Protection Center
NIPC Daily Open Source Report for 26 November 2002

Daily Overview

.       Internet Security Systems has raised its AlertCon Internet
threat indicator to Level 2, due to the large increase of scanning
across the Internet, primarily from Asia, and a number of incident
reports regarding security breaches against commercial entities.  (See
Internet Alert Dashboard)

.       CERT announces Vulnerability Note VU#740619: Secure Shell for
Servers, developed by SSH Communications Security, does not properly
remove the child process from the master process group after
non-interactive command execution.  (See item 16) 

.       The Associated Press reports that President Bush signed
legislation Monday creating a new Department of Homeland Security
devoted to preventing domestic terror attacks.  (See item 10) 

.       The Associated Press reports Federal authorities have charged
three men with orchestrating a huge identity-theft scheme in which
credit information was allegedly stolen from more than 30,000 victims.
(See item 1)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

1.      November 25, Reuters - Opposition parties said on Monday they
had lodged no-confidence motions against the Bulgarian government for
bowing to European Union pressure and agreeing to close down two nuclear
The ruling coalition of Prime Minister Simeon Saxe-Coburg is likely to
defeat the two motions in the 240-strong parliament, where it has a
sound majority, local commentators said. EU candidate Bulgaria agreed
last week to close reactors three and four of its Soviet-era Kozloduy
nuclear plant by 2006. The plant generates more than 40 percent of the
country's electricity and any shutdown is likely to raise power prices
for impoverished Bulgarians. The Balkan state's previously ruling
centre-right Union of Democratic Forces (UDF) and Socialist parties
accused the reformist government of betrayal. "The government has acted
against national interests and has violated the Constitution," the
Socialists said. The ruling National Movement for Simeon II -- led by
Saxe-Coburg, the former king who took over the premiership in July 2001
-- holds 115 seats in parliament, while its junior coalition partner,
the ethnic Turkish MRF party, has 20 seats. Opposition parties had
previously signalled they would not make waves before last week's NATO
summit in Prague to avoid damaging Bulgaria's chances of becoming a NATO

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

2.      November 25, Associated Press - U.S. charges 3 in massive ID
fraud.  Federal authorities charged three men with orchestrating a huge
identity-theft scheme in which credit information was allegedly stolen
from more than 30,000 victims.  Manhattan U.S. Attorney James Comey said
the arrests announced Monday mark the largest identity theft case in
U.S. history, with initial losses pegged at $2.7 million and growing.
More than 15,000 credit reports were stolen using passwords belonging to
Ford Motor Credit Corp. to access information from Experian, a
commercial credit history bureau, officials said.  Authorities say the
scheme began about three years ago when Philip Cummings, a help-desk
worker at a computer software company, agreed to give an unidentified
co-conspirator the passwords and codes for downloading consumer credit
reports.  Source:

3.      November 24, Milwaukee Journal Sentinel - Insurance co-op
created for cities, villages.  The threat of terrorism has persuaded an
insurance carrier to drop liability coverage for about 200 cities and
villages in Wisconsin, leading to the formation of a new statewide
self-insurance cooperative.  As part of a corporate retrenching
attributed to terrorist threats, Kemper Insurance Cos. has decided not
to renew coverage under a nearly 20-year-old program operated by the
League of Wisconsin Municipalities.  With Kemper dropping out at the end
of the year, league officials have invested $5 million to establish a
new self-insurance pool of the sort that became popular during an
insurance industry crunch in the 1980s.  Source:

4.      November 22, Financial Crimes Enforcement Network, U.S.
Department of the Treasury - The FinCHEN issued today its report on
Informal Value Transfer Systems (IVTS), including hawala, in its ongoing
effort to gain a more complete understanding of the nature of these
systems.  Hawala, an IVTS, is a method of monetary value transmission
that is used in some parts of the world to conduct remittances, most
often by individuals who seek legitimately to send money to family
members in their country of origin.  The report addresses the complexity
of IVTS, provides information for the law enforcement and financial
communities, and offers several recommendations to further the learning
curb about IVTS to help stem their use as potential avenues for money
laundering and other financial crimes.  Source:  Report: 

[return to top]

Transportation Sector

5.      November 24, Orange County Register - Port security lagging.
The Orange County Register reported on Sunday that the Los Angeles and
Long Beach, CA ports remain largely exposed to terrorist attacks that
could lead to mass casualties or "an ecological disaster," citing a
report to the federal government.  The vulnerabilities are detailed
publicly for the first time in a grant request submitted this year by
the nation's largest cargo port complex.  In the March 29 grant request
- which was obtained under the California Public Records Act - Port of
Long Beach officials described the state of security at the complex,
which handles 43 percent of the nation's container cargo traffic.  Among
the problems cited in the report were a shortage of patrol boats, law
enforcement officials, and surveillance cameras to monitor port
facilities, exposed above-ground tanks storing hazardous chemicals, lack
of an efficient cargo screening system, and lack of a system for
disseminating evacuation information.  As with most grant requests, Long
Beach city officials conceded, they relied on worst-case scenarios.  But
all the vulnerabilities described were identified through a risk
assessment by numerous public-safety agencies, including the city's Fire
Department, the U.S. Coast Guard, and Long Beach and Los Angeles police.

6.      November 24, USA Today - Armed pilots are months away.
President Bush signed legislation on Monday that allows airline pilots
to carry guns in cockpits, but it will be months before any take their
weapons aboard.  It is expected that fewer than half of the roughly
75,000 pilots will choose or qualify to carry a weapon while on board.
Before pilots will be allowed to arm themselves, the government must set
up a training program to make pilots proficient at shooting inside the
confined quarters of a cockpit.  The government also must write rules on
what weapons should be allowed, how pilots carry the guns to and from
the aircraft and whether they can carry them off duty.  The legislation
says the Transportation Security Administration (TSA) should begin
arming pilots within 90 days but gives the agency wide latitude to write
rules.  TSA spokesman Robert Johnson says it's too early to say what the
program will look like or how many pilots will eventually qualify.  But
one federal official said pilots should expect rigorous training and
standards that limit the number of pilots who participate.  Source: 

[return to top]

Gas and Oil Sector

7.      November 25, Associated Press - Tanker catches fire in Chinese
waters.  High winds and rough seas hampered attempts Monday to put out a
fire aboard a tanker carrying 20,000 tons of liquefied petroleum gas,
but officials said there was only a slight risk of explosion.  The fire
broke out late Saturday in the engine room of the Panamanian-registered
Gaz Poem, away from the ship's highly volatile cargo, said a spokesman
for the southern Chinese city of Shenzhen, who gave only his surname,
Zhu.  No one was injured and nearby vessels picked up the 34 crew
members from lifeboats, said a Hong Kong government spokeswoman who
identified herself as Tang.  She said the cause of the fire was not
known.  Strong winds and high waves prevented fire fighting vessels from
even approaching the Gaz Poem on Monday as the fire blazed for a second
day.  Source:

8.      November 25, TheStraitsTimes - A collision with a wayward
container caused the problems on board the oil tanker Prestige which led
it to sink off Spain's coast last week, a Sunday newspaper reported the
ship's captain as saying.
After 'a very loud sound' at the moment of impact, the Prestige began to
list badly and took on water, forcing him to fill the port ballast tanks
to stabilise the tanker, he said. The captain - who has been in Spanish
custody since his vessel sank last Tuesday - denied allegations that he
had refused to cooperate with the Spanish authorities by directing the
tanker towards the coast. He also confirmed his final destination was
Singapore, but contradicted Spain's claim that he wanted to call at
Source:,4386,157035,00.htm l?

[return to top]

Telecommunications Sector

Nothing to report.

[return to top]

Food Sector

9.      November 23, Reuters - USDA announces ground beef recall.
Fairbank Farms, a New York meat processing company, is voluntarily
recalling 320,000 pounds of fresh ground beef products that may be
contaminated with the E. coli bacteria, the U.S. Department of
Agriculture announced on Saturday.  The beef products were distributed
to retail stores nationwide.  E. coli 0157:H7 is a potentially deadly
bacteria that can cause bloody diarrhea and dehydration.  The USDA's
Food Safety and Inspection Service said it had received no reports of
illness.  The problem was discovered through microbiological sampling
that traced the bacteria back to the product.  Source: 

[return to top]

Water Sector

10.     November 25, Independent Online (South Africa) - Plot to poison
water foiled.  A group of far right-wing whites planned to kill millions
of black South Africans by poisoning water supplies to the inhabitants
of townships near Johannesburg, South Africa, the National Intelligence
Agency (NIA) has revealed.  A group calling itself the Boere Vryheids
Aksie (BVA) planned to poison the water supplied to at least three large
townships, according to the NIA.  In the plan to contaminate water
supplies, tetranium, an agricultural poison, would have been poured into
reservoirs serving Soweto, Atteridgeville, Soshanguve and Laudium -
townships inhabited by at least 10-million people.  Karl Lubonot, a
chemistry specialist, said the plot to poison water supplies would have
failed because of the large amount of chemicals needed.  Source:

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency Law Enforcement Sector

11.     November 23, New York Times - Justice Dept. seeks to use new
power in terror inquiries.  The Justice Department plans to assign
federal lawyers in counterintelligence to terrorism task forces in New
York and Washington to help secure secret warrants against suspects,
officials say.  The deployments, along with other changes under
discussion by top Justice Department officials, are seen as a crucial
first step in breaking down the wall between intelligence gathering and
law enforcement, officials said.  A senior official said two lawyers
from the department's Office of Intelligence Policy and Review in
Washington had already been chosen to work in field offices with FBI
investigators and local prosecutors.  Officials said that the lawyers
were expected to be transferred within weeks to joint terrorism task
forces in New York and Washington and that lawyers should soon be
assigned to other large field offices.  Source:

[return to top]

Government Operations Sector

12.     November 25, Associated Press - Bush signs homeland security
bill.  President Bush signed legislation Monday creating a new
Department of Homeland Security devoted to preventing domestic terror
attacks.  The president picked Tom Ridge as the department's first
secretary.  Bush said he will nominate Navy Secretary Gordon England to
be Ridge's deputy, and Asa Hutchinson, the head of the Drug Enforcement
Administration, to be undersecretary of border and transportation
security.  Source: 

13.     November 25, Government Computer News - Experts advocate
standard public warning system.  The nation needs a sophisticated
national warning system that relies on IT to spread warning messages far
and wide, government and industry public-safety experts said today.  The
Partnership for Public Warning-which includes representatives of IT
companies and agencies such as the Federal Emergency Management Agency,
FBI and Nuclear Regulatory Commission-conducted a workshop to generate
its report entitled "Developing a Unified All-Hazard Public Warning
System."  In its report, the panel called for a single standard protocol
for issuing alerts, notifications and warnings for all types of hazards
so that authorities can communicate emergency-related information
broadly and quickly.  Source:

14.     November 25, Wall Street Journal - War on terrorism provokes
massive Federal R&D move.  Congress recently approved an 18% increase in
military R&D, to $58.8 billion for the current fiscal year - more money,
after accounting for inflation, than the Pentagon ever spent on research
during the Cold War.  Early next year, the National Institutes of Health
is in line for a similar-size boost to around $26 billion, partly to
examine biological-warfare defenses.  In all, the federal government
will likely spend about $115 billion on R&D in the year ending Sept. 30,
far more than Japan and the 15 European Union governments will spend
collectively.  Source:,,SB1038177170693645788,00.html 

15.     November 25, St. Louis Post-Dispatch - 13 nations are added to
immigrant registration program.  The Justice Department will require
male visitors from 13 additional nations to show up for fingerprinting
and questioning at immigration offices nationwide starting Dec. 2.  The
new registration rules were published Friday in the Federal Register.
They will apply to males 16 and older from a number of nations:
Afghanistan, Algeria, Bahrain, Eritrea, Lebanon, Morocco, North Korea,
Oman, Qatar, Somalia, Tunisia, United Arab Emirates and Yemen.  The
rules apply to those who entered the United States on visitor visas
before Sept. 30 and who plan to stay at least through Jan. 10.  Source:

16.     November 22, Government Executive - White House science team
outlines anti-terrorism focus.  The Bush administration's science and
technology policy team has identified five areas related to fighting
terrorism that likely will receive additional investment as the fiscal
2004 budget is developed for release early next year, according to White
House science adviser John Marburger.  The research areas are
information infrastructure development, behavioral and risk management,
terrorist-related crime and networks, public health and crisis response
intervention and socioeconomic intervention, and international policy,
Marburger said in a speech to the Consortium of Social Science
Associations on Monday.  Source: 

[return to top]

Information Technology Sector

17.     November 25, The Washington Post - Homeland Security Bill
heralds IT changes.  Some new language in the homeland security bill
increases penalties for a range of computer crimes.  The bill also
establishes law enforcement and corrections technology centers to
develop investigative technologies to fight cybercrime.  These
cybersecurity components were added the same week that Congress approved
legislation that would triple federal funding for computer security
research.  In addition, the legislation includes a proposal passed by
the Senate this year to establish an information technology equivalent
of the National Guard: the Net Guard.  This measure organizes a
volunteer force of federal, state local and private programmers and
engineers that could be called upon in an emergency to help restore
communications networks and other vital systems.  Source :

[return to top]

Cyber Threats and Vulnerabilities

18.     November 25, CERT/CC - Vulnerability Note VU#740619: SSH Secure
Shell for Servers fails to remove child process from master process
group.  A locally exploitable privilege escalation vulnerability exists
in SSH Secure Shell versions 2.0.13 - 3.2.1.  Secure Shell for Servers,
developed by SSH Communications Security, does not properly remove the
child process from the master process group after non-interactive
command execution.  Quoting from the SSH Communications Security
Advisory: when used in non-interactive connections, a defect in process
grouping of SSH Secure Shell processes may allow malicious activity.  If
executing a command without a pty (including running commands and
subsystems) the child process remains in the process group of the master
process.  On platforms relying on getlogin() (mainly the different BSD
variants) malicious users can at least send misleading messages to
syslog and others applications (getlogin() call will return "root").

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 2 out of 4
Security Focus ThreatCon: 1 out of 4

Last Changed: 25 November 2002  Last Changed: 23 November 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:   WORM_KLEZ.H
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 21(ftp);
1433(ms-sql-s); 139(netbios-ssn); 4662; 25(smtp); 445(microsoft-ds);
53(domain); 8080(webcache)
Source:; Internet Storm Center

[return to top]

General Information

19.     November 24, North County Times (San Diego) - Officials find
more fruit flies.  San Diego, CA agriculture investigators found more
Mexican fruit flies Saturday, and may have found more larvae about a
half-mile from the grove where the insects were found Thursday, county
officials said.  The Mexican fruit fly wreaks havoc on fruit by using it
as a place to reproduce.  Thirty San Diego county agriculture
investigators began placing 500 traps Saturday in a 9-by-9-mile square
area to try to identify the epicenter of the infestations.  "I'm fairly
certain that a quarantine will be coming, but we won't know for several
days where the core area is and we can't draw the quarantine lines until
we know where the center of the infestation is," said San Diego
Agriculture Commissioner Kathleen Thuner.  The Farm Bureau of San Diego
County estimates that up to $75 million in crops are at risk in an area
where as many as 1,000 growers have ranches.  In 1999, a similar
outbreak in Fallbrook, California resulted in a 72-square-mile
quarantine area that lasted eight months and cost avocado and citrus
growers an estimated $3.5 million.  Source: 

20.     November 23, New York Times - U.S. says capture of an al-Qaeda
leader may provide clues to thwarting terror attacks.  The officials
said that as the United States continued to interrogate the terrorist
leader, Abd al-Rahim al-Nashiri, electronics specialists were studying a
cellphone's electronic memory and the hard drive of a computer for
information about possible imminent attacks by the terror network in the
Persian Gulf and elsewhere.  Both the cellphone and computer were in
Nashiri's possession when he was captured.  They would not say what
information had been found so far, although they continued to express
optimism that Nashiri would eventually disclose vital information about
al-Qaeda's plans and the whereabouts of the rest of its leaders,
including Osama bin Laden.  Source: 

21.     November 22, General Accounting Office - Homeland security:
CDC's oversight of the select agent program.  The General Accounting
Office (GAO) publicly released its November 22 letter to Secretary of
Health and Human Services, Tommy G. Thompson regarding the Center for
Disease Control and Prevention's (CDC) Select Agent Program.  The Select
Agent Program is responsible for regulating the transfer of 42
biological agents and toxins to limit their distribution to only those
laboratories that have the appropriate safety and security controls for
handling biologic agents.  The GAO has found that the CDC can improve
its management of the Select Agent Program to reduce the likelihood of
unauthorized access to biological agents.  Improvements include
inspection and approval of facilities registering to transfer select
agents, monitoring of the transfer of and shipment of select agents,
accuracy of CDC databases of registered facilities and select agent
transfers, and CDC organizational structure to improve oversight.

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to