National Infrastructure Protection Center
NIPC Daily Open Source Report for 27 November 2002

Daily Overview

.       Internet Security Systems has lowered its AlertCon Internet
threat indicator to Level 1, which warrants routine security.  (See
Internet Alert Dashboard)

.       CERT announces Advisory CA-2002-34: Buffer Overflow in Solaris X
Window Font Service, which could allow an attacker to execute arbitrary
code or cause a denial of service.  (See item 11) 

.       According to ZDNet News, an Internet attack flooded domain name
manager UltraDNS with a deluge of data late last week, causing
administrators to scramble to keep up and running the servers that host
.info and other domains.  (See item 12)

.       According to the Toronto Star, the outbreak of a highly
infectious virus, believed to be the Norwalk virus, has shut down a
Toronto hospital's emergency room.  (See item 14)

.       Reuters reports the Philippine government said Tuesday it has
banned imports of ammonium nitrate, and will phase out its use by
farmers within six months, since the widely available fertilizer is
being used by militants to make bombs.  (See item 13)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

1.      November 26, Associated Press - Electric cable damage worse than
thought.  Utility officials say damage done to underwater power cables
in Long Island Sound is worse than first thought.  Divers working over
the weekend discovered that two more underwater power cables had been
severed when a drifting barge dragged its anchor across them.  Utility
and environmental officials also said an oil-like sheen has been sighted
on the water near the site where the cables have been leaking insulating
fluid.  The Long Island Power Authority shares ownership of the cable
with Northeast Utilities (NU).  NU spokesman Frank Poirot said all seven
cables had been severed during a similar December 1996 incident in which
a barge dragged its anchor across the conduits.  The repairs in that
incident, which Poirot said cost millions of dollars, took almost a year
to complete.  Source:,0,7793125.stor

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

Nothing to report

[return to top]

Transportation Sector

2.      November 26, U. S. Department of State - President Bush signs
port security bill into law.  President Bush signed into law November 25
a bill aimed at improving security at U.S. seaports and preventing
terrorists from using the maritime transportation system to mount
attacks on the United States.  The "Maritime Transportation Security
Act" will strengthen security through the required development of
security plans for ports and an improved identification and screening
system of port personnel, President Bush said in a prepared statement.

3.      November 25, Port of Los Angeles - Los Angeles mayor signs
landmark port security agreement.  On Tuesday, the last day of his Asian
tourism and trade mission, Los Angeles Mayor Jim Hahn signed a major
agreement to initiate a Port of Los Angeles international container
security program.  "This agreement will elevate security standards for
containers moving between Hong Kong and Los Angeles," said Mayor Hahn.
Mayor Hahn signed a Memorandum of Understanding (MOU) with Modern
Terminals Limited Managing Director Erik Bogh Christensen to test new
security enhancements - including tamper-proof locks and other security
systems - for Port of Los Angeles-bound cargo before leaving for the
United States.  The agreement with Modern Terminals is significant
because Hong Kong is the largest port in the world and is the largest
point of embarkation for goods being shipped to Los Angeles, the busiest
port in the U.S.  Approximately one-third of the Hong Kong cargo bound
for Los Angeles is processed by Modern Terminals.  The pilot project
will be partially funded by a congressional appropriation through the
U.S. Department of Transportation under the "Operation Safe Commerce"
program.  Source: 

4.      November 23, Scripps Howard News Service - DOT says 'hazmat'
cargo label may draw terrorists.  Concerned that terrorists might use
hazardous-materials warning signs as readily as emergency workers,
federal officials are looking for more secure ways of identifying what's
on trucks and trains.  But firefighters and other rescue workers are
sharply opposed to removing the brightly colored diamond-shaped placards
required for containers hauling everything from explosives and
radioactive materials to corrosives and poisons.  Ever since 9/11,
federal officials have urged companies transporting hazardous materials
to be more vigilant, most recently focusing on threats to railroads.
Railroad officials were among the first to suggest last year that
terrorists might use the signs and widely available guidebooks that go
with them to assist in target selection.  "We understand the security
concerns, but we're very wary of taking this established tool away from
emergency responders for something new that everyone in the field may
not fully understand or have the equipment to use," said Craig Sharmin,
director of government relations for the National Volunteer Fire
Council. The U.S. Transportation Department, after meeting with industry
officials about placards and other "hazmat" rules that might affect
security, requested that its research center in Cambridge, Mass., study
alternatives to placards.  Source: 

5.      November 22, General Accounting Office - Aviation security:
registered traveler program policy and implementation issues.  On
Friday, November 22, the General Accounting Office (GAO) released a
report on the policy and implementation issues related to the registered
traveler program.  The aviation industry and business traveler groups
have proposed the registered traveler concept as a way to reduce long
waits in airport security lines caused by heightened security screening
measures implemented after the September 11 attacks.  Under a variety of
approaches related to the registered traveler program concept,
individuals who voluntarily provide personal background information and
who clear background checks would be enrolled as registered travelers.
Because these individuals would have been pre-screened through the
program enrollment process, they would be entitled to expedited security
screening procedures at the airport.  Through a detailed literature
review and interviews with stakeholders, GAO found support for this
program, but also found concerns that such a program could create new
aviation security vulnerabilities.  Source: 

[return to top]

Gas and Oil Sector

6.      November 26, Dow Jones Newswires - Venezuela's Fedecamaras: 80%
of oil workers will strike.  The president of Venezuela's business
chamber umbrella organization, Fedecamaras, said on Tuesday that 80% of
workers in the country's critical oil sector will heed the call to
strike beginning Dec. 2.  Workers at the country's state-run oil
company, Petroleos de Venezuela SA, or PdVSA, will be allowed to make
individual decisions about striking, local daily El Universal reported
Tuesday.  Meanwhile, also speaking on television, Oil Minister Rafael
Ramirez said the strike will not affect operations because the strike
"doesn't represent the will of the majority of oil workers who are
committed to maintaining and strengthening the industry."  Venezuela
depends on oil for about 75% of exports, half of government income and a
third of gross domestic product.  Oil workers bringing production and
shipping to a standstill was seen as the main catalyst for President
Hugo Chavez's brief ouster in April.  Source:

[return to top]

Telecommunications Sector

Nothing to report.

[return to top]

Food Sector

Nothing to report.

[return to top]

Water Sector

7.      November 26, NBC4 (Amarillo, TX) - Texline water tests positive
for E. coli.  Texline, TX officials have warned residents of a possible
E. coli outbreak that threatens their water supply.  City officials
learned about the possible outbreak Monday when workers building a new
water tank found that a water sample was contaminated with E. coli.
Officials then did random sample tests throughout the city and nearly
half of those tested positive for the bacteria.  City officials do not
know if the entire city is contaminated, but they have been flushing out
the water system with chlorine just to be sure.  Texas state health
inspectors will conduct their own tests in the city.  If state samples
come back positive, drinking supplies will be put on an "unsafe" status
indefinitely until the bacteria is completely flushed out.  Source: 

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency Law Enforcement Sector

8.      November 26, Federal Computer Week - FEMA launches  The Federal Emergency Management Agency on Nov. 25
launched a pilot version of its new web portal -, a
one-stop portal for emergency preparedness and response information.
The portal will support more than 4 million members of the first
responder community - firefighters, police officers and emergency
medical technicians - pulling together several systems, simplifying
services and eliminating duplication in the process.  Source: 

[return to top]

Government Operations Sector

Nothing to report.

[return to top]

Information Technology Sector

9.      November 26, Federal Computer Week - AKO offers secure portal
lessons.  In developing its own secure portal, the Air Force might be
able to take some lessons learned from the Army Knowledge Online (AKO)
portal, which has more than 1 million accounts, including about 6,000
with Secret Internet Protocol Router Network (SIPRNET) access, said
Robert Coxe, the Army's former chief technology officer who managed AKO.
The Air Force is in the initial phases of developing a secure portal
that will provide air operations centers with access to the data they
need to make critical warfighting decisions.  Such information currently
is maintained in disparate systems.  The system will provide the air
operations centers with point-and-click access to an integrated set of
secure information and will run on the Defense Department's Secret
Internet Protocol Router Network.  Lt. Gen. Leslie Kenne, deputy chief
of staff for warfighting integration at Air Force headquarters, said the
Air Force SIPRNET Portal is being tested as a way to eliminate the
"disconnect between the force and the unit level" and will enable users
to simply access the information they want and need to conduct air
operations.  Source.

10.     November 25, ComputerWorld - DARPA establishes new information
gathering and analysis office.  The Defense Advanced Research Projects
Agency (DARPA) has established a new Information Awareness Office (IAO)
to develop technology for information gathering and analysis on a huge
scale.  The IAO aims to foster the development of information systems to
"counter asymmetric threats by achieving total information awareness
useful for preemption, national security warning and national security
decision-making," according to the DARPA Web site.  The threat "is
characterized by collections of people loosely organized in shadowy
networks that are difficult to identify and define," DARPA says.  The
IAO plans to develop technology that will allow understanding of the
intent of these networks, their plans and potentially define
opportunities for disrupting or eliminating the threats.  The program
has already demonstrated the feasibility of extracting relationships
from text.  In the coming year, DARPA plans to expand that capability to
include Web pages, financial transactions, communications, travel
records and the like.   DARPA Web site:

[return to top]

Cyber Threats and Vulnerabilities

11.     November 25, CERT/CC - Advisory CA-2002-34: buffer overflow in
Solaris X window font service.  The Solaris X Window Font Service (XFS)
daemon ( contains a remotely exploitable buffer overflow
vulnerability that could allow an attacker to execute arbitrary code or
cause a denial of service.  Exploitation of this vulnerability can lead
to arbitrary code execution on a vulnerable Solaris system.  This
vulnerability was discovered by ISS X-Force.  A remote attacker can
execute arbitrary code with the privileges of the daemon
(typically nobody) or cause a denial of service by crashing the service.

12.     November 25, ZDNet News - Attack targets .info domain system -
UltraDNS.  An Internet attack flooded domain name manager UltraDNS with
a deluge of data late last week, causing administrators to scramble to
keep up and running the servers that host .info and other domains.  The
assault sent nearly 2 million requests per second to each device
connecting the network to the Internet--many times greater than
normal--during the four hours of peak activity that hit the company
early Thursday morning, said Ben Petro, CEO of UltraDNS.  "This is the
largest attack that we've seen," Petro said.  He stressed that it didn't
affect the company's core domain name system (DNS) services, but
administrators had to work fast to get the attack blocked by the
backbone Internet companies from which UltraDNS gets its connectivity.
The attack came almost exactly a month after a similar attack targeted
the DNS root servers, the databases that hold the critical information
computers need to maintain top-level domains.  Such domains act as the
white pages of the Internet, matching domain names - such as - with numerical Internet addresses.  Source.

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 1 out of 4
Security Focus ThreatCon: 1 out of 4

Last Changed:  26 November 2002 Last Changed: 23 November 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:  WORM_KLEZ.H
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 21(ftp);
1433(ms-sql-s); 139(netbios-ssn); 4662; 25(smtp); 445(microsoft-ds);
53(domain); 8080(webcache)
Source:; Internet Storm Center

[return to top]

General Information

13.     November 26, Reuters - Philippine government bans fertilizer
that can be used for making bombs.  The Philippine government said
Tuesday it has banned imports of ammonium nitrate, and will phase out
its use by farmers within six months, since the widely available
fertilizer is being used by militants to make bombs.  Police reports
indicate that bombs that killed about a dozen people in the Philippine
city of Zamboanga last month were partly made of ammonium nitrate.  The
fertilizer may have been used in last month's bombing that killed more
than 180 people on the Indonesian resort island of Bali, and was an
ingredient in the 1995 Oklahoma City bombing that killed 168 people.
"We have decided to impose an import ban on this chemical for the sake
of national security," Agriculture Secretary Leonardo Montemayor told
reporters.  Ammonium nitrate is often used by farmers as a soil nutrient
and an inducer of mango flowers.  The Philippines is a major exporter of
mangoes and related products.  Source:;jsessionid=B3VZFLW53RYHQCRBAE0C

14.     November 26, Toronto Star (Canada) - Virus closes Sunnybrook
emergency room in Toronto, Canada.  The outbreak of a highly infectious
virus has shut down Toronto's Sunnybrook hospital's emergency room.  So
far, 41 people - 28 hospital staff and 13 patients - have contracted
what is believed to be the Norwalk virus.  Ambulances are being
redirected to other hospitals and patients wanting to walk in to the ER
are being asked to head to another care center.  While the virus and its
origin have yet to be identified, Dr. Mary Vearncombe, the hospital
epidemiologist who is leading the containment of the outbreak, says all
signs are pointing to Norwalk.  Results confirming the diagnosis are
expected today.  This is not the only Norwalk-like virus outbreak in
Toronto, said Dr. Allison McGeer, director of infection control for
Mount Sinai Hospital.  "There are a number of other outbreaks around the
city, in long-term-care facilities," she said.  Sunnybrook is managing
to keep its trauma-care centre open, said hospital spokesperson Craig
DuHamel. Patients in high need, such as those who've been in a car
accident or suffered serious personal injury, are being admitted
directly to the critical-care ward.  Source:

15.     November 26, Associated Press - France arrests six in shoe bomb
probe.  The six suspects, Algerians and Pakistanis, were taken into
custody in a suburban Paris roundup of alleged associates of "shoe
bomber" Richard Reid, officials said, speaking on condition of
anonymity.  The officials did not say what role the militants, who were
not identified by name, allegedly played in the bomb plot.  The move
against Reid's alleged associates is part of a string of
terrorism-related arrests in recent days in France, as fears are rising
of a potential terrorist strike in Europe.  Source: 

16.     November 26, Associated Press - Report: al-Qaeda operative in
Africa killed by Algerian military.  An Islamic militant killed by
Algerian security forces in a raid more than two months ago has been
identified as a man Washington considers to be a top al-Qaeda operative
in Africa, Algeria's official news agency reported Monday.  Emad
Abdelwahid Ahmed Alwan, sometimes known as Abu Mohammed, was shot and
killed in a Sept. 12 raid in the eastern Batna region, about 270 miles
east of the capital, Algiers, the official APS news agency reported.
Ahmed Alwan, a 37-year-old native of Yemen, was identified after a
two-month investigation by government experts, the report said.  He was
a leader of Osama bin Laden's al-Qaeda terrorist network for northern
and western Africa, it said.  Source:

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to