National Infrastructure Protection Center
NIPC Daily Open Source Report for 9 Dec 2002

Daily Overview

.       The National Infrastructure Protection Center has released
Information Bulletin 01-011: "Software Firm Investigation Serves as a
General Information Security Reminder." (See item 2)

.       CERT has released Vulnerability Note VU#865833 - "Microsoft
Windows Remote Desktop Protocol (RDP) Uses Weak Algorithm for Encrypting
Packets." (see item 17)

.       The Sun-Sentinel reports that in response to the recent aircraft
near-disaster in Kenya, the Fort Lauderdale airport, like many other
airports nationwide, has restricted public viewing areas near taxiways
and runways.  (See item 4)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

1.      December 8, Associated Press - Report: nuclear plant owner finds
flaws.  Security guards at the Indian Point nuclear plant outside of New
York City do not believe they could protect the plant from an attack,
and said there was no encouragement to raise security concerns, a
published report said Sunday.  Only 19 percent of the security officers
stated that they could adequately defend the plant after the terrorist
event of Sept. 11," said a report conducted for the plant's owner and
obtained by The New York Times.  The 33-page report also said 59 percent
of the guards described a "chilled environment" for raising security
concerns, and that 12 percent said they had suffered retaliation for
doing so.  Entergy Nuclear Northeast, the company that owns Indian
Point's two active reactors, commissioned the report in November 2001 in
response to complaints by guards made both before and after the Sept. 11
terrorists attacks.  An Entergy spokesman told The Times many of the
security concerns had been resolved since the report was completed last
January.  Source:

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

2.      December 6, NIPC - NIPC Information Bulletin 01-011.  The
National Infrastructure Protection Center has released Information
Bulletin 01-011: "Software Firm Investigation Serves as a General
Information Security Reminder."  The U.S. Attorney's Office announced
today that it searched the Massachusetts offices of Ptech Inc. in
connection with allegations relating to an ongoing financial crime
investigation.  Ptech software is used by a customer base that includes
financial services and government market segments.  In this specific
regard, two things are worth noting.  First, the U.S. Attorney's
announcement in no way alleges that Ptech's products present any
security threat.  Second, based upon information available to it, the
NIPC is not aware of any information or indication that Ptech software
contains viruses, malicious codes, or otherwise performs in an anomalous
fashion.  The NIPC is taking this opportunity to remind the public that
sophisticated cyberattack capabilities can be extremely difficult to
detect and that nothing can guarantee the complete safety of any
software.  Source:

3.      December 3, Department of the Treasury - Treasury Department
Announces Interim Guidance On Terrorism Insurance for Insurance
Industry.  The interim guidance covers several mandates of the new
terrorism insurance law, including policyholder disclosure requirements
and the requirement that insurance companies make coverage for terrorism
risk, as defined by the Act, available to their policyholders.  The
interim guidance released today follows the National Association of
Insurance Commissioners' (NAIC) release of model disclosure forms last
week.  Treasury interim guidance states that use of the NAIC's model
disclosures constitutes compliance with the Act's disclosure
requirements while noting that the model disclosures are not the
exclusive means by which insurers may comply with the Act.  Source:  Interim Guidance: 

[return to top]

Transportation Sector

4.      December 6, Sun-Sentinel - Terrorism alert closes viewing park
at Lauderdale airport.  A small park on the west side of Fort
Lauderdale-Hollywood, Florida International Airport formerly frequented
by aviation buffs, photographers, and people who enjoy watching
airplanes has been closed after the terrorists' attempt to shoot down an
Israeli airliner with shoulder-launched missiles in Kenya.  In direct
response to that near disaster on Thanksgiving Day, the Fort Lauderdale
airport closed its popular aircraft viewing area, which is a located
very near the main runway.  Fort Lauderdale's is one of many airports
nationwide to restrict areas near taxiways and runways, either
temporarily or permanently, because of the coordinated two-pronged
terrorist attacks in Kenya.  Source:,0

5.      December 6, Associated Press - Vehicle inspections at entry
gates proposed by DFW.  A plan at Dallas-Fort Worth, Texas International
Airport to reclaim parking spaces lost amid tightened security would
involve vehicle inspections at entry gates.  Under the proposal, a
non-intrusive vehicle inspection of every vehicle entering the airport
would be conducted at the plazas, said Jim Crites, the airport's
executive vice president of operations.  It's part of a plan to boost
revenues and put nearly 3,000 near-terminal parking spaces back in
service while keeping security intact in the wake of last year's
terrorist attacks.  Airport officials want to reopen 2,900 short-term
parking spaces that were closed to limit potential threats to terminal
buildings.  The spaces are on top of terminal parking garages.  Keeping
the spaces off limits is costing the airport about $9 million a year in
parking revenue, contributing to an expected $6.7 million shortfall in
budgeted parking revenues in fiscal 2003, Mr. Crites said.  The
Transportation Security Administration has given some airports waivers
allowing them to reopen terminal spaces once airport officials proved
that any terminal within 300 feet of parking could sustain an explosion
of an undisclosed magnitude.  Source: 

6.      December 6, Associated Press - One dies as plane hits Miami
bank.  A small plane crashed into the Federal Reserve Bank Building in
Miami, Florida during a holiday party Thursday night, killing the pilot,
the authorities said.  No one inside the building was injured.  A
Federal Aviation Administration spokeswoman said it appeared to be an
accident.  More than 100 people, including the bank's current and former
directors, were in the one-story building when the aircraft slammed into
the northeast side, exploded and burst into flames.  The bank building
is just north of the United States Southern Command, which oversees
American military activities in 32 nations and 12 dependencies in Latin
America and the Caribbean.  Source:

7.      December 6, Daily Press - Truck-lockup plan in the works.  The
federal government plans to adopt a rule requiring the locking of all
trucks on the road, a requirement that could have a far-reaching effect
on the trucking and freight-delivery industry.  The Transportation
Security Administration said it wanted the rule because it was worried
about terrorists secretly accessing unlocked trucks to hide
remote-controlled bombs or other weapons aimed at cities or
strategically sensitive locations.  "Every truck that's on the road in
the United States should be kept locked, and I'm steadfast in my
commitment to getting that to happen," said George Rodriguez, director
of cargo security for the maritime- and land-security division of the
TSA.  Federal officials said that now, only 20 percent to 30 percent of
truck trailers and cargo areas were locked consistently.  Under the
proposed change, trucking and shipping companies would be required to
install locks on their trailers and storage areas.  Drivers and trucking
companies would be ticketed and face federal fines for not having or
using the locks, Rodriguez said Thursday.  Source:,0,21692.story?

[return to top]

Gas and Oil Sector

8.      December 6, Associated Press - Venezuela's oil exports stopped
and protesters faced off in the streets Friday.  As political violence
loomed, President Hugo Chavez's government said it was ready to restart
talks with the opposition on new elections.  Captains anchored tankers
offshore, tugs stopped guiding ships from Venezuela's oil-rich Lake
Maracaibo and dock crews stopped loading oil and natural gas.
Operations at several refineries were shutting down in a process that
takes several days.  Since it no longer could fill orders, Venezuela's
state oil monopoly freed buyers and sellers from fulfilling their
contracts, said Jorge Kamkoff, a company vice president.  Crude oil
futures at the New York Mercantile Exchange rose as Venezuela's crisis
deepened.  Source: 

9.      December 5, Reuters - Canada's energy regulator said on Thursday
it had approved a C$190 million ($122 million) expansion of the pipeline
that ships natural gas to the U.S. Northeast from Nova Scotia, but
suspended the go-ahead date because the new gas volumes are still
uncertain.  Maritimes & Northeast Pipeline applied to the National
Energy Board for a 400 million cubic feet a day expansion after striking
a deal with EnCana Corp. to accommodate volumes from its proposed Deep
Panuke development off the Nova Scotia coast.  EnCana, North America's
top independent oil explorer and producer, said last month it no longer
believed the C$1.1 billion project will start up by the 2005 target
date, blaming regulatory delays.  The NEB said it did not give an
immediate green light because EnCana, in its deal with the pipeline, has
the right to cut the expected contract volume by as much as 200 million
cubic feet a day until July.  Source:

[return to top]

Telecommunications Sector

10.     December 6, AT&T - Advisory: bogus email message sent to AT&T
customers.  AT&T released a notice stating that it has become aware of a
fraudulent email scam involving a bogus email message sent to AT&T
customers.  The notice states that "the email address includes
"," and the email message itself states that AT&T needs
certain information from customers in order to verify billing records.
This message is unauthorized and should be disregarded.  The requested
information includes items such as social security number, credit card
numbers, birth dates, mother's maiden name (a key password verification
question) and "driver's licence" (spelled incorrectly).  AT&T Security
has traced the fraudulent messages to an international email address
known for this type of fraud, and has shut it down.  However, customers
should be aware that the bogus operation could resurface elsewhere.  If
any AT&T customer receives an email message that has "" in
the address and requests verification of billing data, they should not
respond with any information whatsoever.  Instead, they should forward
the fraudulent email message to AT&T Security at [EMAIL PROTECTED]  AT&T
has notified the proper authorities and they are in the process of
investigating."  Source:,1847,11147,00.html

11.     December 5, ZDNet News - Wireless digs hole in homeland
security.  Security needs to become a priority for users and makers of
wireless networking equipment in order to stop insecure connections from
being used to attack federal and corporate systems, network experts said
Wednesday.  Speaking at the 802.11 Planet Conference, security
professionals pointed to a lack of focus on hardening the wireless
infrastructure as a flaw in government discussions about protecting the
nation's critical infrastructure.  In July, President's Bush's special
adviser on cybersecurity, Richard Clarke, told security experts that
users and makers of wireless equipment were among the five top groups
responsible for the Internet's insecurity.  Source.

[return to top]

Food Sector

12.     December 5, United Press International - Pork sausage recalled.
Crofton & Sons Inc. of Tampa, Fla., on Thursday, recalled 8,600 pounds
of ready-to-eat, fresh and frozen pork sausage products because of
possible contamination with Listeria monocytogenes.  The recall was
initiated after a sample taken by the Florida Department of Agriculture
& Consumer Services tested positive for listeria.  The USDA's Food
Safety and Inspection Service said they have received no reports of
illness associated with the product.  Source: 

13.     December 4, Amarillo Globe-News (Amarillo, Texas) - Preparation
for terror strikes under way.  Konrad Eugster, retired executive
director of the Texas Veterinary Medical Diagnostic Laboratory System,
said at the Amarillo Farm & Ranch Show that the threat is real from
rogue nations and terrorist groups for the possible introduction of
diseases such as foot and mouth.  "Terrorists won't place the virus on
one farm.  Within a 24-hour period, we could have outbreaks all over the
country," Eugster said.  Texas A&M University' s Institute for
Countermeasures Against Agricultural Bioterrorism will be used to
organize all current anti-bioterrorism activities in agriculture and
better position total resources for addressing the problems.  The
Institute's researchers are working on plant and animal breeding
programs for genetic resistance, working toward a better understanding
of the diseases and creating better vaccines, and creating a systems
approach to prevention and management of disease, Eugster said.
Eugster, also, discussed a number of counter measures that are coming
online, including air testing ports that measure air from individuals
for foreign animal diseases; hand-held rapid disease detection devices;
hand-held computer devices to assess risk on individual farms; and new
foot and mouth vaccines.  Source: 

[return to top]

Water Sector

Nothing to report.

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency Law Enforcement Sector

14.     December 4, Federal Emergency Management Agency - Multi-hazard
mapping site a big success, FEMA Says.  Little more than six months
after it was introduced, a website designed to give the public access to
a nationwide coverage of digitally available multi-hazard maps and
supporting data from federal, state and local sources is operating at an
annual rate of more than 800,000 hits and 225,000 unique visitors,
according to officials of FEMA.  The maps can be viewed with a typical
web browser.  The user can view maps by hazard theme or create a custom
view showing areas of hazard overlap.  In addition, FEMA says, more
sophisticated users such as state or local government technicians can
download Geographic Information Systems (GIS) files--an important tool
in land-use planning, hazard mitigation, and disaster preparedness and
response--and upload their own hazard map data.  Source:  Map Site: 

[Return to top]

Government Operations Sector

15.     December 5, Government Executive - Law allows contractors to
help guard military bases.  The Defense Department can use contractors
to guard military bases in limited cases under the 2003 Defense
Authorization Act signed Monday by President Bush.  Section 332 of the
law allows military installations to hire contract security guards to
meet new base security requirements prompted by the Sept. 11 terrorist
attacks.  The provision amends an existing statute (Section 2465 of
Title 10 of the U.S. Code), which prohibits Defense from using
contractors as security guards or firefighters. Source: 

16.     December 4, National League of Cities - Homeland Security duties
will mean service cuts.  More than half of large cities say providing
homeland security has made it harder to perform their normal public
safety responsibilities, according to a new survey of 221 cities by the
National League of Cities  (NLC).  Among all cities, 24 percent said
re-deploying public safety personnel or shifting funds for homeland
security has made it harder to meet normal public safety
responsibilities. Among larger cities (100,000-plus in population), 51
percent reported the shifts had hurt their ability to perform normal
public safety duties.  Thirty-six percent of all cities and 65 percent
of larger cities reported re-deploying personnel or shifting funds.

[return to top]

Information Technology Sector

Nothing to report.

[return to top]

Cyber Threats and Vulnerabilities

17.     December 6, CERT/CC - Vulnerability Note VU#865833 - Microsoft
Windows remote desktop protocol (RDP) uses weak algorithm for encrypting
packets.  RDP is based on, and is an extension of, the T.120 protocol
family standards. It is a multichannel-capable protocol that allows for
separate virtual channels for carrying device communication and
presentation data from the server, as well as encrypted client mouse and
keyboard data.  Microsoft's implementation of RDP does not encrypt the
checksums of the session data.  Therefore, a determined attacker could
apply cryptanalytic techniques to recover encrypted session traffic.
Note that Microsoft has listed the following mitigating factors: An
attacker would need the ability to capture an RDP session in order to
exploit this vulnerability.  In most cases, this would require that the
attacker have physical access to the network media.  Because encryption
keys are negotiated on a per-session basis, a successful attack would
allow an attacker to decrypt only a single session and not multiple
sessions.  Thus, the attacker would need to conduct a separate
cryptanalytic attack against each session he or she wished to
compromise.  Source.

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 1 out of 4
Security Focus ThreatCon: 1 out of 4

Last Changed:  26 November 2002 Last Changed: 23 November 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:   PE FUNLOVE.4099
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 1433(ms-sql-s);
21(ftp); 25(smtp); 4662; 139(netbios-ssn); 445(microsoft-ds);
53(domain); 27374 (asp) 
Source:; Internet Storm Center

[return to top]

General Information

18.     December 6, Associated Press - Guidelines Aim to Tighten Lab
Security.  Scientific labs now have detailed guidelines about how to
protect dangerous pathogens as federal officials work to pump up
regulation.  Recommendations issued Thursday are the most detailed ever
produced by the Centers for Disease Control and Prevention.  Among them:
monitor areas where pathogens are stored, keep specimens locked up, and
confine access to those authorized to work with these agents.  Next
week, the CDC will publish regulations requiring tighter security at
labs that handle select agents, 42 pathogens and toxins that pose the
greatest dangers to the public's health.  The new rules will require
every lab that possesses a select agent to register with the CDC or the
Agriculture Department and undergo an inspection.  The rules will also
require background checks for people who work with select agents and
require all labs to develop a biosecurity plan.  Source: 

19.     December 5, Popular Science - Radioactive patients set off
subway alarms.  Americans undergoing radioactive medical treatments risk
setting off anti-terrorism sensors in public places, and subsequent
strip searches by police, warn doctors at the Albert Einstein College of
Medicine in New York. A 34-year-old patient who had been treated with
radioactive iodine for Graves disease, a thyroid disorder, returned to
their clinic three weeks later complaining he had been strip-searched
twice in Manhattan subway stations. Christopher Buettner and Martin
Surks report the case in a letter to the Journal of the American Medical
Association.  "Police had identified him as emitting radiation and had
detained him for further questioning."  Buettner and Surks contacted the
Terrorism Task Force of the New York City Police Department to determine
how to prevent other patients being detained.  A letter describing the
isotope used and its dose, its biological half-life and the date and
time of treatment, plus a 24-hour contact telephone number for the
patient's physician should help, the police said.  But even in the
best-case scenario, a patient will have to wait while the contents of
the letter are verified, say the doctors. "They may choose not to use
public transportation to avoid this inconvenience," they write.  Source: 

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to