National Infrastructure Protection Center
NIPC Daily Open Source Report for 12 December 2002

Daily Overview

.       The Wichita Business Journal reports SC Telecom is working on
fixing the remaining internal problems in its system after overseas
hackers (from Asia and the Middle East) broke into it.  (See item 8)

.       Reuters reports cyber crooks, trying to steal credit card
information from online auction house eBay Inc.'s 55 million users, set
up a fake Web site that mimicked the firm.  (See item 5)

.       CERT has announced Vulnerability Note VU#810921 - "Cobalt RaQ4
contains vulnerability allowing remote root compromise."  (See item 14)

.       CERT has announced Vulnerability Note VU#210409 - "Multiple FTP
clients contain directory traversal vulnerabilities."  (see item 15)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

1.      December 11, The Japan Times online - Tepco may shut down all
its nuclear reactors.  All of the 17 nuclear reactors run by Tokyo
Electric Power Co. (Tepco), the nation's largest utility, may have to be
shut down temporarily next spring.  In addition to shutdowns for regular
checkups, Tepco needs to carry out unscheduled inspections at some
facilities following revelations it falsified reports on nuclear reactor
defects.  Tepco had planned to keep the No. 2 and No. 6 reactors running
at the Fukushima No. 1 power station, but the company recently told the
Fukushima Prefectural Government it intends to shut them down sometime
between late March and early April in response to the prefecture's call
for thorough inspections, a company official said.  But the possibility
of all reactors simultaneously being down cannot be ruled out, the
official said.  Power supply "will be in an extremely severe situation,
but we are considering (the shutdowns) because we believe our primary
task is to restore confidence," another Tepco official said.  In late
August, it was revealed Tepco had falsified safety reports and covered
up defects found during safety checks carried out in the 1980s and 1990s
at the Fukushima No. 1 and No. 2 nuclear power stations, and at the
Kashiwazaki-Kariwa Nuclear Power Station in Niigata Prefecture.  In a
related development, the House of Councilors passed two nuclear reactor
regulation bills into law Thursday, aiming to prevent reactor-facility
defects from being covered up by plant operators.  The laws have revised
the Electric Utility Law and the Nuclear Reactor Regulation Law.  They
place company inspections in the framework of law and toughen
punishments for violators.  Source: 

2.      December 10, Chattanooga Times/Free Press - Tennessee Valley
Authority's nuclear power program makes turnaround.  Tennessee Valley
Authority's nuclear power program, rated as one of the industry's most
troubled in the 1980's, has since become one of the best performing
businesses in the state, as statewide quality group announced Monday.
"TVA now has the safest and most efficient plants in the country," said
Marie B. Williams, president of the Tennessee Quality Award group.
"With nuclear power, safety is obviously the most critical.  But TVA has
also managed to deliver more reliable power at less cost from its
nuclear plants," she said.  TVA had a different reputation in the past -
in 1985, TVA idled all five of its operating nuclear reactors when it
was unable to meet tougher federal safety standards adopted after the
1979 accident at the Three Mile Island plant in Pennsylvania.  It took
seven years before TVA could restart its oldest nuclear plant, at Browns
Ferry in Alabama.  TVA now operates five nuclear reactors at Browns
Ferry, Sequoyah and Watts Bar.  Nuclear power supplies nearly one fifth
of TVA's electricity.  Source:

3.      December 11, PRNewswire - Dominion Virginia Power line crews
Wednesday battled the season's second ice storm in a week, this time in
the Shenandoah Valley and Northern Virginia.  As of 4:30 p.m. Wednesday,
the storm had affected a total of about 99,000 customers and power had
been restored to all but 36,000. The company expects it may be late
Friday before all customers have their lights back on.  Staunton,
Harrisonburg, Leesburg, Herndon and Fairfax were the areas most affected
by the freezing rain and ice. Outages in Northern Virginia were expected
to increase into Wednesday night.  In anticipation of the storm, the
company staged additional line crews, contractors and tree trimmers in
the areas where the storm was projected to do the most damage. Dominion
also recalled employees that had been sent to help North Carolina
utilities recover from the freezing rainstorm that struck last week.
Dominion reminds customers to stay away from downed power lines. All
downed power lines should be considered energized and dangerous. If
customers see a downed power line or need to report an outage, call
Dominion's Customer Service Center, toll-free, at 1-888-667-3000.
Dominion has a diversified and integrated energy portfolio consisting of
about 24,000 megawatts of generation. Dominion also serves more than 3.8
million franchise natural gas and electric customers in five states.

4.      December 11, Reuters - Duke Power said 127,000 homes and
businesses remained without power in North and South Carolina as of
Wednesday morning, almost a week after a deadly ice and snow storm
damaged power lines. Duke Power, a subsidiary of Duke Energy Corp. ,
said in a statement it expected to have 100 percent restoration by
midnight Saturday. At its peak, the storm knocked out electricity to 1.3
million Duke Power customers early Thursday, Dec. 5 in what the company
has called the worst weather-related damage in its history. The storm
dumped snow and ice from Texas through the Carolinas and up into New
England, and was blamed for over 20 deaths, primarily from automobile
accidents. Duke Power provides over 2 million customers in North and
South Carolina with electricity. Source:

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

5.      December 11, Reuters - Internet watchdog warns of fake eBay web
site.  Fraudsters trying to steal credit card information from online
auction house eBay Inc.'s 55 million users appear to have set up a fake
Web site that mimicked the firm, a private Internet watchdog said on
Wednesday.  The scam involved e-mails that asked recipients to log on to
a Florida-based Web site,, and re-enter financial data
for eBay, said Dean White, the Asia-Pacific coordinator of a U.S. group,
SANS Institute Internet Storm Center.  The scam e-mail, provided to
Reuters by White, is headed "Ebay (sic) billing error" and begins: "Dear
Ebay Member, We at Ebay are sorry to inform you that we are having
problems with the billing information of your account." White said the
mail, aimed at eBay's registered customers but possibly mass-mailed to
other Internet users, began appearing on December 6.  Source: 

[return to top]

Transportation Sector

6.      December 11, Associated Press - 25 Chicago airport workers
arrested.  Twenty-five Chicago airport workers have been charged with
criminal violations and the security clearances of 553 others have been
canceled in a crackdown on employees using fake IDs, officials announced
Tuesday.  Those arrested include ramp agents, truck drivers, members of
cleaning crews, a baggage handler, an airline cabin service attendant
and a number of food service workers at O'Hare International and Midway
airports.  Six of those arrested were charged with making false
statements about previous criminal records - four for drug offenses, one
for burglary and another for robbery, federal officials said.  Sixteen
were charged with using bogus Social Security numbers and three with
re-entering the country after they had been deported.  The arrests and
canceling of security clearances were part of a nationwide sweep dubbed
Operation Tarmac designed to shore up airport security in the wake of
the Sept. 11 attacks.  Source: 

[return to top]

Gas and Oil Sector

7.      December 11, Reuters - Venezuela loads oil tanker but most
vessels wait.  Venezuela began loading on Wednesday its first crude oil
cargo in several days, but there were no clear signs that a strike by
foes of President Hugo Chavez would end, oil industry sources said.  The
loading seems to be an isolated event and did not mark a significant
break in the week-long halt to crude and products shipments from the
world's No. 5 oil exporter, they said.  Shippers said more than 40
vessels remained off the country's oil ports without berthing
instructions.  "It's going to be slow, but they are going to move some
of the ships.  They are trying to move the ships for Citgo, our
affiliate," PDVSA board member Jorge Kamkoff told Reuters.  Citgo is the
international refining and marketing arm of PDVSA.  Source:

[return to top]

Telecommunications Sector

8.      December 10, Wichita Business Journal - SC Telcom hit by
international hackers.  SC Telecom in Wichita Kansas is working on the
remaining internal problems in its system after hackers broke into it.
Janice Fairbairn, director of business development for the company says
any problems for customers have been cleared up.  "By Monday (Dec. 2)
DSL was working and by Tuesday (Dec. 3), dial-up was working," she says.
The situation was reported to federal authorities, who are now
investigating, she says.  Fairbairn says the company was the victim of
highly sophisticated, overseas hackers.  One of the hackers was traced
to Asia, another to the Middle East, she says.  "Our security is really
good, but they are really smart," she says.  The company has about 4,000
customers.  Source.

[return to top]

Food Sector

9.      December 11, Associated Press - Drug-resistant germs found in
chicken.  Consumer Reports magazine said it found bacteria in almost
half the chickens it bought from stores nationwide, and much of the
bacteria was drug-resistant.  The magazine's survey found the bacterium
campylobacter in 42 percent of 484 fresh broiler chickens tested, and
salmonella in 12 percent.  The report said 90 percent of the
campylobacter samples and 34 percent of the salmonella resisted
treatment by commonly used antibiotics.  The increasing prevalence of
drug-resistant bacteria is often blamed on doctors' over-prescribing
antibiotics and patients' misusing them.  Others point to the widespread
use of antibiotics in livestock.  Source: 

10.     December 9, Reuters - USDA announces ground beef recall.
Grocery store chain Publix is voluntarily recalling 120 pounds of ground
beef that may be contaminated with a potentially deadly E. coli
bacteria, the U.S. Agriculture Department said on Monday.  USDA said
various ground beef products sold at a Publix store in Coconut Creek,
Florida, are being recalled.  The department said the ground beef may
contaminated with E. coli 0157:H7, one of the most deadly of food-borne
bacteria.  No illnesses have been reported from the potentially tainted
food, the USDA said.  Source: 

[return to top]

Water Sector

Nothing to report.

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency Law Enforcement Sector

11.     November 20, Savannah Now - Police are investigating the theft
of more than $70,000 worth of rescue equipment from the Walthourville
Fire and Rescue station. Firefighters at the all-volunteer department in
Liberty County discovered the items missing during their weekly training
on Tuesday, when they went to inspect the equipment. Stored in one of
the fire trucks, the missing machinery ranged from the "jaws of life,"
used to extract car accident victims to bolt cutters and axes, said
Assistant Fire Chief Thomas Hines. "We are just in shock," Hines said.
"Everything they took they can now get in just about any lock and any
door." The equipment is insured and should be replaced soon, Hines said.
Meanwhile, area fire departments have called Walthourville officials to
offer assistance and lend equipment. "We are still able to respond to
calls," Hines said. "We might just have to call in another fire
department if there is extrication needed." Source:

[return to top]

Government Operations Sector

12.     December 11, Washington Post - Spy satellite effort viewed as
lagging.  The delays and funding problems in the Future Imagery
Architecture (FIA) program come as the nation's combat and intelligence
personnel are more dependent than ever on satellites to track
terrorists, detect troop movements and identify nuclear, chemical and
biological weapons sites in potentially hostile states.  Unless the
problem is fixed, according to one senior intelligence official, current
spy satellites could stop working before the first next-generation
satellite is launched in the next few years, leaving the country with a
gap in coverage.  The senior intelligence official said a
"reprogramming" of about $625 million and possibly as much as $900
million, from other intelligence programs this year should be enough to
get the program back on schedule so that spy satellite coverage is
maintained without interruption.  "The tradeoffs are not nearly as bad
as a gap in imagery coverage," the official said.  Source:

[return to top]

Information Technology Sector

13.     December 10, Federal Computer Week - CDC gears up systems
against terror.  In the 15 months since the terrorist attacks on
America, the Centers for Disease Control and Prevention (CDC) has
ratcheted up its systems and created new ones for a rapid response
against a terrorist act.  The Sept. 11, 2001, attacks and the mail-borne
anthrax threat last fall tested CDC's ability to deliver public health
services quickly, CDC Director Julie Gerberding said.  The events taught
the public health agency what it needed to do to respond more quickly
and effectively to future threats, she said.  "We are highly prepared.
We are certainly far more prepared than we were a year ago," Gerberding
told attendees at the E-Gov Homeland Security conference, sponsored by
Federal Computer Week Media Group, in Washington, D.C.  As events
unfolded after Sept. 11, she said CDC officials realized that one of the
most critical parts of their jobs was communicating to the public and to
other public health officials.  "If we don't get the communications
right, we fail.  Since the terrorist attacks, CDC has developed networks
to alert public health officials to potential threats, and it is
gathering data from hospitals nationwide as part of a concerted effort
to look for patterns that might signal bioterrorism.  Source.

[return to top]

Cyber Threats and Vulnerabilities

14.     December 11, CERT/CC - Vulnerability Note VU#810921 -- Cobalt
RaQ4 contains vulnerability allowing remote root compromise.  A remotely
exploitable vulnerability exists in Cobalt RaQ 4 Server Appliances with
the Security Hardening Package (SHP) installed.  The Cobalt RaQ 4 is a
Sun Server Appliance.  Sun describes the Cobalt RaQ4 as follows: The
Cobalt RaQTM4 is a server appliance that provides a dedicated
Web-hosting platform and offers new capabilities for high-traffic,
complex Web sites and e-commerce applications.  The RaQ 4 server
appliance offers a full suite of Internet services with remote
administration capabilities, pre-packaged in a single rack-unit (1RU)
industry-standard enclosure.  The RaQ 4 is pre-configured with Apache
Web server, Sendmail, File Transfer Protocol (FTP) server, Domain Name
System (DNS), the Linux operating system, FrontPage Server extensions,
and support for Active Server Pages (ASP), PHP and common gateway
interface (CGI) scripts.  A remotely exploitable vulnerability in the
SHP may allow a remote attacker to execute arbitrary code on a Cobalt
RaQ 4 server appliance.  The vulnerability occurs in a cgi script that
does not properly filter input. Specifically, overflow.cgi does not
adequately filter input destined for the email variable.  Source.

15.     December 10, CERT/CC - Vulnerability Note VU#210409 -- Multiple
FTP clients contain directory traversal vulnerabilities.  Multiple File
Transfer Protocol (FTP) clients contain directory traversal
vulnerabilities that allow a malicious FTP server to overwrite files on
the client host.  In a typical file transfer operation, one participant
(the client) requests a file while a second participant (the server)
provides the requested file.  Before processing each request, many
server implementations will consult an access control policy to
determine whether the client should be permitted to read, write, or
create a file at the requested location.  If the client is able to craft
a request that violates the server's access control policy, then the
server contains a vulnerability.  Since most vulnerabilities of this
type involve escaping a restricted set of directories, they are commonly
known as "directory traversal" vulnerabilities.  Directory traversal
vulnerabilities are most often reported in server implementations, but
recent research into the behavior of FTP clients has revealed several
vulnerabilities in various FTP client implementations.  To exploit these
vulnerabilities, an attacker must convince the FTP client user to access
a specific FTP server containing files with crafted filenames.  Source.

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 1 out of 4
Security Focus ThreatCon: 1 out of 4

Last Changed: 26 November 2002  Last Changed: 23 November 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:   WORM_FRIENDGRT.B
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 1433(ms-sql-s);
21(ftp); 25(smtp); 4662; 8080(webcache); 445(microsoft-ds);
139(netbios-ssn); 27374(asp)
Source:; Internet Storm Center

[return to top]

General Information

16.     December 11, Reuters - AMA wants protection for doctors giving
smallpox shots.   The American Medical Association (AMA) wants federally
backed liability protections in place before initiation of any smallpox
vaccine program.  Amid growing speculation that a smallpox vaccination
program could be started in the next few weeks, the AMA's House of
Delegates voted Tuesday to specifically request initiation of the
liability program before starting vaccinations.  The Homeland Security
Act, which was approved by Congress and signed by President Bush last
month, includes the liability protections but this coverage doesn't take
effect until January 24, 2003, AMA Trustee Dr. Timothy Flaherty said.
"This action just covers the interim before that date," said Flaherty,
who added that the AMA had no precise knowledge about a start date for a
smallpox vaccination program.  He said that the liability coverage would
offer protection to vaccine manufacturers as well as to physicians and
other providers who administer the vaccinations.  Source:

17.     December 10, Milwaukee Journal Sentinel (Wisconsin) - Proposal
aims to contain chronic wasting disease.  In an effort to save the
captive deer and elk industry in Wisconsin, the state agriculture board
Tuesday approved tough restrictions to curb the spread of chronic
wasting disease.  The rules bar deer and elk farmers from shipping their
animals off their property unless they're enrolled in a monitoring
program, and require testing for the deadly disease under certain
circumstances.  Agriculture Secretary James Harsdorf said requiring
farmers to monitor and test their herds will show other states that have
purchased Wisconsin animals "that we're very serious about battling
chronic wasting disease."  The permanent rules will go before the
Legislature by Jan. 1. Lawmakers can hold public hearings or make
changes, but if no action is taken, then the rules become law.  An
agriculture official said the earliest the rules can go into effect is
May 1, but the board can extend the emergency rules through June 1 if
needed.  Source: 

18.     December 10, Federal Computer Week - Report suggests ID
alternatives.  A national identification system is one approach to
strengthening identity security, but a white paper published by a
coalition of government organizations also proposes a "confederated"
system in which Americans could use multiple identifiers for clusters of
agencies and/or businesses.  This approach would enable individuals to
sign on to an account once and have access to different accounts among
several entities they commonly transact with, according to the National
Electronic Commerce Coordinating Council's (NECCC) white paper.
Agencies and companies would have to develop policies, procedures and an
interoperable technical framework to support such an arrangement.  The
advantage to this system over a national ID system is that no single
identifier would follow an individual everywhere.  Another advantage is
that there is no single point of failure like that in a national ID
system, in which there would be centralized control.  Source: 

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to