National Infrastructure Protection Center
NIPC Daily Open Source Report for 11 December 2002

Daily Overview

.       CERT has announced Vulnerability Note VU#630355 - "Netscape and
iPlanet Enterprise Servers fail to sanitize log files before they are
displayed using the administration client."  (See item 15)

.       Government Computer News reports the National Communications
System is introducing its first cellular priority telephone service,
available in New York by the end of the month and nationwide by next
December.  (See item 7)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

1.      December 10, Reuters - Looking at it this low, historically we
have not been able to catch up to an average snow pack," Fox said. The
largest dams are on the Columbia River and its tributaries in Washington
and Oregon. Scott Pattee, Mount Vernon, Washington-based water supply
specialist with the NRCS noted that snowpack in the basin is around 33
percent of normal at the upper end and as low as 20 percent elsewhere.
He noted some key areas were faring even worse with the Yakima River
basin only around 10 to 11 percent of normal. Fox said the situation is
even more serious than the statistics suggest following months of dry
weather. Marianne Hallet, an NRCS water supply specialist based in
Davis, California, said the northern Sierra Nevada mountains in
California were running at 45 percent of normal, the central region at
59 percent and southern section at 93 percent. Source:

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

2.      December 10, MSNBC - Elaborate credit card con still works.  No
one broke into Doug and Sandy Roth's tiny Seattle office.  But somehow,
criminals managed to impersonate the couple's Prosynergy Corp. well
enough to convince Bank of America Merchant Services to ship some
$52,000 in credit card credits to various bank accounts based in Spain.
And the Roths knew nothing about it until Bank of America called a few
days ago and handed them the bill.  The simple but ingenious
"credit-back" scheme essentially lets a criminal exploit a fundamental
flaw in some credit card processors which allows consumers to buy
merchandise with one credit card, then allows them to return the
merchandise and receive a credit on a different card.  So, for example,
in some situations a consume can buy an item with an American Express
card, then return it, and get the credit on their Visa card.  Stealing
money from a stolen credit card this way can be easy - the criminal uses
a stolen credit card, buys a $100 item, then returns it, gets a $100
debit card credit, then withdraws that cash from an ATM.  Source: 

[return to top]

Transportation Sector

3.      December 10, CNN  - TSA says no major problem with hand-held
wands.  The Transportation Security Administration (TSA) denied Tuesday
that it has major problems with a certain brand of hand-held metal
detector in widespread use at airport security checkpoints.  Troubles
with the Garrett brand of wand commonly used by federal airport
screeners were outlined in an e-mail sent last month to airport security
directors by TSA official John Rooney.  The TSA confirms he wrote, "I
believe that we have a systemic problem on the reliability of the
Garrett SuperWand."  Federal screeners discovered that when the wand was
turned upside down the unit's battery sometimes disconnected, causing a
loss of power to the device.  But TSA spokeswoman Heather Rosenker said
only 79 wands were found to have the problem -- out of some 10,000
Garrett SuperWands the TSA uses.  Rosenker said the problem involves the
battery -- not the wand.  "The battery cap is made so that when you used
one type of battery (a Duracell 9-volt) rather than another (the
EverReady Heavy Duty) ... the way it fits in that compartment there
would not be a connection."  Rosenker said federal airport security
directors have been told to use the EverReady batteries in the wands.
Tuesday, she said the TSA will decide whether to order new battery
compartment doors, or to mandate that the larger battery be used in the
wands.  Source: 

4.      December 10, New York Times - New rule to limit boarding passes
from gate.  The Transportation Security Administration will require
nearly all airline passengers to obtain boarding passes before they
arrive at the security checkpoint rather than at the gate, the agency
said today.  The goal is to free workers to screen checked bags rather
than screen passengers.  Under the current system, travelers who are
identified by a government-approved computer system are searched a
second time, and more thoroughly, at the gate.  Under the new system
those more thorough searches will be carried out earlier, at the main
screening point.  Screeners need the boarding pass at the main screening
point, rather than the gate, because the pass indicates whether
travelers have been selected for more scrutiny.  "We're going to reduce
the hassle factor by reducing the amount of gate screening we are
doing," said Michael Jackson, the deputy transportation secretary.  Some
travelers are selected at random for extra scrutiny; others because the
government's computer program decides there is not enough information
about them.  In addition, some travelers are on a government watch list.
Adm. James M. Loy, the under secretary of transportation for security,
said some gate screening would continue to make sure that terrorists
were not able to predict the challenges they would face.  "We believe
random gate screening is an imperative part of a continuous deterrent
exercise," Admiral Loy said.  Source: 

[return to top]

Gas and Oil Sector

5.      December 10, The Virginian-Pilot - Firm wants emergency gas
facility for peak use.  Virginia Natural Gas (VNG) is building a
temporary processing operation in Chesapeake for liquefied natural gas
that would help meet peak heating demand on extra-cold days over the
next three winters.  VNG adds 6,000 to 7,000 customers each year and has
to make sure it would have enough gas to serve those customers on the
most frigid day ever experienced.  The operation would store 50,000
gallons of liquid gas and convert it by heat into vapor to send through
the distribution system.  VNG has applied for a waiver of federal
gas-pipeline safety standards for the project, specifically regarding
the construct ion of two storage tanks.  Source: 

6.      December 9, Petroleum Finance Week - Oil will dominate 2030's
energy picture, but supply vulnerability grows.  Global oil demand is
expected to rise by about 1.6 percent per year, driven primarily by the
transportation sector.  OPEC producers will satiate most of that demand
as output from North America and the North Sea declines.  With
production increasingly concentrated in a small number of countries, the
vulnerability of importers to supply disruptions will only intensify.
"Supply security has moved to the top of the energy policy agenda," the
International Energy Agency's World Energy Outlook 2002 states.  "The
governments of oil- and gas-importing countries will need to take a more
proactive role in dealing with the energy security risks inherent in
fossil-fuel trade.  They will need to pay more attention to maintaining
the security of international sea-lanes and pipelines.  And they will
look anew at ways of diversifying their fuels as well as the geographic
sources of those fuels."  Source:{C7D86D6A-

[return to top]

Telecommunications Sector

7.      December 9, Government Computer News - NCS unveils priority
cellular service.  The National Communications System is introducing its
first cellular priority telephone service, said Peter Fonash, chief of
the NCS technology and programs division.  The service will be available
in New York by the end of the month and will be rolled out nationwide by
next December, Fonash said at the E-Gov Homeland Security Conference in
Washington.  The service mirrors the Government Emergency
Telecommunications Service, which gives 70,000 government users priority
access to the nation's wireline telecom networks.  The National Security
Council mandated the wireless priority service in the wake of last
year's terrorist attacks.  As a stopgap measure, special phones were
distributed for the Winter Olympics in Salt Lake City, giving priority
access to the VoiceStream satellite service, and 5,000 phones have been
distributed in Washington and New York.  Source.

[return to top]

Food Sector

8.      December 10, Food Production Daily - Sausage casing technology
break through.  A collaborative effort between casings supplier Viskase
and specialty chemical company Rhodia Food has resulted in NOJAX AL, a
cellulose casing that effectively reduces the risk of listeria
monocytogenes surface contamination in the production of hot dogs and
other cooked sausage products.  Developed in the U.S., the innovation
involves the application of a natural antimicrobial system developed by
Rhodia to a meat surface via the cellulose casing manufactured and
marketed by Viskase as NOJAX AL.  The technology has won a Generally
Recognized as Safe endorsement from the United States Food and Drug
Administration and is fully approved for use.  According to the
companies, after cooking and peeling away the casing, the resultant
surface treatment on the hot dog or sausage demonstrates the definite
killing of listeria within the first few hours of package life, thus
providing an effective safeguard in the event of a post-processing
contamination episode.  Source:   

9.      December 9, Business Journal (Minneapolis) - Report says local
chicken and turkey products contain antibiotic resistant bacteria.
Brand-name chicken and turkey products sold in Minneapolis and St. Paul,
Minnesota contain high levels of antibiotic-resistant bacteria,
according to a study performed on behalf of the Sierra Club and the
Minneapolis-based Institute for Agriculture and Trade Policy.  The two
groups said that tests showed that 95 percent of whole chickens sold in
the area were contaminated with food poisoning caused by Campylobacter
bacteria.  Salmonella bacteria, which cause intestinal diseases, were
found in 45 percent of ground turkey and 62 percent of those bacteria
were resistant.  Animals are routinely treated with antibiotics even if
they are not sick.  This practice creates new strains of bacteria that
are resistant against the antibiotics commonly used to treat humans when
they are infected by these bacteria.  Source:

[return to top]

Water Sector

10.     December 10, Water Tech Online - Water Environment Federation
offers second round of wastewater security training.  The Water
Environment Federation (WEF) is conducting a series of wastewater
security training seminars that run through May.  WEF said in a news
release that the seminars are through a cooperative agreement with the
United States Environmental Protection Agency, and will provide publicly
owned treatment works with the necessary tools to initiate a
vulnerability assessment and develop a security plan designed for each
utility's specific needs.  The seminars will help wastewater utilities
evaluate and determine approaches for reducing their vulnerability to
man-made threats and natural disasters, WEF said.  Twelve workshops will
focus on the VSAT wastewater, wastewater security training software
developed by the Association of Metropolitan Sewerage Agencies in
collaboration with PA Consulting Group and Scientech Inc.  Source:  

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency Law Enforcement Sector

11.     December 10, Washington Times - Fire fighting planes grounded
for safety.  A fleet of government planes used to battle wildfires has
been grounded by the Bush administration after an independent study
found lax inspections led to an "unacceptable" safety record.  A
blue-ribbon panel was convened by the Forest Service and Bureau of Land
Management in August after two crashes - in which the wings came off of
fixed-wing planes - killed five firefighters.  Nineteen government-owned
P-58 Barons and four Sherpa (Shorts 330) smokejumper aircraft were
suspended from service because of concerns raised in the report.
Additionally, the government will no longer hire independent contractors
to fly C-130A or PB4-Y aircraft previously used as air tankers.  Source: 

[return to top]

Government Operations Sector

12.     December 10, Computerworld  - White House official: CIOs key to
homeland.  Private-sector CIOs will play a key role in the work of the
new U.S. Department of Homeland Security, according to Lee Holcomb,
director of infrastructure for the White House Office of Homeland
Security.  Holcomb, who delivered the keynote address here today at the
Homeland Security 2002 conference, heads the IT side of the effort to
merge 22 federal agencies into the one new department.  "The first thing
we're doing with CIOs is trying to identify where are those common
technologies and, where we can, seek enterprise licenses" so the
department is using the same systems, he said.  Holcomb and other
federal CIOs involved in the creation of the Department of Homeland
Security spent the summer consulting with companies such as
Hewlett-Packard Co., Exxon Mobil Corp., Raytheon Co. and others that
have recently merged with other companies and faced big IT integration
projects.  The things all of them put in place by Day 1 had to do with
communication."  Holcomb said his goal is to develop an "enterprise
architecture" for the department, a continuation of work he did while
serving as CIO at NASA from 1997 until earlier this year.  Source:,10801,7

[return to top]

Information Technology Sector

13.     December 5, Computerworld - Task force report looks at accuracy
of Whois data.  It's a question that continues to plague the Internet
Corporation for Assigned Names and Numbers (ICANN), domain name
registrars, the U.S. Congress, and myriad federal agencies: How best to
ensure the accuracy of Whois data?  Last week, the Domain Name
Supporting Organization's (DNSO) Whois Task Force issued a report
offering policy recommendations to ensure the accuracy of information
contained in the Whois database, the directory that lists names and
contact information of people who register domain names.  Although the
report addresses how best to rapidly correct data determined to be
inaccurate after a complaint is lodged, it doesn't address proactive
measures that could be used to screen out incorrect data during the
registration process.  That issue, according to Marilyn Cade, co-chair
of the task force, is something that needs to be addressed, given the
growth of "spoofed" Web sites that have been used to try and defraud
people online.  Source.,

[return to top]

Cyber Threats and Vulnerabilities

14.     December 9, CERT/CC - Vulnerability Note VU#780737 -- Pine MUA
contains buffer overflow in addr_list_string().  Pine is a mail user
agent (MUA) written and distributed by the University of Washington.
Some versions contain a buffer overflow vulnerability in email address
handling.  Versions of Pine prior to 4.50 contain a remotely exploitable
buffer overflow in the addr_list_string() function.  Due to incorrect
calculation of string length in est_size(), a message From: header that
contains a long string of escaped characters can cause a buffer being
used by the addr_list_string() function to overflow.  It is important to
note that the From: header is under full control of the remote user
sending mail and as such can contain any characters that they supply.
An attacker can construct a message with a crafted From: header that
will cause Pine to crash with a segmentation fault and possibly dump
core.  Source.

15.     December 9, CERT/CC - Vulnerability Note VU#630355 -- Netscape
and iPlanet Enterprise Servers fail to sanitize log files before they
are displayed using the administration client.  IPlanet Enterprise
Server and Netscape Enterprise Server versions prior to 4.1. SP12 have a
vulnerability involving the rendering of <DEFANGED_SCRIPT> tags embedded in the
web logs when viewed through the administration client.  Requests made
to web servers are routinely logged by the web server to a log file,
even if these requests are invalid or malicious in some way.  Normally,
this presents no security problems, and in fact allows administrators to
record possible attacks against their system.  However, in iPlanet
Enterprise Server and Netscape Enterprise server versions prior to 4.1.
SP12, these malicious log entries are not correctly sanitized before
being viewed through the browser based administration client.  This
allows a remote attacker to embed malicious <DEFANGED_SCRIPT> tags in the URL of
requests, which may be later executed by the administrator when
reviewing the logs.  When the malicious script embedded in the log files
is viewed through the administration client, the administrator has
already authenticated to the web server, and has additional privileges.

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 1 out of 4
Security Focus ThreatCon: 1 out of 4

Last Changed: 26 November 2002  Last Changed: 23 November 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:  PE_FUNLOVE.4099
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 1433(ms-sql-s);
21(ftp); 25(smtp); 4662; 8080(webcache); 445(microsoft-ds);
139(netbios-ssn); 27374(asp)
Source:; Internet Storm Center

[return to top]

General Information

16.     December 10, CNN - Iraq dossier hints at 'dirty bomb.'  Iraq's
declaration of its weapons programs could identify countries or firms
that supplied its nuclear, chemical and biological weapons programs,
according to a table of contents obtained Monday by CNN.  In a letter
that accompanies the nearly 12,000-page document, Foreign Minister Naji
Sabri said the dossier's publication "entails risk" of releasing
information that violates nonproliferation standards.  Sabri called the
report "currently accurate, full and complete," but told the U.N.
Security Council it contains information that could aid countries
seeking to develop nuclear, chemical or biological weapons.  The
nine-page preface to the report being circulated among council members
Monday refers to a terminated "radiation bomb project" -- possibly a
so-called radiological weapon, or "dirty bomb."  The contents pages also
include references to procurement of petrochemicals for Iraq's nuclear
weapons program and to "foreign technical assistance" and "relations
with companies, representatives and individuals" under its chemical
weapons declaration.  Diplomatic sources said Security Council members,
including the United States, were concerned some of the information
might serve as a "training manual" for stockpiling and hiding weapons,
and they did not want it to fall into the wrong hands.  Source: 

17.     December 9, Platts Energy News - U.K. officials confirmed
intelligence that suggests North Korea obtained a large amount of
6000-grade aluminum from Pakistan, which purchased the material from
other sources by violating Western country export control prior to
shipping it to North Korea.  In October, a few days after the U.S.
announced the Democratic People's Republic of Korea (DPRK) had started a
crash program to enrich uranium with centrifuges, Western officials told
Nucleonics Week that enough aluminum to make several thousand rotor
tubes was obtained by the SPRK for that program from Pakistan.  They
identified the material as so-called 6000-grade aluminum, which has a
high tensile strength and has applications in centrifuge uranium
enrichment applications.  The Sunday Times newspaper reported on Dec 8
that the aluminum was manufactured and exported to Pakistan by an
undisclosed UK firm.  Source: 

18.     December 10, CNN  - U.S.: Scuds found on ship off Yemen.
Pentagon officials said Tuesday that U.S. military weapons specialists
have found at least a dozen Scud missiles aboard a ship stopped en route
from North Korea, several hundred miles off the coast southeast of Yemen
in the Indian Ocean.  Scuds are the type of ballistic missiles that
Iraqi leader Saddam Hussein used to attack both Saudi Arabia and Israel
during the Persian Gulf War.  But U.S. officials said there is no
indication the ship was headed to Iraq.  They said there was every
suggestion it was headed to the Horn of Africa.  U.S. intelligence had
been monitoring the ship since it left North Korea several days ago
headed for the Arabian Sea region, officials said.  Although the ship
did not have a flag, the aide said its crew was North Korean.  As to
ownership or nationality of the ship, a senior official told CNN it
appeared to be a "stateless vessel" and said there was not much in the
way of official paperwork on the ship.  News of the ship's interception
came amid increased tension between the United States and North Korea.

19.     December 10, New York Times - Israel vaccinates soldiers and
health workers.  Israel has successfully vaccinated more than 15,000
soldiers and public health workers against smallpox on a voluntary basis
since July with virtually no severe side effects, senior Israeli
officials say.  Israel uses the Lister vaccine strain, different from
the strain used by the United States.  Dr. Boaz Lev, the director
general of Israel's Ministry of Health, said that Lister was less
virulent than the American strain and has fewer side effects.  Lev said
Israeli doctors and health professionals had screened out those with
health conditions that precluded safe inoculation, like pregnant women
and people with ailments that suppress the immune system.  Five percent
of those vaccinated reported side effects like fevers, headaches, muscle
pain, fatigue and weakness.  Source:

20.     December 10, Salt Lake Tribune (Utah) - Hospitals face
medication shortages.  At hospitals across the country, physicians,
pharmacists, and nurses are coping with a potentially dangerous problem
of medication shortages.  About 80 percent of the shortages involve
injected drugs difficult to manufacture because they must be sterile.
Experts cite other factors as well.  They include fewer drug companies
making low-profit vaccines and medicines, sole manufacturers ending
production, sudden spikes in demand, shortages of ingredients, and aging
plants that no longer meet sterility standards being shut down at least
temporarily.  The problem is most critical at hospitals and nursing
homes, where patients usually are very sick, said Mark Goldberger, the
Food and Drug Administration's drug shortage coordinator.  Source:   

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

This message has been 'sanitized'.  This means that potentially
dangerous content has been rewritten or removed.  The following
log describes which actions were taken.

[ score: 1 ]
00026   Rewrote HTML tag:

[ score: 2 ]
00027   Rewrote HTML tag:

Anomy 0.0.0 :
$Id:,v 1.34 2000/12/29 16:04:34 bre Exp $

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to