National Infrastructure Protection Center NIPC Daily Open Source Report for 17 December 2002
Daily Overview

- CERT has released Advisory CA-2002-36 - Multiple Vulnerabilities in SSH Implementations. (See item 11)
- Security Focus has changed its threat condition rating from level 1 to level 2. Level 2 is defined, in part, as a condition that applies when knowledge or the expectation of attack activity is present, without specific events occurring and one that requires increased vigilance, such as a careful examination of vulnerable and exposed systems and increased monitoring of logs. (See Internet Alert Dashboard)
- The Houston Business Journal reports industry sources say political strikes in Venezuela are bound to begin affecting U.S. oil imports, refinery operations and fuel prices the longer the strikes go on. (See item 4)
- Federal Computer Week reports the Immigration and Naturalization Service has issued a final rule requiring colleges and universities to begin reporting information about foreign students electronically on Jan. 30, 2003. (See item 10)

Power Sector

Nothing to report.

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

Nothing to report.

Transportation Sector

1. December 17, ABC News Online - Police defuse parcel bomb at Rome airport. Italian police have defused parcel bombs at Rome's airport and a TV broadcasting office, bringing to four the devices disarmed in recent days in what government sources described as an anarchist campaign. Three of the four devices had been sent to offices of the Spanish airline Iberia in Italy.
Bomb disposal experts defused a package sent to Iberia offices at Rome's Fiumicino airport early on Monday and hours later were called to deal with a package sent to state-run TV broadcaster RAI in central Rome. Each packet contained 50 grams of explosive powder with a fuse, a police spokesman said. "They were disarmed in a safe place, but they could have caused serious damage if they had been opened." Police said they were treating the incidents as related and a government source said they appeared to be the work of an anarchist group and may be linked to two Italians jailed in Spain more than 20 years ago.
Source: http://www.abc.net.au/news/justin/nat/newsnat-17dec2002-1.htm

2. December 16, Helsingin Sanomat (Finland) - New security measures against terrorism for ships by 2004. The International Maritime Organization (IMO) accepted early Friday morning, at its Maritime Safety Committee meeting, an amendment to the international general agreement of securing lives at sea. One hundred eight countries signed the amendment. The antiterrorism measures apply to all ports where there is international traffic. Both passenger and cargo ports of signatory countries will henceforth need to tighten security by, for example, increasing camera surveillance, adding more perimeter fences, and improving lighting. Furthermore, at least in passenger ports, the ability to perform security checks of people and vehicles must be provided. Ships alike will have added security measures: passengers and crucial points for cargo transport will be monitored either by cameras or by staff. Airport-type security checks, however, will not be introduced at this point, although all ports will have to be prepared to bring in counter-measures against terrorism if the need should arise. For ports, the IMO agreement lists three levels of readiness according to which the security controls are carried out: normal, alertness, and emergency. In emergency situations virtually everybody will be checked.
Source: http://www.helsinki-hs.net/news.asp?id=20021216IE7

3. December 16, Rocky Mountain News - Expect long lines at Denver airport security. Longer waits at Denver International Airport are coming with security changes that will begin taking effect before the holiday rush is over. Passengers can count on waiting longer at security checkpoints, and they might soon lose the option of checking in at the shorter lines on the concourse. Travelers will be asked to leave bags unlocked to expedite searches, and those who don't might find that security workers have cut their baggage locks to check for explosives. Denver International Airport will be one of a handful of U.S. airports that won't meet the Dec. 31 date for having in place a permanent system for screening all luggage bound for the bellies of airplanes. The plan approved by TSA last month will provide in-line electronic scanning of all bags. The project won't be completed until next fall. Until then, DIA's bags will be checked for explosives at check-in counters and curbside stations. A limited number of bags will be put through electronic scanners.
Source: http://www.insidedenver.com/drmn/local/article/0,1299,DRMN_15_1612688,00.html

Gas and Oil Sector

4. December 16, Houston Business Journal - Impact of Venezuela oil strikes beginning to flow into Houston. Political strikes in Venezuela are bound to begin affecting U.S. oil imports, refinery operations and fuel prices the longer the strikes go on, industry sources say. As of midweek, prospects for an early end to the political demonstrations that have virtually shut down Venezuela's petroleum industry seemed bleak. Oil tankers, which can take up to three days to fill, were backed up in long lines at Venezuelan ports waiting for loading orders that did not come. Once loaded, it takes five days for the tankers to reach the United States. Venezuela is an important supplier of crude oil to the U.S. Gulf Coast refineries.
Many Gulf Coast refineries and petrochemical plants have installed special equipment and processes in order to use the heavy crude oil produced in Venezuela because it is cheaper than the light crude that comes from other sources such as the Middle East.
Source: http://www.bizjournals.com/industries/energy/oil_gas/2002/12/16/houston_story7.html

5. December 16, BBC news - Oil refinery blaze 'biggest for years'. A major fire at an oil refinery in Worcestershire (United Kingdom) has been brought under control. At the height of the fire, more than 130 firefighters from Hereford and Worcester, Warwickshire and West Midlands fire brigades fought the flames at the building in Redditch. Twenty engines were called to the scene at Claymore Lubricants' factory at the Washford Industrial Estate, Hemming Road. The alarm was raised at 0430 GMT by residents who heard gas cylinders exploding. At one point, thick black smoke could be seen for miles. The factory, which contained chemicals, was closed when the fire broke out and no one is believed to have been injured.
Source: http://news.bbc.co.uk/2/hi/uk_news/england/2579735.stm

Telecommunications Sector

Nothing to report.

Food Sector

Nothing to report.

Water Sector

6. December 16, Channel News Asia - High-tech measures to keep Singapore's water safe from terrorist threats. Singapore's DSO National Laboratories has come up with high-tech solutions to keep Singapore's water supply safe from any bio-chemical terrorist threats. It is also collaborating with its U.S. counterparts to come up with faster and more accurate devices that give real-time results and save lives. Toxispy is one of several water monitoring devices developed. It uses bacteria to detect toxins like lead, mercury, arsenic and even nerve and blister agents in water samples. A Solid Phased Micro-Extraction (SPME) device, which detects and identifies bio-chem contaminants in water, has also been developed.
The technology involved in the device is part of a new Singapore-U.S. partnership aimed at getting real-time results over the next three years. Besides the Toxispy and the automated SPME, the DSO is also working on harnessing DNA technology to give more accurate results when testing for viruses and bacteria in water.
Source: http://www.channelnewsasia.com/stories/singaporelocalnews/view/27256/1/.html

7. December 14, Caledonian Record (Vermont) - Officials searching for cause of contamination. Littleton, NH town officials are continuing their search for the source of the high levels of E. coli bacteria in water that is leaking from a town storm pipe into the Ammonoosuc River. "The problem is we can't find the problem," said Assistant Town Manager Jason Hoch as he described Littleton's old storm-pipe system, which is difficult to search in a logical fashion. For over two weeks town crews have been testing different pipes below the street surface, looking for traces of E. coli. The leaking pipe was brought to the attention of the town after scientists from the New Hampshire Department of Environmental Services (DES) tested the water for E. coli. The test showed that there was an E. coli count of over 15,000 per milliliter of water. The state standard for this bacteria count, for waste water facility treatments, is 406 counts per 100 milliliters. Although the water leading to the river is contaminated with E. coli, DES officials have not said the river itself is contaminated, although they are concerned about the problem.
Source: http://www.caledonian-record.com/pages/local_news/story/217eb78c6

Chemical Sector

Nothing to report.

Emergency & Law Enforcement Sector

8. December 16, Associated Press - FEMA director to step down in March. Joe M.
Allbaugh, the no-nonsense member of President Bush's "Iron Triangle" of advisers who orchestrated his presidential run, said Monday he will step down in March as director of the Federal Emergency Management Agency. Allbaugh, 50, told Bush and White House chief of staff Andrew Card last summer that he would be leaving his post after the first of the year. He officially tendered his resignation Monday afternoon in a meeting with the president. Allbaugh will leave March 1, when FEMA is scheduled to fold into the new Department of Homeland Security. His deputy, Mike Brown, is expected to be a leading candidate to replace Allbaugh as FEMA's chief.
Source: http://www.washingtonpost.com/wp-dyn/articles/A62176-2002Dec16.html

Government Operations Sector

9. December 16, Washington Post - Cleanup agent being cleared out at D.C. postal plant. The pumping of chlorine dioxide gas into the Brentwood postal facility to kill anthrax spores was completed 12 hours ahead of schedule yesterday, Postal Service authorities said. The gas was being sucked back out of the sealed Northeast Washington building and converted, through chemical treatments, into harmless saltwater. Thousands of samples will be taken from the building over the next several weeks and tested, a Postal Service spokesman said. An independent committee of scientists will review the results. If the committee finds no trace of anthrax, it could give a green light for the postal facility to reopen in April.
Source: http://www.washingtonpost.com/wp-dyn/articles/A59328-2002Dec15.html

10. December 12, Federal Computer Week - INS sets date for student data. The Immigration and Naturalization Service (INS) has issued a final rule requiring colleges and universities to begin reporting information about foreign students electronically on Jan. 30, 2003.
The program is part of the Student and Exchange Visitor Information System (SEVIS) that is being implemented to keep track of foreign students who receive visas to study in the United States. SEVIS establishes an electronic reporting process to document a student's status. The system is considered an important part of the effort to improve homeland security by keeping better track of foreign students. In publishing the final rule Dec. 10, INS noted that many colleges and universities complained that complying with the rule would require time and money. But INS said the Jan. 30 compliance date could be met with little cost to the schools.
Source: http://www.fcw.com/fcw/articles/2002/1209/web-ins-12-12-02.asp
INS press release: http://www.ins.usdoj.gov/graphics/publicaffairs/factsheets/02.12FINALRU_FS.htm

Information Technology Sector

Nothing to report.

Cyber Threats and Vulnerabilities

11. December 16, CERT/CC - Advisory CA-2002-36 Multiple Vulnerabilities in SSH Implementations. Multiple vendors' implementations of the secure shell (SSH) transport layer protocol contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place. Rapid7 has developed a suite (SSHredder) of test cases that examine the connection initialization, key exchange, and negotiation phase (KEX, KEXINIT) of the SSH transport layer protocol. The test suite has demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before any user authentication takes place. SSHredder was primarily designed to test key exchange and other processes that are specific to version 2 of the SSH protocol; however, certain classes of tests are also applicable to version 1.
The impact will vary for different vulnerabilities and products, but in severe cases, remote attackers could execute arbitrary code with the privileges of the SSH process. Both SSH servers and clients are affected, since both implement the SSH transport layer protocol. Affected users should apply the appropriate patch or upgrade as specified by their vendor.
Source: http://www.cert.org/advisories/CA-2002-36.html

12. December 16, The Register - Home user insecurity spurs email virus growth in 2002. The ratio of viruses to legitimate emails has increased over the course of this year. According to a review of 2002 by managed services firm MessageLabs, the ratio of viruses to clean emails is now one in 202, compared to one every 380 emails last year. According to MessageLabs' report (compiled for the year to December 14), the top five most active viruses in 2002 were Klez.H (with 4,918,018 copies), Yaha.E (1,096,683), Bugbear.A (842,333), Klez.E (380,937) and last year's worst SirCam.A with 309,832. According to MessageLabs, viruses have become less of a problem for businesses this year as administrators are becoming more aware of the steps they need to take to prevent virus outbreaks. For home users the picture is different. Many consumers still do not have any protection in place and so easily become infected with viruses like Klez, which are harder to spot and trace. As a result, a higher percentage of viral messages can be traced back to home users. Industry sectors which deal with consumers, such as the retail, leisure and entertainment industries, are also becoming more at risk from infection. During the year, MessageLabs has also noticed a marked increase in crackers emailing Trojans in direct attacks against users. Although these attacks are numerically relatively small, they do represent a disturbing trend in the war against malware.
Source: http://www.theregister.co.uk/content/56/28585.html

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 - https://gtoc.iss.net/ - Last Changed: 26 November 2002
Security Focus ThreatCon: 1 out of 4 - http://analyzer.securityfocus.com - Last Changed: 17 December 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: WORM_KLEZ.H
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 1433(ms-sql-s); 445(microsoft-ds); 21(ftp); 4662; 68(bootpc); 1080(socks); 113(auth); 27374(asp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

13. December 16, San Antonio Express-News (Texas) - Resistant bacteria spur concerns. Outbreaks of a common skin infection are becoming more common and occasionally life-threatening as the bacteria develop resistance to common antibiotics. The bug is called methicillin-resistant staphylococcus aureus, or MRSA. Doctors often see bacteria that are resistant to common antibiotics in hospitals. What is new is that it now is striking healthy people who haven't been in the hospital or around anyone who has been in the hospital. The behavior of this infection is not unexpected, said Dr. Edwin Charlebois, an associate professor of medicine at University of California at San Francisco. "It's like when penicillin was introduced in hospitals," he said. "It didn't take long to see penicillin-resistance." When about 50 percent of the bacteria in the hospital were resistant to penicillin, the resistant bacteria appeared in the community, he added. Now, about 50 percent of MRSA cases in hospitals are resistant to the next line of antibiotics.
Source: http://news.mysanantonio.com/story.cfm?xla=saen&xlb=180&xlc=896026

14. December 15, Concord Monitor (New Hampshire) - Fighting terrorism from the ground up.
New Hampshire has received nearly $200,000 in counter-terrorism money from the U.S. Department of Agriculture in recent weeks to protect itself against such acts as the stealthy deposit of pestiferous bugs. About $120,000 will pay for hiring an entomologist and an assistant to search for the Asian long-horned beetle, emerald ash borer, day lily rust, and a variety of other dangerous plant pests and diseases. Another $63,000 will pay for expanding the state's diagnostic lab, mapping the state's farms, and training large-animal veterinarians around the state to spot foreign animal diseases that can afflict humans, according to the state veterinarian, Dr. Steve McGinnis.
Source: http://www.cmonitor.com/stories/news/state2002/1215_beetles_2002.shtml

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

- 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
- 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
- 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
- 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.