National Infrastructure Protection Center
NIPC Daily Open Source Report for 17 December 2002

Daily Overview

.       CERT has released Advisory CA-2002-36 - Multiple Vulnerabilities
in SSH Implementations.  (See item 11)

.       Security Focus has changed its threat condition rating from
level 1 to level 2.  Level 2 is defined, in part, as a condition that
applies when knowledge or the expectation of attack activity is present,
without specific events occurring and one that requires increased
vigilance, such as a careful examination of vulnerable and exposed
systems and increased monitoring of log.  (See Internet Alert Dashboard)

.       The Houston Business Journal reports industry sources say
political strikes in Venezuela are bound to begin affecting U.S. oil
imports, refinery operations and fuel prices the longer the strikes go
on.  (See item 4)

.       Federal Computer Week reports the Immigration and Naturalization
Service has issued a final rule requiring colleges and universities to
begin reporting information about foreign students electronically on
Jan. 30, 2003.  (See item 10)

NIPC Daily Report Fast Jump [click to jump to section of interest]
Banking & Finance

Gas & Oil

Emergency Law Enforcement

Government Operations
Information Technology
Cyber Threats and Vulnerabilities

Internet Alert Dashboard
NIPC Information

Power Sector

Nothing to report.

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

[return to top]

Banking and Finance Sector

Nothing to report.

[return to top]

Transportation Sector

1.      December 17, ABC News Online - Police defuse parcel bomb at Rome
airport.  Italian police have defused parcel bombs at Rome's airport and
a TV broadcasting office, bringing to four the devices disarmed in
recent days in what government sources described as an anarchist
campaign.  Three of the four devices had been sent to offices of the
Spanish airline Iberia in Italy.  Bomb disposal experts defused a
package sent to Iberia offices at Rome's Fiumicino airport early on
Monday and hours later were called to deal with a package sent to
state-run TV broadcaster RAI in central Rome.  Each packet contained 50
grams of explosive powder with a fuse, a police spokesman said. "They
were disarmed in a safe place, but they could have caused serious damage
if they had been opened."  Police said they were treating the incidents
as related and a government source said they appeared to be the work of
an anarchist group and may be linked to two Italians jailed in Spain
more than 20 years ago.  Source:

2.      December 16, Helsingin Sanomat (Finland) - New security measures
against terrorism for ships by 2004.  The International Maritime
Organization (IMO) accepted early Friday morning, at its Maritime Safety
Committee meeting, an amendment to the international general agreement
of securing lives at sea.  One hundred eight countries signed the
amendment.  The antiterrorism measures apply to all ports where there is
international traffic.  Both passenger and cargo ports of signatory
countries will henceforth need to tighten security by, for example,
increasing camera surveillance, adding more perimeter fences, and
improving lighting.  Furthermore, at least in passenger ports, the
ability to perform security checks of people and vehicles must be
provided.  Ships alike will have added security measures: passengers and
crucial points for cargo transport will be monitored either by cameras
or by staff.  Airport-type security checks, however, will not be
introduced at this point, although all ports will have to be prepared to
bring in counter-measures against terrorism if the need should arise.
For ports, the IMO agreement lists three levels of readiness according
to which the security controls are carried out: normal, alertness, and
emergency.   In emergency situations virtually everybody will be
checked.  Source: 

3.      December 16, Rocky Mountain News - Expect long lines at Denver
airport security.  Longer waits at Denver International Airport are
coming with security changes that will begin taking effect before the
holiday rush is over.  Passengers can count on waiting longer at
security checkpoints, and they might soon lose the option of checking in
at the shorter lines on the concourse.  Travelers will be asked to leave
bags unlocked to expedite searches, and those who don't might find that
security workers have cut their baggage locks to check for explosives.
Denver International Airport will be one of a handful of U.S. airports
that won't meet the Dec. 31 date for having in place a permanent system
for screening all luggage bound for the bellies of airplanes.  The plan
approved by TSA last month will provide in-line electronic scanning of
all bags.  The project won't be completed until next fall.  Until then,
DIA's bags will be checked for explosives at check-in counters and
curbside stations.  A limited number of bags will be put through
electronic scanners.  Source:,1299,DRMN_15_1612688,00

[return to top]

Gas and Oil Sector

4.      December 16, Houston Business Journal - Impact of Venezuela oil
strikes beginning to flow into Houston.  Political strikes in Venezuela
are bound to begin affecting U.S. oil imports, refinery operations and
fuel prices the longer the strikes go on, industry sources say.  As of
midweek, prospects for an early end to the political demonstrations that
have virtually shut down Venezuela's petroleum industry seemed bleak.
Oil tankers, which can take up to three days to fill, were backed up in
long lines at Venezuelan ports waiting for loading orders that did not
come.  Once loaded, it takes five days for the tankers to reach the
United States. Venezuela is an important supplier of crude oil to the
U.S. Gulf Coast refineries.  Many Gulf Coast refineries and
petrochemical plants have installed special equipment and processes in
order to use the heavy crude oil produced in Venezuela because it is
cheaper than the light crude that comes from other sources such as the
Middle East.  Source:

5.      December 16, BBC news - Oil refinery blaze 'biggest for years'.
A major fire at an oil refinery in Worcestershire (United Kingdom) has
been brought under control.  At the height of the fire, more than 130
firefighters from Hereford and Worcester, Warwickshire and West Midlands
fire brigades fought the flames at the building in Redditch.  Twenty
engines were called to the scene at Claymore Lubricants' factory at the
Washford Industrial Estate, Hemming Road.  The alarm was raised at 0430
GMT by residents who heard gas cylinders exploding.  At one point, thick
black smoke could be seen for miles.  The factory, which contained
chemicals, was closed when the fire broke out and no one is believed to
have been injured.  Source: 

[return to top]

Telecommunications Sector

Nothing to report.

[return to top]

Food Sector

Nothing to report.

[return to top]

Water Sector

6.      December 16, Channel News Asia - High-tech measures to keep
Singapore's water safe from terrorist threats.  Singapore's DSO National
Laboratories has come up with high-tech solutions to keep Singapore's
water supply safe from any bio-chemical terrorist threats.  It is also
collaborating with its U.S. counterparts to come up with faster and more
accurate devices that give real-time results and save lives.  Toxispy is
one of several water monitoring devices developed.  It uses bacteria to
detect toxins like lead, mercury, arsenic and even nerve and blister
agents in water samples.  Solid Phased Micro-Extraction (SPME) device
which detects and identifies bio-chem contaminants in water has also
been developed.  The technology involved in the device is part of a new
Singapore-U.S. partnership aimed at getting real-time results over the
next three years.  Besides the Toxispy and the automated SPME, the DSO
is also working on harnessing DNA technology to give more accurate
results when testing for viruses and bacteria in water.  Source:

7.      December 14, Caledonian Record (Vermont) - Officials searching
for cause of contamination.  Littleton, NH town officials are continuing
their search for the source of the high levels of E. coli bacteria in
water that is leaking from a town storm pipe into the Ammonoosuc River.
"The problem is we can't find the problem," said Assistant Town Manager
Jason Hoch as he described Littleton's old storm-pipe system, which is
difficult to search in a logical fashion.  For over two weeks town crews
have been testing different pipes below the street surface, looking for
traces of E. coli.  The leaking pipe was brought to the attention to the
town after scientists from the New Hampshire Department of Environmental
Services (DES) tested the water for E. coli.  The test showed that there
was an E. coli count of over 15,000 per milliliter of water.  The state
standards for this bacteria count, for waste water facility treatments,
is 406 counts per 100 milliliter.  Although the water leading to the
river is contaminated with E. coli, DES officials have not said the
river itself is contaminated, although they are concerned about the
problem.  Source: 

[return to top]

Chemical Sector

Nothing to report.

[return to top]

Emergency & Law Enforcement Sector

8.      December 16, Associated Press - FEMA director to step down in
March.  Joe M. Allbaugh, the no-nonsense member of President Bush's
"Iron Triangle" of advisers who orchestrated his presidential run, said
Monday he will step down in March as director of the Federal Emergency
Management Agency.  Allbaugh, 50, told Bush and White House chief of
staff Andrew Card last summer that he would be leaving his post after
the first of the year.  He officially tendered his resignation Monday
afternoon in a meeting with the president.  Allbaugh will leave March 1,
when FEMA is scheduled to fold into the new Department of Homeland
Security.  His deputy, Mike Brown, is expected to be a leading candidate
to replace Allbaugh as FEMA's chief.  Source: 

[return to top]

Government Operations Sector

9.      December 16, Washington Post - Cleanup agent being cleared out
at D.C. postal plant.  The pumping of chlorine dioxide gas into the
Brentwood. postal facility to kill anthrax spores was completed 12 hours
ahead of schedule yesterday, Postal Service authorities said.  The gas
was being sucked back out of the sealed Northeast Washington building
and converted, through chemical treatments, into harmless saltwater.
Thousands of samples will be taken from the building over the next
several weeks and tested, a Postal Service spokesman said.  An
independent committee of scientists will review the results.  If the
committee finds no trace of anthrax, it could give a green light for the
postal facility to reopen in April.  Source: 

10.     December 12, Federal Computer Week - INS sets date for student
data.  The Immigration and Naturalization Service (INS) has issued a
final rule requiring colleges and universities to begin reporting
information about foreign students electronically on Jan. 30, 2003.  The
program is part of the Student and Exchange Visitor Information System
(SEVIS) that is being implemented to keep track of foreign students who
receive visas to study in the United States.  SEVIS establishes an
electronic reporting process to document a student's status.  The system
is considered an important part of the effort to improve homeland
security by keeping better track of foreign students.  In publishing the
final rule Dec. 10, INS noted that many colleges and universities
complained that complying with the rule would require time and money.
But INS said the Jan. 30 compliance date could be met with little cost
to the schools.  Source:  INS
press release:

[return to top]

Information Technology Sector

Nothing to report.

[return to top]

Cyber Threats and Vulnerabilities

11.     December 16, CERT/CC - Advisory CA-2002-36 Multiple
Vulnerabilities in SSH Implementations.  Multiple vendors'
implementations of the secure shell (SSH) transport layer protocol
contain vulnerabilities that could allow a remote attacker to execute
arbitrary code with the privileges of the SSH process or cause a denial
of service.  The vulnerabilities affect SSH clients and servers, and
they occur before user authentication takes place.  Rapid7 has developed
a suite (SSHredder) of test cases that examine the connection
initialization, key exchange, and negotiation phase (KEX, KEXINIT) of
the SSH transport layer protocol.  The test suite has demonstrated a
number of vulnerabilities in different vendors' SSH products.  These
vulnerabilities include buffer overflows, and they occur before any user
authentication takes place.  SSHredder was primarily designed to test
key exchange and other processes that are specific to version 2 of the
SSH protocol; however, certain classes of tests are also applicable to
version 1.  The impact will vary for different vulnerabilities and
products, but in severe cases, remote attackers could execute arbitrary
code with the privileges of the SSH process.  Both SSH servers and
clients are affected, since both implement the SSH transport layer
protocol.   Affected users should apply the appropriate patch or upgrade
as specified by your vendor.  Source: 

12.     December 16, The Register - Home user insecurity spurs email
virus growth in 2002.  The ratio of viruses to legitimate emails has
increased over the course of this year.  According to a review of 2002
by managed services firm MessageLabs, the ratio of viruses to clean
emails is now one in 202, compared to one every 380 emails last year.
According to MessageLabs' report (compiled for the year to December 14),
the top five most active viruses in 2002 were Klez.H (with 4,918,018
copies), Yaha.E (1,096,683), Bugbear.A (842,333), Klez.E (380,937) and
last year's worst SirCam.A with 309,832.  According to MessageLabs,
viruses have become less of a problem for businesses this year as
administrators are becoming more aware of the steps they need to take to
prevent virus outbreaks.  For home users the picture is different.  Many
consumers still do not have any protection in place and so easily become
infected with viruses like Klez, which are harder to spot and trace.  As
a result, a higher percentage of viral messages can be traced back to
home users.  Industry sectors which deal with consumers, such as the
retail, leisure and entertainment industries, are also becoming more at
risk from infection.  During the year, MessageLabs has also noticed a
marked increase in crackers emailing Trojans in direct attacks against
users.  Although these attacks are numerically relatively small, they do
represent a disturbing trend in the war against malware.  Source: 

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems 
AlertCon: 1 out of 4

Security Focus ThreatCon: 1 out of 4

Last Changed:  26 November 2002 Last Changed: 17 December 2002
Current Virus and Port Attacks
Virus:  #1 Virus in USA:   WORM_KLEZ.H
Source:, Trend World Micro Virus
Tracking Center [Infected Computers, North America, Past 24 hours, #1 in
United States]
Top 10 Target Ports     137(netbios-ns); 80(http); 1433(ms-sql-s);
445(microsoft-ds); 21(ftp); 4662; 68(bootpc); 1080(socks); 113(auth);
Source:; Internet Storm Center

[return to top]

General Information

13.     December 16, San Antonio Express-News (Texas) - Resistant
bacteria spur concerns.  Outbreaks of a common skin infection are
becoming more common and occasionally life-threatening as the bacteria
develop resistance to common antibiotics.  The bug is called
methicillin-resistant staphylococcus aureus, or MRSA.  Doctors often see
bacteria that are resistant to common antibiotics in hospitals.  What is
new is that it now is striking healthy people who haven't been in the
hospital or around anyone who has been in the hospital.  The behavior of
this infection is not unexpected, said Dr. Edwin Charlebois, an
associate professor of medicine at University of California at San
Francisco.  "It's like when penicillin was introduced in hospitals," he
said.  "It didn't take long to see penicillin-resistance."  When about
50 percent of the bacteria in the hospital were resistant to penicillin,
the resistant bacteria appeared in the community, he added.  Now, about
50 percent of MRSA cases in hospitals are resistant to the next line of
antibiotics.   Source: 

14.     December 15, Concord Monitor (New Hampshire) - Fighting
terrorism from the ground up.  New Hampshire has received nearly
$200,000 in counter-terrorism money from the U.S. Department of
Agriculture in recent weeks to protect itself against such acts as the
stealthy deposit of pestiferous bugs.  About $120,000 will pay for
hiring an entomologist and an assistant to search for the Asian
long-horned beetle, emerald ash borer, day lily rust, and a variety of
other dangerous plant pests and diseases.  Another $63,000 will pay for
expanding the state's diagnostic lab, mapping the state's farms, and
training large-animal veterinarians around the state to spot foreign
animal diseases that can afflict humans, according to the state
veterinarian, Dr. Steve McGinnis.  Source: 

[return to top]

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security and professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to