National Infrastructure Protection Center
NIPC Daily Open Source Report for 18 December 2002

Daily Overview

.       CERT has received reports of increased scanning of port 445.
This may be evidence of the propagation of a worm known as W32/Lioten.
(See item 15)

.       Infoworld reported a security vulnerability in the Macromedia
Flash player which can allow an attacker to gain control over a user's
PC; a new Flash Player version without the vulnerability is available
from Macromedia.  (See item 16) 

.       ABC News reports the Oak Ridge National Laboratory in Tennessee
is proposing "Sensor Net", a national defense system that would put
biological, radiological and chemical weapons detectors at existing
cell-phone towers across the United States.  (See item 21)


Power Sector

1.      December 17, Reuters - American Electric Power seeks to sell
Texas power plants.  American Electric Power (AEP) said Tuesday that its
Central Power and Light (CPL) subsidiary filed a plan with the Texas
utility regulator to sell all of its power plants in the state.  AEP of
Columbus, Ohio, told the Public Utility Commission of Texas that it
wanted to sell the plants in order to capture stranded costs, which is
the amount the book value exceeds the market value of the assets.  The
plants include eight gas plants, two coal plants, one hydro facility,
and a stake in the South Texas nuclear project.  AEP, like many U.S.
energy traders, has cut back on its merchant power trading this year to
concentrate on the sale of electricity generated at its plants and its
power distribution subsidiaries.  The sale does not include power plants
owned by other AEP subsidiaries in Texas - West Texas Utilities or
Southwestern Electric Power Co. - since AEP is not seeking stranded cost
recovery for those assets.  AEP, one of the biggest power marketers in
North America, owns more than 42,000 megawatts of generating capacity in
the U.S. and around the world and distributes power to more than 5
million customers in 11 U.S. states.  Source:

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]


Banking and Finance Sector

2.      December 17, New York Times - Effort to cut off al-Qaeda funds
hits snags.  The United Nations group formed to stop the flow of funds
to al-Qaeda has concluded that serious problems in international efforts
to track the terrorist network's finances have left it "still able to
receive money," according to a report circulated here today.  In the
report Michael Chandler, who heads the monitoring group, says a
continuing lack of intelligence-sharing and cooperation between
governments means that al-Qaeda operatives can still move across borders
and get financial support.  Al-Qaeda is still receiving money through
front groups disguised as charities, the report finds; it adds that the
group has begun to rely more heavily on "local funding sources" to avoid
sending money through banks and other more strictly regulated
institutions.  Source: 

3.      December 12, Wall Street & Technology - To Catch a Thief: The
Patriot Act has firms investigating how technology can help prevent them
from being a clearing house for criminals.  For financial-services
firms, meeting the act's requirements will be a huge challenge in 2003,
because, on top of developing a program, many will have to select and
install a comprehensive anti-money laundering (AML) software solution.
"I think the major challenge is implementing the capability to monitor
transactions, to keep track of what their customers are doing across all
of their business lines," says Neil Katkov, the Celent Communications
analyst who authored the firm's Sept. 2002 report on AML.  The
securities and investment firms facing the most difficult AML challenge,
he says, are hedge funds and "the private client part of investment
banks."  The private-client divisions of banks face an uphill battle
monitoring and analyzing funds, says Katkov, because "a lot of what they
do involves offshore banking, tax sheltering and overseas trading."


Transportation Sector

4.      December 17, Associated Press - Australia to post sky marshals
on some flights to Singapore.  Australia will soon post sky marshals on
flights to Singapore under an agreement being negotiated between the two
countries, and hopes for a similar deal with Indonesia, the government
said Tuesday.  Justice Minister Chris Ellison said Singapore's home
affairs minister agreed to the plan during a meeting Monday in the
city-state.  Once details are worked out, Australia will begin placing
air security officers on some of the 4,000 flights each year by flag
carrier Qantas, Ellison said.  Source:

5.      December 17, Washington Post - 'Smart' traffic system a failure.
A high-tech phone service launched six years ago to give Washington, DC
area motorists personally tailored traffic reports will fold today.
Local governments spent $8 million on SmarTraveler, calling it an
essential public service in a region plagued by traffic jams.  The money
was supposed to cover start-up costs until the private operator could
turn a profit.  Five other areas also invested millions in SmarTraveler,
but all have abandoned it as a profit-making venture.  Those that still
use it, including Boston and Florida, pay for it.  The financial
collapse of SmarTraveler in the capital region highlights the data gap
that has made delivering complete real-time traffic information more
difficult than anticipated 10 years ago.  The information provided often
did not keep pace with motorists' demand for detailed, up-to-the-minute
traffic reports, experts said.  Local and state governments, they say,
have not installed enough roadside cameras, in-road vehicle speed
sensors, coordinated computer databases and other high-tech tools needed
to make real-time traffic reports widespread and reliable.  That is a
national concern, because states and cities are working on implementing
511, a phone service akin to 911 that would give up-to-the-minute local
traffic information when dialed anywhere in the country.  Some of the
problems SmarTraveler encountered must be solved before 511 will work,
transportation experts say.  Source: 


Gas and Oil Sector

6.      December 17, New York Times - Oil prices rise rapidly.  Oil
prices shot to their highest level in two months yesterday as traders
grappled with the severity of reduced crude oil supplies caused by
strikes in Venezuela, the world's fifth-largest oil exporter.  The price
of crude oil for January delivery rose $1.66, to $30.10 a barrel, on the
New York Mercantile Exchange, an increase of 5.8 percent.  It was the
biggest single-day gain since January. Oil prices are now up more than
50 percent from those a year earlier.  Oil selling for $30 a barrel does
not threaten a return to recession, economists said, but "it is
certainly enough to forestall a more sustained recovery in the economy
when the recovery is still very tepid," said Mark Zandi, chief economist
at, a consulting firm in West Chester, PA.  Prices at $35 to
$40 a barrel are much more of a threat, economists said.  While that may
seem far-fetched now, continuing conflict in Venezuela could combine
with war in Iraq to disturb oil supplies so profoundly that even OPEC
would lack the spare production capacity to make up for shortfalls,
industry experts warned.  Source: 

7.      December 17, BBC News - Venezuela crisis may affect US war
plans.  The continuing strike in the Venezuelan oil industry could have
an impact on preparations for a U.S.-led war in Iraq.  Humberto Calderon
Berti, a former Energy Minister and senior official of Venezuela's state
oil firm, has said he does not think the U.S. will make a decision to
proceed until the crisis in his country is resolved.  The U.S. does have
a large strategic reserve it can draw on and has recently been adding to
it as an insurance against war-related disruptions.  The U.S.
administration could almost certainly go to war at a time when both
Venezuela and Middle Eastern supplies were unreliable.  But it would
surely prefer not to.  Source:

8.      December 16, Platts Global Energy - California gas demand to
grow 2%/year through 2012: CEC.  Natural gas demand in California will
grow about 2% annually between 2002 and 2012, according to a report last
week by the staff of the California Energy Commission.  And to
accommodate that growth, interstate pipeline infrastructure to gas
supplies in the US Southwest, Rocky Mountains and Canada needs to be
expanded, the report asserted.  Within California, the infrastructure of
utility Pacific Gas and Electric likely will need expanding between 2007
and 2012, according to CEC staff, which said Southern California Gas
appears to have sufficient capacity through 2012.  Over the next decade,
the US Southwest will remain California's main supplier of gas, the
report said.  But the state is expected to shift its supply base
somewhat due to lower gas prices in the Rocky Mountain region and in
Canada. Source: 


Telecommunications Sector

9.      December 17, New York Times - Limits sought on wireless Internet
access.  The Defense Department, arguing that an increasingly popular
form of wireless Internet access could interfere with military radar, is
seeking new limits on the technology.  Industry executives met last week
with Defense Department officials to try to discuss the initiative,
which includes a government proposal now before the global overseer of
radio frequencies.  Military officials say the technical restrictions
they are seeking are necessary for national security.  They are asking
the American industry, and companies in other countries, to create and
install even more sensitive versions of dynamic frequency selection -
something that the companies say may cause the technology to operate
incorrectly.  Although industry executives acknowledge that high-speed
wireless Internet access will soon crowd the radio frequencies used by
the military, they say new types of frequency spectrum sharing
techniques could keep civilian users from interfering with radar
systems.  An estimated 16 million WiFi-enabled computers and other
devices are already in use in this country and overseas.  Source.


Food Sector

Nothing to report.


Water Sector

10.     December 16, Water Tech Online - Water security pilot programs
get federal funding.  The U.S. Environmental Protection Agency (EPA) has
allocated $500,000 to create a pilot project that will provide system
operators with real-time information about the safety and quality of
their water supplies.  The funds were awarded to the United States
Geological Survey (USGS), which will purchase and set up the monitoring
equipment for the pilot project at one or two yet-to-be-chosen drinking
water systems in New Jersey, the EPA said in a news release.  In order
to expedite the real-time monitoring pilot, EPA is working with USGS and
the Rutgers University Center for Information, Integration and
Connectivity to create a Regional Drinking Water Safety and Security
Consortium, officials said.  The lessons learned from this pilot project
will enable water-supply operators across the country to set up similar
systems, officials said.  Source:  


Chemical Sector

Nothing to report.


Emergency & Law Enforcement Sector

Nothing to report.


Government Operations Sector

11.     December 17, Associated Press - New U.S. rules put on Saudi,
Pakistani men.  The latest registration notice affects males from Saudi
Arabia and Pakistan who are age 16 or older and entered the United
States on or before Sept. 30, 2002.  If they plan to stay in the United
States into late February, they will have until Feb. 21, 2003, to
register and provide documentation to the Immigration and Naturalization
Service about their visit.  The announcement coincides with a deadline
yesterday for registration for a similar program affecting men from
Iraq, Iran, Libya, Sudan and Syria.  Men from Afghanistan, Algeria,
Bahrain, Eritrea, Lebanon, Morocco, North Korea, Oman, Qatar, Somalia,
Tunisia, the United Arab Emirates and Yemen face a registration deadline
of Jan. 10.  Source: 

12.     December 17, Washington Post - Crews begin anthrax cleanup of
State Dept. mail site in N. Virginia.  Technicians have begun gutting
the State Department's diplomatic mail facility in Northern Virginia,
launching an arduous decontamination effort more than a year after a
terrorist mailing sickened a sorting contractor with the inhaled form of
anthrax.  Workers will use everything from industrial-grade vacuums and
circular saws to soapy water and in their efforts to clean out and
reinhabit the 75,000-square-foot facility in Sterling, federal officials
said yesterday as they outlined decontamination plans to Loudoun County
supervisors.  Until October 2001, diplomatic pouches, packages and
letters to U.S. embassies and consulates around the world had passed
through the building.  Federal authorities said they hope to scour,
remodel and their complex by 2004.  They sought yesterday to allay any
concerns that their complicated cleanup 500 feet from a suburban
subdivision could pose a threat to residents.  Source: 

13.     December 17, Washington Post - President Bush Tuesday ordered
the military to begin deploying a national missile defense system by
2004.  Defense officials, who asked not to be identified, said Bush was
going ahead with an ambitious schedule to field 10 ground-based
interceptors at Fort Greeley, Alaska, by 2004 and an additional 10
interceptors by 2005 or 2006.  Another Bush administration official said
that the interceptors could also possibly be deployed at Vandenberg Air
Force base in California.  Bush and Defense Secretary Donald Rumsfeld
have stressed that the proliferation of weapons of mass destruction and
missile technology has sharply increased the need for such a defense
against attack from "rogue states" such as Iran, Iraq and North Korea.


Information Technology Sector

14.     December 17, - Businesses to discuss cybercrime
charter.  Members of the United Kingdom blue chip user organization The
Infrastructure Forum (Tif) will get their first chance to examine in
detail the cybercrime confidentiality charter drawn up by the National
Hi-Tech Crime Unit (NHTCU).  The charter, designed to encourage
businesses to report hacker attacks by minimizing the disruption of an
investigation and keeping the information out of the media, was unveiled
by the British police earlier this month.  The chief executive of Tif,
David Roberts, told the charter was a positive move towards
getting companies to report cybercrime.  "It's a necessary thing to be
able to do because organizations are not going to freely disclose
information unless they know it is not going to be used in a way that
will get into the public [domain]," Roberts said.  Security is still the
dominant issue for users, according to Roberts.  Source.


Cyber Threats and Vulnerabilities

15.     December 17, CERT/CC - W32/Lioten.  The CERT/CC has received
reports of increased scanning destined to port 445/tcp.  Several reports
have indicated that this is evidence of propagation of a worm known as
W32/Lioten. Systems involved in this activity have been discovered to
contain an artifact named Iraqi_oil.exe.  At this time, it appears that
it may affect at least Windows 2000 and Windows XP systems.  For more
information, please see CERT Incident Note IN-2002-06, which is
available at  The
CERT/CC is interested in receiving reports of this activity.  If you
experience such activity or have more information, please send mail to
[EMAIL PROTECTED] with the following text included in the subject line:
"[CERT#38858]".  Source: 

16.     December 17, InfoWorld - Macromedia patches security hole in
Flash software.  A security vulnerability in the widely used Macromedia
Flash player can allow an attacker to gain control over a user's PC,
eEye Digital Security warned Monday.  A specially formatted Flash file
can cause a header overflow in the Flash software, potentially giving an
attacker control over a PC, eEye said in a security advisory.
Exploiting an overflow flaw generally allows attackers to load malicious
code onto a victim's system and to run that code.  The vulnerability is
serious because Flash is widely used on various operating systems and
because vulnerable versions of the software are delivered as part of
many software packages, said eEye.  Affected are all versions of the
Macromedia Flash Player prior to Version, which was released
late last week to fix the issue, Macromedia said.  All users are advised
to upgrade to the new version.  The eEye advisory is available at Source:

17.     December 16, Newsfactor Network - Microsoft changes its flaw
severity rating system.  Last month, when a gaping security hole was
found in Internet Explorer that could allow a hacker to take control of
a user's hard drive, Microsoft initially labeled the flaw's severity
"moderate."  Soon afterward, Microsoft's "moderate" rating decision came
under attack by the tech community, led by postings to the Bugtraq
mailing list.  On December 6th, Microsoft issued a follow-up patch to
the original fix, this time listing the flaw as "critical."  Just last
month, Microsoft altered the way it rates security threats by adding an
"important" rating between "moderate" and "critical."  According to this
new system, the IE bugs in question initially rated lower on the
severity scale than they would have a month earlier.  Such ratings are
often decisive factors in determining whether -- and when -- an
organization chooses to implement a patch, according to Julie Giera of
Giga Information Group.  When making a severity rating, "the vendor
usually looks at the severity of the problem and the size of the
customer audience that it would affect," she said.  For smaller
organizations, the rating may be one of the only factors used to
distinguish between patches that must be deployed and others that need
not be.  Although they consume an IT department's time and resources to
test and deploy, patches are among the best responses to threats.  A
recent Gartner study shows that through 2005, 90 percent of all
cyberattacks will involve known vulnerabilities for which a patch or
solution already exists.  Source.

Internet Alert Dashboard
Current Alert Levels

Internet Security Systems AlertCon: 1 out of 4
Last Changed: 26 November 2002

Security Focus ThreatCon: 2 out of 4
Last Changed: 17 December 2002

Current Virus and Port Attacks

Virus:  #1 Virus in USA: WORM_KLEZ.H
Source: Trend Micro World Virus Tracking Center [Infected Computers,
North America, Past 24 hours, #1 in United States]

Top 10 Target Ports:  137 (netbios-ns); 80 (http); 1433 (ms-sql-s);
53 (domain); 139 (netbios-ssn); 445 (microsoft-ds); 27374 (asp); 135;
4662; 21 (ftp)
Source: Internet Storm Center


General Information

18.     December 17, New York Times - Ottawa, justifying Algerian's
arrest, says al-Qaeda is operating in Canada.  The assessment, by the
Canadian Security and Intelligence Service, was contained in court
documents released in connection with the detention of an Algerian
immigrant suspected of ties to senior al-Qaeda members, including Abu
Zubaydah, a lieutenant of Osama bin Laden, the group's leader.  Zubaydah
is being held at an undisclosed location by American authorities.  The
Algerian, Mohammed Harkat, 34, of Ottawa, was described in the documents
as a member of al-Qaeda whose ties to Zubaydah date to the early 1990's.
Harkat was taken into custody last week and faces deportation.  In its
brief to the federal court in Ottawa, the intelligence service said bin
Laden's supporters and network "have the capability and conviction to
provide support for terrorist activities in North America."  Source: 

19.     December 17, United Press International - France foils possible
terror attack.  Three men arrested in the Paris region may have been
plotting a biological or chemical attack, France's Interior Minister
said Tuesday.  "This is not a small affair," Interior Minister Nicolas
Sarkozy told the National Assembly.  "This is serious.  When one finds
people who have this material we do well to arrest them."  Police seized
empty containers, vials of suspicious-looking fluids and powders and an
outfit designed for protection against chemical and biological risks,
Sarkozy said, adding that at least $5,000 in cash and false documents
were also found during Monday's police raid in the Paris suburb of
Seine-Saint-Denis.  If the tests identify chemical or biological
elements, the results would confirm European fears that attacks would
take more deadly forms seen with biological or chemical weapons.

20.     December 17, New York Times - Universities destroy biological
agents.  As federal officials search for more powerful tools to
investigate biological terrorism, universities across the country are
destroying collections of laboratory agents crucial for understanding
how biological weapons work and tracing their sources.  New federal laws
require only that such biological materials be registered, but many
universities are pressing researchers to clean out their freezers and
destroy materials they are not currently working on.  While there is no
official count of how many biological specimens have been destroyed,
concern that laboratories have gone overboard prompted the White House
to ask institutions, through the American Society of Microbiologists, to
reconsider their haste in doing away with specimens that could prove
"difficult or impossible to replace," said Rachel Levinson, of the White
House Office on Science and Technology Policy.  Source: 

21.     December 16, ABC News - Lab develops new ways to identify and
fight terrorist attacks.  The Oak Ridge National Laboratory in Tennessee
is pursuing Sensor Net, a national defense system based on the existing
network of some 30,000 cell-phone towers across the United States.  The
plan is to put biological, radiological and chemical weapons detectors
at hundreds, maybe even thousands, of cell-phone towers.  They would be
linked by small computers that would not only send out a nationwide
alarm to law enforcement, but would compute how a weapons-plume would
spread and send that information out to local emergency crews.  Both the
U.S. Department of Energy and the National Oceanic and Atmospheric
Administration are funding Sensor Net research, and are enthusiastic
about its possibilities.  Source:


NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site (, one can quickly access any of the
following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.
