National Infrastructure Protection Center
NIPC Daily Open Source Report for 20 December 2002

Daily Overview

.       CERT has released Advisory CA-2002-37: "Buffer Overflow in
Microsoft Windows Shell."  (See item 20)

.       Foundstone reports a buffer overflow exists in Microsoft
Internet Explorer's automatic reading of MP3 or WMA file attributes in
Windows XP; a malicious file placed in an accessed folder would
compromise the system and allow for remote code execution.  (See item 21)

.       The Associated Press reports Virginia State Police are
investigating a report of suspicious behavior by a group of people
aboard a state-operated car ferry near a nuclear-power plant in Surry
County.  (See item 4)

.       The Associated Press reports Venezuela's Supreme Court has
ordered a temporary halt to an oil industry strike while it considers
the legality of the work stoppage, which entered its 18th day Thursday.
(See item 10)

Power Sector

1.      December 17, Albuquerque Journal - Energy rule may raise rates.
State regulators to vote on policy that pushes utilities to use
renewable resources.  New Mexico regulators are expected to approve a
sweeping new energy rule today that will force the state's four major
public utilities to invest hundreds of millions of dollars in
alternative power sources.  The rule, almost two years in the making,
will order utilities to derive at least 10 percent of their energy from
wind, geothermal, biomass, hydro or solar sources by 2011.  Biomass is
the burning of waste, such as materials from forest thinning.  A dozen
other states have approved such a mandate.  Public Regulation Commission
members say the rule is one of their most important decisions in recent
years.  Proponents, including environmentalists and many ranchers, say
it will help reduce dependence on natural gas and coal-fired plants and
will stimulate economic development in rural areas.  But utilities say
it will increase rates.  The rule will allow utilities to recoup costs
through green tariffs, charging the customers who choose alternative
energy more to buy it.  Utilities say this will recover only a fraction
of the investment costs and ratepayers will shoulder the bulk of the
extra costs.  The four utilities (Public Service Company of New Mexico,
El Paso Electric, Texas New Mexico Power and Xcel Energy) favor a
voluntary program over a mandatory one. But the PRC has made it clear it
wants a mandatory program.  Source:

2.      December 18, Reuters - FERC clears two banks to trade power.
The Federal Energy Regulatory Commission on Wednesday cleared away a
final obstacle for two banks to trade wholesale electricity in the
battered U.S. power market.  FERC commissioners voted to allow Bank of
America Corp. and Switzerland's UBS AG to continue acquiring securities
of U.S. publicly-traded utilities as part of their investment banking
businesses.  Both companies had sought assurances from FERC that they
could carry on their investment banking activities while separate units
traded wholesale power.  The FERC order limits the banks to holding 1
percent or less of a public utility's voting class stock, and requires
them to make quarterly reports to the agency.  Source:

3.      December 18, Reuters - U.S. power supply adequate in 2003
despite cutbacks.  U.S. electricity supply is more than adequate for
next year despite a growing number of cancellations or delays of new
power plants, industry experts say.  Power companies -- including Duke
Energy Corp. and NRG Energy Inc., a unit of utility Xcel Energy Inc. --
have already canceled or delayed construction of 164,000 megawatts of
power generation capacity this year, more than double the year before,
according to energy information provider Platts, a division of
McGraw-Hill Cos.  The cutbacks are the result of low electric wholesale
prices and a credit crunch that has forced companies to slash capital
spending, sell assets and restructure debt.  Next year is likely to
bring closings of older, inefficient plants and industry consolidation
as weaker, unregulated energy companies are bought by stronger ones,
experts said in recent interviews.  "In the near term, capacity is more
than adequate nationwide," said Steve Piper, senior consultant at
Platts.  The oversupply stems from a building splurge in the late 1990s
when companies that sell power plunged into new deregulated markets,
Piper said.  Source:

Current Electricity Sector Threat Alert Levels:  Physical: ELEVATED,
Scale:  Low, Guarded, Elevated, High, Severe   [Source: ISAC for the
Electricity Sector (ES-ISAC) -]

Banking and Finance Sector

4.      December 19, Associated Press - 12 linked to Iraq
money-laundering plan.  A federal grand jury indicted 12 people on
money-laundering charges for allegedly helping to funnel more than $12
million to Iraq in violation of sanctions imposed during the first Bush
administration.  The indictment, unsealed Thursday, alleges that between
April 2000 and January 2002, a ring of people throughout the United
States collected money and sent it to a company called Alshafei Family
Connect, based in the Seattle suburb Edmonds.  The company, owned and
operated by Hussein Alshafei, an Iraqi native and naturalized U.S.
citizen, then shipped the money to London and other overseas cities and
eventually to Iraq, the indictment alleges.  The indictment includes one
count of conspiracy to launder money and 34 counts of money laundering.
It charges people in Dallas, Phoenix, St. Louis, Nashville, Tenn.,
Roanoke, Va., London, Jordan, the United Arab Emirates and Iraq.

Transportation Sector

5.      December 19, Associated Press - Ferry incident deemed
suspicious.  Virginia State Police are investigating a report of
suspicious behavior by a group of people aboard a state-operated car
ferry near a nuclear-power plant in Surry County.  The Virginia
Department of Transportation, which operates the ferry, reported the
incident to state police, said Erin Gregg, a VDOT spokeswoman.  "There
was an incident on Sunday in which people were asking questions that our
crews deemed most unusual," Gregg said Wednesday.  She declined to
provide any details.  The Smithfield Times reported Wednesday that four
people traveling Sunday on the ferry that crosses the James River from
Jamestown to Scotland appeared to be measuring the boat and asked crew
members about procedures that would be followed in a hijacking.  The
newspaper, citing police reports, said two members of the group also
asked crew members about the depth of the water at the power plant -
which is a few miles downriver from the ferry landing at Scotland - and
the size of the security force there.  Source: 

6.      December 19, Transportation Security Administration - TSA
updates new guidelines for passengers checking baggage.  On Thursday,
Under Secretary of Transportation for Security Adm. James M. Loy updated
Transportation Security Administration (TSA) guidelines for checking
baggage, saying they are important to having secure and enjoyable
holiday air travel.  Adm. Loy also urged passengers to leave their
checked bags unlocked, which will avoid the potential need to forcibly
open bags that require physical inspection.  Adm. Loy asked passengers
not to pack food or beverages in checked bags and to pack footwear on
top of other contents.  Passengers also were warned against putting film
in checked bags, because screening equipment will damage it, and to
leave gifts unwrapped should screening require them to be opened.
Scissors, pocket knives and other sharp items should go in checked bags
and never be carried on.  The TSA has developed bag search plans with
each of the
nation's airports.  Besides the large EDS machines, screening will be
done using congressionally approved methods including explosives trace
detector machines, explosives-sniffing dogs, passenger-bag matching and
hand searches.  Source:

7.      December 19, Associated Press - Security cuts tourism in U.S.
Travel executives say the nation's $91 billion foreign tourism industry
is in peril because of a growing perception overseas that the United
States has become overly security conscious.  In the year after the
terrorist attacks in New York and Washington, 66 million fewer visitors
tried to enter the United States, according to Immigration and
Naturalization Service figures.  And those who did try were sent back
home at a higher rate than the year before.  Travel industry executives
complain that the post-Sept. 11 security crackdown at airports -
especially some widely publicized incidents in which visitors were
searched, interrogated, and put on a plane back home - has discouraged
tourism.  INS officials recognize the concerns, but say their first
priority is to secure all borders.  Source:

8.      December 19, CNN - United Kingdom approves armed air marshals.
The British government has given the go-ahead for armed air marshals on
British passenger planes.  The announcement came a day after a senior UK
government official warned there was a "high probability" that
international terrorists would sooner or later launch an attack on the
UK - with aviation the most likely target.  Transport Secretary Alistair
Darling said on Thursday the capability now existed "to place covert,
specially-trained armed police officers aboard UK civil aircraft."  The
Department for Transport, which is responsible for overseeing the
national aviation program, would not say what flights the marshals would
operate on or what arms they would carry.  Source: 

9.      December 18, USA Today - Air marshals charge new policies could
endanger passengers.  Confidential documents obtained by USA Today and
interviews with nearly three dozen former air marshals from 11 regional
offices raise questions about whether program officials may be
compromising security as they try to put marshals aboard as many flights
as possible.  Despite policies that require at least two marshals on
each assigned flight, marshals in the New York field office were told
they would have to fly alone if their partners call in sick, documents
show.  Aviation security analysts contend putting lone marshals on
flights might enable a group of unarmed hijackers to take a gun from a
marshal, a possibility that would leave passengers more vulnerable than
if no marshal were aboard.  In addition, marshals must accept any seat
an airline offers, "even if your assigned seat is not 'tactically'
sound," a memo sent Nov. 22 by managers to marshals in New York says.
Such a policy contradicts the program's standard operating procedures.
Those rules call for marshals to have unobstructed access to the jet's
aisle and, preferably, to sit near the cockpit to protect it from
hijackers.  Even if they believe their cover has been blown before a
flight, marshals in the Atlanta field office have been told they must
continue with their missions.  Marshals say that could leave them - and
passengers - vulnerable to attack because an unarmed terrorist might
then be able to gain access to a weapon.  Source: 

Gas and Oil Sector

10.     December 19, Associated Press - Court orders halt to Venezuela
oil strike.  Venezuela's Supreme Court ordered a temporary halt to an
oil industry strike while it considers the legality of the work
stoppage, which entered its 18th day Thursday.  The Supreme Court said
it was considering a motion filed by an executive with the state-owned
oil monopoly asking the justices to declare the strike illegal.  The
court said it will hear arguments on the motion within four days.  In
the meantime, it ordered striking oil employees and executives to resume
work.  There was no immediate reaction from dissident executives at the
oil company, which employs 40,000 people.  But a spokesman for striking
workers, Alfredo Gomez, told Dow Jones Newswires they will ignore the
court order.  Source:

11.     December 18, Business Wire - FERC Grants Dynegy Preliminary
Approval for Hackberry LNG Terminal.  The Federal Energy Regulatory
Commission (FERC) made a preliminary determination, approving Hackberry
LNG Terminal LLC's certificate application for its proposed Hackberry,
La.  Liquefied Natural Gas (LNG) Terminal/Gasification project. Dynegy
announced plans to construct the Hackberry Terminal in July 2001.  The
planned facility will be located on the company's existing liquefied
petroleum gas (LPG) terminal in Hackberry, La. and will be capable of
receiving and processing 1.5 billion cubic feet per day (Bcf/day).

12.     December 18, PRNewswire - CMS Trunkline LNG Company Receives
Federal Approval to expand LNG terminal.  CMS Energy Corporation's
liquefied natural gas (LNG) unit received approval today from the
Federal Energy Regulatory Commission (FERC) to expand its Lake Charles,
LA, LNG terminal, the largest operating LNG terminal in the country.
CMS Trunkline LNG Company plans to expand the facility to approximately
1.2 billion cubic feet per day of send out capacity, up
from its current send out capacity of 630 million cubic feet per day.
The company also plans to expand the terminal's storage capacity to 9
billion cubic feet from its current storage capacity of 6.3 billion
cubic feet.  This expansion is supported by a long-term contract with BG
LNG Services, Inc., a subsidiary of BG Group of the United Kingdom.

Telecommunications Sector

Nothing to report.

Food Sector

13.     December 19, Grand Island Independent (Nebraska) - Nebraska
prepared for bioterrorism.  Preparations to protect Nebraska's $9
billion annual agricultural industry from bioterrorist attacks and the
introduction of foreign animal diseases were well in place before
President Bush signed the Homeland Security Act last month, Lt. Gov.
Dave Heineman said.  Prior to the terrorist attacks on Sept. 11, 2001,
Heineman said, Nebraska had already begun to develop a comprehensive
response plan.  The goal was to protect the state's livestock industry
from potential outbreaks of foreign animal diseases, such as mad-cow
disease or foot-and-mouth disease.  Greg Ibach, deputy director of the
Nebraska Department of Agriculture and coordinator of that department's
responsibility in homeland security, said the state has developed a
contagious animal disease health plan.  After 9-11, Ibach said, the
state continued to fine-tune its response in case of a bioterrorist
attack or the outbreak of a foreign animal disease by further defining
the chain of command.  Source: 

14.     December 19, AgWeb News - California declares state of emergency
in Mexican fruit fly infestation.  Governor Gray Davis has declared a
state of emergency in the fight against a Mexican fruit fly infestation
in San Diego, CA.  The current area of infestation in Northern San Diego
County grows an estimated $75 million worth of crops annually.  Left
unchecked, the Mexican fruit fly could infest the entire state of
California.  The estimated impact to the state economy for such an
infestation would range from $750 million to $2 billion annually,
including the loss of jobs in both rural and urban communities and lost
trading opportunities.  The emergency declaration will enable state
agencies to pool resources and work cooperatively with the California
Department of Food and Agriculture (CDFA) in addressing the response to
the infestation.  Source:

Water Sector

Nothing to report.

Chemical Sector

15.     December 19, U.S. Chemical Safety and Hazard Investigation Board
- Powerful explosion kills 4 in Pakistan.  A powerful explosion ripped
through a chemical storage warehouse in the southern port city of
Karachi on Thursday killing four people, police said.  It was not clear
what caused the explosion.  The dead all worked or lived in the
single-story building, which was used both as a residence and as a
storage area rented out by a pharmaceutical company, said police
spokesman Javed Baluch.  One of the victims was a woman, he said.
Firefighters used front-end loaders and drills to dig through the debris
to unearth the bodies.  The surrounding Korangi neighborhood, located in
the east of the city, was cordoned off during the excavation, but no
evacuation was ordered.  A strong, pungent odor hung over the area, but
firefighter Israr Ahmad said it was still not known what kind of
chemical was being stored in the warehouse.  Police said they were
questioning some of the employees of the pharmaceutical firm to find
out.  Source: 

Emergency Law Enforcement Sector

16.     December 19, Reuters - EU, U.S. to swap details on crime, terror
suspects.  European Union justice ministers endorsed on Thursday a
landmark deal which will allow the EU's law enforcement agency Europol
and U.S. agencies to swap personal details on crime and terrorist
suspects.  A majority of ministers also approved the results of talks
with the United States on extradition and cooperation in crime and
terror probes, but Germany could not accept draft agreements proposed by
EU president Denmark, diplomats said.  The proposed extradition accord,
part of the bloc's pledge to support Washington's fight against
terrorism, had raised concerns in Europe over the U.S. use of the death
penalty and possible military tribunals to try terrorist suspects.  But
diplomats said talks between senior U.S. officials and Denmark on
extradition and mutual legal assistance deals had the safeguards needed
on capital punishment and human rights.  Source:

17.     December 19, Associated Press - FBI tests suspicious letter to
senator.  The contents of a suspicious envelope that arrived at Sen.
Jeff Bingaman's office in Albuquerque have been sent to the state crime
lab for testing.  The Democratic senator's staff called the FBI after
opening the envelope Monday and discovering a wrapped package that
contained a powdery substance, said FBI supervisory agent Doug Beldon.
"The responding agents ran a preliminary field test on the substance
which indicated a very small possibility that the substance could be
botox, which might contain botulism," Beldon said.  Beldon said
additional testing indicated the substance was not botox, but as a
precaution, the FBI sent the envelope and its contents to the state
crime lab for more testing.  Beldon expected the results Friday.

Government Operations Sector

18.     December 19, New York Times - U.S. drops Armenian men from list
of visitors who must register.  Reversing course, the Department of
Justice has dropped Armenia from the list of countries whose adult male
citizens living temporarily in the United States must register with
immigration authorities.  The turnabout, on Tuesday, followed loud
complaints from the government of Armenia and Armenian groups in the
United States over a notice, published by the department in the Federal
Register last Friday, that added Armenia, Pakistan and Saudi Arabia to
18 countries already listed in the so-called special registration
program.  Source:

Information Technology Sector

19.     December 18, CNET News - Web services specifications focus on
security.  A group of companies published a series of specifications
designed to make Web services more secure.  The proposed specifications
describe how companies can establish policies on exchanging information
among trading partners and how to make disparate security systems
interoperate.  IBM and Microsoft co-authored the specifications with
input from a limited number of companies, including BEA Systems, RSA
Security and VeriSign.  The most notable proposal, WS-Security, is a
technology that allows businesses to send messages that have a digital
signature to ensure that a document has not been altered during its
transmission.  WS-Trust is a proposed standard method for establishing
secure communications between companies, including interactions that
involve third-party certification authorities.  Two related standards,
WS-SecureConversations and WS-SecurityPolicy, will make it easier to
maintain security during multistep transactions such as building and
submitting an electronic purchase order, the companies said.  The second
group of proposed specifications, which includes WS-Policy,
WS-PolicyAttachments and WS-PolicyAssertions, are designed to provide
mechanisms that let businesses describe their security requirements in
connection with Web services applications, including how to work with
third-party authenticating services.  Source.

Cyber Threats and Vulnerabilities

20.     December 19, CERT/CC - CERT Advisory CA-2002-37: Buffer Overflow
in Microsoft Windows Shell.  A buffer overflow vulnerability exists in
the Microsoft Windows Shell function used to extract attribute
information from audio files.  This function is invoked automatically
when a user browses to a folder containing .MP3 or .WMA files.  An
attacker can exploit this vulnerability by enticing a victim to read a
malicious email message, visit a malicious web page, or browse to a
folder containing a malicious .MP3 or .WMA file.  Therefore, an attacker
can either execute arbitrary code (which would run with the privileges
of the victim) or crash the Windows Shell.  Source: 

21.     December 18, Foundstone - Exploitable Windows XP Media Files.  A
buffer overflow exists in Microsoft Internet Explorer's automatic
reading of MP3 or WMA (Windows Media Audio) file attributes in Windows
XP.  An attacker could create a malicious MP3 or WMA file, which, if
placed in an accessed folder on a Windows XP system, would compromise
the system and allow for remote code execution.  The MP3 does not need
to be played; it simply needs to be stored in a folder that is browsed
to, such as an MP3 download folder, the desktop, or a NetBIOS share.
This vulnerability is also exploitable via Internet Explorer by loading
a malicious web site.  Microsoft's WMA files also suffer from a similar
vulnerability.  A Windows XP user visiting the site using Internet
Explorer would be remotely compromised without any warning or download
of files regardless of Internet Explorer security settings.  Microsoft
has issued Security Bulletin MS02-072 with a critical severity rating
for this vulnerability.  A patch is available at:

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (Last Changed: 26 November 2002)
Security Focus ThreatCon: 1 out of 4 (Last Changed: 17 December 2002)

Current Virus and Port Attacks
Virus:  #1 Virus in USA: PE_FUNLOVE.4099
Source: Trend World Micro Virus Tracking Center [Infected Computers,
North America, Past 24 hours, #1 in United States]
Top 10 Target Ports:  137(netbios-ns); 80(http); 1433(ms-sql-s);
53(domain); 445(microsoft-ds); 443(https); 3389(ms-term-serv); 4662;
25(smtp); 21(ftp)
Source: Internet Storm Center

General Information

22.     December 19, La Crosse Tribune (Wisconsin) - Bass virus found in
more pools.  Largemouth bass virus is moving down river.  Fisheries
workers conducting routine fall surveys discovered a number of
largemouth bass with open wounds at over-wintering areas in Pools 10 and
11 on the Mississippi River.  Overall, 22 percent of bass collected had
skin lesions, but infection rate was as high as 38 percent at some
locations.  Several diseased fish were sent to the U.S. Fish and
Wildlife Service La Crosse Fish Health Center in Onalaska, WI.  The
virus was first identified in 1995 at a reservoir in South Carolina in
which a large number of fish had died.  Biologists linked the fish kill
to largemouth bass virus and have since located the virus in 17 states.

23.     December 19, New York Times - NY State plans to alert doctors in
case of terror attacks.  New York State plans to create the first
statewide alert system intended to inform every practicing physician in
the state of suspected biological and chemical terrorist attacks and
other public health emergencies, the state health commissioner is to
announce today.  The new system, known as the New York State Physicians
Intranet, will use e-mail and a Web site to inform doctors across the
state of possible terrorist attacks within minutes of an event being
reported to the State Health Department.  It will also provide
information on how to deal with medical emergencies like an infectious
disease outbreak or a chemical attack, said Gerald Imber of World
Medical Leaders, the company that will run the alert system.  Source: 

24.     December 19, Associated Press - Pakistani police arrest nine
suspected al-Qaeda operatives.  Police arrested nine suspected al-Qaeda
operatives including two Americans and a Canadian in a joint raid with
FBI agents in Lahore on Thursday.  Relatives said FBI officials searched
the home for at least two hours and seized four computers and CDs.  "We
got information about these people, and today the police went there and
made these arrests. We can say they are suspected al-Qaeda," Pakistan's
information minister, Sheikh Rashid Ahmed, told The Associated Press in
a telephone interview.  Rashid said some of the nine men arrested are
suspected of possibly having smuggled weapons to be used in terrorist
attacks.  Those arrested were Dr. Javed Ahmad, his two sons, two
brothers, three nephews and one uncle.  Two of the men were naturalized
Americans and one a naturalized Canadian, but there was no immediate
information on their names or hometowns.  Source: 

25.     December 19, New York Times - British antiterror squads arrest
seven men suspected of having ties to al-Qaeda.  Antiterror police
squads arrested seven men in early Wednesday morning raids on houses in
London and Edinburgh today.  Police officials said the men were being
held for questioning at an undisclosed place in Scotland under the
Terrorism Act of 2000, a law that permits the detention of suspects in
terror plots.  The men were described as being in their early 30's and
of North African origin.  The BBC, citing security sources, said that
the men were accused of involvement in fund-raising and logistical
support, and that they were believed to be loosely connected to a
network associated with al-Qaeda.  Source: 

26.     December 18, Reuters - Birds may spread Ebola virus.  Birds may
be able to carry and spread the Ebola virus, U.S. researchers said on
Tuesday.  Researchers said Ebola, which has killed several hundred
people in Congo Republic, the neighboring Democratic Republic of Congo,
and Gabon since it was first identified in 1976, resembled some bird
viruses.  David Sanders and colleagues at Indiana's Purdue University
found that the outer protein shell of Ebola is similar to those of
several viruses carried by birds.  "We knew these viruses were inwardly
similar, and now we see their outer similarity as well," Sanders, a
biologist, said in a statement.  "While bird transmission of Ebola is by
no means certain, the resemblance among all these viruses should
encourage health officials to be on guard for it," said Sanders.  Source:

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a
national critical infrastructure threat assessment, warning,
vulnerability, and law enforcement investigation and response entity.
The NIPC provides timely warnings of international threats,
comprehensive analysis and law enforcement investigation and response.
The NIPC provides a range of bulletins and advisories of interest to
information system security professionals and those involved in
protecting public and private infrastructures.  By visiting the NIPC
web-site, one can quickly access any of the following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident
information that suggests a change in readiness posture, protective
options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information
addressing imminent or in-progress attacks targeting specific national
networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate
issues that pertain to the critical national infrastructure and are for
informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and
information system professionals with timely information on cyber
vulnerabilities, malicious scripts, information security trends, virus
information, and other critical infrastructure-related best practices. 

2002 NIPC Highlights - The NIPC Highlights are published on a monthly
basis to inform policy and/or decision makers of current events,
incidents, developments, and trends related to Critical Infrastructure
Protection (CIP).  Highlights seeks to provide policy and/or decision
makers with value-added insight by synthesizing all source information
to provide the most detailed, accurate, and timely reporting on
potentially actionable CIP matters.
