[INFOCON] - NIPC Daily Open Source Report for 20 December 2002

2002-12-20 Thread Wanja Eric Naef (IWS)
National Infrastructure Protection Center
NIPC Daily Open Source Report for 20 December 2002

Daily Overview

.   CERT has released Advisory CA-2002-3: Buffer Overflow in
Microsoft Windows Shell.  (See item 20)

.   Foundstone reports that a buffer overflow exists in Microsoft
Internet Explorer's automatic reading of MP3 or WMA file attributes in
Windows XP; such a file, if placed in an accessed folder, would
compromise the system and allow for remote code execution.  (See item 21)

.   The Associated Press reports Virginia State Police are
investigating a report of suspicious behavior by a group of people
aboard a state-operated car ferry near a nuclear-power plant in Surry
County.  (See item 4)

.   The Associated Press reports Venezuela's Supreme Court has
ordered a temporary halt to an oil industry strike while it considers
the legality of the work stoppage, which entered its 18th day Thursday.
(See item 10)


Power Sector

1.  December 17, Albuquerque Journal - Energy rule may raise rates.
State regulators to vote on policy that pushes utilities to use
renewable resources.  New Mexico regulators are expected to approve a
sweeping new energy rule today that will force the state's four major
public utilities to invest hundreds of millions of dollars in
alternative power sources.  The rule, almost two years in the making, will
order utilities to derive at least 10 percent of their energy from wind,
geothermal, biomass, hydro or solar sources by 2011.  Biomass is the
burning of waste, such as materials from forest thinning.  A dozen other
states have approved such a mandate.  Public Regulation Commission
members say the rule is one of their most important decisions in recent
years.  Proponents, including environmentalists and many ranchers, say it
will help reduce dependence on natural gas and coal-fired plants and
will stimulate economic development in rural areas.  But utilities say
it will increase rates.  The rule will allow utilities to recoup costs
through green tariffs, charging the customers who choose alternative
energy more to buy it.  Utilities say this will recover only a fraction
of the investment costs and ratepayers will shoulder the bulk of the
extra costs.  The four utilities (Public Service Company of New Mexico,
El Paso Electric, Texas New Mexico Power and Xcel Energy) favor a
voluntary program over a mandatory one. But the PRC has made it clear it
wants a mandatory program.  Source:
http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3527196


2.  December 18, Reuters - FERC clears two banks to trade power.
The Federal Energy Regulatory Commission on Wednesday cleared away a
final obstacle for two banks to trade wholesale electricity in the
battered U.S. power market.  FERC commissioners voted to allow Bank of
America Corp. and Switzerland's UBS AG to continue acquiring securities
of U.S. publicly-traded utilities as part of their investment banking
businesses.  Both companies had sought assurances from FERC that they
could carry on their investment banking activities while separate units
traded wholesale power.  The FERC order limits the banks to holding 1
percent or less of a public utility's voting class stock, and requires
them to make quarterly reports to the agency.  Source:
http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3527156


3.  December 18, Reuters - U.S. power supply adequate in 2003
despite cutbacks.  U.S. electricity supply is more than adequate for
next year despite a growing number of cancellations or delays of new
power plants, industry experts say.  Power companies -- including Duke
Energy Corp. and NRG Energy Inc., a unit of utility Xcel Energy Inc. --
have already canceled or delayed construction of 164,000 megawatts of
power generation capacity this year, more than double the year before,
according to energy information provider Platts, a division of
McGraw-Hill Cos.  The cutbacks are the result of low electric wholesale
prices and a credit crunch that has forced companies to slash capital
spending, sell assets and restructure debt.  Next year is likely to
bring closings of older, inefficient plants and industry consolidation
as weaker, unregulated energy companies are bought by stronger ones,
experts said in recent interviews.  "In the near term, capacity is more
than adequate nationwide," said Steve Piper, senior consultant at
Platts.  The oversupply stems from a building splurge in the late 1990s
when companies that sell power plunged into new deregulated markets,
Piper said.  Source:
http://www.energycentral.com/sections/newsroom/nr_article.cfm?id=3527161


Current Electricity Sector Threat Alert Levels:  Physical: 

[INFOCON] - USAF: Risk management perfect tool for holiday, winter season

2002-12-20 Thread Wanja Eric Naef (IWS)

Risk management perfect tool for holiday, winter season
by Lt. Col. Juan Gaud
Electronic Systems Center chief of safety

12/18/2002 - HANSCOM AIR FORCE BASE, Mass. (AFPN) -- In our haste during
this time of the year we often make decisions without giving much
thought to the risks involved or how those risks might be eliminated or
reduced. 

Operational Risk Management can be an excellent tool for mitigating the
risks associated with the holiday and winter seasons. The six-step ORM
process can be a helpful tool when making risk decisions but keep in
mind that more often than not a streamlined version will work just as
well. 

The six steps are: identify the hazards; assess the risks; analyze risk
control measures; make control decisions; implement risk control; and
supervise and review. 

Here are a few instances where ORM can make a difference in your holiday
planning. 

This time of the year finds many of us on the road, whether traveling to
the mall to pick up that last minute gift or trekking across country to
visit family. Before you go, take a few minutes to consider the risks. 

What will the weather be? Is your vehicle equipped to handle various
weather conditions that might be encountered? Have you had enough rest
to safely make the drive? 

When making travel plans allow yourself some flexibility so that if bad
weather is forecasted, you can alter your schedule. Bad weather
conditions combined with the stress of having to be somewhere at a
certain time can make for particularly hazardous travel. 

You can mitigate some of the risks involved in traveling by taking a few
minutes to make sure your vehicle is running properly and is equipped
with those items that might be needed should you break down. 

Think ahead about potential problems that may be encountered and come up
with plans to prevent or deal with those situations before they happen. 

Make sure you're rested and alert before you get on the road. Too often
we overdo it around the holidays and find ourselves physically and
mentally stressed to the max. 

It is better to take the time needed before traveling to make sure you
are well rested and up to making the trip. No one ever wants to get the
news that their friends or loved ones were injured or even killed in a
car accident that may have been avoided. One of the best gifts you can
give your family and friends this year is to arrive safely. 

Parties and festivities are wonderful occasions that bring people
together to relax and share in the joy of the season. I highly encourage
all office party planners to go through the ORM checklist when planning
that holiday get-together. 

Face it, there are unforeseen risks lurking around every corner when
planning an office party. Sometimes the most difficult problems are
encountered in something as simple as choosing a location. 

Whatever your office decides to do this year, plan ahead for those
unexpected challenges by using ORM. It could help make sure your
gathering is a safe, fun and relaxing time for all. 

Since Oct. 1 there have been 12 airmen fatalities across the Air Force,
that's a 300 percent increase over the total number of Air Force
fatalities last year. Supervisors should take an active posture when it
comes to practicing operational risk management; we owe it to our
employees and to the Air Force. 

While we cannot always eliminate the risks, we can mitigate them. ORM
can help keep the Grinch out of your holiday season, but only if you use
it. Happy Holidays! (Courtesy of Air Force Materiel Command News
Service)




IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk





[INFOCON] - News: London, Friday, December 20, 2002

2002-12-20 Thread Wanja Eric Naef (IWS)

London, Friday, December 20, 2002

INFOCON News

  [News Index]
  

[1] Terrorists on the Net? Who Cares?  
[2] Sklyarov reflects on DMCA case
[3] Student gets merit award for school computer hack
[4] Welsh Web designer pleads guilty to virus creation
[5] Report criticizes administration's e-gov efforts

[6] Q&A: Does the U.S. government have an open-source security plan?
[7] Air combat C2 made easier
[8] Malaysian Police Hunt Internet Scaremonger
[9] Computer crime center opens
[10] Feds Delay Launch of Cyber-Security Plan

[11] E-card virus warning for Christmas
[12] Sounding the alarm on video game ratings
[13] Security flaw threatens Cisco website
[14] Microsoft Baseline Security Analyzer V1.1
[15] Computer glitch causes £7m insurance error

[16] German ISPs must block US Nazi sites
[17] Air Force personnel misused government cards
[18] Audio files figure in latest Microsoft vulnerability
[19] Allbaugh leaving FEMA in March

CURRENT THREAT LEVELS


Electricity Sector Physical: Elevated (Yellow) 

Electricity Sector Cyber: Elevated (Yellow) 

Homeland Security Elevated (Yellow) 
DOE Security Condition: 3, modified  

NRC Security Level: III (Yellow) (3 of 5) 

News


(See next email for comments. WEN)

[1] Terrorists on the Net? Who Cares?  

By Noah Shachtman

02:00 AM Dec. 20, 2002 PT

To all those Chicken Littles clucking frantically about the imminent
threat of a terrorist attack on U.S. computer networks, a new report
says: Knock it off. 

Online attacks are merely weapons of mass annoyance, no more harmful
than the routine power failures, airplane delays and dropped phone calls
that take place every day. 

"The idea that hackers are going to bring the nation to its knees is too
far-fetched a scenario to be taken seriously," said Jim Lewis, a 16-year
veteran of the State and Commerce Departments. He compiled the analysis
for the Center for Strategic and International Studies.

http://www.wired.com/news/infostructure/0,1377,56935,00.html

 

[2] Sklyarov reflects on DMCA case
14:24 Friday 20th December 2002
Lisa M. Bowman, CNET News.com   

The Russian software programmer talks about life after his arrest and
how controversial copyright laws are affecting programmers.

Russian programmer Dmitry Sklyarov thinks it was unfair of prosecutors
to play his videotaped deposition at the ElcomSoft trial rather than
calling him to the stand. 

But after a legal saga that's included a surprise arrest outside his Las
Vegas hotel room, three weeks in jail, and visa tangles that almost
prevented him from coming back to the US for trial, Sklyarov has decided
not to worry about situations over which he has no control. 

"During my life I'm trying not to spend too much time trying to find
what means for me things I cannot change," Sklyarov, 27, said in his
first interview since testifying in the criminal copyright case of
ElcomSoft, his employer. 

http://news.zdnet.co.uk/story/0,,t269-s2127886,00.html 

 

[3] Student gets merit award for school computer hack
By John Leyden
Posted: 20/12/2002 at 13:06 GMT

High school student Reid Ellison did exactly the opposite of what most
students would do when he hacked into his school computer records - he
marked his grades down. 

The bright 15-year old changed his grades at Anzar High School in San
Juan Bautista, California from an A to a D+. 

However, Reid didn't get into trouble for his actions. Far from it. 

The intrusion was sanctioned by his school as part of his coursework and
his success in 

[INFOCON] - Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats

2002-12-20 Thread Wanja Eric Naef (IWS)

(Usually I send my detailed comments only onto the IWS Limited List, but as the paper 
is so interesting I make an exception. I like the paper, even though the definition of 
Cyberterrorism is not the greatest one and I do not like the bit about the WWII as it 
is too simplistic ('know thy military history'), but the rest is good. WEN.)

Key sentence: '... but a brief review suggests that while many computer networks 
remain very vulnerable to attack, few critical infrastructures are equally vulnerable. 
...' as SCADA systems & Co are usually not connected to the Internet.

'... A preliminary review of these factors suggests that computer network 
vulnerabilities are an increasingly serious business problem but that their threat to 
national security is overstated. Modern industrial societies are more robust than they 
appear at first glance. Critical infrastructures, especially in large market 
economies, are more distributed, diverse, redundant and self-healing than a cursory 
assessment may suggest, rendering them less vulnerable to attack. In all cases, cyber 
attacks are less effective and less disruptive than physical attacks. ...'

'Know thy military history'

It is annoying to see people mention examples in military history if they lack 
knowledge and make mistakes:

The author looks at the Strategic Bombing Campaign during WWII, but unfortunately you 
cannot really compare it to CNI attacks as even though the UK had a ministry for 
economic warfare its advice was mostly ignored by Bomber Harris who preferred to 
'flatten German cities' whilst the US urged the UK to attack the real Centre of 
Gravity. 

'... What the survey [U.S. Strategic Bombing Survey, Summary Report (European War), 
1945] found, however, is that industrial societies are impressively resilient. 
Industrial production actually increased for two years under the bombing.'

It is always risky to quote such an old survey as it might be 'slightly biased' -- the 
Air Force wanted to make a business case for its bombers, ... -- especially if the 
academic in question lacks a detailed knowledge of the German War Economy. (Instead of 
reading a summary report I would recommend reading 'The Effects of Strategic 
Bombing on the German War Economy' report, which was published a month later. It gives 
a far more detailed overview. (Before someone asks, I do not have a url for it as I 
got a copy of it, but I do have some old notes from a Defence Economics course which 
focuses on economic warfare during WWII and two unpublished papers on the Nazi War 
Economy. If someone wants them please email me)).

Another example:

'... Comparing aerial and cyber attacks on hydroelectric dams helps provide a measure 
for cyber-threats. Early in World War II, the Royal Air Force mounted a daring attack 
on dams in the Ruhr, a chief source of electrical power for German industry. The raid 
was a success, the dams breached by bombs and, for a period of time, the electrical 
supply in the region was disrupted. ...'

This attack was based on wrong intelligence. An argument was put forward by the UK 
Ministry of Production (not the Ministry of Economic Warfare) that it would be a great 
opportunity to stop German industrial production in the Ruhr as the dam provided the 
electricity for those industries. Therefore without electricity German industry in the 
Ruhr would be forced to stop. The Ministry of Economic Warfare (MEW) questioned the 
assumptions on which this raid was based and concluded that the RAF might be able to 
hit the dam, but in the end the Germans have other means to produce electricity, such 
as coal-fired plants. MEW was right and they said that the worst that would happen 
is that there would be massive flooding below the dam, some production 
might be cut, but in the end the Germans would just compensate with coal-fired plants. 

Anyway, back to cyberterrorism. Some good quotes from the paper:

Risk to National Security:

' ... However, from a strategic military perspective, attacks that do not degrade 
national capabilities are not significant. From this perspective, if a cyber-attack 
does not cause damage that rises above the threshold of the routine disruptions that 
every economy experiences, it does not pose an immediate or significant risk to 
national security.

It is particularly important to consider that in the larger context of economic 
activity, water system failures, power outages, air traffic disruptions and other 
cyber-terror scenarios are routine events that do not affect national security. On a 
national level, where dozens or even hundreds of different systems provide critical 
infrastructure services, failure is a routine occurrence at the system or regional 
level, with service denied to customers for hours or days. ...'

Attack on CIP:

* Water

'... In the United States, the water supply infrastructure would be an elusive target 
for cyber attack. There are 54,064 separate water systems in the U.S. Of 

[INFOCON] - Study Finds Internet Showed Resilience in Terrorist Attacks

2002-12-20 Thread Wanja Eric Naef (IWS)
(The study is available at
http://books.nap.edu/books/0309087023/html/index.html. WEN)



Study Finds Internet Showed Resilience in Terrorist Attacks 
(Analysis explores how to brace information technologies for future
attacks) (1050)

The Internet sustained minimal damage when terrorists attacked New
York City's World Trade Center in September 2001 even though the
attack occurred at one of the world's greatest hubs for information
traffic. A study issued by the National Research Council (NRC)
November 20 offers that conclusion at the same time that it reveals
Internet vulnerabilities in crisis situations and suggests ways to
ameliorate those in case of future attacks.

"The terrorist attacks provoked a national emergency during which we
could see how the nation and the world use the Internet in a crisis,"
said Craig Partridge, chair of the NRC committee that wrote the
report, and chief scientist at BBN Technologies in Cambridge,
Massachusetts. "Overall, the Internet displayed not only its
resilience on September 11, but also its role as a resource," said
Partridge in a press release issued by the NRC.

In the immediate aftermath of the attacks, quick fixes of equipment
and networks were mounted to correct the Internet disruption that
occurred in New York and surrounding areas, the study found. Those
problems do suggest that Internet service providers and users need to
develop better contingency plans for possible outages in the future.

Following is the text of the NRC press release:

(begin text)

National Academy of Sciences
National Research Council
Office of News and Public Information
Nov. 20, 2002

Internet Damage From Sept. 11 Terrorist Attacks in New York City Was
Limited, But Better Contingency Plans Are Needed

WASHINGTON -- The overall effect of the damage to the Internet on
Sept. 11, 2001, when the collapse of the World Trade Center buildings
destroyed communications equipment and networks, was minimal, says a
new report from the National Academies' National Research Council.
Internet service providers and users need to address some operational
issues, however, to better prepare for and respond to future
emergencies in light of the useful role the Internet played after the
attacks.

New York City, one of the nation's most important communication hubs,
is home to many Internet users, private data networks, and Internet
service providers. Multiple fiber-optic grids run beneath its streets,
and many trans-Atlantic cables come ashore nearby. Telecommunications
facilities not only serve the many thousands of Internet customers in
the city but also interconnect service providers throughout the region
and in other countries.

"The terrorist attacks provoked a national emergency during which we
could see how the nation and the world use the Internet in a crisis,"
said Craig Partridge, chair of the committee that wrote the report,
and chief scientist, BBN Technologies, Cambridge, Mass. "New York City
is a 'super hub' of Internet links and services, and the collapse of
the World Trade Center buildings damaged some of those links and
services, often in subtle and surprising ways. Overall, the Internet
displayed not only its resilience on Sept. 11, but also its role as a
resource."

Serious effects on the Internet were isolated to New York City and a
few other locations. Most of the damage was quickly remedied through
improvisation, the rapid deployment of new equipment, and the
rerouting of Internet traffic to bypass failed parts.

Although the events of Sept. 11 do not necessarily indicate how the
Internet might behave in response to a direct attack on the network,
they do shed light on possible vulnerabilities, the report says. Key
businesses and services that use the Internet need to review their
dependency on it and plan accordingly. For example, a New York City
hospital learned that its doctors had come to rely on wireless
handheld computers fed through an external Internet connection. When
this link was briefly broken by the collapse of the towers, doctors
had trouble accessing medical information. Contingency plans, more
coordination with local authorities, and a means of restoring service
remotely also are needed to better deal with electrical power
failures.

As a whole, the attacks affected Internet services very little
compared with other telecommunications systems. Telephone service was
disrupted in parts of lower Manhattan, and cell-phone service suffered
more widespread congestion problems. Nearly one-third of Americans had
trouble placing a phone call on the day of the attacks. The Internet,
however, experienced only a small loss of overall connectivity and
data loss, the report says. With phone service impaired, some
individuals used instant messages on their wireless handheld devices
and cellular phones to communicate instead. Web sites were created to
distribute lists of missing persons and other information to help
people try to locate loved ones.

The attacks also caused a surge in demand