National Infrastructure Protection Center NIPC Daily Open Source Report for 18 December 2002
Daily Overview

- CERT has received reports of increased scanning of port 445. This may be evidence of the propagation of a worm known as W32/Lioten. (See item 15)
- InfoWorld reported a security vulnerability in the Macromedia Flash player which can allow an attacker to gain control over a user's PC; a new Flash Player version without the vulnerability is available from Macromedia. (See item 16)
- ABC News reports the Oak Ridge National Laboratory in Tennessee is proposing "Sensor Net", a national defense system that would put biological, radiological and chemical weapons detectors at existing cell-phone towers across the United States. (See item 21)

Power Sector

1. December 17, Reuters - American Electric Power seeks to sell Texas power plants. American Electric Power (AEP) said Tuesday that its Central Power and Light (CPL) subsidiary filed a plan with the Texas utility regulator to sell all of its power plants in the state. AEP of Columbus, Ohio, told the Public Utility Commission of Texas that it wanted to sell the plants in order to capture stranded costs, which is the amount by which the book value exceeds the market value of the assets. The plants include eight gas plants, two coal plants, one hydro facility, and a stake in the South Texas nuclear project. AEP, like many U.S. energy traders, has cut back on its merchant power trading this year to concentrate on the sale of electricity generated at its plants and its power distribution subsidiaries. The sale does not include power plants owned by other AEP subsidiaries in Texas - West Texas Utilities or Southwestern Electric Power Co. - since AEP is not seeking stranded cost recovery for those assets.
AEP, one of the biggest power marketers in North America, owns more than 42,000 megawatts of generating capacity in the U.S. and around the world and distributes power to more than 5 million customers in 11 U.S. states.
Source: http://hsweb01.screamingmedia.com/PMA/pma_newsarticle1_national.htm?SMDOCID=reuters_pma_2002_12_17_eng-reuters_pma_AEP-SEEKS-TO-SELL-BLN-OF-TEXAS-POWER-PLANTS&SMContentSet=0

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

2. December 17, New York Times - Effort to cut off al-Qaeda funds hits snags. The United Nations group formed to stop the flow of funds to al-Qaeda has concluded that serious problems in international efforts to track the terrorist network's finances have left it "still able to receive money," according to a report circulated here today. In the report Michael Chandler, who heads the monitoring group, says a continuing lack of intelligence-sharing and cooperation between governments means that al-Qaeda operatives can still move across borders and get financial support. Al-Qaeda is still receiving money through front groups disguised as charities, the report finds; it adds that the group has begun to rely more heavily on "local funding sources" to avoid sending money through banks and other more strictly regulated institutions.
Source: http://www.nytimes.com/2002/12/17/international/17QAED.html

3. December 12, Wall Street & Technology - To Catch a Thief: The Patriot Act has firms investigating how technology can help prevent them from being a clearing house for criminals. For financial-services firms, meeting the act's requirements will be a huge challenge in 2003, because, on top of developing a program, many will have to select and install a comprehensive anti-money laundering (AML) software solution.
"I think the major challenge is implementing the capability to monitor transactions, to keep track of what their customers are doing across all of their business lines," says Neil Katkov, the Celent Communications analyst who authored the firm's Sept. 2002 report on AML. The securities and investment firms facing the most difficult AML challenge, he says, are hedge funds and "the private client part of investment banks." The private-client divisions of banks face an uphill battle monitoring and analyzing funds, says Katkov, because "a lot of what they do involves offshore banking, tax sheltering and overseas trading."
Source: http://www.wallstreetandtech.com/story/currentIssue/WST20021212S0004

Transportation Sector

4. December 17, Associated Press - Australia to post sky marshals on some flights to Singapore. Australia will soon post sky marshals on flights to Singapore under an agreement being negotiated between the two countries, and hopes for a similar deal with Indonesia, the government said Tuesday. Justice Minister Chris Ellison said Singapore's home affairs minister agreed to the plan during a meeting Monday in the city-state. Once details are worked out, Australia will begin placing air security officers on some of the 4,000 flights each year by flag carrier Qantas, Ellison said.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021217/ap_wo_en_po/as_gen_australia_singapore_sky_marshals_2

5. December 17, Washington Post - 'Smart' traffic system a failure. A high-tech phone service launched six years ago to give Washington, DC area motorists personally tailored traffic reports will fold today. Local governments spent $8 million on SmarTraveler, calling it an essential public service in a region plagued by traffic jams. The money was supposed to cover start-up costs until the private operator could turn a profit. Five other areas also invested millions in SmarTraveler, but all have abandoned it as a profit-making venture.
Those that still use it, including Boston and Florida, pay for it. The financial collapse of SmarTraveler in the capital region highlights the data gap that has made delivering complete real-time traffic information more difficult than anticipated 10 years ago. The information provided often did not keep pace with motorists' demand for detailed, up-to-the-minute traffic reports, experts said. Local and state governments, they say, have not installed enough roadside cameras, in-road vehicle speed sensors, coordinated computer databases and other high-tech tools needed to make real-time traffic reports widespread and reliable. That is a national concern, because states and cities are working on implementing 511, a phone service akin to 911 that would give up-to-the-minute local traffic information when dialed anywhere in the country. Some of the problems SmarTraveler encountered must be solved before 511 will work, transportation experts say.
Source: http://www.washingtonpost.com/wp-dyn/articles/A64166-2002Dec16.html

Gas and Oil Sector

6. December 17, New York Times - Oil prices rise rapidly. Oil prices shot to their highest level in two months yesterday as traders grappled with the severity of reduced crude oil supplies caused by strikes in Venezuela, the world's fifth-largest oil exporter. The price of crude oil for January delivery rose $1.66, to $30.10 a barrel, on the New York Mercantile Exchange, an increase of 5.8 percent. It was the biggest single-day gain since January. Oil prices are now up more than 50 percent from those a year earlier. Oil selling for $30 a barrel does not threaten a return to recession, economists said, but "it is certainly enough to forestall a more sustained recovery in the economy when the recovery is still very tepid," said Mark Zandi, chief economist at Economy.com, a consulting firm in West Chester, PA. Prices at $35 to $40 a barrel are much more of a threat, economists said.
While that may seem far-fetched now, continuing conflict in Venezuela could combine with war in Iraq to disturb oil supplies so profoundly that even OPEC would lack the spare production capacity to make up for shortfalls, industry experts warned.
Source: http://www.nytimes.com/2002/12/17/business/worldbusiness/17OIL.html

7. December 17, BBC News - Venezuela crisis may affect US war plans. The continuing strike in the Venezuelan oil industry could have an impact on preparations for a U.S.-led war in Iraq. Humberto Calderon Berti, a former Energy Minister and senior official of Venezuela's state oil firm, has said he does not think the U.S. will make a decision to proceed until the crisis in his country is resolved. The U.S. does have a large strategic reserve it can draw on and has recently been adding to it as an insurance against war-related disruptions. The U.S. administration could almost certainly go to war at a time when both Venezuela and Middle Eastern supplies were unreliable. But it would surely prefer not to.
Source: http://news.bbc.co.uk/2/hi/business/2584167.stm

8. December 16, Platts Global Energy - California gas demand to grow 2%/year through 2012: CEC. Natural gas demand in California will grow about 2% annually between 2002 and 2012, according to a report last week by the staff of the California Energy Commission. And to accommodate that growth, interstate pipeline infrastructure to gas supplies in the US Southwest, Rocky Mountains and Canada needs to be expanded, the report asserted. Within California, the infrastructure of utility Pacific Gas and Electric likely will need expanding between 2007 and 2012, according to CEC staff, which said Southern California Gas appears to have sufficient capacity through 2012. Over the next decade, the US Southwest will remain California's main supplier of gas, the report said. But the state is expected to shift its supply base somewhat due to lower gas prices in the Rocky Mountain region and in Canada.
Source: http://www.platts.com/archives/94541.html

Telecommunications Sector

9. December 17, New York Times - Limits sought on wireless Internet access. The Defense Department, arguing that an increasingly popular form of wireless Internet access could interfere with military radar, is seeking new limits on the technology. Industry executives met last week with Defense Department officials to try to discuss the initiative, which includes a government proposal now before the global overseer of radio frequencies. Military officials say the technical restrictions they are seeking are necessary for national security. They are asking the American industry, and companies in other countries, to create and install even more sensitive versions of dynamic frequency selection - something that the companies say may cause the technology to operate incorrectly. Although industry executives acknowledge that high-speed wireless Internet access will soon crowd the radio frequencies used by the military, they say new types of frequency spectrum sharing techniques could keep civilian users from interfering with radar systems. An estimated 16 million WiFi-enabled computers and other devices are already in use in this country and overseas.
Source: http://www.nytimes.com/2002/12/17/technology/17WIRE.html?tntemail1

Food Sector

Nothing to report.

Water Sector

10. December 16, Water Tech Online - Water security pilot programs get federal funding. The U.S. Environmental Protection Agency (EPA) has allocated $500,000 to create a pilot project that will provide system operators with real-time information about the safety and quality of their water supplies. The funds were awarded to the United States Geological Survey (USGS), which will purchase and set up the monitoring equipment for the pilot project at one or two yet-to-be-chosen drinking water systems in New Jersey, the EPA said in a news release.
In order to expedite the real-time monitoring pilot, EPA is working with USGS and the Rutgers University Center for Information, Integration and Connectivity to create a Regional Drinking Water Safety and Security Consortium, officials said. The lessons learned from this pilot project will enable water-supply operators across the country to set up similar systems, officials said.
Source: http://www.watertechonline.com/news.asp?mode=4&N_ID=36832

Chemical Sector

Nothing to report.

Emergency & Law Enforcement Sector

Nothing to report.

Government Operations Sector

11. December 17, Associated Press - New U.S. rules put on Saudi, Pakistani men. The latest registration notice affects males from Saudi Arabia and Pakistan who are age 16 or older and entered the United States on or before Sept. 30, 2002. If they plan to stay in the United States into late February, they will have until Feb. 21, 2003, to register and provide documentation to the Immigration and Naturalization Service about their visit. The announcement coincides with a deadline yesterday for registration for a similar program affecting men from Iraq, Iran, Libya, Sudan and Syria. Men from Afghanistan, Algeria, Bahrain, Eritrea, Lebanon, Morocco, North Korea, Oman, Qatar, Somalia, Tunisia, the United Arab Emirates and Yemen face a registration deadline of Jan. 10.
Source: http://www.washingtonpost.com/wp-dyn/articles/A63975-2002Dec16.html

12. December 17, Washington Post - Crews begin anthrax cleanup of State Dept. mail site in N. Virginia. Technicians have begun gutting the State Department's diplomatic mail facility in Northern Virginia, launching an arduous decontamination effort more than a year after a terrorist mailing sickened a sorting contractor with the inhaled form of anthrax.
Workers will use everything from industrial-grade vacuums and circular saws to soapy water and in their efforts to clean out and reinhabit the 75,000-square-foot facility in Sterling, federal officials said yesterday as they outlined decontamination plans to Loudoun County supervisors. Until October 2001, diplomatic pouches, packages and letters to U.S. embassies and consulates around the world had passed through the building. Federal authorities said they hope to scour, remodel and their complex by 2004. They sought yesterday to allay any concerns that their complicated cleanup 500 feet from a suburban subdivision could pose a threat to residents.
Source: http://www.washingtonpost.com/wp-dyn/articles/A64516-2002Dec16.html

13. December 17, Washington Post - President Bush Tuesday ordered the military to begin deploying a national missile defense system by 2004. Defense officials, who asked not to be identified, said Bush was going ahead with an ambitious schedule to field 10 ground-based interceptors at Fort Greeley, Alaska, by 2004 and an additional 10 interceptors by 2005 or 2006. Another Bush administration official said that the interceptors could also possibly be deployed at Vandenberg Air Force Base in California. Bush and Defense Secretary Donald Rumsfeld have stressed that the proliferation of weapons of mass destruction and missile technology has sharply increased the need for such a defense against attack from "rogue states" such as Iran, Iraq and North Korea.
Source: http://www.washingtonpost.com/wp-dyn/articles/A1349-2002Dec17.html

Information Technology Sector

14. December 17, vnunet.com - Businesses to discuss cybercrime charter. Members of the United Kingdom blue chip user organization The Infrastructure Forum (Tif) will get their first chance to examine in detail the cybercrime confidentiality charter drawn up by the National Hi-Tech Crime Unit (NHTCU).
The charter, designed to encourage businesses to report hacker attacks by minimizing the disruption of an investigation and keeping the information out of the media, was unveiled by the British police earlier this month. The chief executive of Tif, David Roberts, told vnunet.com the charter was a positive move towards getting companies to report cybercrime. "It's a necessary thing to be able to do because organizations are not going to freely disclose information unless they know it is not going to be used in a way that will get into the public [domain]," Roberts said. Security is still the dominant issue for users, according to Roberts.
Source: http://www.vnunet.com/News/1137655

Cyber Threats and Vulnerabilities

15. December 17, CERT/CC - W32/Lioten. The CERT/CC has received reports of increased scanning destined to port 445/tcp. Several reports have indicated that this is evidence of propagation of a worm known as W32/Lioten. Systems involved in this activity have been discovered to contain an artifact named Iraqi_oil.exe. At this time, it appears that it may affect at least Windows 2000 and Windows XP systems. For more information, please see CERT Incident Note IN-2002-06, which is available at http://www.cert.org/incident_notes/IN-2002-06.html. The CERT/CC is interested in receiving reports of this activity. If you experience such activity or have more information, please send mail to [EMAIL PROTECTED] with the following text included in the subject line: "[CERT#38858]".
Source: http://www.cert.org/current/current_activity.html#W32Lioten

16. December 17, InfoWorld - Macromedia patches security hole in Flash software. A security vulnerability in the widely used Macromedia Flash player can allow an attacker to gain control over a user's PC, eEye Digital Security warned Monday. A specially formatted Flash file can cause a header overflow in the Flash software, potentially giving an attacker control over a PC, eEye said in a security advisory.
Exploiting an overflow flaw generally allows attackers to load malicious code onto a victim's system and to run that code. The vulnerability is serious because Flash is widely used on various operating systems and because vulnerable versions of the software are delivered as part of many software packages, said eEye. Affected are all versions of the Macromedia Flash Player prior to Version 6.0.65.0, which was released late last week to fix the issue, Macromedia said. All users are advised to upgrade to the new version. The eEye advisory is available at http://www.eeye.com/html/Research/Advisories/AD20021216.html
Source: http://www.infoworld.com/articles/hn/xml/02/12/17/021217hnmacromedia.xml?1217tuam

17. December 16, Newsfactor Network - Microsoft changes its flaw severity rating system. Last month, when a gaping security hole was found in Internet Explorer that could allow a hacker to take control of a user's hard drive, Microsoft initially labeled the flaw's severity "moderate." Soon afterward, Microsoft's "moderate" rating decision came under attack by the tech community, led by postings to the Bugtraq mailing list. On December 6th, Microsoft issued a follow-up patch to the original fix, this time listing the flaw as "critical." Just last month, Microsoft altered the way it rates security threats by adding an "important" rating between "moderate" and "critical." According to this new system, the IE bugs in question initially rated lower on the severity scale than they would have a month earlier. Such ratings are often decisive factors in determining whether -- and when -- an organization chooses to implement a patch, according to Julie Giera of Giga Information Group. When making a severity rating, "the vendor usually looks at the severity of the problem and the size of the customer audience that it would affect," she said.
For smaller organizations, the rating may be one of the only factors used to distinguish between patches that must be deployed and others that need not be. Although they consume an IT department's time and resources to test and deploy, patches are among the best responses to threats. A recent Gartner study shows that through 2005, 90 percent of all cyberattacks will involve known vulnerabilities for which a patch or solution already exists.
Source: http://www.newsfactor.com/perl/story/20251.html

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (https://gtoc.iss.net/) - Last Changed: 26 November 2002
Security Focus ThreatCon: 2 out of 4 (http://analyzer.securityfocus.com) - Last Changed: 17 December 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: WORM_KLEZ.H
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137 (netbios-ns); 80 (http); 1433 (ms-sql-s); 53 (domain); 139 (netbios-ssn); 445 (microsoft-ds); 27374 (asp); 135; 4662; 21 (ftp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

18. December 17, New York Times - Ottawa, justifying Algerian's arrest, says al-Qaeda is operating in Canada. The assessment, by the Canadian Security and Intelligence Service, was contained in court documents released in connection with the detention of an Algerian immigrant suspected of ties to senior al-Qaeda members, including Abu Zubaydah, a lieutenant of Osama bin Laden, the group's leader. Zubaydah is being held at an undisclosed location by American authorities. The Algerian, Mohammed Harkat, 34, of Ottawa, was described in the documents as a member of al-Qaeda whose ties to Zubaydah date to the early 1990's. Harkat was taken into custody last week and faces deportation.
In its brief to the federal court in Ottawa, the intelligence service said bin Laden's supporters and network "have the capability and conviction to provide support for terrorist activities in North America."
Source: http://www.nytimes.com/2002/12/17/international/americas/17CANA.html

19. December 17, United Press International - France foils possible terror attack. Three men arrested in the Paris region may have been plotting a biological or chemical attack, France's Interior Minister said Tuesday. "This is not a small affair," Interior Minister Nicolas Sarkozy told the National Assembly. "This is serious. When one finds people who have this material we do well to arrest them." Police seized empty containers, vials of suspicious-looking fluids and powders and an outfit designed for protection against chemical and biological risks, Sarkozy said, adding that at least $5,000 in cash and false documents were also found during Monday's police raid in the Paris suburb of Seine-Saint-Denis. If the tests identify chemical or biological elements, the results would confirm European fears that attacks would take more deadly forms seen with biological or chemical weapons.
Source: http://www.upi.com/view.cfm?StoryID=20021217-113407-7783r

20. December 17, New York Times - Universities destroy biological agents. As federal officials search for more powerful tools to investigate biological terrorism, universities across the country are destroying collections of laboratory agents crucial for understanding how biological weapons work and tracing their sources. New federal laws require only that such biological materials be registered, but many universities are pressing researchers to clean out their freezers and destroy materials they are not currently working on.
While there is no official count of how many biological specimens have been destroyed, concern that laboratories have gone overboard prompted the White House to ask institutions, through the American Society of Microbiologists, to reconsider their haste in doing away with specimens that could prove "difficult or impossible to replace," said Rachel Levinson, of the White House Office on Science and Technology Policy.
Source: http://www.nytimes.com/2002/12/17/health/17LAB.html

21. December 16, ABC News - Lab develops new ways to identify and fight terrorist attacks. The Oak Ridge National Laboratory in Tennessee is pursuing Sensor Net, a national defense system based on the existing network of some 30,000 cell-phone towers across the United States. The plan is to put biological, radiological and chemical weapons detectors at hundreds, maybe even thousands, of cell-phone towers. They would be linked by small computers that would not only send out a nationwide alarm to law enforcement, but would compute how a weapons-plume would spread and send that information out to local emergency crews. Both the U.S. Department of Energy and the National Oceanic and Atmospheric Administration are funding Sensor Net research, and are enthusiastic about its possibilities.
Source: http://abcnews.go.com/sections/wnt/DailyNews/antiterror_technology021216.html

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures.
By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

- 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
- 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
- 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
- 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.