National Infrastructure Protection Center NIPC Daily Open Source Report for 27 November 2002
Daily Overview . Internet Security Systems has lowered its AlertCon Internet threat indicator to Level 1, which warrants routine security. (See Internet Alert Dashboard) . CERT announces Advisory CA-2002-34: Buffer Overflow in Solaris X Window Font Service, which could allow an attacker to execute arbitrary code or cause a denial of service. (See item 11) . According to ZDNet News, an Internet attack flooded domain name manager UltraDNS with a deluge of data late last week, causing administrators to scramble to keep up and running the servers that host .info and other domains. (See item 12) . According to the Toronto Star, the outbreak of a highly infectious virus, believed to be the Norwalk virus, has shut down a Toronto hospital's emergency room. (See item 14) . Reuters reports the Philippine government said Tuesday it has banned imports of ammonium nitrate, and will phase out its use by farmers within six months, since the widely available fertilizer is being used by militants to make bombs. (See item 13) NIPC Daily Report Fast Jump [click to jump to section of interest] Power Banking & Finance Transportation Gas & Oil Telecommunications Food Water Chemical Emergency Law Enforcement Government Operations Information Technology Cyber Threats and Vulnerabilities Internet Alert Dashboard General NIPC Information Power Sector 1. November 26, Associated Press - Electric cable damage worse than thought. Utility officials say damage done to underwater power cables in Long Island Sound is worse than first thought. Divers working over the weekend discovered that two more underwater power cables had been severed when a drifting barge dragged its anchor across them. Utility and environmental officials also said an oil-like sheen has been sighted on the water near the site where the cables have been leaking insulating fluid. The Long Island Power Authority shares ownership of the cable with Northeast Utilities (NU). NU spokesman Frank Poirot said all seven cables had been severed during a similar December 1996 incident in which a barge dragged its anchor across the conduits. The repairs in that incident, which Poirot said cost millions of dollars, took almost a year to complete. Source: http://www.newsday.com/news/local/longisland/ny-cable1126,0,7793125.stor y?coll=ny-linews-headlines Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED Scale: Low, Guarded, Elevated, High, Severe [Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com] [return to top] Banking and Finance Sector Nothing to report [return to top] Transportation Sector 2. November 26, U. S. Department of State - President Bush signs port security bill into law. President Bush signed into law November 25 a bill aimed at improving security at U.S. seaports and preventing terrorists from using the maritime transportation system to mount attacks on the United States. The "Maritime Transportation Security Act" will strengthen security through the required development of security plans for ports and an improved identification and screening system of port personnel, President Bush said in a prepared statement. Source: http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile /latest&f=02112601.clt&t=/products/washfile/newsitem.shtml 3. November 25, Port of Los Angeles - Los Angeles mayor signs landmark port security agreement. On Tuesday, the last day of his Asian tourism and trade mission, Los Angeles Mayor Jim Hahn signed a major agreement to initiate a Port of Los Angeles international container security program. "This agreement will elevate security standards for containers moving between Hong Kong and Los Angeles," said Mayor Hahn. Mayor Hahn signed a Memorandum of Understanding (MOU) with Modern Terminals Limited Managing Director Erik Bogh Christensen to test new security enhancements - including tamper-proof locks and other security systems - for Port of Los Angeles-bound cargo before leaving for the United States. The agreement with Modern Terminals is significant because Hong Kong is the largest port in the world and is the largest point of embarkation for goods being shipped to Los Angeles, the busiest port in the U.S. Approximately one-third of the Hong Kong cargo bound for Los Angeles is processed by Modern Terminals. The pilot project will be partially funded by a congressional appropriation through the U.S. Department of Transportation under the "Operation Safe Commerce" program. Source: http://biz.yahoo.com/bw/021125/250481_1.html 4. November 23, Scripps Howard News Service - DOT says 'hazmat' cargo label may draw terrorists. Concerned that terrorists might use hazardous-materials warning signs as readily as emergency workers, federal officials are looking for more secure ways of identifying what's on trucks and trains. But firefighters and other rescue workers are sharply opposed to removing the brightly colored diamond-shaped placards required for containers hauling everything from explosives and radioactive materials to corrosives and poisons. Ever since 9/11, federal officials have urged companies transporting hazardous materials to be more vigilant, most recently focusing on threats to railroads. Railroad officials were among the first to suggest last year that terrorists might use the signs and widely available guidebooks that go with them to assist in target selection. "We understand the security concerns, but we're very wary of taking this established tool away from emergency responders for something new that everyone in the field may not fully understand or have the equipment to use," said Craig Sharmin, director of government relations for the National Volunteer Fire Council. The U.S. Transportation Department, after meeting with industry officials about placards and other "hazmat" rules that might affect security, requested that its research center in Cambridge, Mass., study alternatives to placards. Source: http://seattlepi.nwsource.com/national/96970_warning23.shtml 5. November 22, General Accounting Office - Aviation security: registered traveler program policy and implementation issues. On Friday, November 22, the General Accounting Office (GAO) released a report on the policy and implementation issues related to the registered traveler program. The aviation industry and business traveler groups have proposed the registered traveler concept as a way to reduce long waits in airport security lines caused by heightened security screening measures implemented after the September 11 attacks. Under a variety of approaches related to the registered traveler program concept, individuals who voluntarily provide personal background information and who clear background checks would be enrolled as registered travelers. Because these individuals would have been pre-screened through the program enrollment process, they would be entitled to expedited security screening procedures at the airport. Through a detailed literature review and interviews with stakeholders, GAO found support for this program, but also found concerns that such a program could create new aviation security vulnerabilities. Source: http://www.gao.gov/cgi-bin/getrpt?GAO-03-253 [return to top] Gas and Oil Sector 6. November 26, Dow Jones Newswires - Venezuela's Fedecamaras: 80% of oil workers will strike. The president of Venezuela's business chamber umbrella organization, Fedecamaras, said on Tuesday that 80% of workers in the country's critical oil sector will heed the call to strike beginning Dec. 2. Workers at the country's state-run oil company, Petroleos de Venezuela SA, or PdVSA, will be allowed to make individual decisions about striking, local daily El Universal reported Tuesday. Meanwhile, also speaking on television, Oil Minister Rafael Ramirez said the strike will not affect operations because the strike "doesn't represent the will of the majority of oil workers who are committed to maintaining and strengthening the industry." Venezuela depends on oil for about 75% of exports, half of government income and a third of gross domestic product. Oil workers bringing production and shipping to a standstill was seen as the main catalyst for President Hugo Chavez's brief ouster in April. Source: http://story.news.yahoo.com/news?tmpl=story&u=/dowjones/20021126/bs_dowj ones/200211260834000395 [return to top] Telecommunications Sector Nothing to report. [return to top] Food Sector Nothing to report. [return to top] Water Sector 7. November 26, NBC4 (Amarillo, TX) - Texline water tests positive for E. coli. Texline, TX officials have warned residents of a possible E. coli outbreak that threatens their water supply. City officials learned about the possible outbreak Monday when workers building a new water tank found that a water sample was contaminated with E. coli. Officials then did random sample tests throughout the city and nearly half of those tested positive for the bacteria. City officials do not know if the entire city is contaminated, but they have been flushing out the water system with chlorine just to be sure. Texas state health inspectors will conduct their own tests in the city. If state samples come back positive, drinking supplies will be put on an "unsafe" status indefinitely until the bacteria is completely flushed out. Source: http://www.kamr.com/Global/story.asp?S=1027018&nav=1PuLCau4 [return to top] Chemical Sector Nothing to report. [return to top] Emergency Law Enforcement Sector 8. November 26, Federal Computer Week - FEMA launches DisasterHelp.gov. The Federal Emergency Management Agency on Nov. 25 launched a pilot version of its new web portal - www.DisasterHelp.gov, a one-stop portal for emergency preparedness and response information. The portal will support more than 4 million members of the first responder community - firefighters, police officers and emergency medical technicians - pulling together several systems, simplifying services and eliminating duplication in the process. Source: http://www.fcw.com/fcw/articles/2002/1125/web-fema-11-26-02.asp [return to top] Government Operations Sector Nothing to report. [return to top] Information Technology Sector 9. November 26, Federal Computer Week - AKO offers secure portal lessons. In developing its own secure portal, the Air Force might be able to take some lessons learned from the Army Knowledge Online (AKO) portal, which has more than 1 million accounts, including about 6,000 with Secret Internet Protocol Router Network (SIPRNET) access, said Robert Coxe, the Army's former chief technology officer who managed AKO. The Air Force is in the initial phases of developing a secure portal that will provide air operations centers with access to the data they need to make critical warfighting decisions. Such information currently is maintained in disparate systems. The system will provide the air operations centers with point-and-click access to an integrated set of secure information and will run on the Defense Department's Secret Internet Protocol Router Network. Lt. Gen. Leslie Kenne, deputy chief of staff for warfighting integration at Air Force headquarters, said the Air Force SIPRNET Portal is being tested as a way to eliminate the "disconnect between the force and the unit level" and will enable users to simply access the information they want and need to conduct air operations. Source. http://www.fcw.com/fcw/articles/2002/1125/web-ako-11-26-02.asp 10. November 25, ComputerWorld - DARPA establishes new information gathering and analysis office. The Defense Advanced Research Projects Agency (DARPA) has established a new Information Awareness Office (IAO) to develop technology for information gathering and analysis on a huge scale. The IAO aims to foster the development of information systems to "counter asymmetric threats by achieving total information awareness useful for preemption, national security warning and national security decision-making," according to the DARPA Web site. The threat "is characterized by collections of people loosely organized in shadowy networks that are difficult to identify and define," DARPA says. The IAO plans to develop technology that will allow understanding of the intent of these networks, their plans and potentially define opportunities for disrupting or eliminating the threats. The program has already demonstrated the feasibility of extracting relationships from text. In the coming year, DARPA plans to expand that capability to include Web pages, financial transactions, communications, travel records and the like. DARPA Web site: http://www.darpa.mil/iao/ Source. http://www.computerworld.com/securitytopics/security/privacy/story/0,108 01,76117,00.html [return to top] Cyber Threats and Vulnerabilities 11. November 25, CERT/CC - Advisory CA-2002-34: buffer overflow in Solaris X window font service. The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service. Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was discovered by ISS X-Force. A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service. Source. http://www.cert.org/advisories/CA-2002-34.html 12. November 25, ZDNet News - Attack targets .info domain system - UltraDNS. An Internet attack flooded domain name manager UltraDNS with a deluge of data late last week, causing administrators to scramble to keep up and running the servers that host .info and other domains. The assault sent nearly 2 million requests per second to each device connecting the network to the Internet--many times greater than normal--during the four hours of peak activity that hit the company early Thursday morning, said Ben Petro, CEO of UltraDNS. "This is the largest attack that we've seen," Petro said. He stressed that it didn't affect the company's core domain name system (DNS) services, but administrators had to work fast to get the attack blocked by the backbone Internet companies from which UltraDNS gets its connectivity. The attack came almost exactly a month after a similar attack targeted the DNS root servers, the databases that hold the critical information computers need to maintain top-level domains. Such domains act as the white pages of the Internet, matching domain names - such as www.cnet.com - with numerical Internet addresses. Source. http://zdnet.com.com/2100-1105-971178.html Internet Alert Dashboard Current Alert Levels Internet Security Systems AlertCon: 1 out of 4 https://gtoc.iss.net/ Security Focus ThreatCon: 1 out of 4 http://analyzer.securityfocus.com Last Changed: 26 November 2002 Last Changed: 23 November 2002 Current Virus and Port Attacks Virus: #1 Virus in USA: WORM_KLEZ.H Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States] Top 10 Target Ports 137(netbios-ns); 80(http); 21(ftp); 1433(ms-sql-s); 139(netbios-ssn); 4662; 25(smtp); 445(microsoft-ds); 53(domain); 8080(webcache) Source: http://isc.incidents.org/top10.html; Internet Storm Center [return to top] General Information 13. November 26, Reuters - Philippine government bans fertilizer that can be used for making bombs. The Philippine government said Tuesday it has banned imports of ammonium nitrate, and will phase out its use by farmers within six months, since the widely available fertilizer is being used by militants to make bombs. Police reports indicate that bombs that killed about a dozen people in the Philippine city of Zamboanga last month were partly made of ammonium nitrate. The fertilizer may have been used in last month's bombing that killed more than 180 people on the Indonesian resort island of Bali, and was an ingredient in the 1995 Oklahoma City bombing that killed 168 people. "We have decided to impose an import ban on this chemical for the sake of national security," Agriculture Secretary Leonardo Montemayor told reporters. Ammonium nitrate is often used by farmers as a soil nutrient and an inducer of mango flowers. The Philippines is a major exporter of mangoes and related products. Source: http://www.reuters.com/newsArticle.jhtml;jsessionid=B3VZFLW53RYHQCRBAE0C FEY?type=topNews&storyID=1807047 14. November 26, Toronto Star (Canada) - Virus closes Sunnybrook emergency room in Toronto, Canada. The outbreak of a highly infectious virus has shut down Toronto's Sunnybrook hospital's emergency room. So far, 41 people - 28 hospital staff and 13 patients - have contracted what is believed to be the Norwalk virus. Ambulances are being redirected to other hospitals and patients wanting to walk in to the ER are being asked to head to another care center. While the virus and its origin have yet to be identified, Dr. Mary Vearncombe, the hospital epidemiologist who is leading the containment of the outbreak, says all signs are pointing to Norwalk. Results confirming the diagnosis are expected today. This is not the only Norwalk-like virus outbreak in Toronto, said Dr. Allison McGeer, director of infection control for Mount Sinai Hospital. "There are a number of other outbreaks around the city, in long-term-care facilities," she said. Sunnybrook is managing to keep its trauma-care centre open, said hospital spokesperson Craig DuHamel. Patients in high need, such as those who've been in a car accident or suffered serious personal injury, are being admitted directly to the critical-care ward. Source: http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/A rticle_Type1&c=Article&cid=1035774799547&call_pageid=968332188492&col=96 8705899037 15. November 26, Associated Press - France arrests six in shoe bomb probe. The six suspects, Algerians and Pakistanis, were taken into custody in a suburban Paris roundup of alleged associates of "shoe bomber" Richard Reid, officials said, speaking on condition of anonymity. The officials did not say what role the militants, who were not identified by name, allegedly played in the bomb plot. The move against Reid's alleged associates is part of a string of terrorism-related arrests in recent days in France, as fears are rising of a potential terrorist strike in Europe. Source: http://www.washingtonpost.com/wp-dyn/articles/A40641-2002Nov26.html 16. November 26, Associated Press - Report: al-Qaeda operative in Africa killed by Algerian military. An Islamic militant killed by Algerian security forces in a raid more than two months ago has been identified as a man Washington considers to be a top al-Qaeda operative in Africa, Algeria's official news agency reported Monday. Emad Abdelwahid Ahmed Alwan, sometimes known as Abu Mohammed, was shot and killed in a Sept. 12 raid in the eastern Batna region, about 270 miles east of the capital, Algiers, the official APS news agency reported. Ahmed Alwan, a 37-year-old native of Yemen, was identified after a two-month investigation by government experts, the report said. He was a leader of Osama bin Laden's al-Qaeda terrorist network for northern and western Africa, it said. Source: http://www.usatoday.com/news/world/2002-11-25-alqaeda-algeria_x.htm [return to top] NIPC Products & Contact Information The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security and professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products: 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response. 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures. 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only. 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices. 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters. IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
