National Infrastructure Protection Center NIPC Daily Open Source Report for 5 December 2002
Daily Overview

• CERT announces Vulnerability Note VU#140977: SSH Secure Shell for Workstations contains a buffer overflow in URL handling feature that may allow an attacker to execute arbitrary code. (See item 9)
• CERT announces Vulnerability Note VU#740169: Cyrus IMAP Server contains a buffer overflow vulnerability that may allow a remote attacker to execute arbitrary code on the mail server. (See item 10)
• Business Wire reports that in a recent strategic simulation of a terror attack designed to assess America's vulnerability through its ports, business and government leaders found that such an attack could potentially cripple global trade and have a devastating impact on the nation's economy. (See item 2)
• CBS reports a huge, fast-moving storm has spread ice and snow from the Texas Panhandle to Virginia, making highways slippery and knocking out power to thousands of customers, and is expected to dump heavy snow and ice tomorrow in Washington, D.C., Philadelphia, and New England. (See item 11)

Power Sector

1. December 4, Associated Press - Governor extends National Guard security at nuclear plants until March. Pennsylvania Gov. Mark Schweiker said the National Guard and state police will patrol the state's five nuclear power plants at least until March 2003. In a November 2001 disaster emergency proclamation, Schweiker directed the National Guard to join state police at the plants. On Tuesday, Schweiker for the fifth time extended the proclamation, which had been set to expire this week.
Source: http://pennlive.com/newsflash/pa/index.ssf?/newsflash/get_story.ssf?/cgi-free/getstory_ssf.cgi?d0741_BC_PA-BRF--NuclearSecuri&&news&newsflash-pennsylvania

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

Nothing to report.

Transportation Sector

2. December 4, Business Wire - Wargame reveals that threats to port security call for integrated public/private action. In a strategic simulation of a terror attack designed to thoroughly assess America's vulnerability through its ports, a group of business and government leaders found that such an attack could potentially cripple global trade and have a devastating impact on the nation's economy. The group focused on ways to improve detection before a weapon gets to a U.S. port, as well as help businesses to build resiliency into their operations. The two-day Port Security Wargame took place October 2-3, 2002 in Washington, D.C., with 85 leaders from a range of government and industry organizations, who have a critical stake in port security. The results of the wargame revealed that at current preparedness levels, a "dirty bomb" attack through the ports could cost U.S. businesses as much as $58 billion.
Source: http://biz.yahoo.com/bw/021204/42263_1.html

3. December 2, Vancouver Sun - Canadian Coast Guard reports vast security gaps. The Canadian Coast Guard is unable to adequately protect Canada's coastlines from terrorists, says Coast Guard Commissioner John Adams. The CCG, which acts as the country's coastal eyes and ears through a series of radar stations and at-sea surveillance, relies largely on an honor system to obtain information on the whereabouts of incoming vessels. So the coast guard knows of vessels in Canadian waters only "if they want us to know," according to Adams.
Adams' blunt assessment echoes the conclusions of a Senate report in September that said Canada's coastlines are vulnerable to terrorists and their weapons of mass destruction. While the coast guard has the ability to track suspicious boats near busy waterways, its hands are tied in areas such as the central and northern British Columbia coast where there is no radar capability. Until this year, the Prince Rupert, B.C. station tracked vessels using a Second World War-style table map over which little wooden boats were moved around manually. Adams painted a grim picture of the coast guard's state, saying the service still can do its job but needs a $400-million infusion in the next three to five years just to renew an aging fleet of vessels.
Source: http://www.nationalpost.com/search/site/story.asp?id=44830E03-754B-47D8-982F-8963219D538C

Gas and Oil Sector

Nothing to report.

Telecommunications Sector

Nothing to report.

Food Sector

4. December 4, CBC Saskatchewan (Canada) - Canadian farmers trying chronic wasting disease (CWD) test on elk. Dr. Tony Milici, of GeneThera Research in Colorado, says he has developed a new live test for CWD, which has devastated deer and elk farmers in Canada. CWD can cripple an animal's brain and nervous system within weeks, eventually killing it. When one infected animal is found, the entire herd is destroyed to prevent the disease from spreading. The problem is testing. Currently, animals that show symptoms can only be tested for CWD after they're dead. The new test is used on live animals. Veterinarians "probably need to just draw blood for these animals and look at the specific marker in the blood rather than killing the animals and looking in the brain," said Milici. If the test works, it would be a major advantage for ranchers, but regulators remain cautious.
Milici's test "will have to undergo rigorous scrutiny by the scientific community as well as testing to ensure that it truly detects the true positive animals," said Dr. George Luterback of the Canadian Food Inspection Agency.
Source: http://sask.cbc.ca/template/servlet/View?filename=cwd20021204

Water Sector

Nothing to report.

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

Nothing to report.

Government Operations Sector

5. December 4, Associated Press - Incinerating chemical weapons is safe, storage is not, new report says. America's arsenal of chemical weapons can be safely incinerated at a few sites around the country, despite chemical releases and violations at the only two operational incinerators, according to a report Tuesday. "The risk to the public and to the environment of continued storage overwhelms the potential risk of processing and destruction of stockpiled chemical agent," said the report by the National Research Council, a branch of the National Academies of Science. The council did not weigh in on whether incineration was preferable to other methods of neutralizing the chemical agents. The council report identified 40 cases where chemical agents leaked into areas where they were not supposed to have been and three where they escaped from an incinerator building. But it said amounts that escaped were too small to threaten the public. Critics who favor neutralization said the report ignored important incidents and glossed over the dangers of incineration. About a quarter of the stockpile has been destroyed at weapons incinerators in Tooele, Utah, and on Johnston Atoll in the Pacific Ocean. Incinerators in Anniston, Ala.; Pine Bluff, Ark.; and Umatilla, Ore., are scheduled to begin operations in the coming months. Chemical agents in Newport, Ind.; Aberdeen, Md.; Pueblo, Colo.; and Bluegrass, Ky., are to be neutralized using chemicals.
The study was financed by the Defense Department and requested by former Rep. Bob Riley, R-Ala., the state's governor-elect.
Source: http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2002/12/03/national1746EST0717.DTL

6. December 3, Associated Press - Health and Human Services Secretary Tommy Thompson showed off his agency's new command center Tuesday, saying it will help the department better deal with bioterrorism and other emergencies. The center, located in a former conference room near Thompson's office, is outfitted with computers, satellite videoconferencing capabilities, telephones and computer mapping tools that allow officials to track the movement of medical supplies and emergency personnel. It has its own ventilation system, meaning officials could stay in the center even if the rest of the HHS headquarters were contaminated and had to be evacuated. The center is being staffed 24 hours a day, seven days a week, in case of an emergency. HHS said that the center was built on time and under budget - it was built in just 59 days and cost $3.5 million, $1 million less than Congress appropriated. The leftover money will be used to improve crisis communications in other parts of HHS, officials said.
Source: http://www.washingtonpost.com/wp-dyn/articles/A4989-2002Dec3.html

7. December 2, Department of Defense - Personnel, war, readiness priorities of authorization act. President Bush signed the National Defense Authorization Act for 2003 into law Dec. 2 during a ceremony at the Pentagon. The act actually allows DoD to spend money released under the 2003 National Defense Appropriations Act, which Bush signed Oct. 23. The act authorizes $7.3 billion for counterterrorism programs throughout the services. Much of this is channeled into biological warfare defense and chemical and biological detection, protection and decontamination. The act directs DoD to set up National Guard civil support teams in all states and territories.
Also included is authorization to create the new positions of under-secretary of defense for intelligence and assistant secretary of defense for homeland security.
Source: http://www.defenselink.mil/news/Dec2002/n12022002_200212026.html

Information Technology Sector

8. December 4, Government Computer News - GIS interface will help agencies build out 'spatial Web' for simulated government emergency operations. Government and industry members of the OpenGIS Consortium Inc. have forged a fast-track interoperability consensus that culminated recently in live international Web mapping via the OGC Web Services 1.2 interface. Working from the OWS 1.2 interface on varied notebook PCs, representatives of federal, state and local agencies collaborated with vendors to show how a simulated government emergency operations center might scope out fast-breaking local events. The imaginary events included a tornado, a white truck being sought by police and a hazardous spill on an interstate bridge. The participants called up and merged maps, geographic information systems data, live webcam images, photographs, and demographic and tax parcel records to present a composite package of information to decision-makers and emergency responders. The composite could be used, for example, to define evacuation routes. Some of the data came from online sources in other nations. "This demonstration will have big implications for Geospatial One Stop," said Myra J. Bambacus, acting executive director of the geospatial portal that is one of the Office of Management and Budget's 25 e-government initiatives.
Source: http://www.gcn.com/vol1_no1/daily-updates/20586-1.html

Cyber Threats and Vulnerabilities

9. December 4, CERT/CC - Vulnerability Note VU#140977: SSH Secure Shell for Workstations contains buffer overflow vulnerability.
The Windows version of SSH Secure Shell for Workstations contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code. The SSH Secure Shell for Workstations client includes a URL handling feature that allows users to launch URLs that appear in the terminal window. When the user clicks on a URL, it will be launched using their default browser. Versions 3.1 to 3.2.0 of this application contain a buffer overflow vulnerability that is triggered when the launched URL is approximately 500 characters or greater in length. To exploit this vulnerability, an attacker must supply a malicious URL to a terminal session and convince the victim to launch it.
Source: http://www.kb.cert.org/vuls/id/140977

10. December 3, CERT/CC - Vulnerability Note VU#740169: Cyrus IMAP Server contains a buffer overflow vulnerability. A buffer overflow vulnerability exists in versions of Cyrus IMAP Server up to and including 2.1.10. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server. This is not typically root, but may lead to the ability to read all mail on the system. Cyrus IMAP Server is an e-mail application that uses the Internet Message Access Protocol (IMAP). Version 2.1.10 and prior of the Cyrus IMAP Server contain a buffer overflow vulnerability that may be exploited prior to authentication to the IMAP server. Exploitation of this vulnerability may also rely on the implementation of malloc() being used on the system.
Source: http://www.kb.cert.org/vuls/id/740169

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (https://gtoc.iss.net/) - Last Changed: 26 November 2002
Security Focus ThreatCon: 1 out of 4 (http://analyzer.securityfocus.com) - Last Changed: 23 November 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: PE_ELKERN.D
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 1433(ms-sql-s); 21(ftp); 25(smtp); 139(netbios-ssn); 445(microsoft-ds); 4665(edonkey); 1646(sa-msg-port); 4662
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

11. December 4, CBS - Winter storm hits U.S. hard. A huge, fast-moving storm spread ice and up to a foot of snow from the Texas Panhandle to Virginia, making highways slippery and knocking out power to thousands of customers. From a "whiteout" in Missouri to blackouts in Arkansas and Tennessee, leaving thousands powerless, this fast-moving system that dumped up to 10 inches of flood water on Houston yesterday today put millions of people into the snow season's first significant storm. "Some places are getting heavy precipitation, and some are getting significant amounts of ice. Other places will get snow on the order of 2 to 4 to 6 inches or more," Dr. Jim Hoke, NOAA Meteorologist, said. Schools were closed in nearly a dozen states, including Oklahoma, Kansas, Missouri, Arkansas, Kentucky, Tennessee, Illinois, the Carolinas and Virginia. Some 37,000 homes and businesses were blacked out in Oklahoma, utility officials said. Lt. Gov. Mary Fallin declared 42 of the state's 77 counties a disaster emergency area, allowing utilities to ask for help from out-of-state companies.
About 56,000 homes and businesses had no electricity in northern Arkansas, and utilities said some people might have to wait until Saturday to get their lights back. This storm will re-form overnight and swing northeast. Heavy snow and ice are expected tomorrow in Washington and Philadelphia, and up into New England.
Source: http://www.cbsnews.com/stories/2002/12/04/national/main531658.shtml

12. December 4, Edmonton Journal (Canada) - Canadian cities buy chemical detectors. Seven Alberta cities, including Edmonton, are the first in Canada to buy chemical detectors that are being used by UN weapons inspectors in Iraq. They are considered to be the first reliable, on-site detectors of the potentially deadly toxins anthrax, ricin and botulinum, and are expected to revolutionize how chemical threats are handled. Instead of waiting hours or days for lab tests to determine whether a threat is real, the Rapid Analyte Measurement Platform or RAMP system provides results within 15 minutes. When the machines arrive, likely by the end of February, Edmonton, Calgary, Red Deer, Fort McMurray, Grand Prairie, Lethbridge and Medicine Hat will each get one detector. "Without this kind of monitoring equipment, you have to treat every event as a real one," said Bob Black, Edmonton's emergency preparedness director. The device has been tested by the Canadian Department of National Defense, the Maryland State Department of Health, and Intertox Inc., a Seattle, WA-based public and occupational health firm.
Source: http://www.canada.com/edmonton/edmontonjournal/story.asp?id=%7BEEBED23C-6734-4CA7-A969-C697170EFB87%7D

13. December 4, St. Petersburg Times (Florida) - Florida lab in smallpox program. A Dunedin, Florida lab is among several that will use volunteers to produce doses of antibodies for those who suffer reactions to the smallpox vaccine. Due to the nature of the smallpox vaccine, health officials need more than just the vaccine and a plan to distribute it.
They also need an antivenin for people who suffer dangerous reactions to the vaccine. The only way to get that antivenin or VIG is from the blood of people recently inoculated. Now a small number of clinics across the country are beginning to recruit volunteers for a federal program designed to restore stocks of Vaccinia Immune Globulin or VIG. For this project, the smallpox vaccine is provided by the U.S. Centers for Disease Control and Prevention (CDC) under the auspices of a clinical trial. The CDC wants 30,000 doses of VIG by this time next year and roughly 100,000 doses within the next five years. It has contracted with a Canadian biologics company, Cangene Corp., to produce it. Cangene has hired about 16 U.S. biologics labs to recruit volunteers, administer the vaccine and harvest their plasma.
Source: http://www.sptimes.com/2002/12/04/TampaBay/Pinellas_lab_in_small.shtml

14. December 4, New York Times - Researchers at Columbia University are embarking on a three-year study of the evacuation of the World Trade Center twin towers during the terrorist attack to help determine how individual behavior, the structure of the buildings and emergency management procedures affected who survived and why. Since the 9/11 attack, public health researchers have inquired into the array of conditions related to the disaster, including studies of the structural factors that led to the collapse of the towers, the response of emergency workers and the health-related effects of the collapse of the buildings and the cleanup afterward. But relatively few of those efforts have focused on the more than 12,000 people who were safely evacuated from the towers, said Robyn Gershon, an associate professor of sociomedical sciences at Columbia, who is one of the principal investigators in the study.
Source: http://www.nytimes.com/2002/12/04/nyregion/04EVAC.html

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

• 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
• 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
• 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
• 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
• 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.
IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk