National Infrastructure Protection Center NIPC Daily Open Source Report for 9 Dec 2002
Daily Overview . The National Infrastructure Protection Center has released Information Bulletin 01-011: "Software Firm Investigation Serves as a General Information Security Reminder." (See item 2) . CERT has released Vulnerability Note VU#865833 - "Microsoft Windows Remote Desktop Protocol (RDP) Uses Weak Algorithm for Encrypting Packets." (see item 17) . The Sun-Sentinel reports that in response to the recent aircraft near-disaster in Kenya, the Fort Lauderdale airport, like many other airports nationwide, has restricted public viewing areas near taxiways and runways. (See item 4) NIPC Daily Report Fast Jump [click to jump to section of interest] Power Banking & Finance Transportation Gas & Oil Telecommunications Food Water Chemical Emergency Law Enforcement Government Operations Information Technology Cyber Threats and Vulnerabilities Internet Alert Dashboard General NIPC Information Power Sector 1. December 8, Associated Press - Report: nuclear plant owner finds flaws. Security guards at the Indian Point nuclear plant outside of New York City do not believe they could protect the plant from an attack, and said there was no encouragement to raise security concerns, a published report said Sunday. Only 19 percent of the security officers stated that they could adequately defend the plant after the terrorist event of Sept. 11," said a report conducted for the plant's owner and obtained by The New York Times. The 33-page report also said 59 percent of the guards described a "chilled environment" for raising security concerns, and that 12 percent said they had suffered retaliation for doing so. Entergy Nuclear Northeast, the company that owns Indian Point's two active reactors, commissioned the report in November 2001 in response to complaints by guards made both before and after the Sept. 11 terrorists attacks. An Entergy spokesman told The Times many of the security concerns had been resolved since the report was completed last January. Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021208/ap_on_re_us/i ndian_point_1 Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED Scale: Low, Guarded, Elevated, High, Severe [Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com] [return to top] Banking and Finance Sector 2. December 6, NIPC - NIPC Information Bulletin 01-011. The National Infrastructure Protection Center has released Information Bulletin 01-011: "Software Firm Investigation Serves as a General Information Security Reminder." The U.S. Attorney's Office announced today that it searched the Massachusetts offices of Ptech Inc. in connection with allegations relating to an ongoing financial crime investigation. Ptech software is used by a customer base that includes financial services and government market segments. In this specific regard, two things are worth noting. First, the U.S. Attorney's announcement in no way alleges that Ptech's products present any security threat. Second, based upon information available to it, the NIPC is not aware of any information or indication that Ptech software contains viruses, malicious codes, or otherwise performs in an anomalous fashion. The NIPC is taking this opportunity to remind the public that sophisticated cyberattack capabilities can be extremely difficult to detect and that nothing can guarantee the complete safety of any software. Source: http://www.nipc.gov/publications/infobulletins/2002/ib02-011.htm 3. December 3, Department of the Treasury - Treasury Department Announces Interim Guidance On Terrorism Insurance for Insurance Industry. The interim guidance covers several mandates of the new terrorism insurance law, including policyholder disclosure requirements and the requirement that insurance companies make coverage for terrorism risk, as defined by the Act, available to their policyholders. The interim guidance released today follows the National Association of Insurance Commissioners' (NAIC) release of model disclosure forms last week. Treasury interim guidance states that use of the NAIC's model disclosures constitutes compliance with the Act's disclosure requirements while noting that the model disclosures are not the exclusive means by which insurers may comply with the Act. Source: http://www.treas.gov/press/releases/po3663.htm Interim Guidance: http://www.treas.gov/press/releases/reports/interimguide.pdf [return to top] Transportation Sector 4. December 6, Sun-Sentinel - Terrorism alert closes viewing park at Lauderdale airport. A small park on the west side of Fort Lauderdale-Hollywood, Florida International Airport formerly frequented by aviation buffs, photographers, and people who enjoy watching airplanes has been closed after the terrorists' attempt to shoot down an Israeli airliner with shoulder-launched missiles in Kenya. In direct response to that near disaster on Thanksgiving Day, the Fort Lauderdale airport closed its popular aircraft viewing area, which is a located very near the main runway. Fort Lauderdale's is one of many airports nationwide to restrict areas near taxiways and runways, either temporarily or permanently, because of the coordinated two-pronged terrorist attacks in Kenya. Source: http://www.sun-sentinel.com/news/local/southflorida/sfl-sclosed06dec06,0 ,1761737.story?coll=sfla-home-headlines 5. December 6, Associated Press - Vehicle inspections at entry gates proposed by DFW. A plan at Dallas-Fort Worth, Texas International Airport to reclaim parking spaces lost amid tightened security would involve vehicle inspections at entry gates. Under the proposal, a non-intrusive vehicle inspection of every vehicle entering the airport would be conducted at the plazas, said Jim Crites, the airport's executive vice president of operations. It's part of a plan to boost revenues and put nearly 3,000 near-terminal parking spaces back in service while keeping security intact in the wake of last year's terrorist attacks. Airport officials want to reopen 2,900 short-term parking spaces that were closed to limit potential threats to terminal buildings. The spaces are on top of terminal parking garages. Keeping the spaces off limits is costing the airport about $9 million a year in parking revenue, contributing to an expected $6.7 million shortfall in budgeted parking revenues in fiscal 2003, Mr. Crites said. The Transportation Security Administration has given some airports waivers allowing them to reopen terminal spaces once airport officials proved that any terminal within 300 feet of parking could sustain an explosion of an undisclosed magnitude. Source: http://www.reporter-news.com/1998/2002/texas/texas_Vehicle_i126.html 6. December 6, Associated Press - One dies as plane hits Miami bank. A small plane crashed into the Federal Reserve Bank Building in Miami, Florida during a holiday party Thursday night, killing the pilot, the authorities said. No one inside the building was injured. A Federal Aviation Administration spokeswoman said it appeared to be an accident. More than 100 people, including the bank's current and former directors, were in the one-story building when the aircraft slammed into the northeast side, exploded and burst into flames. The bank building is just north of the United States Southern Command, which oversees American military activities in 32 nations and 12 dependencies in Latin America and the Caribbean. Source: http://www.nytimes.com/2002/12/06/national/06PLAN.html 7. December 6, Daily Press - Truck-lockup plan in the works. The federal government plans to adopt a rule requiring the locking of all trucks on the road, a requirement that could have a far-reaching effect on the trucking and freight-delivery industry. The Transportation Security Administration said it wanted the rule because it was worried about terrorists secretly accessing unlocked trucks to hide remote-controlled bombs or other weapons aimed at cities or strategically sensitive locations. "Every truck that's on the road in the United States should be kept locked, and I'm steadfast in my commitment to getting that to happen," said George Rodriguez, director of cargo security for the maritime- and land-security division of the TSA. Federal officials said that now, only 20 percent to 30 percent of truck trailers and cargo areas were locked consistently. Under the proposed change, trucking and shipping companies would be required to install locks on their trailers and storage areas. Drivers and trucking companies would be ticketed and face federal fines for not having or using the locks, Rodriguez said Thursday. Source: http://www.dailypress.com/business/local/dp-10291sy0dec06,0,21692.story? coll=dp-business-localheads [return to top] Gas and Oil Sector 8. December 6, Associated Press - Venezuela's oil exports stopped and protesters faced off in the streets Friday. As political violence loomed, President Hugo Chavez's government said it was ready to restart talks with the opposition on new elections. Captains anchored tankers offshore, tugs stopped guiding ships from Venezuela's oil-rich Lake Maracaibo and dock crews stopped loading oil and natural gas. Operations at several refineries were shutting down in a process that takes several days. Since it no longer could fill orders, Venezuela's state oil monopoly freed buyers and sellers from fulfilling their contracts, said Jorge Kamkoff, a company vice president. Crude oil futures at the New York Mercantile Exchange rose as Venezuela's crisis deepened. Source: http://www.washingtonpost.com/wp-dyn/articles/A18195-2002Dec6.html 9. December 5, Reuters - Canada's energy regulator said on Thursday it had approved a C$190 million ($122 million) expansion of the pipeline that ships natural gas to the U.S. Northeast from Nova Scotia, but suspended the go-ahead date because the new gas volumes are still uncertain. Maritimes & Northeast Pipeline applied to the National Energy Board for a 400 million cubic feet a day expansion after striking a deal with EnCana Corp. to accommodate volumes from its proposed Deep Panuke development off the Nova Scotia coast. EnCana, North America's top independent oil explorer and producer, said last month it no longer believed the C$1.1 billion project will start up by the 2005 target date, blaming regulatory delays. The NEB said it did not give an immediate green light because EnCana, in its deal with the pipeline, has the right to cut the expected contract volume by as much as 200 million cubic feet a day until July. Source: http://story.news.yahoo.com/news?tmpl=story&u=/nm/20021205/wl_canada_nm/ canada_energy_pipeline_col_1 [return to top] Telecommunications Sector 10. December 6, AT&T - Advisory: bogus email message sent to AT&T customers. AT&T released a notice stating that it has become aware of a fraudulent email scam involving a bogus email message sent to AT&T customers. The notice states that "the email address includes "att-global.com," and the email message itself states that AT&T needs certain information from customers in order to verify billing records. This message is unauthorized and should be disregarded. The requested information includes items such as social security number, credit card numbers, birth dates, mother's maiden name (a key password verification question) and "driver's licence" (spelled incorrectly). AT&T Security has traced the fraudulent messages to an international email address known for this type of fraud, and has shut it down. However, customers should be aware that the bogus operation could resurface elsewhere. If any AT&T customer receives an email message that has "att-global.com" in the address and requests verification of billing data, they should not respond with any information whatsoever. Instead, they should forward the fraudulent email message to AT&T Security at [EMAIL PROTECTED] AT&T has notified the proper authorities and they are in the process of investigating." Source: http://www.att.com/news/item/0,1847,11147,00.html 11. December 5, ZDNet News - Wireless digs hole in homeland security. Security needs to become a priority for users and makers of wireless networking equipment in order to stop insecure connections from being used to attack federal and corporate systems, network experts said Wednesday. Speaking at the 802.11 Planet Conference, security professionals pointed to a lack of focus on hardening the wireless infrastructure as a flaw in government discussions about protecting the nation's critical infrastructure. In July, President's Bush's special adviser on cybersecurity, Richard Clarke, told security experts that users and makers of wireless equipment were among the five top groups responsible for the Internet's insecurity. Source. http://zdnet.com.com/2100-1105-976114.html [return to top] Food Sector 12. December 5, United Press International - Pork sausage recalled. Crofton & Sons Inc. of Tampa, Fla., on Thursday, recalled 8,600 pounds of ready-to-eat, fresh and frozen pork sausage products because of possible contamination with Listeria monocytogenes. The recall was initiated after a sample taken by the Florida Department of Agriculture & Consumer Services tested positive for listeria. The USDA's Food Safety and Inspection Service said they have received no reports of illness associated with the product. Source: http://www.upi.com/view.cfm?StoryID=20021205-035231-1920r 13. December 4, Amarillo Globe-News (Amarillo, Texas) - Preparation for terror strikes under way. Konrad Eugster, retired executive director of the Texas Veterinary Medical Diagnostic Laboratory System, said at the Amarillo Farm & Ranch Show that the threat is real from rogue nations and terrorist groups for the possible introduction of diseases such as foot and mouth. "Terrorists won't place the virus on one farm. Within a 24-hour period, we could have outbreaks all over the country," Eugster said. Texas A&M University' s Institute for Countermeasures Against Agricultural Bioterrorism will be used to organize all current anti-bioterrorism activities in agriculture and better position total resources for addressing the problems. The Institute's researchers are working on plant and animal breeding programs for genetic resistance, working toward a better understanding of the diseases and creating better vaccines, and creating a systems approach to prevention and management of disease, Eugster said. Eugster, also, discussed a number of counter measures that are coming online, including air testing ports that measure air from individuals for foreign animal diseases; hand-held rapid disease detection devices; hand-held computer devices to assess risk on individual farms; and new foot and mouth vaccines. Source: http://www.amarillonet.com/stories/120402/bus_prepfor.shtml [return to top] Water Sector Nothing to report. [return to top] Chemical Sector Nothing to report. [return to top] Emergency Law Enforcement Sector 14. December 4, Federal Emergency Management Agency - Multi-hazard mapping site a big success, FEMA Says. Little more than six months after it was introduced, a website designed to give the public access to a nationwide coverage of digitally available multi-hazard maps and supporting data from federal, state and local sources is operating at an annual rate of more than 800,000 hits and 225,000 unique visitors, according to officials of FEMA. The maps can be viewed with a typical web browser. The user can view maps by hazard theme or create a custom view showing areas of hazard overlap. In addition, FEMA says, more sophisticated users such as state or local government technicians can download Geographic Information Systems (GIS) files--an important tool in land-use planning, hazard mitigation, and disaster preparedness and response--and upload their own hazard map data. Source: http://www.fema.gov/nwz02/nwz02_237.shtm Map Site: http://www.HazardMaps.gov [Return to top] Government Operations Sector 15. December 5, Government Executive - Law allows contractors to help guard military bases. The Defense Department can use contractors to guard military bases in limited cases under the 2003 Defense Authorization Act signed Monday by President Bush. Section 332 of the law allows military installations to hire contract security guards to meet new base security requirements prompted by the Sept. 11 terrorist attacks. The provision amends an existing statute (Section 2465 of Title 10 of the U.S. Code), which prohibits Defense from using contractors as security guards or firefighters. Source: http://www.govexec.com/dailyfed/1202/120502p1.htm 16. December 4, National League of Cities - Homeland Security duties will mean service cuts. More than half of large cities say providing homeland security has made it harder to perform their normal public safety responsibilities, according to a new survey of 221 cities by the National League of Cities (NLC). Among all cities, 24 percent said re-deploying public safety personnel or shifting funds for homeland security has made it harder to meet normal public safety responsibilities. Among larger cities (100,000-plus in population), 51 percent reported the shifts had hurt their ability to perform normal public safety duties. Thirty-six percent of all cities and 65 percent of larger cities reported re-deploying personnel or shifting funds. Source: http://www.usnewswire.com/topnews/prime/1204-124.html [return to top] Information Technology Sector Nothing to report. [return to top] Cyber Threats and Vulnerabilities 17. December 6, CERT/CC - Vulnerability Note VU#865833 - Microsoft Windows remote desktop protocol (RDP) uses weak algorithm for encrypting packets. RDP is based on, and is an extension of, the T.120 protocol family standards. It is a multichannel-capable protocol that allows for separate virtual channels for carrying device communication and presentation data from the server, as well as encrypted client mouse and keyboard data. Microsoft's implementation of RDP does not encrypt the checksums of the session data. Therefore, a determined attacker could apply cryptanalytic techniques to recover encrypted session traffic. Note that Microsoft has listed the following mitigating factors: An attacker would need the ability to capture an RDP session in order to exploit this vulnerability. In most cases, this would require that the attacker have physical access to the network media. Because encryption keys are negotiated on a per-session basis, a successful attack would allow an attacker to decrypt only a single session and not multiple sessions. Thus, the attacker would need to conduct a separate cryptanalytic attack against each session he or she wished to compromise. Source. http://www.kb.cert.org/vuls/id/865833 Internet Alert Dashboard Current Alert Levels Internet Security Systems AlertCon: 1 out of 4 https://gtoc.iss.net/ Security Focus ThreatCon: 1 out of 4 http://analyzer.securityfocus.com Last Changed: 26 November 2002 Last Changed: 23 November 2002 Current Virus and Port Attacks Virus: #1 Virus in USA: PE FUNLOVE.4099 Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States] Top 10 Target Ports 137(netbios-ns); 80(http); 1433(ms-sql-s); 21(ftp); 25(smtp); 4662; 139(netbios-ssn); 445(microsoft-ds); 53(domain); 27374 (asp) Source: http://isc.incidents.org/top10.html; Internet Storm Center [return to top] General Information 18. December 6, Associated Press - Guidelines Aim to Tighten Lab Security. Scientific labs now have detailed guidelines about how to protect dangerous pathogens as federal officials work to pump up regulation. Recommendations issued Thursday are the most detailed ever produced by the Centers for Disease Control and Prevention. Among them: monitor areas where pathogens are stored, keep specimens locked up, and confine access to those authorized to work with these agents. Next week, the CDC will publish regulations requiring tighter security at labs that handle select agents, 42 pathogens and toxins that pose the greatest dangers to the public's health. The new rules will require every lab that possesses a select agent to register with the CDC or the Agriculture Department and undergo an inspection. The rules will also require background checks for people who work with select agents and require all labs to develop a biosecurity plan. Source: http://abcnews.go.com/wire/Politics/ap20021206_190.html 19. December 5, Popular Science - Radioactive patients set off subway alarms. Americans undergoing radioactive medical treatments risk setting off anti-terrorism sensors in public places, and subsequent strip searches by police, warn doctors at the Albert Einstein College of Medicine in New York. A 34-year-old patient who had been treated with radioactive iodine for Graves disease, a thyroid disorder, returned to their clinic three weeks later complaining he had been strip-searched twice in Manhattan subway stations. Christopher Buettner and Martin Surks report the case in a letter to the Journal of the American Medical Association. "Police had identified him as emitting radiation and had detained him for further questioning." Buettner and Surks contacted the Terrorism Task Force of the New York City Police Department to determine how to prevent other patients being detained. A letter describing the isotope used and its dose, its biological half-life and the date and time of treatment, plus a 24-hour contact telephone number for the patient's physician should help, the police said. But even in the best-case scenario, a patient will have to wait while the contents of the letter are verified, say the doctors. "They may choose not to use public transportation to avoid this inconvenience," they write. Source: http://www.newscientist.com/news/news.jsp?id=ns99993150 [return to top] NIPC Products & Contact Information The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security and professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products: 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response. 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures. 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only. 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices. 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters. IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
