National Infrastructure Protection Center NIPC Daily Open Source Report for 26 November 2002
Daily Overview

- Internet Security Systems has raised its AlertCon Internet threat indicator to Level 2, due to the large increase of scanning across the Internet, primarily from Asia, and a number of incident reports regarding security breaches against commercial entities. (See Internet Alert Dashboard)
- CERT announces Vulnerability Note VU#740619: Secure Shell for Servers, developed by SSH Communications Security, does not properly remove the child process from the master process group after non-interactive command execution. (See item 16)
- The Associated Press reports that President Bush signed legislation Monday creating a new Department of Homeland Security devoted to preventing domestic terror attacks. (See item 10)
- The Associated Press reports Federal authorities have charged three men with orchestrating a huge identity-theft scheme in which credit information was allegedly stolen from more than 30,000 victims. (See item 1)

Power Sector

1. November 25, Reuters - Opposition parties said on Monday they had lodged no-confidence motions against the Bulgarian government for bowing to European Union pressure and agreeing to close down two nuclear reactors. The ruling coalition of Prime Minister Simeon Saxe-Coburg is likely to defeat the two motions in the 240-strong parliament, where it has a sound majority, local commentators said. EU candidate Bulgaria agreed last week to close reactors three and four of its Soviet-era Kozloduy nuclear plant by 2006. The plant generates more than 40 percent of the country's electricity and any shutdown is likely to raise power prices for impoverished Bulgarians.
The Balkan state's previously ruling centre-right Union of Democratic Forces (UDF) and Socialist parties accused the reformist government of betrayal. "The government has acted against national interests and has violated the Constitution," the Socialists said. The ruling National Movement for Simeon II -- led by Saxe-Coburg, the former king who took over the premiership in July 2001 -- holds 115 seats in parliament, while its junior coalition partner, the ethnic Turkish MRF party, has 20 seats. Opposition parties had previously signalled they would not make waves before last week's NATO summit in Prague to avoid damaging Bulgaria's chances of becoming a NATO member.
Source: http://hsweb01.screamingmedia.com/PMA/pma_newsarticle1_reuters.htm?SMDOCID=reuters_pma_2002_11_25_eng-reuters_pma_NUCLEAR-SHUTDOWN-ROCKS-BULGARIAN-GOVERNMENT&SMContentSet=0

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

2. November 25, Associated Press - U.S. charges 3 in massive ID fraud. Federal authorities charged three men with orchestrating a huge identity-theft scheme in which credit information was allegedly stolen from more than 30,000 victims. Manhattan U.S. Attorney James Comey said the arrests announced Monday mark the largest identity theft case in U.S. history, with initial losses pegged at $2.7 million and growing. More than 15,000 credit reports were stolen using passwords belonging to Ford Motor Credit Corp. to access information from Experian, a commercial credit history bureau, officials said. Authorities say the scheme began about three years ago when Philip Cummings, a help-desk worker at a computer software company, agreed to give an unidentified co-conspirator the passwords and codes for downloading consumer credit reports.
Source: http://story.news.yahoo.com/news?tmpl=story2&cid=519&e=3&u=/ap/20021125/ap_on_re_us/identity_theft

3. November 24, Milwaukee Journal Sentinel - Insurance co-op created for cities, villages. The threat of terrorism has persuaded an insurance carrier to drop liability coverage for about 200 cities and villages in Wisconsin, leading to the formation of a new statewide self-insurance cooperative. As part of a corporate retrenching attributed to terrorist threats, Kemper Insurance Cos. has decided not to renew coverage under a nearly 20-year-old program operated by the League of Wisconsin Municipalities. With Kemper dropping out at the end of the year, league officials have invested $5 million to establish a new self-insurance pool of the sort that became popular during an insurance industry crunch in the 1980s.
Source: http://www.jsonline.com/news/state/nov02/98544.asp

4. November 22, Financial Crimes Enforcement Network, U.S. Department of the Treasury - FinCEN issued today its report on Informal Value Transfer Systems (IVTS), including hawala, in its ongoing effort to gain a more complete understanding of the nature of these systems. Hawala, an IVTS, is a method of monetary value transmission that is used in some parts of the world to conduct remittances, most often by individuals who seek legitimately to send money to family members in their country of origin. The report addresses the complexity of IVTS, provides information for the law enforcement and financial communities, and offers several recommendations to further the learning curve about IVTS to help stem their use as potential avenues for money laundering and other financial crimes.
Source: http://www.fincen.gov/ivtsnewsrelease11222002.pdf
Report: http://www.fincen.gov/hawalarptfinal11222002.pdf

Transportation Sector

5. November 24, Orange County Register - Port security lagging.
The Orange County Register reported on Sunday that the Los Angeles and Long Beach, CA ports remain largely exposed to terrorist attacks that could lead to mass casualties or "an ecological disaster," citing a report to the federal government. The vulnerabilities are detailed publicly for the first time in a grant request submitted this year by the nation's largest cargo port complex. In the March 29 grant request - which was obtained under the California Public Records Act - Port of Long Beach officials described the state of security at the complex, which handles 43 percent of the nation's container cargo traffic. Among the problems cited in the report were a shortage of patrol boats, law enforcement officials, and surveillance cameras to monitor port facilities, exposed above-ground tanks storing hazardous chemicals, lack of an efficient cargo screening system, and lack of a system for disseminating evacuation information. As with most grant requests, Long Beach city officials conceded, they relied on worst-case scenarios. But all the vulnerabilities described were identified through a risk assessment by numerous public-safety agencies, including the city's Fire Department, the U.S. Coast Guard, and Long Beach and Los Angeles police.
Source: http://www2.ocregister.com/ocrweb/ocr/article.do?id=13103&year=2002&month=11&day=24

6. November 24, USA Today - Armed pilots are months away. President Bush signed legislation on Monday that allows airline pilots to carry guns in cockpits, but it will be months before any take their weapons aboard. It is expected that fewer than half of the roughly 75,000 pilots will choose or qualify to carry a weapon while on board. Before pilots will be allowed to arm themselves, the government must set up a training program to make pilots proficient at shooting inside the confined quarters of a cockpit.
The government also must write rules on what weapons should be allowed, how pilots carry the guns to and from the aircraft and whether they can carry them off duty. The legislation says the Transportation Security Administration (TSA) should begin arming pilots within 90 days but gives the agency wide latitude to write rules. TSA spokesman Robert Johnson says it's too early to say what the program will look like or how many pilots will eventually qualify. But one federal official said pilots should expect rigorous training and standards that limit the number of pilots who participate.
Source: http://www.usatoday.com/news/washington/2002-11-24-armed-pilots_x.htm

Gas and Oil Sector

7. November 25, Associated Press - Tanker catches fire in Chinese waters. High winds and rough seas hampered attempts Monday to put out a fire aboard a tanker carrying 20,000 tons of liquefied petroleum gas, but officials said there was only a slight risk of explosion. The fire broke out late Saturday in the engine room of the Panamanian-registered Gaz Poem, away from the ship's highly volatile cargo, said a spokesman for the southern Chinese city of Shenzhen, who gave only his surname, Zhu. No one was injured and nearby vessels picked up the 34 crew members from lifeboats, said a Hong Kong government spokeswoman who identified herself as Tang. She said the cause of the fire was not known. Strong winds and high waves prevented fire fighting vessels from even approaching the Gaz Poem on Monday as the fire blazed for a second day.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021125/ap_on_re_as/hong_kong_ship_fire_6

8. November 25, The Straits Times - A collision with a wayward container caused the problems on board the oil tanker Prestige which led it to sink off Spain's coast last week, a Sunday newspaper reported the ship's captain as saying.
After 'a very loud sound' at the moment of impact, the Prestige began to list badly and took on water, forcing him to fill the port ballast tanks to stabilise the tanker, he said. The captain - who has been in Spanish custody since his vessel sank last Tuesday - denied allegations that he had refused to cooperate with the Spanish authorities by directing the tanker towards the coast. He also confirmed his final destination was Singapore, but contradicted Spain's claim that he wanted to call at Gibraltar.
Source: http://straitstimes.asia1.com.sg/world/story/0,4386,157035,00.html?

Telecommunications Sector

Nothing to report.

Food Sector

9. November 23, Reuters - USDA announces ground beef recall. Fairbank Farms, a New York meat processing company, is voluntarily recalling 320,000 pounds of fresh ground beef products that may be contaminated with the E. coli bacteria, the U.S. Department of Agriculture announced on Saturday. The beef products were distributed to retail stores nationwide. E. coli O157:H7 is a potentially deadly bacteria that can cause bloody diarrhea and dehydration. The USDA's Food Safety and Inspection Service said it had received no reports of illness. The problem was discovered through microbiological sampling that traced the bacteria back to the product.
Source: http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=1794241

Water Sector

10. November 25, Independent Online (South Africa) - Plot to poison water foiled. A group of far right-wing whites planned to kill millions of black South Africans by poisoning water supplies to the inhabitants of townships near Johannesburg, South Africa, the National Intelligence Agency (NIA) has revealed. A group calling itself the Boere Vryheids Aksie (BVA) planned to poison the water supplied to at least three large townships, according to the NIA.
In the plan to contaminate water supplies, tetranium, an agricultural poison, would have been poured into reservoirs serving Soweto, Atteridgeville, Soshanguve and Laudium - townships inhabited by at least 10-million people. Karl Lubonot, a chemistry specialist, said the plot to poison water supplies would have failed because of the large amount of chemicals needed.
Source: http://www.iol.co.za/index.php?click_id=6&art_id=ct20021125111353852R235535&set_id=1

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

11. November 23, New York Times - Justice Dept. seeks to use new power in terror inquiries. The Justice Department plans to assign federal lawyers in counterintelligence to terrorism task forces in New York and Washington to help secure secret warrants against suspects, officials say. The deployments, along with other changes under discussion by top Justice Department officials, are seen as a crucial first step in breaking down the wall between intelligence gathering and law enforcement, officials said. A senior official said two lawyers from the department's Office of Intelligence Policy and Review in Washington had already been chosen to work in field offices with FBI investigators and local prosecutors. Officials said that the lawyers were expected to be transferred within weeks to joint terrorism task forces in New York and Washington and that lawyers should soon be assigned to other large field offices.
Source: http://www.nytimes.com/2002/11/24/politics/24JUST.html

Government Operations Sector

12. November 25, Associated Press - Bush signs homeland security bill. President Bush signed legislation Monday creating a new Department of Homeland Security devoted to preventing domestic terror attacks. The president picked Tom Ridge as the department's first secretary.
Bush said he will nominate Navy Secretary Gordon England to be Ridge's deputy, and Asa Hutchinson, the head of the Drug Enforcement Administration, to be undersecretary of border and transportation security.
Source: http://www.washingtonpost.com/wp-dyn/articles/A36066-2002Nov25.html

13. November 25, Government Computer News - Experts advocate standard public warning system. The nation needs a sophisticated national warning system that relies on IT to spread warning messages far and wide, government and industry public-safety experts said today. The Partnership for Public Warning - which includes representatives of IT companies and agencies such as the Federal Emergency Management Agency, FBI and Nuclear Regulatory Commission - conducted a workshop to generate its report entitled "Developing a Unified All-Hazard Public Warning System." In its report, the panel called for a single standard protocol for issuing alerts, notifications and warnings for all types of hazards so that authorities can communicate emergency-related information broadly and quickly.
Source: http://www.gcn.com/vol1_no1/daily-updates/20569-1.html

14. November 25, Wall Street Journal - War on terrorism provokes massive Federal R&D move. Congress recently approved an 18% increase in military R&D, to $58.8 billion for the current fiscal year - more money, after accounting for inflation, than the Pentagon ever spent on research during the Cold War. Early next year, the National Institutes of Health is in line for a similar-size boost to around $26 billion, partly to examine biological-warfare defenses. In all, the federal government will likely spend about $115 billion on R&D in the year ending Sept. 30, far more than Japan and the 15 European Union governments will spend collectively.
Source: http://online.wsj.com/article/0,,SB1038177170693645788,00.html

15. November 25, St. Louis Post-Dispatch - 13 nations are added to immigrant registration program.
The Justice Department will require male visitors from 13 additional nations to show up for fingerprinting and questioning at immigration offices nationwide starting Dec. 2. The new registration rules were published Friday in the Federal Register. They will apply to males 16 and older from a number of nations: Afghanistan, Algeria, Bahrain, Eritrea, Lebanon, Morocco, North Korea, Oman, Qatar, Somalia, Tunisia, United Arab Emirates and Yemen. The rules apply to those who entered the United States on visitor visas before Sept. 30 and who plan to stay at least through Jan. 10.
Source: http://www.stltoday.com/stltoday/news/stories.nsf/News/BCCAA31F9F9C978486256C7A001E32EB?OpenDocument&Headline=13+nations+are+added+to+immigrant+registration+program

16. November 22, Government Executive - White House science team outlines anti-terrorism focus. The Bush administration's science and technology policy team has identified five areas related to fighting terrorism that likely will receive additional investment as the fiscal 2004 budget is developed for release early next year, according to White House science adviser John Marburger. The research areas are information infrastructure development, behavioral and risk management, terrorist-related crime and networks, public health and crisis response intervention and socioeconomic intervention, and international policy, Marburger said in a speech to the Consortium of Social Science Associations on Monday.
Source: http://www.govexec.com/dailyfed/1102/112202td1.htm

Information Technology Sector

17. November 25, The Washington Post - Homeland Security Bill heralds IT changes. Some new language in the homeland security bill increases penalties for a range of computer crimes. The bill also establishes law enforcement and corrections technology centers to develop investigative technologies to fight cybercrime.
These cybersecurity components were added the same week that Congress approved legislation that would triple federal funding for computer security research. In addition, the legislation includes a proposal passed by the Senate this year to establish an information technology equivalent of the National Guard: the Net Guard. This measure organizes a volunteer force of federal, state, local and private programmers and engineers that could be called upon in an emergency to help restore communications networks and other vital systems.
Source: http://www.washingtonpost.com/wp-dyn/articles/A54872-2002Nov14.html

Cyber Threats and Vulnerabilities

18. November 25, CERT/CC - Vulnerability Note VU#740619: SSH Secure Shell for Servers fails to remove child process from master process group. A locally exploitable privilege escalation vulnerability exists in SSH Secure Shell versions 2.0.13 - 3.2.1. Secure Shell for Servers, developed by SSH Communications Security, does not properly remove the child process from the master process group after non-interactive command execution. Quoting from the SSH Communications Security Advisory: when used in non-interactive connections, a defect in process grouping of SSH Secure Shell processes may allow malicious activity. If executing a command without a pty (including running commands and subsystems) the child process remains in the process group of the master process. On platforms relying on getlogin() (mainly the different BSD variants) malicious users can at least send misleading messages to syslog and other applications (getlogin() call will return "root").
Source: http://www.kb.cert.org/vuls/id/740619

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 2 out of 4 (https://gtoc.iss.net/), Last Changed: 25 November 2002
Security Focus ThreatCon: 1 out of 4 (http://analyzer.securityfocus.com), Last Changed: 23 November 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: WORM_KLEZ.H
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 21(ftp); 1433(ms-sql-s); 139(netbios-ssn); 4662; 25(smtp); 445(microsoft-ds); 53(domain); 8080(webcache)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

19. November 24, North County Times (San Diego) - Officials find more fruit flies. San Diego, CA agriculture investigators found more Mexican fruit flies Saturday, and may have found more larvae about a half-mile from the grove where the insects were found Thursday, county officials said. The Mexican fruit fly wreaks havoc on fruit by using it as a place to reproduce. Thirty San Diego county agriculture investigators began placing 500 traps Saturday in a 9-by-9-mile square area to try to identify the epicenter of the infestations. "I'm fairly certain that a quarantine will be coming, but we won't know for several days where the core area is and we can't draw the quarantine lines until we know where the center of the infestation is," said San Diego Agriculture Commissioner Kathleen Thuner. The Farm Bureau of San Diego County estimates that up to $75 million in crops are at risk in an area where as many as 1,000 growers have ranches. In 1999, a similar outbreak in Fallbrook, California resulted in a 72-square-mile quarantine area that lasted eight months and cost avocado and citrus growers an estimated $3.5 million.
Source: http://www.nctimes.net/news/2002/20021124/11111.html

20. November 23, New York Times - U.S. says capture of an al-Qaeda leader may provide clues to thwarting terror attacks. The officials said that as the United States continued to interrogate the terrorist leader, Abd al-Rahim al-Nashiri, electronics specialists were studying a cellphone's electronic memory and the hard drive of a computer for information about possible imminent attacks by the terror network in the Persian Gulf and elsewhere. Both the cellphone and computer were in Nashiri's possession when he was captured. They would not say what information had been found so far, although they continued to express optimism that Nashiri would eventually disclose vital information about al-Qaeda's plans and the whereabouts of the rest of its leaders, including Osama bin Laden.
Source: http://www.nytimes.com/2002/11/23/international/23QAED.html

21. November 22, General Accounting Office - Homeland security: CDC's oversight of the select agent program. The General Accounting Office (GAO) publicly released its November 22 letter to Secretary of Health and Human Services, Tommy G. Thompson regarding the Center for Disease Control and Prevention's (CDC) Select Agent Program. The Select Agent Program is responsible for regulating the transfer of 42 biological agents and toxins to limit their distribution to only those laboratories that have the appropriate safety and security controls for handling biologic agents. The GAO has found that the CDC can improve its management of the Select Agent Program to reduce the likelihood of unauthorized access to biological agents. Improvements include inspection and approval of facilities registering to transfer select agents, monitoring of the transfer of and shipment of select agents, accuracy of CDC databases of registered facilities and select agent transfers, and CDC organizational structure to improve oversight.
Source: http://www.gao.gov/new.items/d03315r.pdf

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.

2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.

2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.

2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.