National Infrastructure Protection Center NIPC Daily Open Source Report for 16 December 2002
Daily Overview

- CNN reports President Bush announced Friday that he is ordering 500,000 military personnel and others in high-risk parts of the world receive the smallpox vaccine. (See item 14)
- CERT has released Vulnerability Note VU#958321 - "Samba contains a remotely exploitable stack buffer overflow." (See item 17)
- CERT has released Vulnerability Note VU#162097 - "Microsoft Internet Explorer does not adequately validate references to cached objects and methods." (See item 18)
- CNN reports the Pentagon has ordered another 27,000 Reserve and National Guard troops to prepare for active duty; this includes cargo specialists, port workers, military police, engineers, and supply specialists. (See item 20)

Power Sector

1. December 14, The Mercury (Australia) - Open the reactor, N. Korea tells UN. North Korea has demanded the United Nations' nuclear watchdog remove surveillance cameras and seals from a nuclear power plant it has vowed to reopen. The reactor is in the same plant suspected of developing nuclear arms before it was shut down eight years ago. North Korea yesterday called on the International Atomic Energy Agency (IAEA) to remove its security seals from the Yongbyon plant, saying its power generation capacity was needed after a decision by the U.S., Japan and South Korea to suspend regular oil shipments. "(Pyongyang) requests that the IAEA remove seals and monitoring cameras on all of its nuclear facilities," North Korea's Atomic Energy Department director-general Ri Je-son said in a letter to the agency.
IAEA director-general Mohamed El Baradei immediately warned Pyongyang any unilateral move to remove the security seals or monitoring cameras would contravene agreements between North Korea and the UN. Pyongyang did not clarify whether it would expel the international monitors at its nuclear facilities or if it would unseal plutonium in a cooling pond at Yongbyon -- a step that would give it nuclear capability. Reactivating the controversial nuclear plant and demanding it operate in secrecy threatens to escalate security tensions on the Korean peninsula.
Source: http://www.themercury.news.com.au/common/story_page/0,5936,5675192%255E401,00.html

2. December 13, The Wichita Eagle (Kansas) - Ensuring nuclear safety: Wolf Creek shows off elevated security at first tour in 15 months. The owners of the Wolf Creek nuclear power plant in Kansas have spent about $2 million to increase security since the terrorist attacks 15 months ago. More armed guards and concrete barriers around the plant are just a few of the signs of tightened security. The company will continue to spend about $1 million a year on increased security measures, Otto Maynard, head of the Wolf Creek Nuclear Operating Corp., said Thursday, during a media tour of the plant. Next week, Maynard said, the nuclear power industry plans to release a report saying Wolf Creek and the nation's other 102 power plants could withstand a direct hit from a Boeing jet, similar to those that crashed into the World Trade Center and the Pentagon last year. The engineering analysis, paid for by the industry, was conducted in response to public anxiety and statements made by the Nuclear Regulatory Commission earlier this year that some critical parts of the plants may be vulnerable to an airplane attack. A plane crashing into the containment building, where the nuclear reactor is housed, would damage the plant and cause it to shut down for a long time, Maynard said.
But no radiation would be released, and the nuclear fuel rods would not be damaged, Maynard said. The building that houses spent nuclear fuel, he said, could also withstand the impact of a jet.
Source: http://www.kansas.com/mld/eagle/4729196.htm

3. December 12, Tribune Reporter - Big buy revs N.M. electric giant. Summit Electric Supply, the 10th-largest privately held company in New Mexico, will nearly double in size with the acquisition announced today of a Texas electrical distributor. Summit President Victor Jury Jr. said the company bought for $10.5 million most of the assets of Warren Electric Group, a Houston-based supplier to the Gulf Coast petrochemical industry. Summit, headquartered in Albuquerque, is the 34th-largest electrical supply business in the nation. The company, founded 25 years ago by Jury, his father and another partner, employs 310 and had sales last year of $135 million. It has centers in 10 other cities in New Mexico, Texas and Arizona.
Source: http://www.abqtrib.com/archives/news02/121202_news_summit.shtm

Current Electricity Sector Threat Alert Levels: Physical: ELEVATED, Cyber: ELEVATED
Scale: Low, Guarded, Elevated, High, Severe
[Source: ISAC for the Electricity Sector (ES-ISAC) - http://esisac.com]

Banking and Finance Sector

4. December 13, Associated Press - Tracking terror funds in Southeast Asia tougher than fighting money laundering, ADB official says. "Some recent incidents show that funds for terrorist financing are not necessarily very huge," said Motoo Noguchi, an Asian Development Bank adviser on anti-money laundering activities. "Even US$10,000 can trigger a tragic incident. Size of the money doesn't matter." Southeast Asia's developing nations, the ADB's main clients, suffer from weak financial sectors and the existence of legal and illegal informal financial transaction systems - sometimes known as "underground banking" - which make the countries vulnerable to terrorists, Noguchi said.
Such systems rarely provide transaction records or the identity of the customer, he said. Trading in cash or gold makes it harder to trace the source of the money.
Source: http://story.news.yahoo.com/news?tmpl=story&u=/ap/20021213/ap_wo_en_po/as_gen_asia_terror_money_1

Transportation Sector

5. December 11, Bernama (Malaysia) - Malaysia ready for the CSI. Malaysia will give the United States its fullest cooperation in implementing the Customs Security Initiative (CSI) at its ports, which would involve the screening of containers with "high risk" goods, Malaysian Transport Minister Datuk Seri Dr Ling Liong Sek said Wednesday. Dr Ling said Malaysia would cooperate with the U.S. Customs to screen the boxes from its ports before shipment to the U.S. to ensure that Malaysian ports are categorized as clean ports and trade flows to the U.S. remain unimpeded. He told a press conference at his office Wednesday that several U.S. officials including its assistant secretary for Market Access and Compliance, U.S. Department of Commerce, William Lash III had visited him to discuss the CSI. Dr Ling said that the U.S. officials were also happy with security equipment, like scanning machines, bought by the Malaysian government. Using these scanners would mean that very few boxes would need to be opened and trade would not be delayed.
Source: http://www.bernama.com.my/B2002/arch_news.shtml?2002_12_11/business/bu1112_11

6. December 10, Toronto Star - Canada's former Prime Minister pushes security accord. Canada should negotiate a NAFTA-style accord with the United States and Mexico in order to forge a North American security perimeter, former prime minister Brian Mulroney said Monday. "Our internal borders will only be smart if our external perimeter is secure," Mulroney said at a conference to celebrate the 10th anniversary of the North American Free Trade Agreement, where he was flanked by former U.S. president George H.W.
Bush and former Mexican president Carlos Salinas. Mulroney said that instead of giving in to the temptation to tighten scrutiny at the Canada-U.S. border, the focus should be on creating a perimeter.
Source: http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035775387406&call_page=TS_News&call_pageid=968332188492&call_pagepath=News/News

Gas and Oil Sector

7. December 13, New York Times - Iraq cancels oil contract with three Russian companies. Iraq abruptly canceled a contract with Russia's largest oil company and two other Russian companies to develop a major Iraqi oil field. The Russian firm Lukoil signed a $3.8 billion contract to develop Iraq's West Qurna oil field in 1997 as part of a consortium of Russian companies that includes Zarubezhneft and Machinoimport. Under the contract, Lukoil controlled 68.5 percent of the stakes in the deal, with the rest divided between the two other companies. The deal, however, has remained largely symbolic since significant work on the field - with an estimated potential of producing half a million barrels of oil a day - has been stymied by the United Nations sanctions imposed on Iraq following its invasion of Kuwait in 1990.
Source: http://www.nytimes.com/2002/12/13/international/middleeast/13RUSS.html

8. December 13, New York Times - OPEC raises quotas but calls for a drop in actual output. Facing a credibility problem and rampant overproduction by members at a time when oil prices are expected to slide, OPEC countries moved today to increase official export quotas while demanding that members rein in their cheating. OPEC said that it would raise official export quotas to 23 million barrels a day from the current 21.7 million barrels, while asking members to cut actual production by 7 percent, or 1.7 million barrels a day.
OPEC's credibility has eroded over the last few months because its members have been pumping about three million barrels more a day than they agreed to.
Source: http://www.nytimes.com/2002/12/13/business/worldbusiness/13OIL.html

9. December 16, Boston Globe - Chavez troops storm oil tanker. CARACAS - Venezuela. Army commandos stormed aboard an oil tanker yesterday and arrested its striking crew, as President Hugo Chavez vowed to break a two-week-old opposition strike that has crippled shipments by the world's fifth-largest oil exporter. Rejecting intense pressure from home and abroad to call early elections, the embattled left-wing president told foreign nations not to meddle in his country's crisis. Chavez, who survived a brief coup in April, remained defiant despite a huge opposition march in Caracas Saturday in which more than a half-million people clamored for his resignation. Yesterday's military takeover of the strike-bound Pilin Leon tanker in western Lake Maracaibo was the latest attempt by the government to regain control of ships and refineries halted by the opposition shutdown that has paralyzed the oil industry.
Source: http://www.boston.com/dailyglobe2/350/nation/Chavez_troops_storm_oil_tankerP.shtml

10. December 13, Associated Press - Venezuela's president fires four dissident executives. Using a tactic that has previously backfired, President Hugo Chavez fired four dissident executives from Venezuela's state oil monopoly yesterday, setting off a rowdy protest by oil workers on the 11th day of a damaging general strike. Chavez had fired the same four executives and three others in April, triggering a general strike that helped provoke a short-lived coup. A conciliatory Chavez reinstated the executives after he was restored to power. But yesterday's firings showed the president was determined to break a strike that has shut down Venezuela's vital oil industry.
Source: http://www.boston.com/dailyglobe2/347/nation/Venezuela_s_president_fires_4_dissident_executives+.shtml

Telecommunications Sector

Nothing to report.

Food Sector

Nothing to report.

Water Sector

11. December 13, Associated Press - Arsenic spilled into river in South China. A truck spilled arsenic into a southern Chinese river. The problem began Wednesday afternoon when police in the Guangxi region stopped a truck they believed was carrying an illegal substance, according to the official China News Service. Police determined the material was arsenic and were escorting the truck to a nearby police station when it slipped from a hillside road into the Jinxiu River, the agency said. Thirty-three barrels of arsenic spilled into the river, China News Service said in online reports. Hazardous materials teams were called in, the barrels were removed and some 100 tons of lime were used to purify the river water.
Source: http://www.washingtonpost.com/wp-dyn/articles/A49441

Chemical Sector

Nothing to report.

Emergency Law Enforcement Sector

12. December 13, Associated Press - FEMA grants N.Y. $7.6M for emergencies. The Federal Emergency Management Agency said it would grant $7.6 million to improve New York's procedures for responding to acts of terrorism and other emergencies. FEMA said $6.6 million of the funds would be used to update state and local procedures for responding to all hazards, including attacks with weapons of mass destruction.
Source: http://www.washingtonpost.com/wp-dyn/articles/A49698-2002Dec13.html

Government Operations Sector

13. December 13, Umatilla Chemical Depot News - Sarin vials spill at depot. Thirteen vials of diluted sarin nerve agent broke open and spilled Dec. 2 when a lab worker dropped a tray at the Umatilla Chemical Depot. The Army confirmed the incident Thursday after being asked about rumors of the spill.
The tray contained 18 vials of sarin highly diluted with a concentrate of rubbing alcohol. The Army and Oregon state regulators said there never was any risk to the public. The incident occurred in a highly secure laboratory in K Block, the storage area that contains 3,717 tons of nerve agent. The chemical depot is just outside of Hermiston, Oregon. Sue Oliver, interim project director for the Oregon Department of Environmental Quality, said the state has not received the Army's report on the incident, so she was not sure what happened. She said the Army followed proper procedures, and regulators will not be issuing a notice of noncompliance. There were no measurable readings of chemical agent following the event, said Jim Hackett, Army spokesman. Carbon filters on the laboratory building would have prevented any outside dispersion of nerve agent, he said. But the event raised concerns for environmentalists. "The recent incident at Umatilla involving sarin gas is one more example of a facility that is not safe for workers or the public health," said Mari Margil, Sierra Club spokeswoman.
Source: http://www.umatilladepotnews.com/2002/1213.html

14. December 13, CNN - Bush outlines smallpox vaccination plan. President Bush announced Friday that he is ordering 500,000 military personnel and others in high-risk parts of the world receive the smallpox vaccine. He said he will also receive the vaccine, which carries the risk of severe side effects, including death. "As commander-in-chief, I do not believe I can ask others to accept this risk unless I am willing to do the same," Bush said. Medical professionals, emergency personnel and emergency-response teams will be able to get the vaccine on a voluntary basis, Bush said. "Our government has no information that a smallpox attack is imminent," Bush said, "yet it is prudent to prepare for the possibility." The president said he has decided not to initiate a broader vaccination program for all Americans.
Many officials fear terrorists might have obtained samples of the virus for use as a biological weapon. Because about half of U.S. residents have never been vaccinated, and those who were vaccinated are believed to now have limited immunity if any, the country is an especially vulnerable target. "We have a substantially non-immune population, and that's a very risky situation if we face a malicious bioterrorism dissemination of smallpox," said Dr. Bill Bicknell, with the Boston University School of Public Health in Massachusetts.
Source: http://www.cnn.com/2002/HEALTH/12/13/bush.smallpox/index.html

15. December 13, New York Times - Nuclear commission chairman to resign. The Nuclear Regulatory Commission chairman, Richard A. Meserve, said today that he would resign at the end of March, more than a year before his term expires. President Bush will nominate his replacement on the five-member commission and name a new chairman. The nomination requires Senate confirmation. Meserve, selected for the post and made chairman by President Bill Clinton in 1999, said he would become president of the Carnegie Institution, a prominent research center in Washington.
Source: http://www.nytimes.com/2002/12/13/politics/13NRC.html

16. December 11, Government Executive - Defense officials advocate new classification system for information. Homeland security officials may have to develop a new classification system to let military and civilian agencies at all levels of government share counterterrorism information, several Pentagon officials said Tuesday during an E-Gov conference. Maj. Gen. Dale Meyerrose, chief information officer of the U.S. Northern Command (NORTHCOM), noted that the Defense Department classifies information on a "need to know" basis, while many law enforcement agencies classify on a "need to prosecute." "Neither a need-to-know nor a need-to-prosecute [standard] serves our information-exchange requirements," Meyerrose said, adding that NORTHCOM will need to handle most homeland security information on a "need-to-share" basis.
Source: http://www.govexec.com/dailyfed/1202/121102td1.htm

Information Technology Sector

Nothing to report.

Cyber Threats and Vulnerabilities

17. December 13, CERT/CC - Vulnerability Note VU#958321 -- Samba contains a remotely exploitable stack buffer overflow. Versions 2.2.2 through 2.2.6 of Samba contain a remotely exploitable stack buffer overflow. The Samba Team describes Samba as follows: The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol. The Samba Team describes the vulnerability as follows: There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attack would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. The solution involves the application of a vendor provided patch.
Source: http://www.kb.cert.org/vuls/id/958321

18. December 12, CERT/CC - Vulnerability Note VU#162097 -- Microsoft Internet Explorer does not adequately validate references to cached objects and methods. Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript.
JScript is similar to Netscape's JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that "when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame." Internet Explorer implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones. As reported by GreyMagic Software, Internet Explorer does not adequately validate references to certain cached objects and methods across different domains and security zones. A script from a potentially malicious site executing in one domain and security zone is able to access resources in another domain and zone, including the Local Computer zone, via the Document Object Model (DOM) interface.
Source: http://www.kb.cert.org/vuls/id/162097

Internet Alert Dashboard

Current Alert Levels
Internet Security Systems AlertCon: 1 out of 4 (https://gtoc.iss.net/) - Last Changed: 26 November 2002
Security Focus ThreatCon: 1 out of 4 (http://analyzer.securityfocus.com) - Last Changed: 23 November 2002

Current Virus and Port Attacks
Virus: #1 Virus in USA: PE_FUNLOVE.4099
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports: 137(netbios-ns); 80(http); 1433(ms-sql-s); 445(microsoft-ds); 21(ftp); 4662; 68(bootpc); 1080(socks); 113(auth); 27374(asp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

General Information

19. December 15, CNN - Three held in Pakistan terror hunt.
Police in Pakistan have arrested three men alleged to have been preparing a suicide attack against two senior U.S. diplomats. Police Inspector-General Kamal Shah said the men, arrested in Karachi on Saturday, were members of the radical Islamic group Harkat-e-Jihad Islami. He said they had trained in Afghanistan, although the ongoing investigation had not linked them directly to Osama bin Laden's al-Qaeda terror network. Shah identified the men as Asif Zaheer, Sohail Noor and Mohammad Yusuf. During the Saturday arrests, police said they recovered 250 bags of ammonium nitrate and a Volkswagen packed with 10 kilograms of the explosive material. Shah said Zaheer planned to ram the Volkswagen into the diplomats' car on Karachi's main road, according to Reuters news service. The trio is being questioned in connection with several other attacks, including a May 8 car bombing outside a Karachi hotel that killed 11 French engineers and three Pakistanis.
Source: http://www.cnn.com/2002/WORLD/asiapcf/south/12/15/pakistan.arrests/index.html

20. December 14, CNN - U.S. calls up 27,000 reserve troops. In a fresh sign of preparation for possible war with Iraq, the United States has ordered another 27,000 Reserve and National Guard troops to prepare for active duty, defense officials said Saturday. They said the alert was issued by the Pentagon Friday night and that the services were identifying units ranging from Navy port workers to Army engineers to be prepared for a likely call to active duty early in the new year. "Defense Secretary (Donald) Rumsfeld has not given a final call-up order, but the troops are being alerted to get ready," one of the officials, who asked not to be identified, told Reuters. They said the new call-up could go as high as 30,000 troops.
The New York Times reported Saturday that Army units would include military police, engineers and supply specialists and that the Navy was planning to notify at least 1,000 ship cargo specialists and other port workers. There are already more than 50,000 part-time U.S. reservists on active duty from all U.S. services, part of a call-up sparked by the September 11, 2001, attacks on the United States.
Source: http://www.cnn.com/2002/US/12/14/usa.reserves.reut/index.html

21. December 14, CNN - Jordan: al-Qaeda killed diplomat. The Jordanian government said Saturday it had arrested two men in the assassination of a U.S. diplomat in Amman six weeks ago and said the operation "was planned and carried out by al-Qaeda." Laurence Foley was gunned down in front of his house in Amman on the morning of October 28 as he was walking to his car. He was a senior administrative officer with the U.S. Agency for International Development in Jordan. U.S. State Department spokesman Louis Fintor welcomed the Jordanian announcement. "We deeply appreciate the excellent support and cooperation the Jordanian government has provided throughout this investigation and we continue to consult closely with them regarding these arrests," he said. A statement from the Jordanian government said the two men, identified as Salem Sa'ed Salem bin Suweid, a Libyan national, and Yasser Fathi Ibraheem, a Jordanian, confessed to their membership in al-Qaeda and that they received their orders from a senior al Qaeda leader who has been accused of being an expert in chemical and biological weapons. According to the statement, "bin Suweid and Ibraheem confessed that they are members of Osama bin Laden's al-Qaeda Organization, and are affiliated with bin Laden's lieutenant, Ahmad Fadeel Nazal Al-Khalayleh, known as Abu Musa'ab Al-Zarqawi."
Source: http://www.cnn.com/2002/WORLD/meast/12/14/jordan.arrest/index.html

22. December 13, BBC (United Kingdom) - Sharp rise in superbug deaths.
The hospital superbug MRSA, methicillin-resistant staphylococcus aureus, is responsible for an increasing number of deaths, researchers have found. The number of death certificates which mentioned MRSA as the cause of death, increased from 13 in 1993 to 114 in 1998. Researchers from the Public Health Laboratory Service (PHLS) who examined the certificates say although the numbers are relatively small, these were deaths which could have been prevented. In the study, public health researchers examined over 6,700 death certificates which mentioned any form of the Staphylococcus aureus bug. The proportion of death certificates which mentioned as the underlying cause of death the drug-resistant version, MRSA, which can cause fatal blood poisoning or pneumonia, rose from 8% (13) in 1993 to 44% (114) in 1998. The proportion of certificates which mentioned MRSA at all rose from 7.5% (47) in 1993 to 25% in 1998 (398).
Source: http://news.bbc.co.uk/1/hi/health/2568957.stm

23. December 13, Canadian News Wire - Pharmaceutical group awarded defense department contract for enhancement of vaccines. Coley Pharmaceutical Group today announced that the U.S. Defense Advanced Research Projects Agency (DARPA) has awarded $6 million to Coley to support the development of Coley's CpG immunostimulatory oligonucleotides (oligos) to enhance anthrax vaccines. The current anthrax vaccine requires six doses and 18 months to produce immunity. Coley's CpG oligos, used together with vaccines, have the potential to reduce the number of vaccine doses, induce protective antibody levels more quickly, produce higher affinity antibodies directed against a broader range of anthrax antigens, and to improve duration of protection.
Source: http://www.newswire.ca/releases/December2002/13/c3214.html

NIPC Products & Contact Information

The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. The NIPC provides timely warnings of international threats, comprehensive analysis and law enforcement investigation and response. The NIPC provides a range of bulletins and advisories of interest to information system security professionals and those involved in protecting public and private infrastructures. By visiting the NIPC web-site (http://www.nipc.gov), one can quickly access any of the following NIPC products:

- 2002 NIPC Advisories - Advisories address significant threat or incident information that suggests a change in readiness posture, protective options and/or response.
- 2002 NIPC Alerts - Alerts address major threat or incident information addressing imminent or in-progress attacks targeting specific national networks or critical infrastructures.
- 2002 NIPC Information Bulletins - Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.
- 2002 NIPC CyberNotes - CyberNotes is published to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.
- 2002 NIPC Highlights - The NIPC Highlights are published on a monthly basis to inform policy and/or decision makers of current events, incidents, developments, and trends related to Critical Infrastructure Protection (CIP). Highlights seeks to provide policy and/or decision makers with value-added insight by synthesizing all source information to provide the most detailed, accurate, and timely reporting on potentially actionable CIP matters.