OCIPEP DAILY BRIEF
Number: DOB02-168
Date: 18 October 2002
http://www.ocipep.gc.ca/DOB/DOB02-168_e.html
NEWS

OCIPEP issues Incident Analysis

OCIPEP issued Incident Analysis IA02-001, on 17 October 2002, of the lessons learned following the 11 September 2001 terrorist attacks in New York and Washington. The Incident Analysis, titled "The September 11, 2001 Terrorist Attacks - Critical Infrastructure Protection Lessons Learned", is meant to assist Canadian critical infrastructure (CI) owners and operators with their business continuity planning and emergency management (EM) preparations by identifying critical infrastructure protection (CIP) and EM lessons that can be learned from these tragic events. The analysis is based on open source information and feedback provided by CIP and EM partners.

Alberta emergency preparedness questioned - Auditor General of Alberta annual report

According to the Auditor General of Alberta annual report, released 17 October 2002, Alberta is currently ill-equipped to cope with natural disasters or other emergencies. The report states that the Province's Government Emergency Operations Centre (GEOC) has poor security, is not big enough and is generally "unsuitable as a command centre." The report suggests that the task of making the province disaster-resistant is rendered more difficult by several factors, including: the devolution of responsibility for emergency preparedness to municipalities (creating greater potential for variation in plans); the difficulty of coordinating effective emergency preparedness amongst the large number of stakeholders, including provincial government departments, municipal governments, First Nations, industry and the federal government; and the increase in the risk of diseases, such as foot-and-mouth and mad cow disease, and threats of domestic terrorism. (Source: Auditor General of Alberta, 17 October 2002)

To view the full Auditor General of Alberta report, go to http://www.oag.ab.ca/ and click on the Annual Reports link. The section of the document related to emergency preparedness is recommendation no. 46.

OCIPEP Comment: Alberta's current legislation regarding emergency preparedness is generally regarded as one of Canada's most comprehensive and far-reaching pieces of provincial emergency management (EM) legislation. (As acknowledged in the Auditor's report, Alberta's legislation compels municipalities to have an emergency response plan in place, to review it every two years and to exercise it every four years.) This most recent AG's report may have the benefit of bringing attention to any outstanding issues related to EM in Alberta. The requirement for a new Alberta Government Emergency Operations Centre has been identified for some time now and is part of on-going discussions on co-location with OCIPEP's Alberta Regional Office. Corrective actions have been under way for some time by officials of ADS in regard to coordination of plans at both the municipal and provincial levels. A provincial template for emergency plans has been in place for some time now for use by provincial departments, and District Officers of ADS work with municipal officials in reviewing their plans on a regular basis. Additionally, these plans will be evaluated in accordance with an approved standardized exercise template, now being implemented. Since September 11, 2001, Alberta has worked with multiple stakeholders, including federal partners and the private sector, in developing a counter-terrorism process for the province.

Instant message programs are high security risks: Analysis

Information Security e-zine provides an analysis of instant message (IM) services available on the Internet, indicating that these services are potentially vulnerable to hacker attacks and that most users are not aware of the security risks associated with IM and other peer-to-peer applications. The article states that because IM is so widely available and because it has few security features, IT security managers need to find ways to curb its use in the workplace. Instant messaging vulnerabilities can be used by hackers to gain access to workstations, and from there to the internal network. The analysis describes features of the four most popular IM applications and their associated vulnerabilities. (Source: infosecuritymag.com, August 2002)

OCIPEP Comment: OCIPEP Daily Brief DOB02-070, released 29 May 2002, reported that IM services were particularly vulnerable to hacker exploit attempts. Interestingly, this latest analysis was published shortly after several financial services firms formed the Financial Services Instant Messaging Association (FIMA) earlier this summer. The association has a stated goal of fostering technical harmony among IM providers Yahoo, AOL, MSN and others. For the finance industry, IM is vital for internal and client communications; a lack of IM interoperability has been a source of increasing frustration. (Source: news.com, 16 October 2002)
http://news.com.com/2100-1023-962284.html?tag=dd.ne.dht.nl-sty.0

Port Simpson mudslides - Update

As the weather over the community of Port Simpson, B.C., cleared yesterday, repair crews attempted to re-establish power, but a pole fire was detected near the RCMP office, prompting hydro officials to shut down the power grid once again. Emergency generators will remain onsite until confidence in the power system and full restoration of the power grid is established. Members of the community at high health risk were evacuated by water taxi on October 15. The health situation will continue to be evaluated by Health Canada. (Source: B.C. PEP, 17 October 2002)

OCIPEP Comment: Federal assistance is currently being provided by Health Canada and Indian and Northern Affairs Canada. Previous situation updates on this incident can be viewed at http://www.pep.bc.ca/operations/operations.html. For more information on this incident, click on the Incident Mapping button at the top of the OCIPEP Daily Brief.
Microsoft issues security warnings

Microsoft issued three security warnings on October 16, including one rated "critical," affecting the SQL Server database. According to the warning, exploitation of the flaw would "allow a low-privileged user the ability to run, delete, insert or update web tasks." (Source: CNet news.com, 17 October 2002)

OCIPEP Comment: Details regarding the latest Microsoft security warnings can be viewed at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

IN BRIEF

Strong winds suspend N.B. - PEI ferry services
High winds and rain yesterday prompted officials to halt ferry services between Nova Scotia and Prince Edward Island. Verifications made with Confederation Bridge officials indicated that the bridge was still open but that the prevailing conditions were borderline. (Source: cbc.ca, 17 October 2002)

Air France jet makes emergency landing in Churchill
An Air France Boeing 777 jet on a Paris-Los Angeles flight made an emergency landing in Churchill, Manitoba, after the crew noticed smoke in the cockpit. Local fire response units met the aircraft upon landing, but the situation was under control, according to a Transport Canada official. (Source: cbc.ca, 17 October 2002)

U.S. governors form homeland division
The National Governors Association announced October 16 the formation of a Homeland Security and Emergency Management Division to help state governments design and implement defence, response and recovery plans. Critical infrastructure protection, development of interoperable communications systems, and attack preparedness and response to agricultural, biological, chemical, cyber, nuclear and radiological terrorism will be top priorities of the division over the next several months. (Source: fcw.com, 17 October 2002)

U.S. Department of Commerce agency releases principles
The Department of Commerce's Bureau of Industry and Security has published its guiding principles. The Bureau's mission is to protect the security of the United States, which includes its national security, economic security, cybersecurity and homeland security. (Source: Bureau of Industry and Security, 11 October 2002)

Proposed changes to FEMA's multi-hazard mitigation program present challenges - GAO report
A recent U.S. General Accounting Office (GAO) report states that the U.S. Federal Emergency Management Agency's (FEMA) proposed new mitigation program would fundamentally change FEMA's approach by eliminating the post-disaster Hazard Mitigation Grant Program (HMGP) and by funding mitigation activities on a nationally competitive basis. The heightened U.S. focus on homeland security has raised several issues related to the conduct of hazard mitigation activities. Foremost among these issues is whether the increased emphasis on preventing and preparing for terrorism events will result in less focus on natural hazard mitigation concerns, as well as on FEMA's traditional response and recovery functions. (Source: gao.gov, 16 October 2002)
OCIPEP Comment: To view the full GAO report, go to: http://www.gao.gov/cgi-bin/getrpt?GAO-02-1035

Symantec issues advisory
Security firm Symantec issued a bulletin regarding a flaw in a common component of its firewall technology, which leaves its products vulnerable to denial-of-service attacks. The company has issued a patch to correct this vulnerability. (Source: computerweekly360.com, 17 October 2002)

CYBER UPDATES

See: What's New for the latest Alerts, Advisories and Information Products
See: News - Instant message programs are high security risks: Analysis
See: News - Microsoft issues security warnings
See: In Brief - Symantec issues advisory

Threats

Sophos reports on Troj/Netdex-A, which is a Trojan horse composed of several parts that could allow unauthorized access to an infected computer. When a user connects to an infected website, the file BANNER.HTML may be run.
http://sophos.com/virusinfo/analyses/trojnetdexa.html

Symantec reports on Backdoor.Platrash, which is a Trojan horse written in Visual Basic 6 that could allow unauthorized access to an infected computer. By default, it opens ports 23005 and 23006 to listen for a connection.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.platrash.html

Symantec reports on Backdoor.Sparta.C, which is a Trojan horse that opens a port on the computer, allowing a hacker to remotely access the computer. The Trojan also sends a message to the hacker with IP address information. Furthermore, it attempts to kill the processes and delete the files of several personal firewall and antivirus products.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sparta.c.html

Vulnerabilities

Microsoft reports on a remotely exploitable vulnerability in Windows XP Help and Support Center that could enable file deletion. Follow the link for patch information.
http://www.microsoft.com/technet/security/bulletin/MS02-060.asp

Microsoft reports on a remotely exploitable vulnerability in Word Fields and Excel External Updates that could lead to information disclosure. Follow the link for patch information.
http://www.microsoft.com/technet/security/bulletin/MS02-059.asp

Microsoft reports on a remotely exploitable privilege elevation vulnerability in SQL Server 7.0 and 2000 Web Tasks. Follow the link for patch information.
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

SecurityFocus reports on a remotely and locally exploitable administrative alert vulnerability in MS Windows 2000/XP Full Event Log. View the "Solution" tab for patch information.
http://online.securityfocus.com/bid/5972/discussion/

SecurityFocus reports on a remotely exploitable vulnerability in MS Internet Explorer (multiple versions) that could lead to unauthorized access to the Document Object Model. View the "Solution" tab for patch information.
http://online.securityfocus.com/bid/5963/discussion/

Cisco reports on a remotely exploitable buffer overflow vulnerability in the Cisco CatOS 5.4-7.3 Embedded HTTP Server. Follow the link for patch information.
http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml

Patches:
New gv packages are now available for Debian GNU Linux. (SecurityFocus)
http://online.securityfocus.com/advisories/4563

Additional vulnerabilities were reported in the following products:

CoolForum 0.5 beta source disclosure vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/5973/discussion/

BEA WebLogic Server/Express/Integration 7.0 application migration security policy vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/5971/discussion/

Ingenium Learning Management System 5.1 and 6.1 reversible password hash and information disclosure vulnerabilities. (SecurityFocus)
http://online.securityfocus.com/bid/5970/discussion/
http://online.securityfocus.com/bid/5969/discussion/

Avaya Cajun Firmware (multiple versions) undocumented default accounts vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/5965/discussion/

ghttpd Log() Function 1.4-1.4.3 buffer overflow vulnerability. (SecurityFocus)
http://online.securityfocus.com/bid/5960/discussion/

Conectiva Linux fetchmail denial-of-service and buffer overflow vulnerabilities. (SecurityFocus)
http://online.securityfocus.com/advisories/4562

Conectiva Linux sendmail 6.0, 7.0 and 8 vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4565

Conectiva Linux XFree86 vulnerabilities. (SecurityFocus)
http://online.securityfocus.com/advisories/4568

Hewlett-Packard OnlineJFS 3.1 vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4569

Gentoo Linux app-text/ggv-1.99.90 and earlier buffer overflow vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4570

SkyStream EMR5000 1.16, 1.17 and 1.18 DVB Router denial-of-service vulnerability. (SecuriTeam)
http://www.securiteam.com/securitynews/6N00I205QS.html

Windows version of Pirch and RusPirch NICK AUX attack denial-of-service vulnerability. (SecuriTeam)
http://www.securiteam.com/windowsntfocus/6F00A205QQ.html

Tools

Linux Security Protection System (LinSec) is a tool that introduces the Mandatory Access Control (MAC) mechanism into Linux (as opposed to the existing Discretionary Access Control mechanism). (LinSEC)
http://www.linsec.org/

PIKT 1.16.0 is a cross-platform, multi-functional toolkit for monitoring systems, reporting and fixing problems, security management, and updating system configurations. (PIKT)
http://pikt.org/

Arp-sk 0.0.15 is an ARP packet generator for UNIX designed to illustrate ARP protocol flaws and applications such as ARP cache poisoning and MAC spoofing. (Arp-sk)
http://www.arp-sk.org/

syslog-ng 1.4.16 is a multi-platform syslogd replacement, with lots of new functionality. (Bala Bit)
http://www.balabit.hu/en/downloads/syslog-ng/

The Tiger Scripts 3.1 is a security tool designed to perform audits of UNIX systems. (Savannah)
http://savannah.nongnu.org/projects/tiger

RATS 2.1, the Rough Auditing Tool for Security, is a security auditing utility for C, C++, Python, Perl and PHP code. (SecureSoftware)
http://www.securesoftware.com/rats.php

Flawfinder 1.21 is a tool that searches source code for potential security flaws and lists them sorted by risk, with the most potentially dangerous flaws shown first. (DWheeler)
http://www.dwheeler.com/flawfinder/

CONTACT US

To add or remove a name from the distribution list, or to modify existing contact information, e-mail: [EMAIL PROTECTED]

For urgent matters or to report any incidents, please contact OCIPEP's Emergency Operations Centre at:
Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: [EMAIL PROTECTED]

For general information, please contact OCIPEP's Communications Division at:
Phone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
Email: [EMAIL PROTECTED]
Web Site: www.ocipep-bpiepc.gc.ca

Disclaimer

The information in the OCIPEP Daily Brief has been drawn from a variety of external sources. Although OCIPEP makes reasonable efforts to ensure the accuracy, currency and reliability of the content, OCIPEP does not offer any guarantee in that regard. The links provided are solely for the convenience of OCIPEP Daily Brief users. OCIPEP is not responsible for the information found through these links.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk