FW: NIPC Daily Report, 10 August

From: George Heuston (georgeh@private)
Date: Fri Aug 10 2001 - 11:05:12 PDT


    -----Original Message-----
    From: NIPC Watch [mailto:nipc.watch@private] 
    Sent: Friday, August 10, 2001 8:45 AM
    To: daily@private
    Subject: NIPC Daily Report, 10 August
    Importance: High
    
    Significant Changes and Assessment - Possible new Code Red II
    vulnerability: NIPC has received information from FAA sources that
    suggests the existence of two potential vulnerabilities of otherwise
    secured networks to the Code Red II worm which should be addressed
    immediately by network administrators:
    
    1) Even if gateway systems and Internet-connected IIS servers have been
    successfully patched, the possibility of infection remains for
    intranet/LAN-only servers running IIS 4.0 or 5.0 when users physically
    connect infected laptops to the LAN, or access the LAN through VPN/RAS
    services.
    Network administrators and security personnel should ensure that all
    laptops are examined and certified to be clean prior to allowing direct
    access to the LAN.  Similarly, laptops with VPN or RAS access should be
    regularly inspected and procedures set in place to prevent infection.
    Any intranet/LAN-only servers running IIS 4.0 or 5.0 should also
    immediately be patched to prevent the possibility of infection.
    
    2) Since machines which have been infected by the Code Red II worm
    contain a "back door" possibly allowing remote access and control by
    external users/hackers, any infected machine brought onto the LAN,
    either physically or through VPN/RAS service, potentially opens the
    network to intrusion from outside individuals.
    
    Private Sector - Security at three Web sites operated by AOL Time
    Warner's Road Runner service was compromised on 9 August. An attacker
    replaced the sites' usual home pages with a message about saving
    whales.  Defaced were the home pages of the cable-based Internet
    service's sites for users in Austin, Texas, and in Kansas City, as well
    as a site serving subscribers in Maine. Officials from Road Runner,
    which serves more than 2 million subscribers in markets across the
    United States, are investigating the incident and had no immediate
    comment.  The attacker, who uses the nickname "TonikGin," posted a
    message at the Maine Road Runner site, which accused Exxon Mobil Corp.
    of endangering gray whales through seismic testing in Russian waters.
    (Source: Newsbytes, 9 August)
    
    International - According to South Korea's Information and Communication
    Ministry, the Code Red computer worm has mutated into a third more
    dangerous variant.  "About 10 damage reports have come in which were
    believed to have been the result of the latest Code Red III," states Ko
    Kwang-sup, an official at the ministry.  He said the Code Red III worm
    spreads even faster than earlier versions and leaves a wider "back door"
    on infected machines, making them more vulnerable to future hacking.
    (Source: Reuters, 10 August) (NIPC Comment: NIPC has no indication that
    there is yet another Code Red version/variant emerging.  Known
    incarnations include the original Code Red, Code Red v2, and Code Red
    II, sometimes referred to as Code Red III.  This report does, however,
    indicate an uneven naming convention applied to a dynamic Internet
    threat.  NIPC, with industry and government partners, will continue to
    closely monitor new Code Red developments and advise as warranted.)
    
    An alert has been issued to Japanese police forces nationwide over the
    latest outbreak of a fast-spreading computer virus; at least 200 places
    in Japan may have been infected, the National Police Agency (NPA) said
    on 8 August.  According to the NPA, the new worm Code Red II being
    spread via the Internet only affects the Windows 2000 operating system.
    The NPA said there have been signs of Code Red II in its own server
    computer, and it estimated the number of infected spots in the country
    based mainly on the number of such signs. The NPA said it is calling for
    the installation of an anti-virus program to prevent such infections.
    (Source: Tokyo Kyodo News, 8 August)
    
    Japan's National Police Agency said on 9 August that 959 cases of
    unauthorized computer access were reported in January-June, with 15
    suspects arrested for violating the nation's Unauthorized Computer
    Access Law.  The number of reported unauthorized access cases shot up
    from 35 cases in the six months from February last year, when the law
    was enacted.  Of the 959 cases, illegal access from overseas accounted
    for 418 cases, while domestic access totaled 165 cases.  About 80
    percent of the overall cases were related to last May's hacking program
    which altered homepages worldwide with a message attacking the U.S.
    government.  Companies were the hardest hit by unauthorized access,
    reporting 330 cases, followed by 81 cases at universities and research
    institutions, and 75 cases at Internet access providers.  (Source: Tokyo
    Jiji Press, 9 August)
    
    A new unit is being established to protect New Zealand against cyber
    threats.  State Services Minister Trevor Mallard said the unit would be
    called the Center for Critical Infrastructure Protection (CCIP), located
    within the Government Communications Security Bureau.  It will begin
    operating next April, at a cost of about $850,000 per year. A capital
    injection of $269,000 will also be needed to set it up.  "The new
    center will be the nexus of cooperation between the state sector and the
    private sector in protecting New Zealand against cyber-threats and it
    will be the route by which we are connected to the world in protecting
    systems," Mr. Mallard said in a statement.  The center will provide
    24-hour "watch and warn" advice about threats from viruses and hacking
    attempts, analysis, and investigation of threats and assistance in
    helping owners of critical infrastructure to identify and understand and
    protect their vulnerabilities.  (Source:  New Zealand Press Association,
    7 August)
    
    Government - In a report dated 1 August which cites the increasingly
    sophisticated attacks on the federal government's technology
    infrastructure, the Government Electronics and Information Technology
    Association (GEIA) said the government needs to provide additional
    funding to secure its networks.  Most federal network operators lack the
    resources and technical expertise to defend against attacks and minimize
    damage.  GEIA, a trade association of high-tech companies, says a
    stronger federal security infrastructure can be built by identifying,
    supporting and rewarding internal and cross-agency security
    initiatives.  (Source: Security Wire Digest, 9 August)
    
    On 7 Aug, U.S. District Court Judge Nicholas Politan ruled that the FBI
    must explain to him how a monitoring device called a "key logger system"
    works.  Depending on how the device collects data, its use may have been
    illegal.  The key logger was used against Nicodemo Scarfo, Jr., who is
    accused of running loan shark and gambling operations in New Jersey.
    The FBI used the key logger to deduce the password that Scarfo used to
    encrypt his files containing data on his illegal activities.  But
    Scarfo's lawyers have pressed Politan to throw out the records,
    contending they were collected illegally.  The FBI had a search warrant,
    which permitted them to seize specific, limited evidence.  But to plant
    a device able to make sweeping electronic interceptions, such as
    keyboard keystrokes, the lawyers argue, the FBI needed a wiretap order,
    which is much harder to obtain than a search warrant.  The FBI insisted
    the keystroke data was collected legally, but agents steadfastly refused
    to disclose how the key logger system works.  Politan overruled the law
    enforcement and national security arguments and ordered the FBI to tell
    him by 31 August how the key logger works.  In deference to Justice
    security concerns, Politan said the explanation may be delivered to him
    in a sealed report.  (Source: Federal Computer Week, 9 August)
    
    Military - NTR
    
    U.S. SECTOR INFORMATION:
    
    Telecommunications  - A cellular telephone outage in the Washington area
    interrupted service for thousands of customers for more than eight hours
    on 9 August.  The problem began after a power failure at a Cingular
    Wireless Inc. switching station in Greenbelt, Maryland.  Cingular
    officials said the initial outage was heat related. Bob Dobkin,
    spokesman for the Potomac Electric Power Co., said there was an
    undetermined problem with a cable connector on a transformer.  Beginning
    around 4 a.m. on 9 August, Cingular customers who tried to make outgoing
    calls met fast busy signals. Incoming calls to cellular telephones were
    answered with a recording informing callers that all circuits were busy.
    (Source: Associated Press, 9 August)
    
    Electrical Power - NTR
    Banking and Finance - NTR
    Water Supply - NTR
    Gas and Oil Storage Distribution - NTR
    Government Services - NTR
    Transportation - NTR
    Emergency Services - NTR
    
    NOTE:  Please understand that this is for informational purposes only
    and does not constitute any verification of the information contained in
    the report nor does this constitute endorsement by the NIPC or the FBI.
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:13 PDT