-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Friday, August 10, 2001 8:45 AM
To: daily@private
Subject: NIPC Daily Report, 10 August
Importance: High

Significant Changes and Assessment

- Possible new Code Red II vulnerability: NIPC has received information from FAA sources that suggests the existence of two potential vulnerabilities of otherwise secured networks to the Code Red II worm, which should be addressed immediately by network administrators:

1) Even if gateway systems and Internet-connected IIS servers have been successfully patched, the possibility of infection remains for intranet/LAN-only servers running IIS 4.0 or 5.0 when users physically connect infected laptops to the LAN, or access the LAN through VPN/RAS services. Network administrators and security personnel should ensure that all laptops are examined and certified to be clean prior to allowing direct access to the LAN. Similarly, laptops with VPN or RAS access should be regularly inspected and procedures set in place to prevent infection. Any intranet/LAN-only servers running IIS 4.0 or 5.0 should also immediately be patched to prevent the possibility of infection.

2) Since machines which have been infected by the Code Red II worm contain a "back door" possibly allowing remote access and control by external users/hackers, any infected machine brought onto the LAN, either physically or through VPN/RAS service, potentially opens the network to intrusion from outside individuals.

Private Sector

- Security at three Web sites operated by AOL Time Warner's Road Runner service was compromised on 9 August. An attacker replaced the sites' usual home pages with a message about saving whales. Defaced were the home pages of the cable-based Internet service's sites for users in Austin, Texas, and in Kansas City, as well as a site serving subscribers in Maine.
Officials from Road Runner, which serves more than 2 million subscribers in markets across the United States, are investigating the incident and had no immediate comment. The attacker, who uses the nickname "TonikGin," posted a message at the Maine Road Runner site, which accused Exxon Mobil Corp. of endangering gray whales through seismic testing in Russian waters. (Source: Newsbytes, 9 August)

International

- According to South Korea's Information and Communication Ministry, the Code Red computer worm has mutated into a third, more dangerous variant. "About 10 damage reports have come in which were believed to have been the result of the latest Code Red III," states Ko Kwang-sup, an official at the ministry. He said the Code Red III worm spreads even faster than earlier versions and leaves a wider "back door" on infected machines, making them more vulnerable to future hacking. (Source: Reuters, 10 August)

(NIPC Comment: NIPC has no indication that there is yet another Code Red version/variant emerging. Known incarnations include the original Code Red, Code Red v2, and Code Red II, sometimes referred to as Code Red III. This report does, however, indicate an uneven naming convention applied to a dynamic Internet threat. NIPC, with industry and government partners, will continue to closely monitor new Code Red developments and advise as warranted.)

- An alert has been issued to Japanese police forces nationwide over the latest outbreak of a fast-spreading computer virus; at least 200 places in Japan may have been infected, the National Police Agency (NPA) said on 8 August. According to the NPA, the new worm Code Red II being spread via the Internet only affects the Windows 2000 operating system. The NPA said there have been signs of Code Red 2 in its own server computer, and it estimated the number of infected spots in the country based mainly on the number of such signs.
The NPA said it is calling for the installation of an anti-virus program to prevent such infections. (Source: Tokyo Kyodo News, 8 August)

- Japan's National Police Agency said on 9 August that 959 cases of unauthorized computer access were reported in January-June, with 15 suspects arrested for violating the nation's Unauthorized Computer Access Law. The number of reported unauthorized access cases shot up from 35 cases in the six months from February last year, when the law was enacted. Of the 959 cases, illegal access from overseas accounted for 418 cases, while domestic access totaled 165 cases. About 80 percent of the overall cases were related to last May's hacking program which altered homepages worldwide with a message attacking the U.S. government. Companies were the hardest hit by unauthorized access, reporting 330 cases, followed by 81 cases at universities and research institutions, and 75 cases at Internet access providers. (Source: Tokyo Jiji Press, 9 August)

- A new unit is being established to protect New Zealand against cyber threats. State Services Minister Trevor Mallard said the unit would be called the Center for Critical Infrastructure Protection (CCIP), located within the Government Communications Security Bureau. It will begin operating next April, at a cost of about $850,000 per year. A capital injection of $269,000 will also be needed to set it up. "The new center will be the nexus of cooperation between the state sector and the private sector in protecting New Zealand against cyber-threats and it will be the route by which we are connected to the world in protecting systems," Mr. Mallard said in a statement. The center will provide 24-hour "watch and warn" advice about threats from viruses and hacking attempts, analysis and investigation of threats, and assistance in helping owners of critical infrastructure to identify, understand and protect their vulnerabilities.
(Source: New Zealand Press Association, 7 August)

Government

- In a report dated 1 August which cites the increasingly sophisticated attacks on the federal government's technology infrastructure, the Government Electronics and Information Technology Association (GEIA) said the government needs to provide additional funding to secure its networks. Most federal network operators lack the resources and technical expertise to defend against attacks and minimize damage. GEIA, a trade association of high-tech companies, says a stronger federal security infrastructure can be built by identifying, supporting and rewarding internal and cross-agency security initiatives. (Source: Security Wire Digest, 9 August)

- On 7 August, U.S. District Court Judge Nicholas Politan ruled that the FBI must explain to him how a monitoring device called a "key logger system" works. Depending on how the device collects data, its use may have been illegal. The key logger was used against Nicodemo Scarfo, Jr., who is accused of running loan shark and gambling operations in New Jersey. The FBI used the key logger to deduce the password that Scarfo used to encrypt his files containing data on his illegal activities. But Scarfo's lawyers have pressed Politan to throw out the records, contending they were collected illegally. The FBI had a search warrant, which permitted them to seize specific, limited evidence. But to plant a device able to make sweeping electronic interceptions, such as keyboard keystrokes, the lawyers argue, the FBI needed a wiretap order, which is much harder to obtain than a search warrant. The FBI insisted the keystroke data was collected legally, but agents steadfastly refused to disclose how the key logger system works. Politan overruled the law enforcement and national security arguments and ordered the FBI to tell him by 31 August how the key logger works. In deference to Justice security concerns, Politan said the explanation may be delivered to him in a sealed report.
(Source: Federal Computer Week, 9 August)

Military - NTR

U.S. SECTOR INFORMATION:

Telecommunications - A cellular telephone outage in the Washington area interrupted service for thousands of customers for more than eight hours on 9 August. The problem began after a power failure at a Cingular Wireless Inc. switching station in Greenbelt, Maryland. Cingular officials said the initial outage was heat related. Bob Dobkin, spokesman for the Potomac Electric Power Co., said there was an undetermined problem with a cable connector on a transformer. Beginning around 4 a.m. on 9 August, Cingular customers who tried to make outgoing calls met fast busy signals. Incoming calls to cellular telephones were answered with a recording informing callers that all circuits were busy. (Source: Associated Press, 9 August)

Electrical Power - NTR
Banking and Finance - NTR
Water Supply - NTR
Gas and Oil Storage Distribution - NTR
Government Services - NTR
Transportation - NTR
Emergency Services - NTR

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI.
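Returning to the first item of this report: its point is that a patched Internet gateway says nothing about LAN-only IIS 4.0/5.0 servers, which an infected laptop or VPN/RAS client can reach from inside. The Python script below is an added illustration, not part of the NIPC report, of how an administrator could see that happening in the web server's own logs. It scans constructed IIS W3C-format log lines for requests to the .ida ISAPI extension carrying an abnormally long query string (the request shape public Code Red descriptions give; treating it as the signature here is an assumption, not something the report states) and then separates RFC 1918 internal sources from external ones. A hit whose source is an internal address is exactly the laptop-or-VPN infection path the report warns about. The sample log lines, the 200-byte threshold and the field layout are all constructed for the example.

```python
"""Flag Code Red-style .ida overflow attempts in IIS W3C log lines and tell
internal (LAN/VPN) sources apart from external ones. Added example; the
signature heuristic and the sample log are assumptions, not NIPC data."""
import ipaddress
from collections import Counter

# Assumed heuristic: a request for an .ida ISAPI endpoint whose query string is
# far longer than any legitimate Index Server query. Threshold is constructed.
LONG_QUERY = 200

# RFC 1918 space counts as "inside the LAN" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, W3C extended format with a reduced field set.
# The long query is plain padding, not worm payload.
PADDING = "X" * 240
SAMPLE_LOG = [
    "#Software: constructed sample, not a real server log",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-10 08:01:12 203.0.113.7 GET /default.ida " + PADDING + " 200",
    "2001-08-10 08:02:03 192.168.5.44 GET /default.ida " + PADDING + " 200",
    "2001-08-10 08:02:40 192.168.5.44 GET /default.ida " + PADDING + " 200",
    "2001-08-10 08:03:15 10.1.2.3 GET /index.htm - 200",
    "2001-08-10 08:04:00 198.51.100.9 GET /search.ida q=printers 200",
    # 404: the .ida mapping is absent, so this host is not exploitable,
    # but the internal source is still a machine worth inspecting.
    "2001-08-10 08:05:22 172.20.1.9 GET /default.ida " + PADDING + " 404",
]


def is_internal(ip_text):
    """True if ip_text parses as an address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_w3c_line(line):
    """Split one log line into its seven fields; None for directives,
    blank lines or lines that do not have the expected field count."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, c_ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": status}


def is_overflow_attempt(rec):
    """Apply the assumed signature: .ida target plus an overlong query."""
    if rec["query"] == "-":          # W3C logs write "-" for an empty query
        return False
    return rec["stem"].lower().endswith(".ida") and len(rec["query"]) >= LONG_QUERY


def scan(lines):
    """Return one finding per matching request, tagged with its origin."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec and is_overflow_attempt(rec):
            findings.append({
                "when": rec["date"] + " " + rec["time"],
                "c_ip": rec["c_ip"],
                "internal": is_internal(rec["c_ip"]),
                "status": rec["status"],
            })
    return findings


def summarize(findings):
    """Count hits by origin and list the internal hosts to go and inspect."""
    counts = Counter("internal" if f["internal"] else "external" for f in findings)
    return {
        "internal": counts["internal"],
        "external": counts["external"],
        "internal_sources": sorted({f["c_ip"] for f in findings if f["internal"]}),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        origin = "INTERNAL" if h["internal"] else "external"
        print(f"{h['when']} {h['c_ip']:<15} {origin:<8} HTTP {h['status']}")
    print(summarize(hits))
```

Run against a real log, the `internal_sources` list is the set of LAN or VPN addresses that were probing for the .ida overflow, which is the list of laptops the report says should be pulled and examined; external hits against an already patched server are noise, internal hits are not.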
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:13 PDT