-----Original Message-----
From: NIPC Watch
To: daily
Sent: 10/23/01 9:30 AM
Subject: NIPC Daily Report 23 October 01

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI.

Significant Changes and Assessment - No significant changes.

Private Sector - Users of Microsoft's Hotmail service are vulnerable to a new twist on an old trick for hiding potentially malicious scripts in the HTML code of e-mail messages, a security enthusiast has discovered. Borrowing a technique published last year, a user could dodge Hotmail's filters by embedding JavaScript code within specially crafted image tags. The technique could, for example, be used by attackers to redirect users to a fake Hotmail site and trick them into re-entering their password. A Microsoft representative said the company was studying the security report and had no immediate comment. (Source: Newsbytes, 23 October)

CERT/CC warned network operators yesterday that Windows users and Internet routing equipment are the latest pawns of malicious intruders intent on launching denial of service attacks online. Attackers have begun favoring particular chunks of Internet address space that are more likely to contain Windows machines than others, said Kevin Houle, a researcher with CERT/CC. "If I'm an intruder and I want to install my tools on Windows machines, it's very easy to find subsections of the network to search," said Houle. So-called distributed denial of service (DDoS) attacks rely on an attacker's ability to install malicious agents on a large number of computers, and use them to simultaneously flood a victim with overwhelming traffic.
(Source: The Register, 23 October)

Government - According to California Attorney General Bill Lockyer, the state is investigating well-coordinated cyberattacks that targeted computers in California and 21 countries and ended abruptly on 10 September. Speaking on 19 October at an anti-terrorism conference of law enforcement officials from Northern California, Lockyer said the attacks were systematic, extensive and appeared to be government sponsored. "There's a lot of hacking that goes on that's not this disruptive or expensive," Lockyer said. "This was notable in that it was sophisticated enough to be beyond the capacity of ordinary hackers. So it suggests that there's actual government involvement on the other end." Lockyer said the state Justice Department is working with the FBI to investigate 120 coordinated attacks that attempted to strike university, business and government agency computers in the three months leading up to the 11 September terrorist attacks. (Associated Press, 20 October)

Iowa investigators are trying to figure out who hacked into the state's fiber-optics network and made $155,000 worth of phone calls to more than 90 countries. The illegal calls were made over a six-day period between 10-15 October, officials with the Iowa Communications Network said. The calls were made from other parts of the country, said Ron Koontz, an official with the network. The calls were made to countries such as Pakistan, Vietnam and Greece. Officials said the matter was reported to the Iowa Division of Criminal Investigation. (Source: Associated Press, 20 October)

Pennsylvania officials have launched an initiative to strengthen security and privacy policies and practices by educating state employees, hiring an ombudsman to oversee compliance and amending criminal codes to better address cybercrime. Gov. Mark Schweiker unveiled the initiative, PA Secure Online, on 18 October.
The governor's deputy press secretary, David La Torre, said it had been in the works for some time and was not precipitated by the 11 September terrorist attacks. By next spring, the state hopes to have an ombudsman in place, a position akin to a chief privacy officer, he said. The ombudsman, who would be under the auspices of the state Department of Information Technology, would reach out to agencies and coordinate the education effort as well as ensure compliance with state policies and federal restrictions on the use, storage and access to data, he said. The state will also create a "cyber academy" to better educate state employees on detecting threats to cybersecurity and train investigators in techniques for apprehending hackers. (Source: Federal Computer Week, 22 October)

President Bush has released his long-awaited presidential order creating a high-level board to protect the nation's critical information systems. Executive Order 13231 launches a huge administrative apparatus. While it gives somewhat more authority and staff to Richard A. Clarke, Bush's cybersecurity adviser, Office of Management and Budget director Mitchell E. Daniels, Jr., gets overall responsibility for government-wide security policy and implementation. Clarke will chair the newly created President's Critical Infrastructure Protection Board which, under the order, has responsibility to "coordinate and have cognizance of federal efforts and programs that relate to protection of information systems." The order does not abolish existing groups such as the Critical Infrastructure Assurance Office, the Federal Computer Incident Response Center, or the National Infrastructure Protection Center, but the board will assume general leadership of all of them. (Source: Government Security News, 23 October)

International - Security services firms in the UK have warned that government emergency anti-terrorists could impose unbearable costs on some ISPs.
The Home Office Secretary is readying legislation that may ask, or even require, ISPs to retain or keep records of which Web sites their customers visit, what news group articles they read and who they e-mail, for up to 12 months. One firm noted that "According to research . . . by 2003 there will be more than 20 billion e-mails circulating the Internet worldwide every day. If the average size of an e-mail is 2K, . . . and ISPs have to store e-mails for a year, then that equates to a global storage requirement of almost 7000 Terabytes needed in storage alone." Some ISPs have said that they would pass some of the extra costs to consumers if they had to keep Web log records for 12 months. The government has said it will consult with IT industry representatives over the issue. (Source: vnunet.com, 23 October)

On 23 October, Japan's power utilities, airlines, railroad companies and other organizations that provide essential infrastructure services set up a committee to discuss measures to counter cyberterrorism. The committee comprises 30 companies and organizations with offices in Tokyo, including Nippon Telegraph and Telephone Corp., Tokyo Electric Power Co., and Tokyo Gas Co., as well as three major airlines. The Tokyo Metropolitan Government's Bureau of Waterworks also participates in the committee. Besides cyberterrorism, the committee will discuss measures to combat bioterrorism and other forms of terrorism, following the spread of anthrax scares in the US. (Source: Tokyo Jiji Press, 23 October)

Military - NTR

U.S. SECTOR INFORMATION:

Water Supply - Sen. Pete Domenici, R-NM, announced his intention to amend a national dam and water infrastructure protection bill to increase resources to support counter-terrorism research on protecting critical infrastructures. Senate bill 1480 is aimed at improving security for Bureau of Reclamation dams, facilities and property.
The legislation was introduced at the request of the Bush administration following the 11 September terrorist attacks and the ongoing national risk assessment of vulnerable infrastructures. Domenici's amendment would authorize $20 million to support the National Infrastructure Simulation and Analysis Center (NISAC), a joint Los Alamos and Sandia national laboratories effort to use their expertise to advance the war on terrorism by improving US threat assessment and risk mitigation capabilities for "critical infrastructures." The Domenici amendment would provide resources for modeling, simulation, and analysis of the systems comprising critical infrastructures, including cyber infrastructure, telecommunications infrastructure, and physical infrastructure, to enhance understanding of these interrelated, complex systems and to mitigate the threats to these systems. Such modeling would also entail developing responses to incidents or crises involving critical infrastructures, including the continuity of government and private sector activities through and after such crises. (Source: Water Technology Online, 22 October)

Banking and Finance - The number of identity thefts reported by US financial institutions is on the upsurge again in 2001 after more than doubling last year. From January to April 2001, the US Treasury's Financial Crimes Enforcement Network received 332 reports of identity theft, compared with 637 cases over the whole of 2000 and 267 cases in 1999. "That amounts to a 50% increase from the same period a year ago," the agency noted in its semiannual review of trends in suspicious activity reports which banks must file with the government on transactions that appear to be linked to criminal activities. In its latest review, the agency also highlighted the addition last year of "computer intrusion" as a category of suspicious activity for banks to monitor and report on.
The term is defined as gaining access to banks' computer systems to steal funds or data, or to try to damage the systems. Other schemes uncovered included: virus intrusions, attempted "spam" e-mail attacks, the creation of phony replicas of banks' Web sites to try to steal customer data, and the hacking and attempted extortion of at least four banks earlier this year by a Russian programmer. (Source: Reuters, 23 October)

Electrical Power - NTR

Telecommunications - NTR

Transportation - NTR

Gas and Oil Storage Distribution - NTR

Government Services - NTR

Emergency Services - NTR