NIPC Daily Report 27 November 2001

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI.

Significant Changes and Assessment

There is a vulnerability in Microsoft Internet Explorer that allows a malicious Web site to spoof file extensions in the download dialog to make an executable program file look like a text, image, audio or other file. The user will see a dialog window open, asking if the user wants to OPEN or SAVE. Should the user decide to OPEN the file, the file will run without further prompting. If the code is executable, no matter what the extension, the program will run on the user's system, allowing the program full use of the user's system. This does not require any scripting to be turned on at all, but it can be triggered via JavaScript, inside an iframe, or even as a normal link.

A second Microsoft vulnerability exists in Windows 95/98/NT/2000 with scripting turned on in Internet Explorer. Any e-mail or Web page with scripting that includes GetObject() as well as an ActiveX htmlfile can view any file on the user's hard drive. This includes the password files for the operating system, the cookies file, and other files with personal or sensitive information contained within them. (Source: Multiple Sources, 26 November)

Private Sector

Search-engine spiders crawling the Web are increasingly stumbling upon passwords, credit card numbers, classified documents and even computer vulnerabilities that can be exploited by hackers. The problem is not new: ever since search robots began indexing the Web years ago, Web site administrators have found pages not meant for public consumption exposed in search results. A different twist on this has appeared with the advent of a new tool built into the Google search engine that finds a variety of file types in addition to traditional Web documents. With Google's new file-type search tool, a wide array of files formerly overlooked by basic search engine queries are now just a few clicks from the average surfer, or the novice hacker. Since Google's new tool launched earlier this month, Web site owners have been pulling down or securing sensitive pages that have turned up in Google results. (Source: CNET News, 26 November 2001)

Microsoft Corporation's new Web services software will allow developers to create secure applications more easily and screen out the kind of unauthorized commands that are commonly used by malicious hackers, according to a review commissioned by the company. A white paper released on 26 November and authored by Foundstone Incorporated and CORE Security Technologies concluded that Microsoft's .NET Framework reduces many major security risks. Microsoft's .NET Framework will be used by developers to write applications for Web services, under which software will be available online as a service to anyone using any device. When it is released around the end of the year, .NET software will automatically check the code and determine whether it should be allowed to perform the operation it is requesting, said Mike Kass, product manager for Microsoft's .NET Framework. “When you load a program, it gathers evidence of where it came from and who wrote it. If you are a system administrator you can fine-tune these permissions,” said Kass. “With the .NET Framework we're going to take the burden off the end user.” (Source: Reuters, 26 November)

International

As part of the international fight against terrorism, the Hong Kong government wants new laws that could classify disruptions to computer systems as acts of terror. Terrorism has not been seen as a problem in Hong Kong, but the Security Bureau says in a paper being distributed to lawmakers that Hong Kong needs to pass new laws to keep up with UN Security Council resolutions. The Security Bureau paper, to be discussed by legislators on 30 November, said new laws must define terrorism and address “the threat to use force or violence and action designed to interfere with or disrupt an electronic system.” Financing terrorism is not now an offense under Hong Kong laws, so legislation will also be required to provide for seizure of money intended for use by terrorists. (Source: Associated Press, 27 November)

Richard Alston, reappointed as Australia's Communications and IT minister, has named some top brains to help recommend bidders to run a proposed new 129.5 million Australian dollar ($67.09 million) Information and Communications Technology Centre of Excellence. Establishment of the center was a major plank of government policies announced earlier this year, aimed at bolstering the information technology and communications industries in Australia. The aim is to create a world-class research and training institute that can take Australia's ability to create and exploit information and communications technology to a new level, Alston said, and attract leading expatriate and overseas researchers. (Source: Newsbytes, 26 November)

The Korea Information Security Agency (KISA) and the Consortium of Computer Emergency Response Teams (CONCERT) organized the fifth CONCERT Hacking Prevention Workshop, under the theme of future hacking and virus trends and protection strategies, on 21 November with local and foreign security experts participating. The hacking prevention workshop addressed the entire range of topics about the latest hacking and virus trends and effective countermeasures. The workshop was aimed at establishing a system of cooperation to prevent and contain intrusion attacks and to promote safe information communication networks through exchanges of information and technology on information security and strategies against intrusion attacks. The Cyber-Terrorism Response Center of the National Police Agency explained the importance of timely response to intrusion incidents and of intrusion prevention programs, with a presentation on the types of crimes committed in cyberspace and the countermeasures available to fight cybercrime, and on the emergency procedures, legal measures and relevant regulations that information security managers must follow in response to intrusion incidents involving their information security systems. (Source: Seoul Chonja Sinmun, 23 November)

Government - NTR

Military - NTR

U.S. SECTOR INFORMATION:

Transportation

Service on Amtrak trains was nearly back to normal on 26 November after crews repaired a power outage that delayed thousands of passengers traveling between Boston and Washington. The outage was caused by a CSX Corporation freight train that derailed and hit a power line pole about eight miles outside New York City early on 25 November. The pole carried a wire that supplied electricity to Amtrak's trains. A 19-mile stretch of track from New York City to New Rochelle was affected, and passengers traveling between Boston and New York were delayed at least two hours as Amtrak used diesel engines to tow electric trains to their destinations. Service along one affected track was restored early on 26 November and a second track was expected to be back in service later in the day. (Source: AP, 26 November)

Gas and Oil Storage Distribution - NTR

Telecommunications - NTR

Electrical Power - NTR

Emergency Services - NTR

Water Supply - NTR

Banking and Finance - NTR

Government Services - NTR
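The following Python script is an added example, not part of the NIPC report and not vendor code, showing defender-side checks for the two Internet Explorer issues described under Significant Changes and Assessment: a content-sniffing check that flags a download whose dialog name claims a harmless extension while its body begins with an executable header, and a scan of HTML pages or HTML e-mail bodies for script that combines GetObject() with an htmlfile object. The magic-number table, the list of "harmless" extensions and all sample downloads and documents are constructed for this example.

```python
"""Defender-side triage for the two Internet Explorer issues in the report.

Added example, not part of the NIPC report. All sample data is constructed
and embedded below so the script runs offline.
"""
import re

# Leading bytes that identify common file formats (well-known magic numbers).
# This table is an assumption for the example, not a complete registry.
MAGIC = {
    b"MZ": "executable (PE/DOS)",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"RIFF": "riff (wav/avi)",
}

# Extensions the download-dialog spoofing makes an executable look like.
HARMLESS_EXTS = {"txt", "gif", "jpg", "jpeg", "png", "wav", "mp3", "pdf", "htm", "html"}


def sniff_format(data: bytes) -> str:
    """Return the format named by the leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name shown in the dialog claims a harmless extension but the
    body starts with an executable header, the mismatch the spoof relies on."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HARMLESS_EXTS and sniff_format(data) == "executable (PE/DOS)"


# Script blocks in an HTML page or HTML e-mail body.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
GETOBJECT_RE = re.compile(r"\bGetObject\s*\(", re.I)
HTMLFILE_RE = re.compile(r"htmlfile", re.I)


def flags_local_file_read(document: str) -> bool:
    """True when any script block calls GetObject() and the document refers to
    the htmlfile object (in script or in an <object> tag), the combination the
    report describes as able to read local files when scripting is enabled.
    This is a token-based screen for mail or proxy filtering, so expect some
    false positives on pages that legitimately use those names."""
    if not HTMLFILE_RE.search(document):
        return False
    return any(GETOBJECT_RE.search(block) for block in SCRIPT_RE.findall(document))


# Constructed sample downloads: name shown in the dialog -> first bytes of the body.
SAMPLE_DOWNLOADS = {
    "readme.txt": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,  # PE header behind a .txt name
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "setup.exe": b"MZ\x90\x00",  # honestly named executable, not a spoof
    "notes.txt": b"Meeting at noon.\n",
}

# Constructed sample documents: label -> HTML body.
SAMPLE_DOCUMENTS = {
    "newsletter": "<html><body><p>Plain HTML e-mail, no script.</p></body></html>",
    "benign_script": "<html><script>document.title = 'hello';</script></html>",
    "suspicious": ('<html><object id="htmlfile"></object>'
                   '<script>var d = GetObject("CONSTRUCTED_SAMPLE");</script></html>'),
}


def triage_downloads(samples=SAMPLE_DOWNLOADS):
    """Names of sample downloads whose claimed extension hides an executable."""
    return sorted(name for name, body in samples.items() if extension_mismatch(name, body))


def triage_documents(samples=SAMPLE_DOCUMENTS):
    """Labels of sample documents carrying the GetObject()/htmlfile combination."""
    return sorted(label for label, doc in samples.items() if flags_local_file_read(doc))


if __name__ == "__main__":
    print("downloads with spoofed extensions:", triage_downloads())
    print("documents flagged for local file read:", triage_documents())
```

Both checks are meant to run where content can still be held back, such as a mail gateway or proxy: the first inspects the body rather than trusting the displayed name, which is exactly what the dialog spoof abuses, and the second gives an analyst a cheap screen before deciding whether scripting content should reach users at all.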
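As an added example for the search-engine exposure item under Private Sector (not code from the report, from Google or from CNET), the Python script below audits a Web document root for the kinds of non-HTML files a file-type search would surface and for names that suggest sensitive content, then produces robots.txt Disallow lines for the findings. The extension list, the keyword list and the sample directory tree are assumptions constructed for this example; a robots.txt entry only asks cooperating crawlers to skip a file, so flagged files should be moved out of the Web root or put behind access control rather than merely listed.

```python
"""Audit a Web document root for files a file-type search engine could expose.

Added example, not part of the NIPC report. The sample tree is built in a
temporary directory so the script runs offline.
"""
import tempfile
from pathlib import Path

# Document types beyond ordinary HTML pages that a file-type search indexes.
# The list is an assumption for the example.
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".rtf", ".ps"}
# Path fragments that suggest content not meant for the public (assumed list).
SENSITIVE_WORDS = ("password", "passwd", "confidential", "internal", "salary")


def audit_webroot(root):
    """Return sorted (relative_path, [reasons]) pairs for files worth reviewing."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.suffix.lower() in DOCUMENT_EXTS:
            reasons.append("indexable document type")
        if any(word in rel.lower() for word in SENSITIVE_WORDS):
            reasons.append("sensitive name")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def robots_disallow(findings):
    """Build robots.txt text for the findings. This only asks well-behaved
    crawlers to stay out; it is not an access control and the real fix is to
    remove or protect the file."""
    lines = ["User-agent: *"]
    for rel, _reasons in findings:
        lines.append("Disallow: /" + rel)
    return "\n".join(lines) + "\n"


def build_sample_webroot():
    """Create a constructed document root in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.html": "<html>public</html>",
        "about.html": "<html>about</html>",
        "reports/q3-sales.xls": "constructed sample",
        "private/passwords.txt": "constructed sample",
        "docs/handbook.pdf": "constructed sample",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    results = audit_webroot(sample_root)
    for rel, reasons in results:
        print(f"{rel}: {', '.join(reasons)}")
    print(robots_disallow(results))
```

Run against a real document root, the audit gives a site owner the same view a crawler gets, so the review can happen before the files turn up in someone else's search results.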
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:35:10 PDT