-----Original Message----- From: NIPC Watch [mailto:nipc.watch@private] Sent: Friday, December 21, 2001 6:32 AM To: Daily Distribution Subject: NIPC Daily Report 21 December 2001 Importance: High NIPC Daily Report, 21 December 2001 NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI. Significant Changes and Assessment - The National Infrastructure Protection Center (NIPC) issued Advisory 01-030, "Universal Plug and Play Vulnerabilities." The NIPC is tracking what Microsoft refers to as a critical vulnerability in the universal plug and play (UPnP) service in Windows XP, Millennium Edition (ME), and Windows 98 or 98SE systems. UPnP is a service that identifies and uses network-based devices. This vulnerability could lead to denial of service attacks and system compromise. Microsoft has released a patch for this vulnerability at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS01-059.asp. <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security /bulletin/MS01-059.asp. > There are two known vulnerabilities in the UPnP service. Further information and the advisory can be found by visiting http://www.nipc.gov/warnings/advisories/2001/01-030.htm <http://www.nipc.gov/warnings/advisories/2001/01-030.htm> . General - Microsoft and Oracle, acknowledged flaws in major products that could leave users vulnerable to hackers. Both Windows XP and Oracle's 9i application server had been heavily marketed for their security features. Microsoft and Oracle each offered online patches to fix the problems. Microsoft admitted that the newly released Windows XP operating system, touted as the most secure version of Windows ever, suffered from a critical vulnerability that exposed any user who connected the Internet to a possible hijacking of their computer. Meanwhile, Oracle's 9i application server was afflicted by a similar vulnerability, known as a buffer overflow, that would have let an attacker execute remote commands. (Mercury News, 20 December) RSA Security and Hifn produced a patch for the Wireless Equivalent Privacy (WEP) protocol. This patch, called "Fast Packet Keying," a new technology based on the RC4 algorithm, is designed to secure the WEP encryption standard by generating a unique key for each data packet sent over the wireless LAN. It is designed to avoid the similarities in the packet keys by providing a rapid way to derive unrelated RC4 keys from a shared secret. The Institute of Electrical and Electronics Engineers 802.11 committee has approved the Fast Packet Keying technology. It will be distributed as a software or firmware patch by vendors. Device makers are upgrading their software. (Security Wire Digest, 20 December) Electrical Power - According to a panel, the Texas telecommunications industry and electric grid are vulnerable to terrorist attack unless communication, threat assessment, and intelligence are improved. "Nobody plans for the kinds of circumstances we now must anticipate," said the chief executive officer of TXU Corp, a Dallas-based electric company. "We are now vulnerable to well-financed, what I would call fanatical, attacks." TXU Corp. was among a group of businesses from the electric, airline, telecommunications, and petroleum industries meeting at Rice University's Baker Institute for Public Policy. They were discussing how to protect infrastructure such as computer systems that oversee transportation, telecommunications, energy, and water sources throughout Texas. (Associated Press, 20 December) An estimated 118,000 customers in parts of four northern Utah counties were without power for two hours on 19 December due to a problem at the Ben Lomond substation. The power went out about 5:30 p.m. and was restored by 7:45 p.m., spokesman Kimball Hansen said. He said the exact cause had not been determined but it involved the substation, which is near Great Salt Lake's Willard Bay and Interstate 15. (Associated Press, 20 December) Transportation - Mary Schiavo, former inspector general for the Department of Transportation, said the federal government and private industry still do not seem to understand that strengthening and enforcing transportation security measures would boost public confidence and business. "Security is commerce and without it, there isn't any," Schiavo, an aviation disaster attorney, told attendees at a homeland defense conference in Washington, D.C. The security problems, a disregard for laws, the existence of disparate enforcement throughout the country and a reliance on technology, have contributed to a lax system not just in the aviation industry, but in all forms of transportation, she said, including trucking, trains and oil pipelines, which fall under the DoT's control. (Federal Computer Weekly, 20 December)
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:37:51 PDT