CRIME NIPC Daily Report 24 June 2002

From: George Heuston (GeorgeH@private)
Date: Mon Jun 24 2002 - 09:55:14 PDT


    NIPC Advisory 02-005.1: Remote Vulnerabilities in Apache Web Server
    Software. The NIPC issued an updated advisory to highlight the significance
    of a vulnerability that could affect a majority of active Web sites. The
    advisory can be viewed at
    http://www.nipc.gov/warnings/advisories/2002/02-005.1.htm
    
    Amtrak shutdown could paralyze rail commuter service.  An Amtrak shutdown
    would ripple far beyond inter-city passenger train service, and could halt
    or severely curtail rail commuter service along the East Coast and
    California.  An inter-city and commuter rail shutdown could create havoc
    along the East Coast where hundreds of thousands of people would be forced
    onto highways, subways and airports. Amtrak, for instance, now hauls more
    passengers between Washington and New York than the airline shuttles
    combined.  In addition to the Washington area shutdowns, Philadelphia's
    Southeastern Pennsylvania Transportation Authority would be largely shut
    down, as would New Jersey Transit. The Long Island Rail Road could operate
    as usual with one major exception - it couldn't get into Manhattan because
    it uses Penn Station. Boston's commuter system would be mostly shut down
    because its trains are operated by Amtrak and use many stretches of Amtrak
    track and stations.  In California, all commuter service would apparently be
    shut down, including major systems in Los Angeles and San Francisco, because
    they are either operated by Amtrak or use Amtrak facilities. The effect on
    freight service would be minimal, although the large Chrysler plant at
    Newark, Del., and the Ford plant at Metuchen, NJ, would be isolated from
    rail services because they are served by Norfolk Southern trains that use
    Amtrak tracks. (The Washington Post, 21 June)
    
    FEMA taking charge of wireless.  The Office of Management and Budget will
    soon direct the wireless communication initiative to be placed under the
    Federal Emergency Management Agency (FEMA).  FEMA will organize the
    government's communications capabilities under Project SafeCom to ensure
    emergency workers are outfitted with functional equipment.  The Department
    of Treasury is passing the project to FEMA because of its emphasis on
    emergency preparedness and first responders.  To fund this wireless
    initiative, the Bush administration's budget request identified $3.5 billion
    for new equipment and training to enhance state and local readiness for
    attacks.  As part of the proposal, FEMA would allocate $7 million for grants
    to states, with at least 75 percent for local governments.  (Federal
    Computer Week, 21 June)
    
    House panel approves bill permitting pilots to be armed. A House measure to
    create an experimental program under which 250 pilots would initially be
    armed faces tough opposition in the Senate and from key groups such as
    flight attendants and airlines.  A Senate bill that would arm far more
    pilots has run into difficulties in committee. At the end of two years, the
    TSA could expand or eliminate the program for pilots.  The Air Transport
    Association, which represents major airlines, called the House bill "an
    improvement" on an earlier measure that provided for more widespread arming
    of pilots. The airline association said the bill still fails to answer
    questions about who would be liable if a bullet accidentally wounds or kills
    a passenger or crewmember.  (Washington Post, 20 June)
    
    Transportation agency steps up campaign to recruit baggage screeners. On 21
    June the Transportation Security Administration (TSA) announced a major
    acceleration of its hiring campaign to recruit federal baggage screeners at
    30 airports across the country.  Under the 2001 Aviation and Transportation
    Security Act, the TSA has until 19 November to hire and train federal
    screeners at the nation's 429 airports.  In order to meet its deadline, TSA
    needs to hire 7,000 to 8,000 screeners every month from July through the end
    of October.  (Government Executive, 21 June)
    
    Microsoft Security Bulletin MS02-031. Microsoft Corporation has released
    Microsoft Security Bulletin MS02-031, "Cumulative Patches for Excel and
    Word for Windows."  According to a 19 June Microsoft Security Bulletin, four
    newly discovered vulnerabilities each could enable an attacker to run macro
    code on a user's machine.  The attacker's macro code could take any actions
    on the system that the user was able to.  Microsoft has made a patch
    available to close the vulnerabilities. The vulnerabilities include the
    following: An Excel macro execution vulnerability related to how inline
    macros that are associated with objects are handled could enable macros to
    execute and bypass the Macro Security Model.  An Excel macro execution
    vulnerability relates to how macros are handled in workbooks that are opened
    via a hyperlink on a drawing shape.  It is possible for macros in a workbook so
    invoked to run automatically. An HTML script execution vulnerability that
    can occur when an Excel workbook with an XSL Stylesheet that contains HTML
    scripting is opened.  The script within the XSL stylesheet could be run in
    the local computer zone. A new variant of the "Word Mail Merge"
    vulnerability previously addressed by a Microsoft alert, could enable an
    attacker's macro code to run automatically if the user had Microsoft Access
    present on the system and chose to open a mail merge document that had been
    saved in HTML format.  Additional information on this bulletin and the patch
    to fix these vulnerabilities can be viewed at:
    http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-031.asp
    (Microsoft, 19 June)
    
    Yaha Worm, apparently from India, spreading globally.  Yaha worm, in its
    various forms, has allegedly been launched by Indian hackers in retaliation
    for extensive anti-Indian hacking carried out by Pakistani hacker groups.
    Yaha.E is designed to use infected machines to flood the Web address
    http://www.pak.gov.pk/, a Web site owned by a group in Pakistan registered
    as the Commission for Science and Technology for Sustainable Development in
    the South.  A text file within the worm
    specifically mentions the Pakistani hacker group GForce.  Yaha is similar to
    the highly successful Klez worm in a number of respects, according to the
    report.  Yaha.E, for example, aggressively attempts to terminate anti-virus
    and related security software from memory, searching for and killing over 40
    related processes.  (iDefense, 21 June)
    
    WWU Comment: The NIPC is closely monitoring this worm and will advise of
    changes in its status as necessary.  Major US anti-virus vendors are rating
    this worm as Low and have removal instructions posted to their Web sites. 
    
    Secret Service probes school hacking.  Online criminals have compromised
    computers at the universities in Arizona, Texas, Florida, and California,
    and the Secret Service is investigating the incidents. These criminals may
    have placed spyware that captures passwords and credit card numbers on the
    computers. Someone actually sitting at the keyboard may have loaded such
    software onto the system. University systems have long been a haven for
    hackers and online vandals, given the loosely secured computer labs most of
    them have. In the past, compromised university systems contributed to the
    DoS attacks that struck at well-known e-commerce sites more than two years
    ago. (CNET, 21 June) 
    
    ~dmh
    



    This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 11:03:01 PDT