InfoGram
December 14, 2000
NOTE: This InfoGram will be distributed weekly to provide members of the
emergency services sector with news and information concerning the protection of
their critical information systems. For further information please contact the
U.S. Fire Administration's Critical Infrastructure Protection Information Center
at (301) 447-1325 or email at usfacipc@fema.gov.
Important Reminder
- The Federal Bureau of Investigation has set up the National Infrastructure
Protection Center (NIPC). The purpose of this Center is to provide a central
point of focus for the Federal Government to deal with Critical Infrastructure
protection issues. They have requested that emergency services organizations
report disruptions and intrusions involving their systems. Their goal is to
track the effects of these attacks on a national scale and to determine trends
that may affect other organizations. There are three ways to report
attacks:
- NIPC
Voice: 202-323-3205
Fax: 202-323-2079
Web: http://www.nipc.gov/incident/cirr.htm
- Your local F.B.I. office; or
- U.S. Fire Administration
Voice: 301-447-1325
Email: usfacipc@fema.gov
- The NIPC also issues alerts involving attacks or suspected attacks on
information systems. Emergency services personnel are encouraged to visit the
NIPC site (http://www.nipc.gov) frequently and download these important alerts.
Recent Alert
The latest NIPC Alert is included. This alert describes a virus/worm that is still "in the wild".
"W32/ProLin@MM" Internet Worm (Shockwave), NIPC 00-61 Assessment
The W32/ProLin@MM Internet worm (Shockwave) currently represents a medium threat in the United States. This virus has the potential to clog email networks due to its mass-mailing capabilities. The Shockwave worm arrives as an attachment to an email message with the subject "A great Shockwave flash movie". The body of the message contains the text "Check out this new flash movie that I downloaded just now...It's Great, Bye". If the file is activated, the worm copies itself to the C drive and the startup directory and sends itself as an attachment to all contacts in the victim's Outlook address book. It also sends an email with the subject "Job complete" and the text "Got yet another idiot." to a Yahoo email address. The worm then searches for any files with the extension MP3, JPG or ZIP and moves them into the C:\ directory. The moved files remain unchanged in content, but the worm renames them so that the extension is concatenated with the string "change at least now to Linux", e.g. from "Flowers.jpg" to "Flowers.jpgchange at least now to Linux". The files can be restored by moving them back to their original location and renaming them so that the concatenated string is removed from the filename. The worm also creates a text file, C:\Messageforu.txt, that lists all the files that were altered. The anti-virus software industry has created and released a DAT file that will detect and remove the malicious code from an infected system. Full descriptions and removal instructions can be found at various anti-virus software firms' websites, including the following:
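The following is an added recovery helper, not part of the NIPC alert or any vendor tool: a small Python script that undoes the renaming step described above. It assumes the exact suffix quoted in the alert and that the files still sit in the directory the worm moved them into; moving them back to their original folders is left to the operator, since the alert does not say whether C:\Messageforu.txt records original locations.

```python
"""Undo the filename damage described in the W32/ProLin@MM (Shockwave) alert."""
from pathlib import Path
from typing import List, Optional, Tuple

# Suffix the worm appends to the files it moves into C:\ (quoted from the alert).
WORM_SUFFIX = "change at least now to Linux"
# Extensions the alert says the worm targets.
AFFECTED_EXTENSIONS = (".mp3", ".jpg", ".zip")


def restore_name(name: str) -> Optional[str]:
    """Return the original filename if `name` carries the worm's suffix, else None.

    Only names whose restored extension is one the worm targets are accepted, so an
    unrelated file that happens to end in the same string is left untouched.
    """
    if not name.endswith(WORM_SUFFIX):
        return None
    original = name[: -len(WORM_SUFFIX)]
    if not original.lower().endswith(AFFECTED_EXTENSIONS):
        return None
    return original


def restore_directory(directory: Path, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Find renamed files in `directory` and rename them back.

    Returns (damaged_name, restored_name) pairs. With dry_run=True nothing is
    changed, so the list can be reviewed first. A rename is skipped when the
    restored name already exists, so no existing file is overwritten.
    """
    restored: List[Tuple[str, str]] = []
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        original = restore_name(path.name)
        if original is None:
            continue
        target = path.with_name(original)
        if target.exists():
            continue
        if not dry_run:
            path.rename(target)
        restored.append((path.name, original))
    return restored


if __name__ == "__main__":
    # Assumed usage: run from the directory the worm moved the files into (C:\ per the alert).
    for damaged, fixed in restore_directory(Path("."), dry_run=True):
        print(f"{damaged} -> {fixed}")
```

Run once with dry_run=True to review the list, then with dry_run=False to apply the renames.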
Additional information on the NIPC and NIPC Advisories is available at www.nipc.gov.
Recipients are asked to report actual or suspected criminal activity to their local FBI office or to NIPC, and to their military or civilian computer response group and other law enforcement agencies as appropriate. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. This FBI Awareness of National Security Issues and Response (ANSIR) communication is intended for corporate security professionals and others who have requested to receive unclassified national security advisories.
Individuals who wish to become direct recipients of FBI ANSIR communications should provide business card information, i.e. company name, address, phone, fax, etc., to ansir@leo.gov for processing, with a brief description of the product and/or service provided by your organization.
Factual Event and Lessons Learned
- A teenage hacker gained access to two public telephone company computer-
controlled loop carrier systems in the New England area of the country. These
devices serve as an interface between copper wires and fiber-optic cable. They
can be controlled and accessed by remote computers, and this access is provided
by telephone dial-up modems. The hacker obtained the telephone numbers that are
used to call the modems that access the onsite loop carrier computers. First the
hacker disabled the system that controlled communications to an airport. The FAA
tower, the airport fire department, and security services were denied telephone
service. Then the hacker accessed the system serving the town and disrupted
telephone service to most of it, including emergency traffic. The public
telephone company has addressed this vulnerability. The hacker was apprehended
and was the first juvenile convicted of a computer crime.
The above incident is an example of how an emergency services communication system can be attacked from the outside. The system was temporarily disabled and the ability to respond to emergency incidents was impeded. The teenage hacker could be replaced by a terrorist or a criminal who would benefit by a delayed or impeded emergency services response.
Does your organization have a plan in place to deal with a shutdown of telephone service to your community? How well do you interface with the local provider of 911 telephone service in your area? Does your computer-controlled radio and dispatch equipment have remote access by telephone modem?
These are questions that need to be asked by the managers and supervisors who are in charge of emergency services communications equipment. Plans and procedures similar to the documents developed and used for Y2K can be utilized to deal with these possible incidents.