Educause Security Discussion mailing list archives

Items of possible interest...


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 3 Apr 2003 16:59:08 -0500

Some things below, received by the REN-ISAC, that could be of interest
to your campuses.  

(By the way, the information in the media summaries at the bottom is
from NIPC (now IAIP of DHS) information products that anyone can
subscribe to at nipc.gov.)

M.

-- 
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

******

UNCLASSIFIED//FOR OFFICIAL USE ONLY

THIS INFORMATION IS FOR OFFICIAL USE ONLY.
PLEASE LIMIT DISTRIBUTION TO SYSTEMS/NETWORK ADMINISTRATORS AND 
SECTORS WHICH COULD BE ADVERSELY IMPACTED BY CYBER ATTACKS.

NSIRC-093-03
SUBJECT: NSIRC ALERT -- Chinese Hackers To Coordinate Plans on 29
         March 2003 for Cyber Attacks Against U.S. and UK Computer
         Systems 


SUMMARY

A group of Chinese hackers are making plans to launch cyber
attacks against U.S. and UK information systems in the near future. 
Although unclear, these cyber attacks may involve web defacements and
some sort of distributed denial of service (DDOS) attacks. This
report will provide available details concerning this activity and
two web sites where the discussions are occurring.

DETAILS

Chinese hackers are planning to launch cyber attacks against U.S.
and UK web sites and information systems on an unknown date.  A
coordination meeting is set for 29 March 2003 at probably 0730Z
between the organizers of these attacks and participants. (COMMENT:
The actual wording was 29 March at 1530.)

On 17 March 2003, an individual using the handle "LongMarch"
(NFI) posted a message to a bulletin board service located at URL
http://www.longker.com referencing a planning meeting for
participants of upcoming cyber attacks against the U.S. and the UK,
but not domestic entities. In this message, there were indications
that the participants of the cyber attacks were going to be split
into two separate groups: one group that will conduct scanning
activities and another group that will carry out the actual attacks. 
The groups were not to destroy information but to conduct web
defacements and post antiwar messages.  Additionally, the individuals
were "to follow the rules or be expelled."

A web site at URL http://www.rvibo.y365.com/index.htm, which may
be owned by a possible member of Honker Union of China and identified
as "tiger," outlined the time and date for the coordination meeting
to be held in the "conference room." (COMMENT:  Probably a reference
to a chat room.)  The coordination meeting was scheduled for 29 March
at probably 0730Z for individuals interested in participating in 
cyber attacks against the U.S. (COMMENT: The actual time for the
planning session was listed as 29 March at 3:30 P.M.) In addition,
this site listed a series of hacking tools that could be used during
these attacks; however, this site also noted that individuals could
use their own tools if they so desired.  The Windows and Unix tools
included scanners and denial of service tools, with some discussions
on buffer overflows and virus attacks.  Targeted ports may include
23, 69, 80, 111, 139, 1433, and 8080.

COMMENT:  In March and April 2002, Chinese hackers conducted cyber
bulletin board planning for a commemorative cyber attack against the
U.S.; however, this attack was cancelled.  During the planning stages
for this commemorative attack, the Chinese hackers decided to split
their collective resources into separate groups; one group was to
conduct vulnerability scanning and another group was to carry out
attacks.  This is very similar to the plans posted in the 17 March
2003 message and may indicate that the cyber attack currently being
planned will be similar to the attacks that were to occur in May
2002.

ANALYST COMMENTS

Since the U.S. and the UK have specifically been mentioned as
targets of these attacks, these cyber attacks may be related to the
war in Iraq and may target U.S. and UK government and DoD information
systems and may occur at any time. However, if these attacks are
commemorative in nature, then the attacks may take place during the
first week of May. 

Previously, it has been considered unlikely that Chinese hacker
groups would instigate or maintain major cyber attacks without the
knowledge and probable acquiescence of the Chinese government. 
Consequently, one of the main indicators used to monitor possible
Chinese hacker activity is the current state of relations between the
U.S. and Chinese governments, which is currently on an upward swing. 
However, recent information indicates dissatisfaction among the
Chinese hacker community over recent Chinese government regulations,
which may be leading to a change in the Chinese hacking landscape. 
Therefore, even though there appears to be an upward trend in U.S.-
China relations, it is possible that Chinese hackers will attack U.S.
government and commercial information systems in spite of the wishes
of the Chinese government.  

Furthermore, prior collaborative attacks planned by the Chinese
hacker community, such as the 1 May 2002 attack, have been preceded
by multiple messages and discussions posted on bulletin boards at
various hacker web sites. The lack of information on other web sites
regarding this activity could be a sign of improved operations
security being practiced by Chinese hackers, as opposed to a lack of
validity for the current activity.

System administrators should be alert for unusual activity and
should make every effort to ensure that the latest security patches
and upgrades have been made to their systems.
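The alert names a handful of ports the scanning group was expected to probe and asks administrators to watch for unusual activity. The following is an added example, not part of the NSIRC alert or the mailing-list post, of the kind of check a campus administrator could run over perimeter firewall logs to surface hosts that touch several of those ports in a scan-like pattern. The log line layout (`<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>`) and the sample lines are constructed for the example; real firewalls use their own formats, so the regular expression would need adjusting.

```python
"""Flag source addresses that probe several of the ports named in the alert.

Added example (not from the mailing-list post or the NSIRC alert).  The
log layout parsed here is an assumed, simplified firewall-log format:
    <timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
"""
import re
from collections import defaultdict

# Ports called out in the alert as likely targets of the scanning group.
WATCHED_PORTS = {23, 69, 80, 111, 139, 1433, 8080}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2003-03-29T07:31:02Z DROP src=198.51.100.7 dst=192.0.2.10 dport=23
2003-03-29T07:31:02Z DROP src=198.51.100.7 dst=192.0.2.10 dport=139
2003-03-29T07:31:03Z DROP src=198.51.100.7 dst=192.0.2.10 dport=1433
2003-03-29T07:31:03Z ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2003-03-29T07:32:10Z ACCEPT src=203.0.113.4 dst=192.0.2.10 dport=80
2003-03-29T07:32:11Z ACCEPT src=203.0.113.4 dst=192.0.2.10 dport=443
2003-03-29T07:33:00Z DROP src=198.51.100.9 dst=192.0.2.11 dport=111
malformed line that the parser must skip rather than crash on
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (so a single bad line cannot abort the run)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_probers(log_text, min_ports=3):
    """Return {src_ip: sorted watched ports touched} for every source that
    contacted at least `min_ports` distinct watched ports.

    A single web visit to port 80 is normal; one host walking 23, 139 and
    1433 in the same minute is the scan-like pattern worth a second look.
    Both ACCEPT and DROP lines count, since a dropped probe still shows
    intent.
    """
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in WATCHED_PORTS:
            touched[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in touched.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_probers(SAMPLE_LOG).items():
        print(f"{src} probed watched ports {ports}")
```

The threshold `min_ports` is the knob that separates ordinary traffic from a port sweep; in the sample, only 198.51.100.7 crosses it, while 203.0.113.4 (plain web browsing) and 198.51.100.9 (a single probe) do not. Lowering the threshold to 1 turns the function into a simple "who touched any watched port" report.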

The Systems and Network Attack Center, C4, has developed
Security Recommendation Guides for Windows XP, 2000, NT, Cisco
Routers, E-mail, Executable Content, and other supporting
documentation.  These guides describe the "best practices" for
securing systems.  These guides can be downloaded from
http://www.nsa.gov/snac/index.html on the Internet or
http://www.iad.nsa.smil.mil/library/html/sec-cfg-guides.cfm on
SIPRNet.  If properly implemented, recommendations in these guides
will help prevent the majority of compromises into government
systems.

FEEDBACK

The National Security Incident Response Center (NSIRC)
would like to know if the information in this report is of value
to your organization.  Your feedback will help us provide the best
information possible in the future, tailored to customer needs. 
Should you have any questions or other comments about this report,
please e-mail the Leadership Team at x72fb () vc di nsa on NSANet or
x72fb () nsa smil mil on SIPRNet or call our office on 968-7851 (NSTS),
244-4881 (DSN), or (410) 854-4881 (CMCL/STU-III).  Please direct 
your technical questions to Ronald Short or Joan Carrier, X72,
968-7851, or email the analyst on SIPRNet at rjshort () nsa smil mil or
jrcarri () nsa smil mil on NSANet at rjshort () vc di nsa or
jrcarri () vc di nsa. Our goal in producing these advisories/alerts is
to make you aware of incidents and vulnerabilities affecting systems
within the government and to help you secure your networks to the
fullest extent possible. Your feedback is a critical part of this
process.  

REPORTING ATTACKS:

Members of the Telecommunications/Information Systems communities,
please report information pertaining to any suspected or confirmed
attacks to ncs () ncs gov, (703)607-4951.

Members of the Federal Government, please report information pertaining
to any suspected or confirmed attacks to FedCIRC () fedcirc gov,
(888)282-0870.

Members of commercial and private sectors please report information
pertaining to any suspected or confirmed attacks to nipc.watch () fbi gov,
(202) 323-3205.


April 02, Associated Press - Thieves take computers containing details on radioactive material. Eight state-owned computers containing details on all of the New Mexico companies that use radioactive material have been stolen, officials said Tuesday. The names, addresses and phone numbers of more than 210 businesses are contained in the stolen computers, along with what radioactive materials each is licensed to have, said Bill Floyd, manager of the state Environment Department's Radiation Control Bureau. Thieves took the eight computer towers from the bureau's office in Santa Fe either Thursday night or early Friday. While the files are legally accessible to the public, anyone seeking them would need to do so under the Freedom of Information Act, Floyd said. He said he believed the culprits were seeking the machines themselves -- not the data in them.
Source: http://www.cnn.com/2003/US/Southwest/04/02/radiation.files.ap/index.html

23. April 01, The Oregonian - Al Qaeda supporters hack into student's Web site. The Web site of a Portland State University graduate student was targeted in a wave of Internet hackings supporting al Qaeda. Files planted in Conrado Salas Cano's personal Web site housed threats against the United States, tributes to the September 11 attacks and purported messages from Osama bin Laden. The FBI reportedly launched an investigation, and some cyberterrorism followers said it resembled attacks by al Neda, the online propaganda unit of al Qaeda. Josh Devon, an analyst at the Search for International Terrorist Entities Institute, said some of the pages contain pictures of guns and bomb-making manuals in Arabic. Specific plans of future attacks aren't on the site, although Devon said it's possible they use code words to communicate attacks. Since losing their domain name last summer, Devon said al Neda has been hacking into various sites around the globe to spread its message. Once the sites are discovered and shut down, a new al Neda site pops up within 48 hours. News of the Web sites, he said, spreads by word of mouth and in Arabic newspapers.
Source: http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1049201902166680.xml

24. April 01, Reuters - Website hoax fans virus panic. A teenager's website hoax about a killer virus that is sweeping Hong Kong sparked panicked food buying and hit financial markets on Tuesday, forcing the government to deny it would isolate the entire territory. "We have no plan to declare Hong Kong an infected area," Director of Health Margaret Chan told reporters. "We have adequate supplies to provide (for) the needs of Hong Kong citizens, and there is no need for any panic run on food." In Hong Kong, 685 people are infected by severe acute respiratory syndrome, also known as SARS, and 16 have died from the virus. The fake website scare fueled dismay in the territory adjoining China's Guangdong province, where the virus is believed to have originated four months ago. The hoaxer copied the format of the public Internet portal of the Mingpao, one of Hong Kong's leading newspapers, and posted a message saying the government would declare the city of seven million "an infected place."
Source: http://www.wired.com/news/medtech/0,1286,58311,00.html

25. March 31, salon.com - Iraq goes offline. U.S. Tomahawk cruise missiles aimed at destroying Saddam Hussein's propaganda machine reportedly destroyed several satellite dishes and an Internet server housed at Iraq's Ministry of Information building Saturday. Local phone service in the city was also reportedly disrupted by separate missile strikes on two telecommunications switching centers. Yet Babil Online, the home page of an Iraqi newspaper run by Saddam Hussein's son Uday, was still reachable following the bombing. Babil Online may have escaped the attacks because of its physical location -- the site appears to be hosted on a server not in Baghdad but in Beirut, Lebanon. Some observers have speculated that the United States left Iraq's Internet infrastructure untouched for the first week of the war in order to maintain communications with potential defectors in the high ranks of Iraq's government and military personnel. But Peter W. Singer, a fellow at the Brookings Institute, said he doubted that preserving Iraq's Internet capabilities was high on the priority lists of U.S. military planners. "Internet access is still limited mostly to elites in the country. The U.S. is mostly concerned about protecting things like water and electricity and bridges," said Singer. He said the mission of Iraq's Information Ministry has been not only to fire up nationalism but also to manipulate world opinion and to raise international protests against the war.
Source: http://www.salon.com/tech/feature/2003/03/31/iraq_offline/index.html

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.