Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, July 1, 2008

Daily Report

• Alltech opened a state-of-the-art Center for Animal Nutrigenomics and Applied Animal Nutrition at its corporate headquarters in Kentucky. Researchers will analyze the health and performance status of livestock and the best nutritional interventions for peak production potential. (See item 18)

• The Federal Emergency Management Agency reports that hundreds of levees must be certified as sound over the next few years in order to be registered on government flood maps that are being updated. (See item 40)

Banking and Finance Sector

10. June 29, ZDNet – (National) HSBC sites vulnerable to XSS flaws, could aid phishing attacks. Domains owned by HSBC Holdings plc are vulnerable to cross-site scripting (XSS) flaws that could easily be used to aid a phishing attack. Multiple XSS vulnerabilities on bank web sites can clearly have serious consequences. Scammers can register domains and set up fake bank web sites in a few minutes, and with the help of bulk e-mailers they can phish sensitive personal data from thousands of unsuspecting web users. To target HSBC’s e-banking customers, all they have to do is register a suspicious-looking domain such as hscsbc.com, which is currently available, and serve a phishing page from it. Source: http://blogs.zdnet.com/security/?p=1365
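The item above turns on a lookalike domain (hscsbc.com) standing in for a bank's real one. As an added example, not code from the report or from ZDNet, the following check flags candidate domains that are visually or by edit distance close to a brand's legitimate domains; the brand domain list, the confusable-character table and the candidate domains are constructed assumptions.

```python
# Added example, not code from the DHS report or the ZDNet post it summarises:
# a defender-side check that flags domains which could be mistaken for a bank's
# legitimate domain, such as the "hscsbc.com" lookalike the item describes.
# The brand domains and the candidate list are constructed for illustration.

LEGIT_DOMAINS = ["hsbc.com", "hsbc.co.uk"]  # assumed brand domains to protect

# Visual substitutions commonly used in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold confusable characters so visually similar labels compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def registrable_label(domain: str) -> str:
    """Return the second-level label ('hscsbc' for 'www.hscsbc.com')."""
    parts = domain.lower().strip(".").split(".")
    # Minimal public-suffix handling: 'co.uk'-style suffixes occupy two labels.
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net", "ac"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, threshold: int = 2) -> dict:
    """Classify a domain as legitimate, lookalike or unrelated to the brand."""
    host = domain.lower().strip(".")
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return {"domain": domain, "verdict": "legitimate", "nearest": legit, "distance": 0}
    label = normalize(registrable_label(host))
    best = min(LEGIT_DOMAINS, key=lambda d: levenshtein(label, registrable_label(d)))
    target = registrable_label(best)
    distance = levenshtein(label, target)
    # A close edit distance (hscsbc vs hsbc) or the brand embedded in a longer
    # label (hsbc-secure-login) both warrant review. Short brand labels match
    # many unrelated names at distance 2, so tune the threshold per brand.
    verdict = "lookalike" if distance <= threshold or target in label else "unrelated"
    return {"domain": domain, "verdict": verdict, "nearest": best, "distance": distance}


if __name__ == "__main__":
    # Constructed candidates, e.g. taken from a new-registration or CT log feed.
    for cand in ["hsbc.com", "www.hsbc.co.uk", "hscsbc.com", "h5bc.com",
                 "hsbc-secure-login.net", "example.org"]:
        print(assess(cand))
```

Hits from such a check are a queue for human review and takedown requests, not an automatic block list.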

11. June 28, 13 Orlando – (Florida) Online e-mail scams. Two new scams are creating a lot of problems. The first claims to come from Bank of America, uses official-looking letterhead, and contains links that connect to genuine Bank of America sites. The e-mail explains why you received it, even though Bank of America says it does not send unsolicited e-mails. It also carries the privacy and secure-message notice assuring you that your account information is safe; again, these are copies pasted from the real Bank of America site to look official. Neither Bank of America nor any other bank ever asks for personal information over the Internet. If you click on the reply link and fill in the blanks, your account information will be stolen. The latest scam says a person has money and wants to send it to you. This time the e-mail claims to come from a U.S. Army sergeant who has found $8 million of Saddam’s money in barrels outside Saddam’s old palace. His brother-in-law was killed by a roadside bomb, and a dying British medical doctor gave him the package of money. He has survived two suicide bomb attacks and has been shot and wounded. He can get the money home to the U.S. and split it with you if you just contact him as soon as possible. Source: http://www.cfnews13.com/Technology/YourTechnology/2008/6/28/online_email_scams.html

Information Technology


33. June 30, The Baltic Times – (International) Hackers place Soviet symbols on hundreds of websites. Foreign hackers broke into more than 300 Lithuanian websites and covered them with former Soviet symbols. The majority of the websites were hosted on the servers of Hostex (formerly known as Microlink), the chief expert of the networks and information security department at the Communications Regulatory Authority (RRT) told BNS. “It seems to be a planned attack. Yet we cannot tell as yet which country it comes from,” he said. The head of the RRT networks and information security department told a public radio station that the attackers mostly targeted the websites of private companies. While the Lithuanian head of the Cabinet assures that state institutions are prepared for potential cyber attacks, the hackers also broke into the webpage of the ruling Social Democrat party, chaired by the prime minister himself. Russian text filled with swear words was displayed, with the flag of the former Soviet Union in the background, on the official website of the Lithuanian Social Democrat party. An analogous break-in with the same text and the same symbols took place Saturday morning on the official website of the Chief Official Ethics Commission. The Communications Regulatory Authority said Saturday it has no information on who might have broken into the commission’s website and defaced it. Source: http://www.baltictimes.com/news/articles/20723/


34. June 27, Wired Blogs – (National) Hacker launches botnet attack via P2P software. A 19-year-old hacker has agreed to plead guilty to masterminding a botnet that obtained thousands of victims’ personal data, in an anonymous scheme a federal cybercrime official described Friday as the nation’s first such attack in which peer-to-peer software was the “infection point.” The defendant launched the assault last year from his Cheyenne, Wyoming residence and anonymously controlled as many as 15,000 computers at a time, said the chief of the Cyber and Intellectual Property Crimes Section for federal prosecutors in Los Angeles. As part of the deal, under which a judge could hand him up to five years’ imprisonment, the defendant has agreed to pay $73,000 in restitution, the government said. “It’s the first time that we know of that peer-to-peer software was used as the infection point,” the cyber chief said in an interview with Threat Level. The malware infection became commonly known as the Nugache Worm, which embedded itself in the Windows OS. According to the plea agreement, the worm was installed in various ways. “All of the data stored on the compromised machines would be available to defendant, including, but not limited to, credit card information,” according to the plea agreement. The agreement also said that he took control of his victims’ financial accounts. Source: http://blog.wired.com/27bstroke6/2008/06/hacker-launches.html


Communications Sector

35. June 30, Computerworld – (International) NEC, Tyco plan Japan-U.S. cable. NEC Corp., based in Tokyo, and Tyco Telecommunications, based in Morristown, New Jersey, announced last week that they have begun joint planning work on the Unity undersea high-speed fiber-optic link between the U.S. and Japan. The $300 million effort is funded by Google Inc., Bharti Airtel in New Delhi, Global Transit Communications in Kuala Lumpur, KDDI Corp. in Tokyo, Pacnet Internet in Singapore, and Singapore Telecommunications Ltd. The cable will initially contain dual optical-fiber cables for both primary service and backup. It will link Chikura, located off the Japanese coast near Tokyo, to Los Angeles and other sites on the West Coast. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=321299&taxonomyId=16


36. June 27, SC Magazine – (National) Researchers reveal VoIP vulnerabilities. VoIPshield Laboratories has alerted companies that market voice over internet protocol (VoIP) systems to new security vulnerabilities. If successfully exploited, VoIP vulnerabilities could affect brand reputation, internal productivity, and competitive advantage, researchers said. VoIPshield does not reveal specifics about the vulnerabilities to the public, VoIPshield Laboratories’ chief technology officer told SCMagazineUS.com on Friday. “We don’t want to give hackers information to work from,” he said. Instead, under its disclosure policy, VoIPshield works with VoIP vendors to help them reproduce the vulnerabilities in their own labs. VoIPshield classifies the vulnerabilities into categories (remote code execution, unauthorized access, denial of service, and information harvesting) and rates them according to their severity. By passing on its vulnerability research, the company said, it hopes vendors will be able to take action and create patches before potential exploits appear. Avaya, Cisco, and Nortel have acknowledged the latest vulnerabilities on their websites and are issuing their own security advisories. VoIP vulnerabilities appear to be increasing because more security researchers are focused on finding them, a Gartner representative told SCMagazineUS.com. “Three to four years ago, there was far less focus on IP telephony vulnerabilities because the IP telephony installed base was much smaller,” he said. “In 2008, most of the widely deployed telephony systems have vulnerabilities that permit DoS attacks, privilege escalation and code execution attacks.” Source: http://www.scmagazineus.com/VoIPshield-reveals-VoIP-vulnerabilities/article/111918/

Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 30, 2008

Daily Report

• According to the Wall Street Journal, the National Transportation Safety Board’s call for retrofitting planes with fuel-tank designs, like those that exploded in TWA Flight 800, has been bogged down for more than a decade inside the Federal Aviation Administration. (See item 17)

• KVAL 13 Eugene reports that Oregon authorities are tightening security in Eugene in preparation for the Olympic trials. Authorities are setting up metal detectors and using bomb-sniffing dogs to check vehicles and garbage receptacles, and 60 armed officers will be stationed inside the venue. (See item 41)

Banking and Finance Sector

14. June 27, Computerworld – (National) Web firewalls trumping other options as PCI deadline nears. Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts. The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS). Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications. The controls have been a recommended best practice for nearly two years now, but starting June 30, they will become a mandatory requirement under PCI – especially for so-called Level 1 companies that handle more than 6 million payment card transactions a year. Under the requirement (PCI Section 6.6), merchants can choose to implement a specialized firewall to protect their Web applications, or to perform an automated or manual application code review and fix any flaws found. Companies also have the option of performing either a manual or an automated vulnerability assessment scan of their Web application environment, fixing any problems that are discovered during that process. The 6.6 requirement is designed to address growing concerns about vulnerable Web applications being exploited by malicious attackers to compromise payment data. The controls are supposed to protect Web applications from common threats like SQL injection attacks, buffer overflows and cross-site scripting vulnerabilities. As with almost every other major PCI deadline so far, though, few companies are expected to be fully compliant with the PCI 6.6 requirement come June 30. But analysts say the companies that are compliant or heading in that direction appear to be favoring the Web firewall option. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9104118&source=rss_news10

15. June 26, Dark Reading – (National) Hacking the call center. The contact center mostly has been forgotten as a potential point of breach – even though customer service representatives take credit card numbers and outsourced help desk workers have access to your databases. That all soon could change. The Payment Card Initiative (PCI), for instance, also applies to call centers that handle credit card data, so PCI is driving a new generation of security tools that encrypt voice call recordings of phone transactions. RSA’s encryption technology, for instance, is now used to encrypt audio recordings handled by call center software vendor Verint Witness Actionable Solutions’ call recording applications. Even so, not all call centers are tuned into PCI, especially the smaller organizations. “We still find a real lack of awareness in the contact center community about PCI,” says the director of solutions marketing for Verint, who says it is mostly the company’s largest call center customers that have been asking about PCI. Verint’s software records calls in the centers. “Because that data is in an unstructured format – a Wave file, for example – companies are just starting to realize that it becomes an area of potential liability for them,” she says. Other products are emerging that come with a “blackout button” feature that prevents the credit-card number from being recorded on the call and thus not stored at the call center, for example. But credit card information is not the only exposure risk at these sites. Outsourcing-based call centers for IT and help desk support pose even more security problems. “This is a bigger and often more overlooked area, where PCI is not an issue. Credit card numbers aren’t involved, but a major issue is they have access to or a copy of your customer database,” says the vice president and research fellow at Gartner. “And many call centers that are outsourced use shared services. The same IT infrastructure that supports you is supporting” other organizations. Source: http://www.darkreading.com/document.asp?doc_id=157627

16. June 26, Finextra.com – (International) Toronto police bust ATM skimming gang. Police in Toronto have busted a sophisticated ATM skimming ring that used a network of ‘debit card laboratories’ to defraud bank customers of hundreds of thousands of dollars. The swoop on the Toronto crime ring followed a six-week surveillance operation and resulted in the arrest of eight local people. The gang used portable card skimmers to capture customer data at the cash machine for later download and transfer to counterfeit cards. The police raid on “two sophisticated labs” netted $120,000 cash and led to the arrest of eight suspects. Computers, skimmers, card-readers, moulding machines, embossers, tippers, counterfeit cards, cameras, overlays and valances, tools, and two-way communications devices were also seized. Theft and counterfeiting of payment cards have been a growing problem for the Canadian banking industry, which is making a gradual transition to chip-based technology. Police say over $100 million was lost to this type of activity in 2007, affecting 159,000 card holders. Source: http://finextra.com/fullstory.asp?id=18650

Information Technology

36. June 27, Financial – (National) Press Release: Leading IT vendors establish forum to drive global security response excellence and innovation. On June 26, five leading information technology vendors announced the creation of the Industry Consortium for Advancement of Security on the Internet (ICASI), a nonprofit organization that will enhance global IT security by proactively driving excellence and innovation in security response. Founded by Cisco, International Business Machines, Intel Corporation, Juniper Networks, and Microsoft Corp., ICASI provides a unique forum for global companies committed to proactively addressing complex, multi-product security threats and to better protecting enterprises, governments, and citizens, as well as the critical IT infrastructures that support them. According to Intel, the increasing sophistication of attacks and the integration of applications, now common in IT environments, pose real challenges for IT vendors. Online attacks occur more frequently and in more rapid succession, while often spanning international boundaries. To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers’ behalf. ICASI aims to fill this void. ICASI does not seek to respond to every product security issue that emerges, but rather the consortium is designed to respond to and ideally reduce the potential customer impact of global, multi-vendor cyber threats. Source: http://finchannel.com/index.php?option=com_content&task=view&id=15867&Itemid=10

37. June 26, ZDNet Blogs – (International) ICANN and IANA’s domains hijacked by Turkish hacking group. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket’s domain on June 18. ICANN is responsible for the global coordination of the Internet’s system of unique identifiers, which include domain names as well as the addresses used in a variety of Internet protocols. IANA is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. NetDevilz left the following message on all of the domains: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group).” The following domains were hijacked, and some of them still return the defaced page: icann.net, icann.com, iana-servers.com, internetassignednumbersauthority.com, and iana.com. The hackers are once again redirecting visitors to Atspace.com, 82.197.131.106 in particular, the ISP that they used in the Photobucket DNS hijacking. The NetDevilz group seems to be using a very effective approach to hijacking domain names, and while they declined to respond to an e-mail from Zone-H asking how they did it, speculation about a cross-site scripting or cross-site request forgery vulnerability has already begun. Source: http://blogs.zdnet.com/security/?p=1356

Communications Sector

38. June 27, ars technica – (National) NYPD, cities slam FCC Block D public safety network dream. The emergency managers of key city agencies are weighing in on that troublesome chunk of the 700MHz spectrum reserved for public safety – the D Block – telling the Federal Communications Commission that they cannot wait for a lost cause. “The NYPD’s opinion, reinforced by conversations with commercial wireless carriers, is that there is simply no business case for a commercial wireless network operator to build a nationwide network that will meet public safety coverage and survivability standards,” the deputy chief and commanding officer of the New York City Police Department wrote to the FCC. The FCC received the statement on June 19. When the 700 MHz auction ended in mid-March, no bidder offered the FCC’s minimum asking price for the block. An FCC audit of the D Block failure concluded that the plan had been loaded with too many expectations and uncertain variables. Now the FCC is running a new proceeding on how to redo the D Block auction, but NYPD says the plan just will not work. “Although public safety and commercial networks may share technology, they do not share the same mission,” the agency wrote. “Conflicts of interest arise that cannot be ignored. Public safety agencies require a robust network that will remain operational during virtually any circumstance; however, commercial network operators are motivated by commercial priorities to build networks that meet commercial requirements.” NYPD notes that the FCC’s first D Block scenario did not require the auction winner to build out a public safety band network in areas where it did not deploy its commercial system, thus making it “extremely unlikely that they would deploy their network in unprofitable rural or remote areas.” NYPD proposes that the FCC simply assign portions of the D Block to local or regional public safety agencies. The department has already contracted with Northrop Grumman to build a broadband public safety data network on 2.5GHz leased spectrum, and expects to have the operation running by the end of the year. Source: http://arstechnica.com/news.ars/post/20080627-nypd-cities-slam-fcc-block-d-public-safety-network-dream.html


39. June 26, Associated Press – (National) Wireless hospital systems can disrupt med devices. Wireless systems used by many hospitals to keep track of medical equipment can cause potentially deadly breakdowns in lifesaving devices, such as breathing and dialysis machines, researchers reported Tuesday in a study that warned hospitals to conduct safety tests. Electromagnetic glitches occurred in almost 30 percent of the tests when microchip devices similar to those in many types of wireless medical equipment were placed within about one foot of the lifesaving machines. Nearly 20 percent of the cases involved hazardous malfunctions that would probably harm patients. Some of the microchip-based “smart” systems are touted as improving patient safety, but a Dutch study of equipment – without the patients – suggests the systems could actually cause harm. A U.S. patient-safety expert said the study “is of urgent significance” and said hospitals should respond immediately to the “disturbing” results. The wireless systems send out radio waves that can interfere with equipment such as respirators, external pacemakers, and kidney dialysis machines, according to the study. Researchers discovered the problem in 123 tests they performed in an intensive-care unit at an Amsterdam hospital. Patients were not using the equipment at the time. Source: http://www.mobile-tech-today.com/story.xhtml?story_id=60469