Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 4, 2008

Complete DHS Daily Report for August 4, 2008

Daily Report

• According to WCPO 9 Cincinnati, Federal Aviation Administration statistics show a significant jump in runway incursions nationwide this year over last. (See item 15)

• The Associated Press reports that the Indiana National Guard is notifying nearly 600 soldiers who served in Iraq that they may have drunk water tainted with a carcinogen at an Iraqi treatment plant. Sodium dichromate was used at the Basra facility as a corrosion inhibitor in water. (See item 23)

Banking and Finance Sector

11. August 1, Boston Globe – (National) State charges Merrill with investor fraud. Massachusetts regulators yesterday charged Merrill Lynch & Co. with fraud and unethical conduct in the sales of auction-rate securities, alleging that the Wall Street firm pressured research analysts to publish misleading reports on the investments and failed to warn customers about the risks in the market. The secretary of state says Merrill kept pushing auction-rate debt aggressively, even as executives knew the market could fail. The complaint, filed by the Secretary of State’s office, cites e-mails from Merrill Lynch management urging research staff to write positive reviews of the securities - which brokers at many firms were selling as safe alternatives to money market funds, right up until the auction-rate market collapsed in mid-February. The state said Merrill sold about $95 million in auction-rate securities to 165 Commonwealth investors in January and February, even as executives knew the market could fail. Merrill defended its research practices and denied wrongdoing. Merrill says its brokers did know the risks of auction-rate securities, saying “they believed they were good investments for clients willing to trade some liquidity for higher return.” Source:

Information Technology

28. August 1, Information Week – (National) Most security breaches go unreported. More than 89 percent of security incidents went unreported in 2007, according to a survey of about 300 attendees at this year’s RSA Conference. Security incidents, as defined by the study, represent “an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address.” Some of the security incidents, such as the e-mail-borne malware and phishing that affected 69 percent of respondents’ companies, may not have led to serious consequences in every instance. But 29 percent of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16 percent reported intellectual property theft. The findings echo a recent study of over 500 data breach forensic investigations conducted by Verizon Business Security Solutions. According to Verizon’s vice president of investigative response, the publicly reported breaches are “just the tip of iceberg.” He said that less than five percent of the more than 500 cases covered in the Verizon study involved some form of disclosure. In short, companies appear to be far more insecure than they acknowledge. Source:

29. July 31, IDG News Service – (National) A photo that can steal your Facebook account. At the Black Hat computer security conference in Las Vegas next week researchers will demonstrate software they have developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google. The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites. They call this type of file a graphics interchange format java archive (GIFAR). At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack. The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos or even Because GIFARs are opened by Java, they can be opened in many types of browsers. However, the victim would have to be logged into the Web site that is hosting the image for the attack to work. Source:
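The GIFAR item above describes a file that one parser reads as an image and another reads as a Java archive. The following is an added example, not code from the original report or from the researchers it describes: a Python check, assumed to run on a server that accepts user-uploaded images, that walks the GIF block structure to find where the image actually ends, then rejects an upload that carries trailing bytes or a ZIP/JAR end-of-central-directory record (the structure a Java runtime uses to locate an archive). The minimal GIF and the appended archive are constructed here as test fixtures.

```python
import io
import zipfile

# Constructed sample: a minimal 1x1 GIF89a (43 bytes).
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"      # header + logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"                # 2-entry global colour table
    b"!\xf9\x04\x01\x00\x00\x00\x00"           # graphic control extension
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    b"\x02\x02D\x01\x00"                       # LZW min code size + one data sub-block
    b";"                                       # GIF trailer
)

def _build_zip() -> bytes:
    """Constructed sample archive (one harmless text member) for the hybrid fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample member")
    return buf.getvalue()

# Constructed hybrid fixture: image bytes first, archive bytes after the GIF trailer.
HYBRID_UPLOAD = CLEAN_GIF + _build_zip()

def _skip_sub_blocks(data: bytes, pos: int):
    """Advance past a chain of length-prefixed sub-blocks; None if the chain is truncated."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None

def gif_end_offset(data: bytes):
    """Return the offset just past the GIF trailer (0x3B) by walking the block structure,
    or None if the bytes are not a well-formed GIF."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    packed = data[10]
    pos = 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                     # trailer: the image ends here
            return pos + 1
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                   # image descriptor
            if pos + 10 > len(data):
                return None
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:           # local colour table present
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            return None
        if pos is None:
            return None
    return None

def check_gif_upload(data: bytes) -> dict:
    """Defender-side check: flag bytes after the GIF trailer and any ZIP/JAR
    end-of-central-directory record, which is how Java locates an archive."""
    end = gif_end_offset(data)
    findings = []
    if end is None:
        findings.append("not a well-formed GIF")
    elif end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after GIF trailer")
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings.append("ZIP/JAR end-of-central-directory record present")
    return {"ok": not findings, "gif_end": end, "findings": findings}

def sanitize_gif(data: bytes) -> bytes:
    """Keep only the bytes up to and including the GIF trailer."""
    end = gif_end_offset(data)
    if end is None:
        raise ValueError("not a well-formed GIF")
    return data[:end]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("hybrid", HYBRID_UPLOAD)):
        print(label, check_gif_upload(blob))
```

Truncating at the trailer, as `sanitize_gif` does, is the smallest useful mitigation; re-encoding every uploaded image through an image library discards anything that is not pixel data and is the stronger option. The report's note that the victim must be logged in to the hosting site is the other half of the defence: content users upload should be served from a host that carries none of the application's session credentials.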

30. July 31, Computerworld – (National) Researcher reveals Twitter ‘follow’ bug. Attackers can exploit a bug in Twitter to force victims to follow the hacker’s account, a security researcher said Thursday. According to one researcher, the Twitter vulnerability could expose users to malware-hosting Web sites. “It can force people to follow you, which means all your twits will be showed in their Twitter home page -- including potentially malicious links,” he said. An attacker can currently leverage the bug by tricking users into clicking on a link on a malicious or hacked Web site. From that point, the victim’s Twitter account is automatically set to follow the attacker’s. On Twitter, “following” another means receiving all updates, or “tweets,” sent by the other user. Those tweets are collected and displayed on the following user’s Twitter home page, or on their phone or in their instant messaging client. This Twitter bug is the newer of a pair that the researcher has found on the service. Last week, he reported another vulnerability that allowed spammers and phishers to send e-mails that included links to malicious sites to other Twitter users. Twitter patched that flaw today. Source:

Communications Sector

31. July 31, CNet News – (National) House committee moves to ban in-flight cell phone use. A House of Representatives committee voted to ban in-flight cell phone use permanently. By a voice vote, the House Transportation and Infrastructure Committee passed the Halting Airplane Noise to Give Us Peace (Hang Up) Act, which was introduced earlier this year. The legislation, which now moves to the full House for consideration, would prohibit “voice communications using communications devices on scheduled flights,” with exceptions for flight crew members and a federal law enforcement officer acting in an official capacity. In-flight texting, Wi-Fi, and e-mail on airplanes would not be affected. In the past few years, the federal government has not looked kindly on in-flight calling. The Federal Communications Commission, with support from the Federal Aviation Administration, already bans in-flight cell phone use, but the agency has the power to revisit the issue at any time. The “Hang Up” act, however, would write the prohibition into federal law. Source: