Department of Homeland Security Daily Open Source Infrastructure Report

Friday, September 12, 2008

Headlines

• Reuters reports that a U.S. senator has asked the Energy Department to revoke a recent order authorizing energy companies to continue exporting liquefied natural gas (LNG) from Kenai, Alaska, to Japan and other Pacific Rim markets. The senator said those Alaskan supplies need to stay in the U.S. market because of a forecast for higher winter prices for natural gas. (See item 2)

2. September 9, Reuters – (National) Senator wants to stop Alaskan gas exports to Japan. A U.S. senator has asked the Energy Department to revoke a recent order authorizing energy companies to continue exporting liquefied natural gas (LNG) from Kenai, Alaska, to Japan and other Pacific Rim markets. The department approved a request this summer from ConocoPhillips and Marathon Oil for authority to export up to 98.1 billion cubic feet of natural gas to Japan and other Pacific Rim countries through March 2011. The senator said that with Americans forecast to pay 22 percent more for natural gas to heat their homes this winter, those Alaskan supplies need to stay in the U.S. market. The senator said there are new LNG import terminals along the West Coast that could receive the LNG. The amount of Alaskan LNG that would be exported is enough to heat 1.4 million American homes a year, according to the senator. Under federal law, any company that wants to export LNG must first obtain Energy Department permission to ensure the export would not harm U.S. energy supplies. The department has said allowing the LNG exports to continue “will not be inconsistent with the public interest.” Source: http://www.reuters.com/article/rbssEnergyNews/idUSN0932191020080909?pageNumber=1&virtualBrandChannel=0

• According to the Washington Post, a panel of aviation safety experts said that the Federal Aviation Administration should audit information it receives from airlines on safety and maintenance issues to ensure its accuracy. The FAA relies heavily on self-reported data from airlines to spot trends that could lead to mechanical failures or plane crashes. (See item 14)

14. September 11, Washington Post – (National) FAA told to audit airline safety data for accuracy. The Federal Aviation Administration (FAA) should audit information it receives from airlines on safety and maintenance issues to ensure its accuracy, a panel of aviation safety experts said Wednesday. The U.S. Transportation Department secretary asked an outside panel earlier this year to review FAA safety policies in the wake of blistering criticism from Congress and the department’s inspector general that the FAA had grown too cozy with air carriers. The FAA relies heavily on self-reported data from airlines to spot trends that could lead to mechanical failures or plane crashes. Panel members said they supported the FAA’s strategy of working closely with airlines on maintenance and safety issues, citing the approach as integral to the nation’s aviation safety system. The panel made 13 recommendations for changes at the agency, including implementing the audits, more training of inspectors, and more consistency in inspection rules. The acting FAA administrator said the agency would work “full throttle” to implement the changes. Source: http://www.washingtonpost.com/wp-dyn/content/article/2008/09/10/AR2008091003499.html

Details

Banking and Finance Sector


11. September 11, Bloomberg – (National) Fed may expand funding aid to banks in a ‘Mother of Year-Ends.’ The Federal Reserve may have to increase the cash it provides to banks and brokers, already a record, to help them balance their books at the end of the year. Six bank failures in the past two months and rising concern about Lehman Brothers Holdings Inc.’s capital levels pushed lenders’ borrowing costs to near a four-month high Wednesday. They may climb further as companies rush for cash to settle trades and buttress their balance sheets at year-end. One option is for banks and brokers to increase the loans they take out directly with the Fed; the central bank reports on the figures Wednesday. Officials could also offer options on its biweekly loan auctions or introduce special repurchase agreements to straddle the end of the year, economists said. Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=aavHtPEY4aCc&refer=home


12. September 10, Connecticut Post – (Connecticut) Data theft scheme affects 28,000 in state. The personal information of more than 28,000 Connecticut residents was stolen from Countrywide Home Loan computers and sold. The theft of data about more than two million people who applied to Countrywide for mortgages between July 2006 and July 2008 is unlike other recent data losses, the Connecticut attorney general said Wednesday, because there is no doubt the information is not just missing. “It was sold, we know that. We don’t know precisely who bought it,” he said, calling the loss “extraordinarily frightening,” because it definitely came about through criminal activity. Last month, the Federal Bureau of Investigation in Los Angeles arrested two men – one a former Countrywide employee – on charges related to the illegal sale of the data. According to the official, a minimum of 28,123 Connecticut residents are among those whose data were allegedly downloaded. Source: http://www.connpost.com/ci_10431496


13. September 10, Phoenix Business Journal – (National) Countrywide Financial alerts customers to security breach. Countrywide Financial Corp. is notifying mortgage holders in Arizona and other states regarding a possible security breach. The Federal Bureau of Investigation (FBI) arrested a former Countrywide employee in August for the alleged sale of personal and financial data belonging to the California-based company’s customers. The FBI contends the culprit sold consumer data for as much as $70,000. Source: http://www.bizjournals.com/phoenix/stories/2008/09/08/daily34.html


Information Technology


39. September 11, Register – (National) CookieMonster nabs user creds from secure sites. Websites used for email, banking, e-commerce, and other sensitive applications just got even less secure with the release of a new tool that siphons users’ authentication credentials – even when they are sent through supposedly secure channels. Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim’s browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user’s browsing session is encrypted from start to finish using the secure sockets layer protocol. The vulnerability stems from website developers’ failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that is exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and the browser sends the authentication cookie. For now, CookieMonster is in the hands of only about 225 security professionals. In the next couple weeks, the creator of CookieMonster plans to make it generally available. He has listed some two-dozen sites that are vulnerable. Source: http://www.theregister.co.uk/2008/09/11/cookiemonstor_rampage/
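
Added example (not part of the original report and not code from the CookieMonster tool): a Python check a site operator could run over Set-Cookie response headers to find authentication cookies that lack the Secure attribute, the developer failure item 39 describes. The cookie-name pattern and the sample headers are constructed assumptions.

```python
import re

# Assumption: cookie names that suggest a session or authentication cookie.
AUTH_NAME = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)

# Constructed sample Set-Cookie values, not captured from any real site.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",              # auth cookie, no Secure
    "auth_token=xyz; Path=/; SECURE; HttpOnly",        # attribute names are case-insensitive
    "theme=secure-dark; Path=/",                       # not an auth cookie
    "login_sid=secure; Domain=.example.test; Path=/",  # "secure" is the value, not an attribute
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Names of auth-looking cookies a browser may also send over plain http."""
    missing = []
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        # Only the attribute list counts; a cookie *value* of "secure" does not.
        if AUTH_NAME.search(name) and "secure" not in attrs:
            missing.append(name)
    return missing


def add_secure(header_value):
    """Return the header with the Secure attribute appended if it is absent."""
    _, _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print("auth cookie without Secure:", cookie_name)
    print(add_secure(SAMPLE_HEADERS[0]))
```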


40. September 10, Dark Reading – (National) ‘Password recovery’ services may be hackers for hire. Services that promise to help find lost passwords may make their living by cracking the passwords of others, says the chief security strategist at IBM’s Internet Security Systems unit. Webmail services such as Gmail and Hotmail are widely used as a quick, low-cost alternative to more sophisticated email services offered by ISPs or corporations. But Webmail accounts are not particularly secure, he warns. For between $300 and $600, a hacker can find a full suite of Webmail cracking tools on the Internet, complete with the ability to do brute-force “guessing” of simple passwords and enhanced tools for penetrating the CAPTCHA authentication methods used on Webmail services, he notes. CAPTCHA-breaking methods have become so effective that for about $100, the service provider can not only promise to give you the password to a specific Webmail account, but it can also promise to give you subsequent passwords if the legitimate owner should change passwords. There is not much that users can do to protect themselves from these hack-for-hire services, he says. “The best thing you can do is to use strong passwords,” he says. It would be difficult for any company to set a policy against using Webmail services, he says. “Your best bet is to educate your users about the vulnerabilities of these services, and discourage them from using their Webmail accounts for transmitting company information or other sensitive data,” he says. Users also should stay away from the services themselves, many of which are based in Russia or southeast Asia and can be recognized by the stilted English grammar in their service descriptions, he notes. Source: http://www.darkreading.com/document.asp?doc_id=163471&WT.svl=news1_1


Communications Sector

41. September 11, Computerworld – (National) Wireless operators seek faster review of cell tower proposals. Wireless network operators are pushing for faster consideration of cell tower construction applications in the U.S., urging that reviews be finished in 75 days. The CTIA, which represents the major carriers, wants state and local regulatory bodies to make more timely cell tower decisions because of a sizable backlog of construction applications and a clear desire by many customers to have more cellular network coverage and reliability, said the vice president of regulatory affairs at the CTIA. He said a survey of carriers showed that 760 applications have taken more than a year to review, with half that number of applications under review for more than three years. The commissioner of the Federal Communications Commission (FCC) said the federal government and the FCC have no right to tell states and local communities whether to build a tower in a certain location, but the FCC has a directive from Congress to provide cellular access to Americans in a timely manner. He said the FCC can regulate the amount of power generated by a cell tower, adding, “but as for health problems, there’s no proof of this.” Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114458&intsrc=hm_list

42. September 10, Computerworld – (National) Yahoo expands Blueprint for mobile apps. Yahoo Inc. announced Wednesday at the CTIA trade show that it has expanded Blueprint, a mobile development platform, to allow developers to build applications for mobile devices running Java, Windows Mobile, and Symbian operating systems. Blueprint was previously available to create mobile widgets for Yahoo Go, a mobile application that first appeared two years ago. The executive vice president of Yahoo Connected Life said Blueprint, which is available for free, allows a developer to write once and have an application run across many devices and operating systems to reach billions of users. As such, Yahoo is expecting its services and advertising system to be available for all kinds of devices globally, he added. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=11&articleId=9114440&intsrc=hm_topic

Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, September 11, 2008

Headlines

• The Associated Press reports that a GAO report has found that many of the nation’s largest and most seriously deficient bridges are not getting fixed because the federal Highway Bridge Program is unfocused and lacks sufficient standards. (See item 12)

12. September 9, Associated Press – (National) Bridge repair program unfocused, says GAO. Many of the nation’s largest and most seriously deficient bridges are not getting fixed because a federal program funding bridge repairs is unfocused and lacks sufficient standards, congressional investigators say. The Highway Bridge Program that provided more than $4 billion to states last year has become so broad that “nearly any bridge” is potentially eligible for federal aid, according to a draft of a Government Accountability Office report being released Wednesday. The number of structurally deficient bridges in the U.S. decreased 22 percent between 1998 and 2007 — from 93,118 to 73,519. But most improvements have been to locally owned and rural bridges rather than the largest bridges in urban areas that carry the most people and goods, the report said. The Federal Highway Administration, which administers the program, said in a statement that the agency has “long cautioned that Congress’ insistence on establishing over 100 federal transportation programs presents states with needless overlaps, conflicting guidance and cumbersome process requirements. That is why we have called on Congress to significantly reduce the number of federal programs so states can be provided with clearer direction on how to ensure that crucial infrastructure needs are fully met.” GAO’s managing director for infrastructure issues and author of the report said in testimony prepared for a hearing Wednesday by the Senate Environment and Public Works Committee that often “the largest and most critical bridges ... are too expensive to be funded.” Source: http://ap.google.com/article/ALeqM5jnoQyupGB7NfNAh3chG95lNEUqVQD933HMVO0

• According to the Associated Press, New York officials announced Tuesday that city hot lines are now able to receive photos and video from computers and cell phones. While hundreds of cities accept text messages to emergency hot lines, New York is believed to be the first with the capability to accept images. (See item 29)

29. September 9, Associated Press – (New York) NYC hot lines accept videos, cell phone pictures. New York officials announced Tuesday that city hot lines are now able to receive photos and video from computers and cell phones. Callers to the city’s 911 and non-emergency 311 lines will now be able to send in photos and video to report crimes and complain about quality-of-life problems like uncollected garbage. While hundreds of cities accept text messages to emergency hot lines, New York is believed to be the first with the capability to accept images, officials said. By next year, photos sent by bystanders will be made available to patrol cars, and pictures could even be used as evidence in prosecutions, officials said. More than 12,000 new computers have been installed in precincts around the city; technology in radio cars has been improved; and the department is better able to share information. It took about 18 months to develop the image software, which cost about $250,000, city officials said. Source: http://ap.google.com/article/ALeqM5iXFr7QairkKlM8LvPKoLJOn2t3eQD933EMJG0

Details

Banking and Finance Sector


9. September 10, Israel News – (International) Police shut down giant con operation. The Tel Aviv, Israel, District Police Fraud Unit arrested 10 people on Tuesday, on suspicion of conning American citizens out of $2 million. The suspects were charged with fraud, forgery, conspiracy to commit a crime and false representation. The Tel Aviv District Police Fraud Unit has been conducting a widespread investigation into the alleged sting. During the course of the investigation, police officers have been able to trace the suspects’ activities back to a Ramat Gan office, believed to be the base of operation. The suspects allegedly called thousands of US citizens, most of them elderly, presented themselves as lawyers and said they were calling to inform them that they had won the lottery. In order to collect the prize money, they told victims, they would be required to pay $10,000 in taxes. The victims in most cases agreed to wire the money to a bank account set up by the con artist. The con was discovered after several of the victims pressed charges with their local police departments. Those local investigations eventually led to the discovery of the Israeli connection, at which point, the Tel Aviv District Police became involved. Source: http://www.ynetnews.com/articles/0,7340,L-3594632,00.html


10. September 9, WALA 10 Mobile – (Florida) Attorney General urges credit and debit activity monitoring. Florida’s attorney general issued a consumer alert Tuesday following a significant loss of data from the Bank of New York Mellon Shareholder Services. More than 742,000 Florida residents may have had their personal data disclosed as a result, out of a total of 12.5 million consumers nationwide whose data was involved in the breach. The attorney general cautioned consumers who are or have been clients of BNY Mellon to closely review their accounts for unauthorized charges and monitor their bank and credit card statements. All consumers who have received a notification from BNY Mellon should promptly review bank statements and transactions to check for unusual activity and report fraudulent charges to banks or credit card issuers for investigation, reversal, or card re-issuance. Source: http://www.myfoxgulfcoast.com/myfox/pages/News/Detail?contentId=7393750&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.1.1


11. September 9, Associated Press – (National) Billions to be shared by Enron shareholders. Enron Corp. shareholders and investors will split about $7 billion from financial institutions accused of participating in the fraud that caused the once-mighty energy company to collapse. The settlement amount was listed at $7.2 billion, a sum that has been accruing interest since 2002 and includes $688 million plus interest in attorneys fees. The deal, approved late Monday by a U.S. District Judge, and the attorneys fees are the largest in history in a U.S. securities fraud case. About 1.5 million individuals and entities will be eligible to share in the distribution under the settlement plan. Besides the University of California, other plaintiffs who will share in the proceeds include pension plans from New York City and Hawaii, various investment firms and the Archdiocese of Milwaukee. The distribution plan was part of a $40 billion lawsuit filed by shareholders and investors, who claim Bank of America, JPMorgan Chase & Co., Citigroup and others participated in the accounting fraud that led to Enron’s downfall. Source: http://ap.google.com/article/ALeqM5hdE7khcb30E48EoMCNifVBa9-hngD933GEUG0


Information Technology


30. September 9, Computerworld – (International) Microsoft patches 8 critical bugs in Windows, Office. Microsoft Corp. Tuesday patched eight vulnerabilities, all rated critical, in four security updates for Windows, Office, Windows Media Player, Internet Explorer 6, SQL Server, and other programs. Unlike last month, when Microsoft issued 12 bulletins that fixed 26 flaws, Tuesday’s patched vulnerabilities did not include any that have already been exploited in the wild. The update in that bulletin, highlighted by Storms and other experts as the one most crucial to apply immediately, fixes a total of five vulnerabilities in the Graphics Device Interface (GDI+) component of Windows. GDI+ debuted in Windows XP and is a core part of Windows Vista and the current server-side operating systems, Windows Server 2003, and Windows Server 2008. Hackers could exploit the GDI+ bugs by sending specially-crafted image files in a variety of formats, including EMF, GIF, WMF, and BMP, to a user via e-mail or by convincing users to visit sites that contain malicious image files. By triggering the vulnerabilities, attackers could then follow up with additional malware to hijack a system or steal data. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114368&intsrc=hm_list


Communications Sector


31. September 9, KING 5 Seattle – (Washington) Verizon adds cable, internet service to Puget Sound. Verizon is planning to add cable and internet service in the Puget Sound area in Washington. Verizon workers are laying fiber optic cables directly into people’s homes for its new service FiOS. The company claims it is creating a better experience for internet and cable customers and creating competition with Comcast. The move is a blow to Comcast’s dominance in the local market. Verizon said it has laid fiber optic lines to 75,000 homes in northern King County and most of Snohomish County and plans to add 50,000 more in those areas by the end of the year. There are no plans to bring the network to Seattle because of the city’s contract with Qwest. Source: http://www.nwcn.com/business/stories/NW_090908WAB_verizon_fios_TP.5e33eee9.html


32. September 9, Forbes – (International) Google, HSBC offer cheap Internet. Google and HSBC launched a plan Tuesday to provide a cheap and fast Internet connection to three billion people in an area from Spain to South Africa, a move to bridge the digital divide between developed and emerging markets. Google has joined forces with the bank and cable operator Liberty Global to back a group called O3b Networks, which stands for the “other 3 billion” people who do not have access. It will provide high-speed backhaul for telecoms operators and Internet providers, which can then sell services to businesses and consumers. The project, which is expected to cost $650 million until the launch, intends to offer fiber-optic performance over at least 16 satellites to parts of the world where Internet access is limited or not commercially viable. Source: http://www.forbes.com/markets/2008/09/09/hsbc-google-internet-markets-equity-cx_je_0909markets18.html