Department of Homeland Security Daily Open Source Infrastructure Report

Friday, December 19, 2008

Complete DHS Daily Report for December 19, 2008

Daily Report


 The U.S. Nuclear Regulatory Commission on Wednesday approved a rule that enhances security requirements for nuclear power reactors. (See item 4)

4. December 17, U.S. Nuclear Regulatory Commission – (National) NRC approves final rule expanding security requirements for nuclear power plants. The U.S. Nuclear Regulatory Commission (NRC) on Wednesday approved a rule that enhances security requirements for nuclear power reactors. Many of the requirements of this rule are similar to those previously imposed by orders issued after the September 11th attacks. Significant features in this rule include a safety/security interface section that requires plants to manage plant activities to avoid potential adverse interactions between security activities and other plant activities. Additionally, there are new sections requiring a comprehensive cyber security program at nuclear power plants, and a requirement that plants develop strategies and response procedures to address an aircraft threat or loss of large areas of the facility due to explosions and fire. New training and qualification requirements for security personnel are also included. The new rule incorporates portions of a petition for rulemaking to require licensees to evaluate whether proposed changes, tests, or experiments cause protection against radiological sabotage to be decreased and, if so, to conduct such actions only with NRC approval. A second petition asked the NRC to require licensees to post at least one armed guard at each entrance to “owner controlled areas.” The final physical security requirements in the new rule give licensees flexibility to determine if such personnel postings are necessary. Source:

 According to the Associated Press, a doctoral student at Lamar University in Texas was charged with making a terroristic threat after allegedly sending an e-mail threatening to violently disrupt Saturday’s commencement ceremony because he was upset about not graduating. (See item 24)

24. December 18, Associated Press – (Texas) Lamar student accused of terror threat. A Lamar University doctoral student was charged with making a terroristic threat after allegedly sending an e-mail threatening to violently disrupt Saturday’s commencement ceremony because he was upset about not graduating. The student was arraigned Thursday on the third-degree felony charge, a Beaumont Police officer said. Investigators said the student denied any involvement in the anonymous e-mail sent to the school’s president and said secretaries in the graduate office were trying to victimize him. The e-mail threatened to place people “in fear of serious bodily injury,” according to the state’s probable cause affidavit. U.S. Marshals on Thursday took the student to a federal courthouse where he now faces arraignment on federal charges that the threat was made using a communication system that crossed state lines. The student was denied graduation because he missed a deadline on his dissertation, said Lamar’s senior associate provost for academic affairs. Source:


Banking and Finance Sector

8. December 18, WDTV 5 Bridgeport – (West Virginia) Bank scam targets texters. A new bank scam in West Virginia is targeting cell phone users. One customer of First Community Bank recently fell victim to the scam. The customer says she had recently activated a new debit card when she received a message on her cell phone that said the bank card had been deactivated and she would need to call a phone number to reactivate it. The customer called the number and entered personal information including the account number and debit card password as she was instructed. A few days later her bank account was wiped out. The customer says she is one of several customers of First Community Bank to be targeted by the scam. Calls made to several local banks indicate that the text messages are popping up all over the state. Belington-based Freedom Bank has also heard reports of a similar scam from its customers. Source:

9. December 17, New York Times – (International) Computer failure closes Toronto Exchange. Canada’s largest exchange, and one of the world’s leading mining exchanges, shut down 18 minutes after opening when it became apparent that only some customers were receiving data about trading. Both the main exchange and the venture exchange for junior listings were closed. While the effective loss of an entire trading session was extraordinary, it is one of a series of technical problems that have plagued the exchange, which converted to all-electronic trading 11 years ago. Several analysts believe that the problems may benefit several alternative exchanges that have appeared over the last year to challenge the 147-year-old Toronto exchange. Late in the afternoon, the exchange, which is owned by the TMX Group, abandoned all hope of reopening. Later it issued a statement promising that the exchange would open on December 18 for regular trading. The exchange did not identify the cause of the problem, at least publicly. But in a series of brief statements, it made it clear that the computers that actually handle trading were not involved. Instead the problem was in a separate system that delivers data about trades to brokers and news organizations. Source:

10. December 16, The Register – (National) American Express web bug exposes card holders. A vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on allows attackers to steal users’ authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said a spokesman of the Holistic Security blog. The spokesman posted the information about American Express after spending more than two weeks trying in vain to get someone inside the company to fix the problem. Source:

Information Technology

27. December 18, SC Magazine – (International) Microsoft releases emergency patch for Internet Explorer. Microsoft has released the emergency security update MS08-078 to patch Internet Explorer. The director of the Microsoft Resource Centre claimed that they had verified that this update meets the quality, deployment, and application compatibility criteria. He described it as a high-quality update that is ready for broad release, and he encouraged customers to test and deploy it as quickly as possible. In a blog posting, he acknowledged claims that the update may be misleading, as it is over 300 distinct updates for over six versions of Internet Explorer that apply to over 50 different languages. He said that despite the huge number of distinct updates, they are all being offered to customers automatically, regardless of their specific Internet Explorer configuration. Source:

28. December 18, Computerworld – (International) Oops! Mozilla forgets Firefox 2 patch, must re-issue update. A “clerical error” by Mozilla omitted one of the security patches that was supposed to be included in the Windows version of December 16’s Firefox 2.0.0.19 release, a company executive said. “We don’t believe users are at risk right now,” said the director of Firefox. He declined to pinpoint the missing patch — one of ten that were to be included in the update — to make it more difficult for attackers to take advantage of the snafu. “I can tell you that it’s not one of the severe vulnerabilities and there are no known exploits for it,” he said. Source:

29. December 16, Softpedia – (International) Four critical Facebook XSS flaws discovered. The XSSed project made public four different cross-site scripting vulnerabilities discovered by individual security researchers. The flaws affect the developers, applications, user registration, and iPhone login pages. One of the project’s founders describes these newly discovered Facebook bugs as being highly critical, because they can be exploited “to infect millions of Facebook members with malware, adware and spyware.” His estimation is warranted by the fact that, according to Alexa, Facebook currently has a global page traffic rank of five, and on average is reached daily by over 12.5 percent of the total number of Internet users. In addition, according to the researchers, three out of four different pages found to be vulnerable were already compromised. The page is the only one not listed as XSSed in the project’s archive. Even though at the time of writing this article the vulnerabilities were not tagged as fixed by the XSSed project, it is very likely that the Facebook staff will deal with them quickly. “Facebook staff usually fixes such flaws promptly,” the founder points out. Source:

Communications Sector

30. December 16, Ars Technica – (National) AT&T, T-Mobile settle over voicemail security advertising. AT&T and T-Mobile have agreed to pay fines to the Los Angeles District Attorney over claims, which turned out to be untrue, that their voicemail systems were secure from hackers. As part of a permanent injunction issued against the two companies last week, AT&T will pay $59,300 while T-Mobile will pay $25,000, and they have also agreed to stop advertising their systems as secure. “Our investigators found that cellular providers who claimed their systems were safe from such sabotage were wrong,” the district attorney said in a statement. “Cell phones purchased by undercover investigators were easily hacked into, enabling the voicemail to be changed at will by use of the spoofing system.” He said that, during a year-long investigation into AT&T and T-Mobile, investigators used TelTech Systems’ SpoofCard to spoof the numbers they were calling from in order to gain unauthorized access to various AT&T and T-Mobile accounts. “Hacking into voicemail allowed messages to be changed or erased,” he added. “Important information could be removed from the voicemail and phony information could be inserted.” Source:

31. December 16, CNN – (District of Columbia) Expect logjam of cell phone calls at Obama inauguration. Hundreds of thousands of Americans are planning to converge on the National Mall on January 20 for the Presidential inauguration. The cellular phone systems around the National Mall will be overloaded if the expected record crowds show up, according to a spokesman for CTIA — The Wireless Association, a nonprofit organization that represents wireless carriers. Sprint and Verizon are two wireless carriers in the D.C.-metro area spending millions of dollars to add capacity to their cell sites ahead of the inauguration. To handle the increased traffic, Sprint is planning to deploy resources usually reserved for hurricanes: COWs and COLTs. The acronyms stand for Cell On Wheels and Cell On Light Truck. The vehicles use satellite and microwave technology and act as mobile cell towers. They are typically deployed to disaster sites when towers get knocked out. For the inauguration, Sprint says it will increase calling capacity. A COLT will be able to handle about 1,500 extra callers, though only 60 calls can go through simultaneously. On Tuesday, Sprint technicians added 30 percent more capacity to one site on top of the World Health Organization building in downtown Washington. A major security concern for the event is the crush of first responders, dignitaries, and police who depend on their mobile phones. First responders will have a priority access code enabling them to get their calls through. Source: