Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 16, 2009

Complete DHS Daily Report for September 16, 2009

Daily Report

Top Stories

According to Computerworld, the U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. (See item 3)

3. September 14, Computerworld – (National) DHS to review report on vulnerability in West Coast power grid. The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. A network analyst at China’s Dalian University of Technology used publicly available information to model how the West Coast power grid and its component subnetworks are connected. He and a colleague then investigated how a major outage in one subnetwork would affect adjacent subnetworks, according to an article in New Scientist. The aim of the research was to study potential weak spots on the West Coast grid, where an outage on one subnetwork would result in a cascading failure across the entire network. A cascading failure occurs when an outage on one network causes an adjacent network to become overloaded, triggering a similar set of failures across the entire network. The massive blackouts in the Northeast in August 2003, which affected about 50 million people, were the result of such a cascading failure. His research was expected to show that an outage in a heavily loaded network would result in smaller surrounding networks becoming overwhelmed and causing cascading blackouts. Instead, what the research showed was that under certain conditions, an attacker targeting a lightly loaded subnetwork would be able to cause far more of the grid to trip and fail, New Scientist reported, quoting the researcher. The New Scientist article (paid subscription required) does not describe his research or any further details of the attack. His report, which appears to have been largely overlooked until the publication of the New Scientist article last week, was completed last November and has been available online since March. 
A spokesman for DHS’s science and technology directorate said DHS has not reviewed the research but is “very interested in the findings.” In an e-mailed comment, the spokesman said DHS is working on a “self-limiting, high-temperature superconductor” technology that is designed to prevent power surges in one network from affecting surrounding networks. The so-called inherently fault current limiting superconductor technology is part of the DHS’s Resilient Electric Grid project. Source:

An investigation by the New York Times has found that an estimated one in 10 Americans have been exposed to drinking water that contains dangerous chemicals or fails to meet a federal health benchmark in other ways. (See item 18)

18. September 14, Water Technology Online – (National) Contaminated water drunk by 1 in 10 Americans: NY Times. An estimated one in 10 Americans have been exposed to drinking water that contains dangerous chemicals or fails to meet a federal health benchmark in other ways, an investigation by The New York Times has found. “Those exposures include carcinogens in the tap water of major American cities and unsafe chemicals in drinking-water wells. Wells, which are not typically regulated by the Safe Drinking Water Act, are more likely to contain contaminants than municipal water systems,” the report said. It notes that many who consume dangerous chemicals through their drinking water do not realize it because “most of today’s water pollution has no scent or taste.” The Times said its research included the review of “hundreds of thousands of water pollution records” from all 50 states and the US Environmental Protection Agency (EPA) obtained through Freedom of Information Act requests, as well as from more than 250 interviews with state and federal regulators, water-systems managers, environmental advocates and scientists. The Times compiled a national database of water pollution violations “that is more comprehensive than those maintained by states or the EPA,” the report said. The Times says its research shows that 40 percent of the nation’s community water systems violated the Safe Drinking Water Act at least once last year. “Those violations ranged from failing to maintain proper paperwork to allowing carcinogens into tap water. More than 23 million people received drinking water from municipal systems that violated a health-based standard,” the report said. The Times reported that the federal Clean Water Act, a water pollution-control law passed in 1972, has been violated more than 506,000 times since 2004, by more than 23,000 companies and other facilities, according to reports submitted by polluters themselves. 
“Companies sometimes test what they are dumping only once a quarter, so the actual number of days when they broke the law is often far higher. And some companies illegally avoid reporting their emissions, say officials, so infractions go unrecorded,” according to the report. Source:


Banking and Finance Sector

10. September 15, Bloomberg – (International) Alberta men collected C$400 million in Ponzi scheme, Globe says. The two Alberta men charged with allegedly defrauding as many as 3,000 investors in a Ponzi scheme may have raised as much as C$400 million ($368.3 million), the Globe and Mail reported. The Royal Canadian Mounted Police charged the pair on September 14 with fraud over C$5,000 and theft over C$5,000, the newspaper said. None of the allegations have been proven in court. A firm that the police say was controlled by one of the suspects is also linked to an alleged tax fraud that affected seven National Football League players, the Globe said. Source:

11. September 15, Courthouse News Service – (National) Investors say bank abetted Ponzi scam. Former clients and creditors of bankrupt Summit Accommodators say Umpqua Bank loaned Summit millions of dollars to help it continue a $30 million Ponzi scheme, and that Umpqua knew about the scam. The bankruptcy trustee overseeing the defunct firm filed a similar lawsuit in June. The lead plaintiff says Summit Accommodators owners spent 13 years funneling millions from Summit’s bank accounts to affiliate Inland Capital before the company went bankrupt in 2008. Two more conspirators joined Summit as quarter-owners in 2006, according to the complaint. The owners allegedly embezzled from Inland and spent the money on themselves, causing liquidity problems that left Summit unable to pay its bills. That is when the owners started their Ponzi scheme, bringing in new investors to pay off the old ones, according to the complaint. In 2007, the owners “described in great detail all relevant aspects of their Ponzi scheme and embezzlement” to Umpqua’s CEO and then-President during a pitch to get a loan or equity investment from the bank, the lawsuit states. Umpqua granted Summit substantial loans despite its knowledge of Summit’s Ponzi scheme, according to the complaint. It allegedly encouraged Summit to shift all of its business to Umpqua, facilitating the exchange of millions because of the large fees it earned on Summit’s deposit base. Source:

12. September 14, KMTR 16 Springfield – (Oregon) Bank robbery suspect dies of wounds. Officers responded to a holdup alarm at Key Bank in Eugene, Lane County around 5:15 p.m. on September 11. When they arrived in the area, the suspect fired a weapon at an officer who returned fire, according to a Eugene police spokesperson. There were reports that the suspect carried a bomb into the bank. Police say a suspicious device was found inside the bank, but it was later determined to be a “hoax” device. Source:

Information Technology

29. September 15, The Register – (International) Malware lingers months on infected PCs. Malware stays around on infected PCs far longer than previously thought, according to the latest research from Trend Micro. Previous estimates suggested that a compromised machine remains infected for approximately six weeks. Based on an analysis of around 100 million compromised IPs, Trend Micro concludes that many infected IPs are infected (or repeatedly infected) for more than two years, with a median infection length of 300 days. Four in five compromised machines are infected for more than a month. A graph from Trend Micro suggests that if systems are not disinfected quickly then infection tends to linger around indefinitely, possibly until the point users exchange compromised boxes for new machines. Trend’s study also looked at the botnet landscape. Three strains of botnet agent — Koobface, Zeus/Zbot and Ilomo/Clampi — are causing the most damage in terms of identity theft. The Koobface botnet, for example, has co-opted around 51,000 machines into its ranks. Koobface uses between five and six command and control centers (C&C) to control these zombie clients at any one time. If a particular control domain is taken down by a particular provider, then botnet herders behind the malware establish a new command outpost elsewhere. Between the middle of March and mid-August 2009, Trend Micro recorded around 46 Koobface control domains. Source:

30. September 14, eWeek – (International) Microsoft backports Windows 7 security change to XP, Vista. Microsoft has backported changes to its AutoRun and AutoPlay features to Windows Vista and Windows XP to help users fight malware that spreads via USB devices. Microsoft made the change in Windows 7 earlier in 2009 to stop the spread of the infamous Conficker worm, which was taking advantage of the functionality to silently jump from PC to PC. With the change, Windows will no longer display the AutoRun task in the AutoPlay dialog except for removable optical media such as CDs and DVDs. The functionality was made available for XP, Vista, and Windows Server 2003 and 2008 on August 25. The decision to make the change followed the well-publicized growth of malware spreading via USB devices during the past couple of years. In fact, a report by Symantec found that self-copying to removable media was among the most common means of malware propagation in the second half of 2007. “McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames and other consumer electronics,” the director of security research at McAfee Avert Labs blogged in January. “This trend will continue due to the almost unregulated use of flash storage [devices] across enterprise environments as well as their popularity among consumers.” Source:

31. September 14, CSO – (International) New Facebook scam targets ‘Fan Check’ application. While incidents of identity theft, phishing attacks and other schemes that take place on Facebook have been well documented, it turns out the latest scam simply uses the popular social networking site as a scapegoat while leading users to outside malicious sites. Last week, rumors swirled around Facebook that a new application known as “Fan Check” was infecting users with a virus. The story spread as many users updated their status to read: “The FAN CHECK Application is a VIRUS that takes 48 hours to kick in. Even if you are tagged in a photo the virus still attacks you. Please inform all you friends and remove/delete the applications ASAP. Copy and paste this as your status so word gets around quickly.” However, according to several security firms, including United Kingdom-based Sophos, it is not the Fan Check application that is the problem; the so-called “removal kits” being hawked by hackers are the real danger. As rumor of the alleged Fan Check virus made the rounds, the term skyrocketed in popularity on Google and other search engines. As a Sophos blogger notes, hackers have set up several malicious sites that prompt users to purchase fake anti-virus software. The sites, which users reach through their search engine results, “display bogus warnings about the security of your computer in an attempt to get you to install fraudulent software and cough up your credit card details,” according to the blogger. Source:

32. September 14, The Register – (International) FreeBSD bug grants local root access. A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems. The bug in FreeBSD’s kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, an independent security consultant in Poland told The Register. It affects versions 6.0 through 6.4 of the operating system, the last two of which enjoy wide use and continue to be supported by the FreeBSD Foundation. Versions 7.1 and beyond are not vulnerable. Those exploiting the bug must first have local access to a vulnerable system, either as a legitimate user or by exploiting some other flaw (say, a vulnerable PHP script) that gives an attacker a toehold into the targeted system. The consultant said the vulnerability is trivial to exploit. The bug is the result of a race condition in the FreeBSD kqueue that leads to a NULL pointer dereference in kernel mode. Attackers can cause vulnerable systems to run malware by placing the code in a memory page mapped at address 0x0. The consultant said he notified FreeBSD officials on August 29 and has yet to get a response. A FreeBSD Core Team member told The Register that it appeared the email had gotten “lost in the slew” and he expected an advisory to be issued soon. Source:

Communications Sector

33. September 14, KSTU 13 Salt Lake City – (Utah) Lightning causes all Utah networks to go off-air, except Fox 13. Almost all the major broadcast television networks in Utah went dark on September 13, except FOX 13. DTV Utah, a group of stations that banded together to share the cost of a broadcast tower on Farnsworth Peak, was hit by lightning on September 13 at about 8:15 p.m. A piece of equipment took the brunt of the hit, knocking all of the stations that use that tower off the air. DTV Utah houses eight broadcast stations. The FOX 13 facility is about 300 feet to the south and independent, meaning that FOX 13 was able to stay on the air when the other stations went out. The outage lasted about an hour. Some stations powered back up before others. All the other stations are back up to full power after going into a lower power mode on September 14 while crews fixed the problem. Source:,0,2130985.story
