Department of Homeland Security Daily Open Source Infrastructure Report

Friday, October 30, 2009

Complete DHS Daily Report for October 30, 2009

Daily Report

Top Stories

 According to the Associated Press, an oil tanker ran aground off southeastern Puerto Rico after being rerouted because of a massive fuel depot explosion, but did not spill any of its cargo, officials said on October 28. (See Item 1)


1. October 28, Associated Press – (Puerto Rico) Tanker rerouted from fuel depot runs aground in PR. An oil tanker ran aground off southeastern Puerto Rico after being rerouted because of a massive fuel depot explosion, but did not spill any of its cargo, officials said on October 28. The Port Stewart, a Marshall Islands-flagged vessel, got stuck in sand and mud about 3 miles from Yabucoa on Tuesday, the Port Authority director said. Crews secured the tanker and unloaded 136,000 barrels of fuel. The U.S. Coast Guard reported finding no leaks during an inspection of the ship. Arriving from the French Caribbean island of Martinique, the Port Stewart was originally scheduled to unload at the Caribbean Petroleum Corp. in Bayamon, just west of San Juan, where 21 fuel tanks caught fire early Friday and burned for three days, spewing thick toxic smoke across the region. Officials diverted the 570-foot tanker to Shell facilities in Yabucoa. Source: http://www.cnbc.com/id/33509417


 The Washington Post reported that as increasing numbers of children are coming down with swine flu, more parents are facing a shortage of liquid Tamiflu for children. Spot shortages of the liquid form of the antiviral medicine are forcing mothers and fathers to drive from pharmacy to pharmacy, often late into the evening after getting a diagnosis and prescription from a pediatrician, in search of the syrup recommended for the youngest victims of the H1N1 pandemic. (See Item 28)


28. October 29, Washington Post – (National) Tamiflu shortages have parents on wild dose chase. As increasing numbers of children are coming down with swine flu, more parents are facing a shortage of liquid Tamiflu for children. Spot shortages of the liquid form of the antiviral medicine are forcing mothers and fathers to drive from pharmacy to pharmacy, often late into the evening after getting a diagnosis and prescription from a pediatrician, in search of the syrup recommended for the youngest victims of the H1N1 pandemic. The drug can make the flu milder, go away more quickly and may cut the risk of potentially life-threatening complications. The shortages are being caused by a surge in demand because of the second wave of swine flu sweeping the country, combined with a decision by Roche, the Swiss company that makes the medication, to focus on producing it in capsule form. In response, the government has shipped to states hundreds of thousands of five-day courses from the Strategic National Stockpile, which is on standby in case there are disease outbreaks or bioterrorism attacks. Officials have also instructed doctors to suggest that pharmacists mix the powder from capsules with syrup to make a liquid for children if the company’s version is unavailable. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/10/28/AR2009102803823.html?hpid=topnews


Details

Banking and Finance Sector

13. October 29, Washington Post – (National) Credit-rating bill clears committee. A House panel on October 28 voted to tighten controls on credit-rating firms in response to complaints that the firms misjudged the risks of many of the mortgage-related securities that sank financial markets last year. The House Financial Services Committee threw bipartisan support behind a bill that would try to reduce the conflicts of interests at rating firms and make it easier to sue them when they make flawed findings. The three big credit-rating firms — Moody’s, Standard & Poor’s and Fitch Ratings — have faced stinging criticism in the past two years for giving high marks to mortgage-related securities that were backed by subprime or otherwise risky loans, helping instill a false sense of confidence among investors in the investments being sold by banks. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/10/28/AR2009102804731.html


14. October 29, Nashville Tennessean – (Tennessee) Nashville banks report skimming thefts at ATMs. Metro Police believe Nashville bank ATMs have been targeted by an organized skimming operation. So far, 39 people have reported that their ATM cards have been compromised, but investigators said Wednesday that they believe there may be hundreds of victims across the city, most of whom may not even realize their information has been stolen. Police say the suspects, described as three white men with European accents, may have left town. They are believed to be traveling from city to city in groups, staying for two or three days before moving on. Metro Police have contacted agencies in Florida, Georgia and North Carolina that reported similar fraud operations. In Nashville, the suspects were able to steal nearly $30,000 by installing skimmer devices on bank ATMs. When a customer inserts a card into the machine, the skimmer records the card number and the personal identification number. Source: http://www.tennessean.com/article/20091029/NEWS03/910290328/2066/Nashville+banks+report+skimming+thefts+at+ATMs


15. October 28, American Banking News – (National) Consumer Alert: Fake credit unions ripping-off customers with advanced-fee loan scams. A new wave of fake credit unions has been reported promising loans at below-market interest rates. These fake credit unions offer consumers unusually good loan terms and then charge a “processing fee” for the loan application. Once they receive the fee from the customer, they keep it and “deny the loan”; the supposed “credit union” probably does not exist, and there was never any possibility that the consumer would get a loan. One allegedly fraudulent operation was running ads in national newspapers around the country promising that it had money to lend. The Los Angeles Times was one of many newspapers that ended up running the ads. The fake credit union even listed a real address, which turned out to be the street address of a shopping mall. Two state agencies from Michigan and Pennsylvania exposed that particular operation, but similarly minded con artists could still use the same scam to get more money out of victims. Source: http://www.americanbankingnews.com/2009/10/28/consumer-alert-fake-credit-unions-ripping-off-customers-with-advanced-fee-loan-scams/


16. October 28, Dow Jones Newswires – (National) FDIC warns consumers about fraudulent bank closure emails. The FDIC this week issued a consumer alert warning people not to click on links provided in emails alerting customers to bank closures, fraudulently said to be from the FDIC. The links lead to downloadable files containing password-stealing software. “If their bank should happen to fail, there’s absolutely nothing the consumer has to do,” an FDIC spokesman said. The FDIC so far has shut down 106 banks this year—the highest number in any single year since 1992. Source: http://www.nasdaq.com/aspx/stock-market-news-story.aspx?storyid=200910281511dowjonesdjonline000767&title=fdic-warns-consumers-about-fraudulent-bank-closure-emails


Information Technology


35. October 29, Computerworld – (National) Amazon downplays reports of vulnerabilities in its EC2 cloud service. Amazon says it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego. The report described how attackers could search for, locate, and attack specific targets in Amazon’s Elastic Compute Cloud (EC2) because of certain underlying vulnerabilities in the infrastructure. Though the attack described in the report was conducted against Amazon’s infrastructure, the researchers concluded that similar targeted attacks could be carried out in other cloud services as well because the vulnerabilities were generic. In response, an Amazon spokeswoman said on October 28 that the report describes cloud cartography methods that could increase an attacker’s probability of launching a rogue virtual machine (VM) on the same physical server as a specific target VM. What remains unclear, however, is how exactly attackers would be able to use that presence on the same physical server to then attack the target VM, she told Computerworld via e-mail. The research paper itself described how potential attackers could use so-called “side-channel” attacks to try to steal information from a target VM. The researchers argued that a VM sitting on the same physical server as a target VM could monitor shared resources on the server to make highly educated inferences about the target VM. Source: http://www.infoworld.com/d/cloud-computing/amazon-downplays-reports-vulnerabilities-in-its-cloud-service-994
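The “cloud cartography” step mentioned above is the part of the attack that is easiest to illustrate. The researchers launched their own probe instances, recorded each one’s internal IP address together with its availability zone and instance type, and used the resulting map to guess where a target’s address sat, so that a wave of new instances could be launched with matching parameters. The following is an added example written for this digest, not code from Amazon or from the MIT/UCSD paper. The address ranges, zone names and instance types are constructed for the illustration and are not real EC2 allocations; the prefix length and the scoring are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: (internal IP, availability zone, instance type) recorded
# from probe instances the attacker launched. Addresses and labels are made up
# for this example and are not real EC2 allocations.
PROBES = [
    ("10.250.1.17", "zone-a", "m1.small"),
    ("10.250.1.90", "zone-a", "m1.small"),
    ("10.250.1.201", "zone-a", "m1.small"),
    ("10.250.2.8", "zone-a", "m1.large"),
    ("10.250.2.44", "zone-a", "m1.large"),
    ("10.251.7.3", "zone-b", "m1.small"),
    ("10.251.7.120", "zone-b", "m1.small"),
    ("10.251.7.121", "zone-b", "m1.large"),  # one conflicting observation
]


def build_map(probes, prefix_len=24):
    """Group probe observations by /prefix_len network.

    Returns {network: Counter({(zone, type): count})}. Real ranges are not
    guaranteed to be this clean, so the counter keeps mixed prefixes visible.
    """
    cartography = defaultdict(Counter)
    for ip, zone, itype in probes:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        cartography[net][(zone, itype)] += 1
    return cartography


def locate(target_ip, cartography, prefix_len=24):
    """Infer (zone, type) for target_ip from its prefix, with a confidence score.

    Returns ((zone, type), confidence) or (None, 0.0) when the prefix is unmapped.
    Confidence is the share of probes in that prefix carrying the winning label.
    """
    net = ipaddress.ip_network(f"{target_ip}/{prefix_len}", strict=False)
    seen = cartography.get(net)
    if not seen:
        return None, 0.0
    label, count = seen.most_common(1)[0]
    return label, count / sum(seen.values())


def launch_plan(target_ip, cartography, instances=20):
    """Parameters for the wave of instances an attacker would launch to try to
    land on the target's physical host: same zone and type as the target."""
    label, confidence = locate(target_ip, cartography)
    if label is None:
        return None
    zone, itype = label
    return {"zone": zone, "instance_type": itype, "count": instances,
            "confidence": round(confidence, 2)}


if __name__ == "__main__":
    cart = build_map(PROBES)
    print(launch_plan("10.251.7.200", cart))
```

The defensive reading of the same code is that anything which makes internal addressing predictable by zone and instance type (dense, contiguous allocation per pool) is what gives the map its value; a provider that wants to blunt this step randomizes placement relative to the address, and a tenant that cares about co-residence asks for dedicated hardware rather than relying on the scheduler.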


36. October 28, IDG News Service – (National) Twitter warns of new phishing attack. Twitter warned users Tuesday of a new phishing scam on the social networking site. It is the latest in a series of scams that have plagued the site over the past year, designed to trick victims into giving up their user names and passwords. The message reads, “hi. this you on here?” and includes a link to a fake Web site designed to look like a Twitter log-in page. After entering a user name and password, victims land on an empty blogspot page belonging to someone named NetMeg99. Neither of these pages appears to include any type of attack code, but both should be considered untrustworthy, according to a Sophos Technology consultant. Hacked Twitter accounts are a great launching pad for more attacks, he said. “We don’t know precisely what they’re going to do in this case, but often they will send spam messages to advertise a particular site.” Source: http://www.computerworld.com/s/article/9140071/Twitter_warns_of_new_phishing_attack?taxonomyId=17


37. October 28, CNET – (International) Survey: Few companies addressing cyberterrorism. Cyberterrorism is on the rise around the world. But only one-third of companies are tackling it in their disaster recovery plans, says a survey released October 27 by data center association AFCOM. Although the majority (60.9 percent) of companies questioned see cyberterrorism as a threat to be addressed, “AFCOM’s 2009/2010 Data Center Trends” survey found that only 24.8 percent have adopted it in their policies and procedures manuals. Further, only 19.7 percent provide cyberterrorism training to their employees. Around 82 percent do run background checks on new hires. But that still leaves almost 20 percent of all data centers that don’t perform security checks on new employees, even those working directly with personal, financial, and even military records, noted AFCOM. AFCOM noted that over the past five years, 63 percent of all its data center members have seen a dramatic rise in the amount of information they need to store and protect. The report urges data center managers to include cyberterrorism in their disaster recovery and security plans. Source: http://news.cnet.com/8301-1009_3-10385230-83.html?part=rss&subj=news&tag=2547-1_3-0-20


For another story, see item 12 below:


12. October 28, Nextgov – (National) Federal, industry reps call for national standards to report data breaches. The Homeland Security Department should establish a national standard to encourage companies and individuals to report data breaches to federal authorities, helping them gauge the intensity of cyberattacks and investigate cybercrime, security professionals said on October 28. Federal agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team, which is part of DHS. Reporting requirements for companies, however, vary by state. California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone not authorized to view it. Most states have since passed variations of the disclosure law. A national breach notification system is needed because companies and individuals are the main targets for cyber criminals, whose goal typically is to steal credit card information and bank credentials. According to Symantec’s 2008 Internet Security Threat Report, 90 percent of all threats target confidential information that, once stolen, is sold. Consumers are particularly vulnerable to cyberattacks because one in five individuals fails to protect personal information on their computers and 40 percent do not update or patch their operating systems. Symantec also said rogue security software, which relies on scare tactics to fool users into downloading malicious code by posing as legitimate antivirus programs, is on the rise. The company identified 250 such programs and received 43 million reports from customers of installation attempts. Because most cyberattacks focus on individuals and companies, a national standard for breach notification would provide a more accurate picture for security vendors and federal law enforcement agents. Companies are reluctant to report incidents of cyberattacks, fearing that they will be held accountable for the data loss and possibly lose business or be fined. Source: http://www.nextgov.com/nextgov/ng_20091028_3572.php?oref=topnews


Communications Sector

See item 32 below:

32. October 29, New Jersey Star Ledger – (New Jersey) N.J. 911 dispatcher couldn’t pinpoint slain Chatham priest’s call due to glitch in outdated system. Minutes before he was killed, a Chatham, New Jersey man dialed 911 from his cell phone, but help never arrived. The State Police received the call, but the dispatcher was unable to determine the location of the emergency. An investigation into last week’s murder has highlighted a glaring flaw in the state emergency response system. It is not a fault of the police, but of the technology. State officials said dispatchers are sometimes unable to locate a distressed caller using a cell phone. While the state has spent at least $60 million on upgrades in the past five years, outdated phone technology and lagging police equipment — and the occasional glitch — can hamper emergency efforts. Industry experts said cell phones, which are quickly replacing landlines in U.S. homes, are a double-edged sword for emergency management. On one hand, the public can contact police from virtually anywhere on a moment’s notice. On the other hand, cell phones are not tethered to an address like landlines, making it more difficult for police to quickly locate the caller. This failure is critical in a state like New Jersey, where more than half of the 7.5 million 911 calls made last year came from cell phones, a state spokeswoman said. Source: http://www.nj.com/news/index.ssf/2009/10/nj_911_dispatcher_unable_to_de.html

Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, October 29, 2009

Complete DHS Daily Report for October 29, 2009

Daily Report

Top Stories

 According to the Los Angeles Times, high winds were buffeting neighborhoods across Southern California the evening of October 27, knocking down trees and power lines, leaving tens of thousands of people without electricity, kicking up massive clouds of dust and complicating landings for at least three flights at Los Angeles International Airport. (See item 3)


3. October 27, Los Angeles Times – (California) Tens of thousands in Southern California without power as strong winds whip through area. High winds were buffeting neighborhoods across Southern California the evening of October 27, knocking down trees and power lines, leaving tens of thousands of people without electricity, kicking up massive clouds of dust and complicating landings for at least three flights at Los Angeles International Airport. In Los Angeles, 23,100 customers were without power as of 9 p.m. Tuesday, according to the city’s Department of Water and Power (DWP). The DWP serves a total of 1.4 million electricity customers. Among the hardest-hit Los Angeles neighborhoods were Hyde Park, where 3,441 customers were without power, and Northridge, where 2,947 had no electricity, the utility said. The DWP said crews were working to restore power in affected areas. In areas served by Southern California Edison (SCE), about 16,000 customers were without power as trees and wind-blown debris snapped power lines, the utility said. The power outages ranged from beach communities in the South Bay and Orange County to foothill neighborhoods in the San Gabriel Valley. In Huntington Beach, about 4,300 customers had no electricity, and 3,500 more were without lights in Arcadia, said a SCE spokesman, adding that crews were trying to restore power. Source: http://latimesblogs.latimes.com/lanow/2009/10/thousands-in-southern-california-without-power-as-strong-winds-whip-through-area.html


 KGO 7 San Francisco reports that the Bay Bridge in California will be closed indefinitely after several pieces of the bridge fell onto the upper deck during the October 27 evening commute. (See item 20)


20. October 28, KGO 7 San Francisco – (California) Broken cable causes Bay Bridge shutdown. The Bay Bridge will be closed indefinitely after several pieces of the bridge fell onto the upper deck during the Tuesday evening commute. Just after 5:30 p.m., three pieces that were attached to the bridge structure during emergency repairs made over the Labor Day closure broke loose and fell onto the roadway, striking several cars. There were no injuries. Caltrans is investigating what caused the pieces, which were attached to support the cracked eyebar, to break loose. Although there were high winds on Tuesday, it is unclear if that contributed to the incident. A contractor who helped with the Labor Day closure repairs has been contacted to aid in the emergency construction. Drivers were stuck in traffic for two to three hours Tuesday evening. Drivers who were stuck in the Bay Bridge Toll Plaza were given the option of turning around or were escorted across the bridge by the California Highway Patrol. Cars were still being escorted along one lane of the upper deck at 9:15 p.m. Bay Area transit organizations are planning for a heavy commute Wednesday morning. BART will be running longer trains and has called in extra train operators to run extra trains. The Larkspur ferry will be using a high-capacity ferry and the Golden Gate Bridge will have all toll lanes open by 4 a.m. Source: http://abclocal.go.com/kfsn/story?section=news/state&id=7086319


Details

Banking and Finance Sector

14. October 27, New York Times – (National) Bill seeks to shift rescue costs to big banks. The U.S. President’s administration and the head of an important House committee unveiled legislation on October 27 to give the government broad new powers to shift the cost of rescues of big, troubled financial institutions from taxpayers to other large companies. The legislation, drafted jointly by Treasury officials and a Representative who is the head of the House Financial Services Committee, would create a special fund, paid by assessments on financial companies with more than $10 billion in assets, to bear the costs of big firms that fail. A statement by the committee said that the legislation followed a “polluter-pays model where the financial industry has to pay for its mistake, not taxpayers.” Assessments on those companies would be made only after the collapse of a large institution, and the legislation gives the government authority to levy such payments over an extended period. The measure, directed at institutions whose troubles might pose risks to the financial system, would create a powerful financial services oversight council, led by the Treasury secretary and composed of top regulators, to set policy and tougher regulations for the largest companies and mediate disputes between federal agencies. It would also give the Federal Reserve Board a lead role in directly supervising many of the largest financial conglomerates. The legislation would impose new restraints on industrial loan companies, financial institutions owned by commercial enterprises like retailers or manufacturers, and in the future, would not permit any more commercial companies to own banks. Source: http://www.nytimes.com/2009/10/28/us/politics/28regulate.html?_r=1&hp


15. October 27, Bank Info Security – (Ohio) Data storage bins stolen from 3 Ohio bank branches. Police in three Ohio cities are investigating the theft of three large storage bins from bank branches earlier this month. The storage bins were used to store paper waiting to be shredded. The most puzzling part of the theft is how the thief was able to remove the bins, which were reported to weigh more than 500 pounds each. Three branches of the FirstMerit Bank in Streetsboro, Westlake and Elyria, Ohio each reported a bin missing beginning on October 7. One of the three bins contained personal documents of bank customers, said a FirstMerit spokesman. He was uncertain which bin contained the customer documents. The spokesman says the bank is still working to identify how many customers may have had personal information in the bin. The bank has contacted the potentially compromised customers and is working with the police. Source: http://www.bankinfosecurity.com/articles.php?art_id=1884


16. October 27, Courthouse News Service – (National) BofA abetted $37M Ponzi scam, class claims. Bank of America aided and abetted a $37 million Ponzi scheme disguised as an “investment club” called Diamond Ventures, a class action claims in Federal Court. The class claims the bank knew or should have known that a 27-year-old suspect was running a scam. The class claims that if BofA had followed its own policies of discovery, monitoring, tracking and evaluating of financial activities it would have discovered the scam. The suspect allegedly moved more than $37 million through his BofA bank account from April 2006 through December 2008. He held no securities or commodities license, had no management team or employees and no legitimate business model, and his banking activities reflected no investment business or business-generated revenue, only payouts to clients made from new clients’ deposits, a classic Ponzi scheme, according to the complaint. Many of the investors lost their life’s savings. They say BofA facilitated the fraud by allowing offshore wire transfers, commingling of accounts, access to unlicensed trading in foreign exchange markets, and a banking platform that facilitated conversion of investors’ funds. BofA’s “Premier Bankers” authorized wire transfers of more than $700,000 to the suspect’s personal account, according to the complaint, including charges at the MGM Grand Hotel and the Wynn Las Vegas. The suspect allegedly sent a string of deceptive emails to investors in December 2008, blaming payment delays on banking errors, then said he had changed banks, then that the checks were in the mail. Then, according to the complaint, he used his victims’ money to go to Costa Rica, then announced that all of their money had been lost due to the economic crisis. The class wants their money back. Source: http://www.courthousenews.com/2009/10/27/BofA_Abetted_$37M_Ponzi_Scam_Class_Claims.htm


17. October 27, Wicked Local Rockland – (Massachusetts) Suspected bomb found to be harmless, bank robbery investigation continues. A bomb scare occurred on October 27 at East Bridgewater Savings Bank. Police say a package suspected of containing a bomb was found to be of no danger, and have reopened the traffic route around the East Bridgewater Savings Bank, 29 Bedford St. A 5-foot-10-inch white male entered the bank, robbed it of an undisclosed amount of money and left a white shopping bag with a box inside at the base of the counter that officials feared contained a bomb, said the East Bridgewater chief of police. The bank was evacuated at about 10 a.m., and area schools were notified. The state fire marshal’s office, FBI, East Bridgewater Fire Department, and Plymouth County Sheriff’s Office were called to the site. A state fire marshal’s robot was sent into the bank and determined that the bag contained nothing dangerous. The investigation is ongoing. Source: http://www.wickedlocal.com/bridgewatereast/homepage/x1520366550/BREAKING-NEWS-Suspected-bomb-found-to-be-harmless-bank-robbery-investigation-continues


18. October 27, Honolulu Advertiser – (Hawaii) Hawaii Central Credit Union warns of phone scam. Hawaii Central Credit Union is warning the public not to respond to a phone scam in which a caller purporting to be from the credit union seeks confidential information. The scammer has called credit union members and nonmembers saying their account or credit card has been compromised. The caller asks for confidential information to be submitted either verbally or through the phone’s keypad. Credit union officials said the calls are bogus and warned that anyone receiving such a call should not give out any information. Hawaii Central Credit Union never requests confidential information via the telephone, the officials said. Source: http://www.tmcnet.com/usubmit/2009/10/27/4448425.htm


19. October 27, WCBS 2 East Orange – (National) Massive bank phishing scam targets through texts. There is a warning about a new scam that could cost victims big money. It involves text messages claiming to be from Chase, but they are not. When one customer got an urgent text message from his bank he quickly responded. Because the customer had signed up for his bank’s alert system, he called the number and entered his account information. The customer is among countless cell phone users who have been targeted by scam artists. Posing as banks, they send texts trying to snag personal information like bank account numbers and PINs. A spokesman for PricewaterhouseCoopers said the scam is widespread and netting tens of millions of dollars. Source: http://wcbstv.com/technology/bank.text.message.2.1274531.html


For more stories, see items 42 and 43 below in the Communications Sector


Information Technology


38. October 28, CNET – (International) More security breaches hit midsized companies. More midsized companies are being attacked by cybercriminals at the same time they are spending less on security, says a McAfee report released on October 28. Across the world, more than half of the 900 midsized businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said they have seen an increase in security breaches over the past year. Despite the threat, the recession has caused most of these companies to freeze their IT security budgets. McAfee found that the costs of dealing with a security attack can be high. Over the last year, one in five midsized companies surveyed lost $41,000 in sales on average as a result of a breach. In China alone, 38 percent of the businesses questioned lost an average of $85,000 due to an attack. And more than 70 percent believe a serious data breach could put them out of business, noted the report. But as the recession has grown, IT budgets have dropped. Almost 40 percent of the companies trimming their IT security budget plan to limit the purchase of new security products. And more than a third are switching to cheaper security software to cut expenses, even though they realize that may put them at greater risk. “An organization’s level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources,” said the senior vice president of global midmarket for McAfee, in a statement. “But this creates a vicious cycle of breach and repair that costs far more than prevention.” Midsized companies also may underestimate their risk, according to McAfee. Among companies with fewer than 500 employees, more than 90 percent believe they’re protected from cybercriminals and feel they don’t face the same threats that larger firms do. Source: http://news.cnet.com/8301-1009_3-10384916-83.html


39. October 28, Network World – (International) Password reset email is new Facebook virus. Security firm MX Lab said in a blog post on October 27 it has detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation.” According to MX Lab, the From address in the email is shown as “The Facebook Team” (the sender address is spoofed). The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. The part between _ and .zip at the end is chosen randomly and contains letters and numbers. The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at VirusTotal, MX Lab researchers said. According to MX Lab, Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into the legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions). Source: http://www.networkworld.com/news/2009/102809-password-reset-email-is-new.html?hpg1=bn
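The lure in this item has three observable features a mail gateway can act on before any AV engine names the sample: the attachment filename pattern (fixed prefix, random alphanumeric token), a zip that carries a Windows executable, and a display name claiming to be Facebook on an address that is not. The block below is an added example written for this digest, not code from MX Lab or from the article; the zip, the 64-byte MZ stub inside it and the From: header are constructed stand-ins, and the extension list and the brand-matching rule are assumptions.

```python
import io
import posixpath
import re
import zipfile
from email.utils import parseaddr

# Lure filename described in the article: fixed prefix, random alphanumeric
# token, then .zip (the .exe inside uses the same stem).
LURE_NAME = re.compile(r"^Facebook_Password_[0-9a-z]+\.(?:zip|exe)$", re.IGNORECASE)
# Assumed list of extensions Windows will execute directly from a double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
PE_MAGIC = b"MZ"


def inspect_attachment(filename, data):
    """Return a list of finding tags for one attachment (name plus raw bytes)."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append("lure-filename")
    if data.startswith(PE_MAGIC):
        findings.append("pe-executable")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = posixpath.splitext(info.filename)[1].lower()
                with zf.open(info) as member:
                    is_pe = member.read(2) == PE_MAGIC
                if ext in EXEC_EXTENSIONS:
                    findings.append(f"executable-in-zip:{info.filename}")
                elif is_pe:
                    # Extension renamed, but the payload still starts with an MZ header.
                    findings.append(f"disguised-pe-in-zip:{info.filename}")
    return findings


def inspect_sender(from_header, claimed_domain="facebook.com"):
    """Flag a From: whose display name claims a brand the address does not belong to."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = claimed_domain.split(".")[0]
    legitimate = domain == claimed_domain or domain.endswith("." + claimed_domain)
    if brand in name.lower() and not legitimate:
        return "spoofed-display-name"
    return None


def build_sample():
    """Constructed stand-in for the attachment: a zip holding a 64-byte MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.exe", PE_MAGIC + b"\x00" * 62)
    return "Facebook_Password_4cf91.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample()
    print(name, inspect_attachment(name, data))
    print(inspect_sender('"The Facebook Team" <noreply@example.net>'))
```

The filename rule is the brittle one (the next campaign will change the prefix); the executable-in-zip and MZ-header checks are the ones worth keeping, since they catch the delivery mechanism regardless of the lure text.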


40. October 27, The Register – (International) Free Microsoft security tool locks down buggy apps. Microsoft has released a free tool designed to harden software applications against attacks that exploit common security vulnerabilities. EMET, short for Enhanced Mitigation Evaluation Toolkit, allows developers and administrators to add specific security protections to applications. Unlike mitigations released in the past, EMET doesn’t require programs to be recompiled, so it can be used to fortify applications even when the source code isn’t available. EMET also allows specific mitigations to be applied to a particular application process, a granularity that helps when a given process is not compatible with a given control. Over the past few years, developers have increasingly focused on adding measures to their applications that make it harder for attackers to exploit vulnerabilities. The approach makes a lot of sense given the inevitability of buffer overflows and other garden-variety vulnerabilities in complex software. Rather than trying to weed out such bugs, mitigations aim to neutralize their harmful effects. At the moment, EMET ships with just four mitigations: SEHOP, which prevents many structured exception handling exploits; DEP, or data execution prevention, which marks certain parts of process memory as non-executable; NULL page allocation, designed to block NULL dereference exploits in user mode; and heap spray allocation, which pre-allocates certain memory addresses to make it harder for attackers to predict the location of malicious payloads. Microsoft plans to add new protections to EMET over time. Source: http://www.theregister.co.uk/2009/10/27/microsoft_security_tool/


41. October 27, ComputerWorld – (International) Mozilla fixes 16 flaws with Firefox 3.5.4. Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4. The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines. “Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in some of the advisories outlining the most serious flaws. Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical. The disparity between the two versions’ patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in MFSA-2009-63 that required upgrades of the “liboggz,” “libvorbis,” and “liboggplay” open-source media libraries. Three of the four vulnerabilities spelled out in MFSA-2009-64 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable or unwilling to patch the browser. Only one of the four engine crashes impacts Firefox 3.0. Mozilla rated three of the 16 vulnerabilities as “moderate,” the second-from-the-bottom ranking in its four-step system, and two as “low,” its least serious rating. Source: http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firefox_3.5.4


For another story, see item 28 below from the Government Facilities Sector


28. October 28, New York Times – (National) Old trick threatens the newest weapons. Despite a six-year effort to build trusted computer chips for military systems, the Pentagon now manufactures in secure facilities run by American companies only about 2 percent of the more than $3.5 billion of integrated circuits bought annually for use in military gear. That shortfall is viewed with concern by current and former United States military and intelligence agency executives who argue that the menace of so-called Trojan horses hidden in equipment circuitry is among the most severe threats the nation faces in the event of a war in which communications and weaponry rely on computer technology. As advanced systems like aircraft, missiles and radars have become dependent on their computing capabilities, the specter of subversion causing weapons to fail in times of crisis, or secretly corrupting crucial data, has come to haunt military planners. The problem has grown more severe as most American semiconductor manufacturing plants have moved offshore. Only one-fifth of all computer chips are now made in the United States, and just one-quarter of the chips based on the most advanced technologies are built here, I.B.M. executives say. That has led the Pentagon and the National Security Agency to expand significantly the number of American plants authorized to manufacture chips for the Pentagon’s Trusted Foundry program. Despite the increases, semiconductor industry executives and Pentagon officials say, the United States lacks the ability to fulfill the capacity requirements needed to manufacture computer chips for classified systems. Source: http://www.hstoday.us/content/view/10831/189/


Communications Sector

42. October 28, IDG News Service – (National) Internet phone systems: The latest entry point for cybercriminals. Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S. In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords. The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim’s bank accounts. Hackers made headlines for breaking into phone company systems more than 20 years ago — a practice that was known as phreaking — but as the traditional telephone system has become integrated with the Internet, it’s creating new opportunities for fraud that are only just beginning to be understood. VoIP (voice over Internet Protocol) hacking is “a new frontier in the crossover world of telecom and cyber [crime],” said the assistant U.S. attorney for the district of New Jersey. “It is an ongoing threat and a serious threat that companies need to be worried about.” Attacks on one of the most popular VoIP systems, called Asterisk, are now “endemic,” said an individual who works for the product’s creator, Digium, as open-source community director. “It’s like stealing a baseball bat to break into a car. The first step is to break into Asterisk.” Asterisk hacking began evolving from a fairly “low-level problem” into a much more serious issue around September of 2008, when easy-to-use tools were first published. With these tools, it can be pretty easy to hack a VoIP system by hitting the server designed to connect traffic from the office’s local area network to a network provider such as AT&T, which connects the calls to the rest of the world. Source: http://www.infoworld.com/d/security-central/internet-phone-systems-latest-entry-point-cybercriminals-853


43. October 26, Reuters – (National) SEC and Homeland Security need web backup, GAO says. Securities exchanges have a sound network back-up if a severe pandemic keeps people home and clogging the Internet, but the Homeland Security Department has done little planning, Congressional investigators said on October 26. The department does not even have a plan to start work on the issue, the General Accountability Office said. But the Homeland Security Department accused the GAO of having unrealistic expectations of how the Internet could be managed if millions began to telework from home at the same time as bored or sick schoolchildren were playing online. Many companies and government offices hope to keep operations going as much as possible with teleworking using the Internet. Among the many problems posed by this idea, however, is the issue of bandwidth — especially the “last mile” between a user’s home and central cable systems. “Such network congestion could prevent staff from broker-dealers and other securities market participants from teleworking during a pandemic,” reads the GAO report. “The Department of Homeland Security is responsible for ensuring that critical telecommunications infrastructure is protected.” Private Internet providers might need government authorization to block popular websites, it said, or to reduce residential transmission speeds to make way for commerce. The Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, a group of private-sector firms and financial trade associations, has been working to ensure that trading could continue if big exchanges had to close because of the risk of disease transmission. “Because the key securities exchanges and clearing organizations generally use proprietary networks that bypass the public Internet, their ability to execute and process trades should not be. Source: http://www.reuters.com/article/newsOne/idUSN2620750120091026


For another story, see item 5 from the Energy Sector below

5. October 27, IDG News Services – (National) Smart-grid money could assist broadband. The U.S. President on October 27 unveiled $3.4 billion in grants to update the nation’s electrical grid, but the benefits could reach to the broadband sector as well, one community broadband adviser said. The announcement of so-called smart-grid grants to 49 states is focused on creating a more efficient and reliable electric system in the U.S. However, the backbone of the smart grid, which uses digital technology to deliver electricity and control use, will be an Internet Protocol-based network, and the result could mean new broadband deployment in some areas, said a broadband analyst and president of consulting firm Successful.com. The money for the smart-grid deployments comes from the American Recovery and Reinvestment Act, a $787 billion economic stimulus package passed by the U.S. Congress in February. The legislation included $11 billion for smart-grid projects, and also included $7.2 billion for broadband deployment to rural and other unserved areas. The smart grid will include a smart-meter monitoring device paired with electricity meters at buildings. That device will collect data on energy use, as well as control many of the electrical appliances in the building, he said. Those devices will need to connect back to the electric utility through an IP network. With that in mind, smart grid and broadband applicants can work together, or piggyback on each other’s networks, he said. Source: http://www.computerworld.com/s/article/9139986/Smart_grid_money_could_assist_broadband