Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 27, 2009



 The Boston Globe reports that the Massachusetts Department of Public Utilities, reacting to concerns raised after three gas explosions in recent months, announced Wednesday it would review the 12 explosions that have occurred in the state during the past five years. (See item 2)

2. February 25, Boston Globe – (Massachusetts) State regulators to probe gas explosions. Reacting to concerns raised after three gas explosions in recent months, the state Department of Public Utilities announced on February 25 that it would review all the explosions that have occurred in the state during the past five years. The department’s review is intended “to make sure that there isn’t some sort of pattern that we should be concerned about,” said a spokesman for the state’s Executive Office of Energy and Environmental Affairs, which oversees the DPU. He stressed the department has no reason to believe right now that there is a pattern. But the decision comes as authorities investigate three explosions that have killed two people and seriously injured another person over the last three months. (A fourth explosion that officials suspected was caused by gas killed a man this week in Manchester, New Hampshire.) The incidents should serve as “warning flags” for officials to seriously look at the state’s gas infrastructure, as the roughly 20,000 miles of pipeline are aging and in need of repair, a director of analysis at the MIT Energy Initiative told the Globe last week after an explosion killed a woman and her dog in Somerset. The state has seen a total of 12 gas explosions over the past five years, beginning with an explosion in Sudbury January 13, 2004. Source:

 According to Computerworld, the U.S. Federal Communications Commission may fine 600 operators for failing to properly file annual reports proving that they protect customer data. (See item 32)

See Communications Sector below for details.


Banking and Finance Sector

9. February 25, Reuters – (Connecticut) U.S. money managers accused of $550 mln fraud. Two money managers who oversaw investments for Carnegie Mellon University and other institutions were arrested on February 25 on charges of running an estimated $550 million, decade-long swindle. The managing general partners of broker-dealer WG Trading Co., with main offices in Greenwich, Connecticut, were charged by U.S. prosecutors with conspiracy, securities fraud and wire fraud. The pair is accused of using client money as “their personal piggy-bank” to fund lavish lifestyles, according to the U.S. Securities and Exchange Commission. The SEC and the Commodity Futures Trading Commission brought civil charges against the men and their companies, which also include WG Trading Investors LP and investment adviser Westridge Capital Management Inc in Santa Barbara, California. The SEC obtained a court-imposed asset freeze against the men and their affiliated entities. Source:

10. February 25, Reuters – (National) FDIC says U.S. bank deposits robust, to raise premiums. U.S. banking regulators are not pursuing nationalization of troubled institutions struggling to shed toxic assets from their balance sheets, the chairman of the Federal Deposit Insurance Corp (FDIC) said on February 25. “Nationalization means different things for different people but nationalization is not the route we’re pursuing now,” the FDIC chairman told reporters after speaking to a group of bankers in New York. The chairman and other U.S. regulators are crafting a rescue package to help banks regain their footing by injecting capital, enticing private investors to buy bad assets and aiding millions of borrowers who have lost, or are facing losing, their homes. The FDIC is slated to release industry earnings and other financial data for the fourth quarter soon. Many expect bleak financial results, but the one bright spot could be a growth in deposits, indicating consumer confidence. “It’s been a tough quarter,” the chairman told the bankers. She, however, told them some good news. “Deposit growth was robust,” the chairman said. “Insured deposits are stable.” Source:

Information Technology

29. February 26, Apple Insider – (International) New phishing scam targets MobileMe users. In another attempt to con MobileMe users into providing their credit card information, a scammer has sent out spam spoofed to appear to come from Apple, which directs users to a fake site designed to look like Apple’s. Users who follow the email link and enter their information on the poorly formatted, fake Apple Web page will be sorry. While sent with a spoofed sender address of, the spam’s headers indicate that it actually appears to originate from, a server operated by a Web hosting outfit from the United Kingdom. The email contains formatting errors that should immediately tip off users, and directs to a sketchy URL: The email’s headers indicate it was sent using Outlook Express, but those are only visible when the user examines the phony email’s raw headers. Of course, Apple itself has also sent out official MobileMe notices containing the same formatting error. Apple also does not sign or encrypt its official emails to users, a step that might help in thwarting the regular phishing attempts that target MobileMe users. While Apple pioneered certificate-based security in iChat messaging for its MobileMe users, it has been a laggard in making it easy for users to sign and encrypt their MobileMe email using certificates issued by Apple, despite support in Mail and most other modern email clients to handle this. The significant difference in the real message from Apple over the phony spam is that Apple’s official email cites the account’s User Name, the ending digits of their credit card number, and directs the user to navigate to MobileMe themselves to correct their information within the online account section, rather than providing a link to follow. Doing so would result in the user initiating a MobileMe Web session secured via SSL before they are ever prompted to enter their private account information. There is no SSL security on the fake site users are directed to by the spam. The fraud site is hosted by, a domain not affiliated with Apple, but which might sound reasonably correct to many users. The domain appears to be registered to “Nike Jegart, co 9 Vista Estrella South, Lamy, NM 87540.” Source:

30. February 25, DarkReading – (International) Report: More than 500,000 Web sites hit by new form of SQL injection in ‘08. A new flavor of an old-school Web attack was responsible for compromising more than 500,000 Web sites last year. An automated form of SQL injection using botnets emerged as the popular method of hacking Web sites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Web site’s customers rather than the sensitive information in the site’s database. “It used to be that mostly e-commerce sites were targeted, but now it’s potentially any site, especially those with a large customer base,” says the director of application security research for Breach Security. “The attackers say, ‘You’re going to become a malware-launching point for us.’” The so-called Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report. “In the past, they had to do some manual reconnaissance with SQL injection to send the initial queries,” the director says. The automated approach sent one request with a script that automated all of those recon steps, using bots to perform the attacks. “While the initial attack vector was SQL Injection, the overall attack more closely resembles a Cross-Site Scripting methodology as the end goal of the attack was to have malicious JavaScript execute within victims’ browsers,” the WHID report says. “The JavaScript calls up remote malicious code that attempts to exploit various known browser flaws to install Trojans and Keyloggers in order to steal login credentials to other web applications.” Source:

31. February 25, Washington Post – (International) Adobe issues security update for Flash Player. Adobe Systems Inc. has shipped an update for its ubiquitous Flash player that fixes at least five security flaws. A few of the flaws are critical, meaning users could have malicious software installed on their system merely by visiting a Web page that features a booby-trapped Flash movie. Individuals will need to apply two different versions of this patch: One is designed for Internet Explorer, and another updates the Flash player in Firefox, Opera and Safari. This can be accomplished by visiting the Web site twice, once with IE, and then again with Firefox or whichever other browser they are using. The patch plugs security holes in Flash player and earlier. Updates are available for Flash versions made for Windows, Mac OS X, and Linux. Source:

Communications Sector

32. February 25, Computerworld – (National) FCC threatens 600 operators with fines over data protection rules. The U.S. Federal Communications Commission (FCC) may fine 600 operators for failing to properly file annual reports proving that they protect customer data. Telephone companies and voice-over-IP providers are required to submit to the FCC annual certifications proving that they have taken reasonable measures to protect against pretexting, or the practice of pretending to be a person or a law enforcement agent in order to obtain telephone records. Operators must also show the FCC that they have kept records of all instances when they disclosed customer information to a third party and report on customer complaints they have received regarding unauthorized release of their information. The FCC found that last year, 600 operators either did not file reports to the agency at all or they filed noncompliant reports. The FCC proposed a fine of $20,000 for operators that did not file at all and $10,000 for those that filed noncompliant reports. The carriers will be allowed to argue against the fine or demonstrate reasons to reduce the penalty due to an inability to pay it, the FCC said. In a statement, the FCC’s acting chairman said that the annual filings are essential for the agency to ensure that operators are complying with the privacy regulations. He also said he hopes the fines will help ensure compliance in the future. Source: