Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 20, 2009

Complete DHS Daily Report for April 20, 2009

Daily Report

Top Stories

Detroit News reports that officials are investigating an explosion at the Continental Aluminum Corp. plant in Lyon Township, Michigan that injured several workers on April 16. (See item 11)

11. April 17, Detroit News – (Michigan) Investigators look for cause of blast at aluminum plant. While the investigation continues into what caused a blast that sent three workers to the hospital with injuries, the operators of Continental Aluminum said Friday that at no time was there a gas leak, as had initially been reported. Continental Aluminum on Milford Road resumed operations Friday as it continues its investigation into an explosion that occurred Thursday night inside the recycling plant. The Michigan Occupational Safety and Health Administration (MIOSHA) is on the scene to conduct an independent investigation. Lyon Township Fire Department and emergency crews, as well as the Oakland County Sheriff’s Department, responded immediately to the incident around 10 p.m. Thursday. Three of five workers inside the plant suffered injuries: two were treated and released for smoke inhalation and a third, who has minor burns, was hospitalized overnight for observation. All three are expected to return to work the week of April 20, a company statement said. According to a statement released Friday, the explosion occurred inside the charge well of one of the furnaces inside the plant. A charge well is the area where the scrap material is introduced into the furnace. Fire officials turned the gas line off at the plant as a precautionary measure and authorized Continental Aluminum to turn the line back on Friday morning. Milford Road was also closed as a precautionary measure and has since reopened. The plant did not suffer any damage that would disrupt further operations, no hazardous materials were involved, and the local community was not at risk, according to the company’s press release. Source:

According to the Los Angeles Times, a pharmacy technician showed up for work at Long Beach Memorial Medical Center in California on April 16, brandishing two handguns, killed his boss and another manager, and then fatally shot himself, witnesses said. (See item 27)

27. April 17, Los Angeles Times – (California) Gunman kills 2 and takes own life at Long Beach Memorial Medical Center. A pharmacy technician showed up for work at Long Beach Memorial Medical Center on Thursday brandishing two handguns, killed his boss and another manager and then fatally shot himself, witnesses said. Long Beach police officers called to the scene found two bodies, one inside the hospital and another outside the emergency room entrance, the police chief said. According to witness accounts, the shooter went first to the pharmacy, near the emergency room and outpatient area, and fatally shot the first victim. He then found the second victim outside the emergency room. The hospital went into an immediate lockdown, forcing all inside to stay put for about an hour. Source:

Banking and Finance Sector

15. April 15, Wall Street Journal – (National) Banking group warns against FDIC wind-down authority. A top U.S. banking industry trade group said it opposes giving the Federal Deposit Insurance Corp. the authority to wind down large nonbank financial institutions. The American Bankers Association, a top industry lobbying group, said in a letter to the Treasury Secretary that it was concerned about the possible cost to banks if the FDIC’s authority to deal with struggling firms was expanded. “The FDIC would likely have ongoing costs to be in a position to deal with nonbank resolutions,” which would probably fall on the banking industry to pay, the ABA president said in an April 14 letter to the Treasury Secretary. Additionally, the group questioned whether the FDIC had the expertise necessary to wind down a major financial institution on the brink of collapse. The agency currently deals with resolving failed banks, but the ABA president noted that many of those firms are smaller than the systemically important financial firms that have been in trouble over the last year. Source:

Information Technology

36. April 17, IDG News Service – (International) Researcher offers tool to hide malware in .Net. A computer security researcher has released an upgraded tool that can simplify the placement of difficult-to-detect malicious software in Microsoft’s .Net framework on Windows computers. The tool, called .Net-Sploit 1.0, allows for modification of .Net, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications. Microsoft makes a suite of developer tools for programmers to write applications compatible with the framework. It offers developers the advantage of writing programs in several different high-level languages that will all run on a PC. .Net-Sploit allows a hacker to modify the .Net framework on targeted machines, inserting rootkit-style malicious software in a place untouched by security software and where few security people would think to look, said the software security engineer for 2BSecure who wrote the tool. “You will be amazed at how easy it is to devise an attack,” the engineer said during a presentation at the Black Hat security conference in Amsterdam on April 17. .Net-Sploit essentially lets an attacker replace a legitimate piece of code within .Net with a malicious one. Since some applications depend on parts of the .Net framework in order to run, it means the malware can affect the function of many applications. For example, an application that has an authentication mechanism could be attacked if the tampered .Net framework were to intercept user names and passwords and send them to a remote server, the engineer said. Source:

37. April 17, Macworld – (International) First Mac OS X botnet activated. The first botnet created with Mac computers running OS X software has been activated, according to reports filtering out across the Internet. Macworld reported in January that illegal copies of iWork ’09 and Photoshop CS4, distributed via peer-to-peer networks, were infected with a Trojan called iServices. It now appears that the botnet created from this Trojan has been activated, marking the first time a Mac OS X botnet has appeared. Source:

38. April 17, SC Magazine – (International) Possible bug in Apple’s iPhone. A possible bug has been identified in Apple’s iPhone, according to reports. A well-known hacker and analyst at Independent Security Evaluators in Baltimore said that he found a way to trick the iPhone into running shellcode — which, if successfully exploited, would enable an attacker to run whatever code they wanted on the phone, according to reports. He described the potential bug on Thursday at the Black Hat Europe security conference in Amsterdam. Shellcode, which was previously thought incapable of running on the iPhone, is a piece of code used as the payload in the exploitation of a software vulnerability. It enables access to the entire file system as well as hundreds of different commands, according to Mac security vendor Intego. To run shellcode, however, an attacker would first need a working exploit for the iPhone, he said. “For now, this is more of a warning than anything else,” an Intego spokesman wrote in a blog post Friday. “Mac OS X can run shellcode — in fact, many trojan horses exploit this ability — but this is an inherent part of the operating system. The real issue is exploits that may be able to launch this code on an iPhone, and we’re waiting for those to arise.” Source:

39. April 17, Spamfighter News – (International) Non-professional Web page creation driving phishing & viruses. The popular trend of ‘do-it-yourself’ Web page creation by amateur Internet users is helping to drive more viruses as well as phishing attacks, reveals a new report named “Symantec Internet Security Report for 2008.” The report states that during 2008 there was a threefold increase in the total number of malware threats identified by Symantec, which surged to 1.66 million from 2007. This increase, according to the Symantec vice president, is due to a rising number of non-professionals creating blogs, Web pages and other online destinations. The Symantec vice president added that more people were setting up Web sites even though they did not have sound programming knowledge. According to him, since the main objective of hackers is to install viruses on users’ computers, they will exploit whatever security flaws are readily found on the less proficiently built Web sites. Furthermore, 60 percent of the total malware threats seen during the last twenty years appeared in the past 12 months alone, said the vice president of Security Content and Intelligence, Symantec. The report also states that attackers are replacing their spam mail method known as ‘phishing,’ used to obtain users’ personal information, with the corruption of legitimate Web sites, such as compromising a local entrepreneur’s site to use it for theft. Thus, if a site is trusted, popular and receives high traffic, corrupting it could yield a huge number of compromises with just one attack, according to Symantec. Source:

40. April 16, Washington Post – (International) Creating a public nuisance with insecure Web sites. Thousands of Web sites that were cited last year for harboring security flaws that could be used to attack others online remain a hazard and an eyesore along the information superhighway. At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities. According to the latest Internet Security Threat Report from Symantec Corp., only 3 percent of those XSS flaws recorded at last year were fixed. Ironically, Symantec’s own site was recently featured on as vulnerable to a nasty XSS flaw (Symantec has since fixed the problem). XSS bugs can even be used to power Web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue anti-virus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software. Source:

41. April 16, IDG News Service – (International) Black Hat ‘supertalk’ halted due to vendor concerns. The Black Hat security conference is full of drama again in Amsterdam, with the last-minute cancellation of a presentation by a group of researchers scheduled to reveal a dangerous software vulnerability. In the run-up to the conference, organizers promoted a talk that would be on the scale of the flaw in the DNS (Domain Name System) highlighted by a security researcher at Black Hat’s U.S. conference in July 2008. But this one is not going to happen. A press conference tentatively planned for April 16 was suddenly canceled. The flaw is so sensitive that even revealing the vendor affected could potentially cause hackers to start poking around with applications or operating systems to try to figure it out, said Black Hat’s CEO. The unnamed vendor has told the researchers that it could have a patch ready in a month or so, but it could take as long as four months, the CEO said. Security researchers who present at Black Hat are encouraged to practice what is called “responsible disclosure,” where the vendor is notified and allowed to create a patch before the vulnerability is publicly revealed. The CEO expressed hope that the vendor and the researchers will be able to release a patch and the details at the same time. Source:

42. April 16, Computer Weekly – (International) Oracle database at risk from easy hack, warns database security expert. Oracle users have been urged to apply the database patches Oracle issued on April 15 as quickly as possible, because the flaw can be easily exploited, a database security expert has warned. The founding director of NGS Software, which is now part of the NCC Group, said, “There are a number of issues in this patch which are particularly dangerous. For example there is a remote, unauthenticated attack via the Oracle Process Manager and Notification Server that can allow an attacker to take full control over the system on Windows or the Oracle user on a Unix-based system.” He said a would-be attacker could use a format string vulnerability to damage the database. “It is trivial to exploit. My best advice to Oracle customers is to test and install this critical update as soon as possible.” Source:

43. April 15, DarkReading – (International) Open source metrics on tap for security patch management. Security consulting firm Securosis is spearheading a new effort to create metrics to quantify the cost and efficiency of an organization’s security patching process. The founder of Securosis says to date there is no real way to accurately measure the cost and productivity of an organization’s security patch management process. “Those fully quantified [IT] risk models do not apply and the numbers are not accurate,” he says. “It has also bothered me to see those uber-metrics approaches that get an overview of everything in the security program. So why not start with one thing we can accurately measure and use it as a core for building security metrics?” Securosis, with the financial backing of Microsoft for the initial phase of the project, will gather input in an open submission process for the so-called Project Quant metrics model. Version 1 is planned for release by the end of June. Many organizations do not have actual processes for out-of-cycle security patches, and end up in “panic mode” trying to apply them, the founder of Securosis said. Some do not even have processes for the scheduled patching of their Oracle software, for instance, he says. “We know there are tremendous inefficiencies in how [organizations] approach patching,” the founder of Securosis says. “We are going to solicit [organizations] out there and find out different ways people are doing this and find a way to quantify this.” A director in Microsoft’s Trustworthy Computing Group who first approached Securosis about the project says the goal is to offer metrics that are consumable for business decision-makers. “Vuln counts and data risk [data] is cool for my tech people, but we would really like to see firms doing some analysis and getting results that are more appropriate for the business level,” he says. The metrics model will cover everything in the patch management process, from monitoring software for updates to installing the patches. It will analyze things like the amount of time it takes to test patches and roll them out, for instance, and on how many systems, etc., the director says. Source:

Communications Sector

44. April 16, Lincoln Journal – (Massachusetts) Town could face fines over radio tower. The town of Lincoln could face severe penalties if it does not address compliance issues surrounding the town’s public safety communications tower. According to a spokesman for the Public Safety Communications Technology Committee, the tower is currently in violation of regulations of the Federal Aviation Administration (FAA), the Federal Communications Commission (FCC), and the Lincoln Zoning Board of Appeals (ZBA). The town could face an initial fine of up to $75,000 as well as retroactive and ongoing daily fines until the tower is brought into compliance with federal regulations. Located at the highest point in town at the top of a hill off Bedford Road, the radio communications tower is in the flight path of aircraft heading in and out of nearby Hanscom Field. FAA safety regulations require a light to be mounted on the tower to make it clearly visible to passing aircraft. The town had obtained an unconditional waiver from the FAA, but when the old tower was replaced with a new, taller tower in late 2007, the waiver was forfeited. The new tower, which rises 80 feet at the top of the highest antennas, has also run afoul of the FCC, which regulates radio frequencies, and the ZBA, as it was installed at a greater height and at a different location than was originally approved. Further complicating the situation is the requirement that the town maintain certain antennas on the tower as a condition of a grant from the Federal Emergency Management Agency. Source: