Tuesday, September 15, 2009

Complete DHS Daily Report for September 15, 2009

Daily Report

Top Stories

 The U.S. Nuclear Regulatory Commission has announced that it issued guidelines on September 11 making effective a section of the Atomic Energy Act that authorizes the NRC to allow the licensees and certificate holders of NRC-regulated facilities to apply for permission for their security personnel to possess and use certain “enhanced weapons.” (See item 8)


8. September 11, U.S. Nuclear Regulatory Commission – (National) New NRC guidelines published today are first step toward allowing security personnel to possess enhanced weapons at nuclear facilities. The Nuclear Regulatory Commission (NRC) issued guidelines on September 11 making effective a section of the Atomic Energy Act that authorizes the NRC to allow the licensees and certificate holders of NRC-regulated facilities to apply for permission for their security personnel to possess and use certain “enhanced weapons.” These weapons are machineguns, short-barreled shotguns or short-barreled rifles. These guidelines have been approved by the U.S. Attorney General as required by the Energy Policy Act of 2005. Previously, with limited exceptions, only federal, state, or local law enforcement could lawfully possess machineguns. As indicated in the guidelines, an NRC licensee or certificate holder will have to apply for NRC approval in order to exercise the new authority. As part of the approval process, the NRC would first designate the nuclear facilities, radioactive material or other property eligible for such authority. As part of the application, the licensee or certificate holder is required to update the applicable security plan, training and qualification plan, and contingency response plan, to reflect this new weaponry. In addition, the licensee or certificate holder is required to submit a weapons safety assessment evaluating the impact of the potential use of these weapons. The security personnel of those facilities whose duties require access to any weapon will be subject to a fingerprint check and a firearms background check by the U.S. Attorney General. The licensee or certificate holder will also need to comply with applicable U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives requirements relating to enhanced weapons. Source: http://www.nrc.gov/reading-rm/doc-collections/news/2009/09-152.html


 According to the Associated Press, dangerous staph bacteria have been found in sand and water for the first time at five public beaches along the coast of Washington, and scientists think the state is not the only one with this problem. The staph bacteria strains resembled the highly resistant ones usually seen in hospitals, rather than the milder strains acquired in community settings. (See item 36)


36. September 12, Associated Press – (National) Dangerous staph germs found at U.S. beaches. Dangerous staph bacteria have been found in sand and water for the first time at five public beaches along the coast of Washington, and scientists think the state is not the only one with this problem. The germ is MRSA, or methicillin-resistant Staphylococcus aureus — a hard-to-treat bug once rarely seen outside of hospitals but that increasingly is spreading in ordinary community settings such as schools, locker rooms and gyms. “We don’t know the risk” for any individual going to a beach, a microbiologist at the University of Washington in Seattle said. “But the fact that we found these organisms suggests that the level is much higher than we had thought.” Last year, her team reported finding a different type of bacteria, enterococci, at five West Coast beaches. And earlier this year, University of Miami researchers reported finding staph bacteria in four out of 10 ocean water samples collected by hundreds of bathers at a South Florida beach. Many communities also commonly restrict bathing at beaches because of contamination with fecal bacteria. In the new study, researchers tested 10 beaches in Washington along the West Coast and in Puget Sound from February to September 2008. Staph bacteria were found at nine of them, including five with MRSA. The strains resembled the highly resistant ones usually seen in hospitals, rather than the milder strains acquired in community settings, the microbiologist said. No staph was found in samples from two beaches in southern California. However, people should not avoid beaches or be afraid to enjoy them, scientists say. They caution to just make sure all the sand is washed off as soon as possible. Source: http://www.msnbc.msn.com/id/32813802/ns/health-infectious_diseases/


Details

Banking and Finance Sector

10. September 12, CNN – (National) 3 more down: Bank failure tally hits 92. Regulators closed one large bank in Illinois on September 11 in one of the biggest collapses of the year, while two other smaller failures pushed the 2009 total to 92. Customers of the banks, however, are protected. In Illinois, 16 banks have failed so far this year, including Chicago-based Corus Bank, which was closed by the Office of the Comptroller of the Currency on September 11. Corus, which operated 11 branches, had deposits of about $7 billion and total assets of around $7 billion, the FDIC said. MB Financial Bank, which is also based in Chicago, will acquire all of the failed bank’s deposits and agreed to buy $3 billion of its assets. Much of Corus’ assets are condo loans backed by developments, and the FDIC is expected to sell them off within the next 30 days. In Minnesota, Brickwell Community Bank, which operated one branch in Woodbury, was closed by state officials. Mitchell, S.D.-based CorTrust Bank will take over Brickwell’s $63 million in deposits and will purchase “essentially all” of its $72 million in assets, the FDIC said. And in Washington state, Venture Bank of Lacey was closed by state regulators. First-Citizens Bank & Trust Company in Raleigh, N.C., took over all of the deposits of Venture Bank. Venture Bank had 18 branches that will reopen Saturday as branches of First-Citizens Bank & Trust Company. As of July 28, Venture Bank had assets of $970 million and deposits of about $903 million. First-Citizens Bank agreed to purchase some $874 million of the assets. Source: http://money.cnn.com/2009/09/11/news/economy/bank_failure/?postversion=2009091207


11. September 12, Bloomberg – (National) Fed failed to curb flawed bank lending, inspector general says. Federal Reserve examiners failed to rein in practices that led to losses from excessive real estate lending at two banks in California and Florida that later closed, the central bank’s inspector general said. Riverside Bank of the Gulf Coast in Cape Coral, Florida, “warranted more immediate supervisory attention” by the Atlanta district bank, the Fed’s inspector general said in a report to the central bank’s board. In overseeing County Bank in Merced, California, the San Francisco Fed should have taken a “more aggressive supervisory” approach, she said in another report, also dated September 9. The findings follow criticism by lawmakers including the Senate banking committee chairman, who say the Fed failed to curtail flawed underwriting and other lending abuses that contributed to the collapse of the housing market. Another report by the Fed’s inspector general in June faulted the Atlanta Fed’s oversight of First Georgia Community Bank. Congress is reviewing a U.S. Treasury proposal to give the Fed more power by making it the supervisor for large and interconnected firms that may damage the U.S. financial system in the event of failure. The Treasury plan is part of an effort to overhaul U.S. financial regulation. “The Fed does not come out smelling like a rose,” said a former associate general counsel of the Fed board and now a partner at law firm Schwartz & Ballen LLP in Washington. “There are things that could have been done better.” Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=atgnqYrMSrtI


12. September 11, U.S. Department of Justice – (National) International hacker pleads guilty for massive hacks of U.S. retail networks. An international computer hacker pleaded guilty today to multiple charges relating to hacking activity and credit card fraud, announced the Assistant Attorney General of the Criminal Division, the Acting U.S. Attorney for the District of Massachusetts, the U.S. Attorney for the Eastern District of New York and the Director of the U.S. Secret Service. More than 40 million credit and debit card numbers were stolen from major U.S. retailers as a result of the hacking activity. The 28-year-old suspect, of Miami, pleaded guilty today to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft relating to hacks into numerous major U.S. retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. The suspect was indicted in August 2008 in the District of Massachusetts on charges related to these hacks. The suspect also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in the Eastern District of New York. The pleas in both cases were entered before a U.S. District Court Judge in federal court in Boston. According to the indictments to which the suspect pleaded guilty, he and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including “wardriving” and installation of sniffer programs to capture credit and debit card numbers used at these retail stores. Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Using these techniques, the suspect and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers. Also according to the indictments, the suspect and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs. According to the indictments, the suspect and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe. Source: http://www.usdoj.gov/opa/pr/2009/September/09-crm-494.html


Information Technology


28. September 14, Sophos – (International) Fake anti-virus attack hits New York Times website readers. Recently, readers of the New York Times website NYTimes.com were exposed to danger as the popular media outlet served up malicious adverts to some of its visitors. According to a posting on the website, some readers saw a pop-up message warning them that their computer had been infected, and urging them to install fake anti-virus software (also known as scareware). Aside from a message on its website, the New York Times posted a message on its Twitter feed in an attempt to warn its readers. It has been reported that the New York Times published a warning on the front page of its website on September 13. In the past, other media outlets (such as the Daily Mail, ITV and RadioTimes) have fallen foul of poisoned adverts serving up malware and fake anti-virus alerts. Source: http://www.sophos.com/blogs/gc/g/2009/09/14/fake-antivirus-attack-hits-york-times-website-readers


29. September 14, IDG News Service – (International) Domain-name abuse proliferates; rogue registrars turn a blind eye. For legitimate businesses, a domain name is a way to hang a shingle in cyberspace. In the criminal world, domain names are a key part of botnet and phishing operations, and cyber-criminals are plundering domain-name registrars around the world to get them. Criminals are amassing domain names by registering them under phony information, paying with stolen credit cards or hard-to-trace digital currencies like eGold, and breaking into legitimate domain-name accounts. To add to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in. “There’s absolutely a big problem,” says the director of network abuse at Go Daddy, an Arizona-based domain-name registrar that is authorized by the Internet Corporation for Assigned Names and Numbers and the appropriate ICANN-accredited registries to sell domain names based on the generic top-level domains (gTLD) that include .com, .aero, .info, .name and .net. Go Daddy has 36 million domain names under management for more than 6 million customers, making it one of the largest registrars around the globe. It fights a round-the-clock battle to identify domain-name abuse, and if a domain name is determined to be used for harmful purposes Go Daddy will essentially “kill the domain name,” the director says. In spite of all these efforts, criminals still slip through the net, in part because registration services are highly automated, validation processes are insufficient, and the criminals are cagey, determined and technically savvy. The problem encompasses the entire domain-name registration system, along with the faulty Whois database of registrant information (overseen by ICANN) that contains fake data, even total gibberish. “It’s not intentionally designed for this kind of abuse, but it works in favor of the criminals,” a researcher notes. Effective reform of the domain-name registration process would strike at the heart of Internet crime, she says. Source: http://news.idg.no/cw/art.cfm?id=B809FA70-1A64-67EA-E4B5B30FF36D196B


30. September 13, Ars Technica – (International) FTC forces Sears, Kmart out of the spyware business. The Federal Trade Commission (FTC) has busted a strange set of spyware purveyors — U.S. retailing giants Sears and Kmart. The FTC recently approved its final consent order against the companies (which share the same owner) over an episode that can only be chalked up to incompetence of a truly epic scope. Sears Holding Management Company decided that it could really use a lot more marketing data to fuel its decision-making process, so it began offering visitors to sears.com and kmart.com a special invite — sign up for “My SHC Community,” download a piece of “research” software, and earn 10 American dollars. All one had to do was turn over to the company every single bit of information about one’s Web browsing. This was not just about the websites visited, or even about specific URLs; the “research” software transmitted the complete contents of a browsing session, even secure sessions. This meant that Sears and its data collection partner would have access to the “contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails,” said the FTC. Among other things — the software also collected non-Web information about the user’s personal computer. Sears did tell people that it would track their “online browsing,” but when security researchers looked into the software in early 2008, they charged that the disclosure was mostly buried in legalese. Under the settlement with the FTC, Sears has now agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the wild. In addition, if it wants to do any tracking in the future, the company has committed to “clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party.” Source: http://arstechnica.com/tech-policy/news/2009/09/ftc-forces-sears-kmart-out-of-the-spyware-business.ars


31. September 12, The Register – (International) Trojan taps Google Groups as command network. Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is a new development. The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, a Symantec security researcher writes. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time. Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter. Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyze. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned. Only a small number of samples of Grups Trojan have appeared in the wild, leading to Symantec’s classification of the malware as a low risk threat. Source: http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/
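A defender-side illustration of the item above, added here and not part of the Register or Symantec report: because the Trojan polls its Groups page and posts a check-in even when no command is waiting, an infected host shows up in web proxy logs as a client fetching the same Google Groups URL at near-constant intervals. The log lines and URL paths below are constructed (only the group name escape2sun comes from the article); the detector flags any client whose request gaps have a low coefficient of variation.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines for illustration: "timestamp client method url".
# The group name escape2sun comes from the report; the URL paths are assumed.
SAMPLE_LOG = """\
2009-09-12T10:00:00 10.0.0.5 GET http://groups.google.com/group/escape2sun/web/cmd
2009-09-12T10:00:03 10.0.0.7 GET http://www.example.com/index.html
2009-09-12T10:05:01 10.0.0.5 GET http://groups.google.com/group/escape2sun/web/cmd
2009-09-12T10:05:02 10.0.0.5 POST http://groups.google.com/group/escape2sun/post
2009-09-12T10:10:00 10.0.0.5 GET http://groups.google.com/group/escape2sun/web/cmd
2009-09-12T10:11:40 10.0.0.7 GET http://groups.google.com/group/somegroup/topics
2009-09-12T10:15:02 10.0.0.5 GET http://groups.google.com/group/escape2sun/web/cmd
2009-09-12T10:20:00 10.0.0.5 GET http://groups.google.com/group/escape2sun/web/cmd
2009-09-12T12:30:00 10.0.0.7 GET http://groups.google.com/group/somegroup/topics
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, method, url)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        entries.append((datetime.fromisoformat(ts), client, method, url))
    return entries


def find_beacons(entries, host_suffix="groups.google.com", min_hits=4, max_cv=0.1):
    """Return {(client, url): info} for clients that fetch the same Groups page
    at near-constant intervals (coefficient of variation of the gaps <= max_cv)."""
    hits = defaultdict(list)
    for ts, client, method, url in entries:
        host = url.split("/")[2]  # scheme://host/... -> host
        if method == "GET" and host.endswith(host_suffix):
            hits[(client, url)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:  # too few requests to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps),
                            "mean_interval_s": round(mean),
                            "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (client, url), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} polls {url} every ~{info['mean_interval_s']}s "
              f"({info['hits']} hits, cv={info['cv']})")
```

A browser user who opens the same group a few times (10.0.0.7 above) never reaches the hit threshold or the regularity needed to be flagged; tune min_hits and max_cv to the polling behaviour seen in your own environment.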


32. September 12, The Register – (International) Linux webserver botnet pushes malware. A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web. Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they have also been hacked to run a second webserver known as nginx, which serves malware. “What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,” the researcher wrote. “To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).” The finding highlights the continuing evolution of bot herders as they look for new ways to issue commands to the hundreds of thousands of infected zombies under their control. Source: http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/
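The compromised servers in the item above were betrayed by a second web server (nginx) listening beside the legitimate Apache. A host-side check, added here and not from the Register article or the researcher's work, is to compare the listening sockets reported by `ss -lntp` against a baseline of the (process, port) pairs the host is supposed to expose. The `ss` output and the baseline below are constructed for a hypothetical host.

```python
import re

# Constructed `ss -lntp`-style output from a hypothetical web host; not real data.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1204,fd=4))
LISTEN  0       511     *:443                *:*                users:(("apache2",pid=1204,fd=6))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("nginx",pid=2731,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=811,fd=4))
"""

# Assumed baseline: every (process, port) pair this host is meant to expose.
EXPECTED_LISTENERS = {("sshd", 22), ("apache2", 80), ("apache2", 443)}

# Matches the first process entry in the ss "Process" column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_text):
    """Return a set of (process, pid, port) for every LISTEN row in ss output."""
    found = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        # Local address may be 0.0.0.0:80, *:80 or [::]:80; port is after the last colon.
        port = int(cols[3].rsplit(":", 1)[1])
        m = PROC_RE.search(line)
        if m:
            found.add((m.group(1), int(m.group(2)), port))
    return found


def unexpected_listeners(ss_text, expected=EXPECTED_LISTENERS):
    """Listeners absent from the baseline, e.g. a second web server beside Apache."""
    return sorted((proc, pid, port) for proc, pid, port in parse_listeners(ss_text)
                  if (proc, port) not in expected)


if __name__ == "__main__":
    for proc, pid, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proc} (pid {pid}) on port {port}")
```

On a live host run `ss -lntp` as root so the process column is populated for every socket, and feed its output to unexpected_listeners in place of the constructed sample.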

Communications Sector

33. September 14, Network World – (International) Ethernet switch vendors propose data center collapse. The emergence of 10 Gigabit Ethernet, virtualization and unified switching fabrics is ushering in a major shift in data center network design: three-tier switching architectures are being collapsed into two-tier ones. Higher, non-blocking throughput from 10G Ethernet switches allows users to connect server racks and top-of-rack switches directly to the core network, obviating the need for an aggregation layer. Also, server virtualization is putting more application load on fewer servers due to the ability to decouple applications and operating systems from physical hardware. Moreover, the migration to a unified fabric that converges storage protocols onto Ethernet also requires a very low latency, lossless architecture that lends itself to a two-tier approach. Storage traffic cannot tolerate the buffering and latency of extra switch hops through a three-tier architecture that includes a layer of aggregation switching, industry experts say. All of this necessitates a new breed of high-performance, low-latency, non-blocking 10G Ethernet switches now hitting the market. And it will not be long before these 10G switches are upgraded to 40G and 100G Ethernet switches when those IEEE standards are ratified in mid-2010. “Over the next few years, the old switching equipment needs to be replaced with faster and more flexible switches,” says a representative of Layland Consulting, an adviser to IT users and vendors. “This time, speed needs to be coupled with lower latency, abandoning spanning tree and support for the new storage protocols. Networking in the data center must evolve to a unified switching fabric.” Source: http://www.networkworld.com/news/2009/091409-switch.html


34. September 12, Anchorage Daily News – (Alaska) Temporary outages on horizon for GCI. Alaska telecom company GCI said its cable TV, Internet, and long-distance phone customers could experience temporary outages from October 6 through October 19. “These semiannual interruptions, called sun outages or transits, affect all satellite-based communications. When the sun, satellite and Earth-based antenna line up, the noise energy from the sun is often greater than the communication signal level and may result in loss of signal,” GCI said. Customers could find long-distance calls in particular might be disrupted. Traffic on fiber-optic cables and microwave systems will not be affected, the company said. Source: http://www.adn.com/news/alaska/story/933119.html


35. September 12, TechFlash – (Oregon) Report: Amazon halts work on Oregon data center complex. Amazon.com appeared to be making a big addition to its internet infrastructure last fall, when the Oregonian reported that a huge data center linked to the ecommerce giant was under construction in eastern Oregon near the Columbia River. Now comes word that the project has “quietly come to a halt,” according to a new report from InformationWeek, which visited the site. Local officials cited economic conditions as the reason for the delay. Amazon is one of a number of tech giants that have come to the Columbia River area for data centers, drawn by the cheap land and hydroelectric power. Google is building a data center facility in The Dalles, Oregon. Microsoft and Yahoo, which set up shop on the Washington side of the border, have been re-evaluating their plans, however, after the state determined they do not qualify for a sales tax deferral program. Microsoft recently announced it is shifting some of its Azure cloud computing platform away from its data center in Grant County, Washington. Amazon confirmed with InformationWeek that Vadata, the company that owns the Oregon data center, is a “legal entity” of Amazon, clearing up some of the confusion that accompanied the original story last fall. But Amazon offered very little detail beyond that. InformationWeek, citing local officials, said the project is on hold “until sometime next year.” Data centers are a critical piece of infrastructure for Amazon, which needs massive data storage and computing capacity to power its ecommerce operations, Kindle electronic books, and cloud computing services. Source: http://www.techflash.com/seattle/2009/09/report_amazon_halts_work_on_oregon_data_center.html