Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, October 7, 2009

Complete DHS Daily Report for October 7, 2009

Daily Report

Top Stories

 According to the Panama City News Herald, four people were injured, one critically, after a dust explosion Monday at E.B. Pipe Coating at Port Panama City, Florida. (See item 9)

9. October 5, Panama City News Herald – (Florida) Dust sparks plant explosion; four injured. Four people were injured, one critically, after a dust explosion Monday at E.B. Pipe Coating at Port Panama City. The critically injured person was airlifted to a burn center in Georgia; the remaining three were treated and released Monday afternoon. Panama City police did not release the names of the injured workers Monday. “What we have is a dust explosion that happened in the two dust collectors. We are not exactly sure what triggered it,” said a police spokesman. “It could have happened for a number of reasons. The dust could have been sparked, or it could have spontaneously combusted,” he continued. “Our next step is going to be to interview all the employees and try to determine what triggered it.” The explosion occurred in the E.B. Pipe Coating building located behind its parent company, Berg Pipe. “It started in the area … where the coating is put on the pipes,” said a sergeant with the Panama City Police Department. The complex was shut down, and between 20 and 30 employees were sent home, the sergeant said. The facility will be closed for at least the next few days while officials from the Occupational Safety and Health Administration investigate the incident. Source:

 According to the Associated Press, more than 1,800 patients treated by one nurse at Broward General Medical Center in Fort Lauderdale, Florida may have been exposed to HIV and hepatitis. The hospital said Monday the nurse reused saline bags and tubing during cardiac stress tests involving the injection of fluids from January 2004 to early September 2009. (See item 27)

27. October 6, Associated Press – (Florida) 1,800 patients may have been exposed to HIV, hepatitis at Florida hospital. More than 1,800 patients treated by one nurse at a South Florida hospital may have been exposed to HIV and hepatitis. Broward General Medical Center in Fort Lauderdale said Monday the nurse reused saline bags and tubing during cardiac stress tests involving the injection of fluids. The hospital has sent letters to all 1,851 people who may have been affected from January 2004 to early September. Hospital officials say the risk of exposure is low, but all affected patients should be tested for HIV and hepatitis B and C. The nurse, who has not been identified, resigned and was reported to the Board of Nursing. The hospital discovered the problem after a patient noticed the nurse misusing the equipment and anonymously called in. Source:,2933,560960,00.html?test=latestnews


Banking and Finance Sector

11. October 6, San Francisco Chronicle – (National) Northern California bankers want boost for FDIC. Northern California’s community bankers support a plan to bolster the Federal Deposit Insurance Corp. as the financial system continues to reel from the ripple effects of the collapsing credit bubble. Coping with nearly 100 bank failures so far this year, the FDIC recently proposed that healthy banks prepay three years of deposit insurance to raise $45 billion so the fund would not have to borrow from the Treasury Department. “It would look like another bailout for banks, which frankly we don’t need,” said the chief executive of Mechanics Bank, one of the regional institutions that have stayed out of trouble thus far by avoiding risky mortgages. “We have never had to spend a single penny of taxpayer money on FDIC insurance,” said the general counsel of the California Bankers Association. The FDIC could borrow up to $500 billion from the Treasury but has said it wants to reserve that credit line for an “emergency or other unforeseen event,” adding that current and anticipated failures “can be planned for and met by industry resources.” Now experts hope the prepayment plan will see the FDIC through the worst spate of failures since the savings and loan crisis of the late 1980s and early 1990s. Source:

12. October 5, SCMagazine – (National) Visa creates guidance for merchants wanting to encrypt. Visa on October 5 released a best practices document for merchants considering adoption of end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing. The guidance is meant to fill a temporary void until industry standards are established by the American National Standards Institute, the senior business leader in Visa’s payment system risk division told SCMagazine. “We felt it was important to provide [help] for those companies clearly looking for guidance today,” she said. “I think a lot of merchants are looking for that next solution that is going to be a longer-term data security step.” The document calls on merchants to achieve five goals when deploying end-to-end, or data field, encryption: limit clear-text cardholder and authentication data; use robust key management solutions that meet international standards; use recognized cryptographic algorithms; protect devices used to perform cryptographic functions; and consider technologies, such as tokenization, that replace card numbers that must be stored with unique identifiers. Visa does not require any merchants to store card numbers, but some merchants require it for certain business functions, such as recurring subscriptions, the business leader said. Meanwhile, some acquiring banks/processors mandate that their retail customers store the numbers for processes such as chargebacks. Source:
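The fifth goal above, tokenization, is the one most merchants can implement themselves, so here is an added worked example of a token vault. This is illustrative code written for this page, not Visa’s guidance document or any vendor’s product. It assumes an in-memory dictionary in place of the vault’s protected store, a keyed-hash reverse index so the index never holds clear-text PANs, and tokens that are random digit strings keeping the PAN’s last four digits and deliberately failing the Luhn check so a leaked token can never be mistaken for, or used as, a real card number.

```python
"""Card-number tokenization with a vault (added example; not Visa's or any
vendor's code). Assumptions: an in-memory dict stands in for the vault's
protected store; tokens keep the last four digits and are Luhn-invalid."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digits-only string; real PANs pass it."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Only this component ever holds clear-text PANs; merchant systems keep tokens."""

    def __init__(self, index_key: bytes):
        # Keyed hash of the PAN for the reverse index, so the index stores no
        # PAN and cannot be brute-forced over the card-number space without the key.
        self._index_key = index_key
        self._token_to_pan = {}          # token -> PAN (the protected store, assumed in-memory)
        self._fingerprint_to_token = {}  # HMAC(PAN) -> token, makes tokenize() idempotent

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for `pan`, or mint a fresh random one."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # last four survive for receipts and lookups
            # Reject a collision, and reject any candidate that would itself pass
            # Luhn, so a leaked token is recognisably not a PAN (design choice).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to its PAN; only the vault's trusted callers may do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    t = vault.tokenize("4111111111111111")  # well-known test PAN, not a real account
    print(t, vault.detokenize(t) == "4111111111111111")
```

The point for a merchant is in the last two sentences of the article: a recurring-billing or chargeback system that needs to reference a card can hold the token and ask the vault to detokenize only at authorization time, which keeps the clear-text PAN out of every other system and shrinks the scope that has to be protected.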

13. October 5, DarkReading – (International) Bankers gone bad: financial crisis making the threat worse. A former Wachovia Bank executive who had handled insider fraud incidents says banks are in denial about just how massive the insider threat problem is within their institutions. Meanwhile, the economic crisis appears to be exacerbating the risk, with 70 percent of financial institutions saying they have experienced a case of data theft by one of their employees in the past 12 months, according to new survey data. An individual who spent 21 years at Wachovia handling insider fraud investigations and fraud prevention says banks do not want to talk about the insider fraud, and many aren’t aware that it’s an “epic problem.” “There needs to be more training around this issue,” says the individual, who co-authored a book about bank insider fraud called Insidious, How Trusted Employees Steal Millions and Why It’s So Hard for Banks to Stop Them, which publishes later this month. “We are seeing a huge increase in this country of organized crime rings threatening individuals who work in financial institutions and making them [commit fraud on their behalf],” she says. Meanwhile, according to a new survey by Actimize, nearly 80 percent of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn. “A significant number of folks are being impacted more than a couple of years ago,” which is when the last survey was conducted, says the director of the financial crimes product group at Actimize. The Actimize survey found that only 28 percent of financial institutions had not suffered an insider breach in the past 12 months. Interestingly, it’s not the stereotypical offshore or outsourced employee who’s most risky to their organizations. Nearly 70 percent of financial institutions say their full-time employees are most likely to pose an insider fraud threat, versus 10 percent of part-timers, 8 percent of outsourced workers, 6 percent of temporary workers, and 5 percent of offshore employees, according to the survey. Source:

14. October 5, Reuters – (National) SEC standardizes rules for U.S. “erroneous trades”. The U.S. Securities and Exchange Commission on October 5 adopted a single set of rules for “clearly erroneous” trades, eliminating a mixed bag of standards that exchanges used to monitor increasingly electronic trading. So-called clearly erroneous trades can result from human error or computer malfunction, the regulator said. “Because the markets today are so fast, automated and interconnected, an erroneous trade on one market can very rapidly trigger a wave of similarly erroneous trades on other markets,” it added. The SEC chairman said in the statement that consistent standards “will strengthen the resiliency of our markets by reducing the potential for market confusion, especially during periods of high market volatility.” Exchanges cancel trades determined to be clearly erroneous, relieving firms of obligations that result from the trades. The exchanges, including Nasdaq OMX’s Nasdaq Stock Market, began revealing the new rules last week. The rules force exchanges to investigate potentially erroneous trades within 30 minutes, and to resolve the matter within 30 minutes thereafter. As well, exchanges can only consider canceling a trade if the share price exceeds the last public sale price by more than 10 percent for shares priced under $25, by more than 5 percent for shares priced between $25 and $50, and by more than 3 percent for shares priced at more than $50. The new standard comes amid heightened concern about fairness in markets that rely increasingly on computer algorithms to function smoothly. Source:

Information Technology

37. October 6, CNET – (International) Passwords for Google, Yahoo and Hotmail accounts illegally leaked online. Documents seen by CNET UK suggest thousands of usernames and passwords for Hotmail, Google and Yahoo accounts have been illegally posted to the Internet. Login credentials for accounts ending with,,,, and were seen. Users of these services are strongly encouraged to immediately change their passwords. Usernames and passwords for Google’s Gmail service could also provide hackers with access to users’ YouTube, Blogger, Google Docs and Google Talk accounts, as these services are all owned by Google and often work under a single login ID. CNET UK contacted Google, which acknowledged the leaked details and blames phishing attacks rather than insecurities within Google’s system. “We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts,” a Google spokesperson told CNET UK. “As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them.” CNET UK also contacted Yahoo; a spokesperson confirmed, “We are aware and are investigating.” Reports of leaked Hotmail account details first appeared on Neowin. Microsoft later confirmed the news, and announced that “as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.” Source:,39029471,49303832,00.htm

38. October 5, Network World – (International) Prototype security software blocks DDoS attacks. Researchers have come up with host-based security software that blocks distributed denial-of-service attacks without swamping the memory and CPU of the host machines. The filtering, called identity-based privacy-protected access control (IPCAF), can also prevent session hijacking, dictionary attacks and man-in-the-middle attacks, say researchers at Auburn University in their paper, “Modeling and simulations for Identity-Based Privacy-Protected Access Control Filter (IPCAF) capability to resist massive denial of service attacks.” This new method is suggested as a replacement for IP-address filtering, which is sometimes used to block DDoS attacks but is problematic because IP addresses can be spoofed, says a professor of electrical and computer engineering at Auburn and lead author of the paper. The method also greatly reduces the resources attacked machines have to expend in order to figure out whether requests are legitimate, he says. Under IPCAF, authorized users and the servers they try to reach receive a one-time user ID and password to authenticate to each other. After that they cooperate to generate pseudo IDs and packet-field values for each successive packet, so packets get authenticated one at a time. The receiving machines simply check the field value in each packet in order to decide whether to reject it. Only after the filter value checks out are more memory and CPU resources allocated to further process the packets, the professor says. IPCAF runs on servers and client machines and does its work with negligible impact on performance of the machines involved, he says. For instance, CPU utilization on a machine running IPCAF and processing legitimate requests during testing was 10.21 percent; it rose to 11.78 percent when the same machine was under attack, the professor says. Source:
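The mechanism the article describes, a cheap per-packet field checked before any real processing, is easier to reason about with a concrete filter in front of you. The following is an added example written for this page; it is a simplified analogue, not the Auburn team’s IPCAF implementation, and it assumes that the one-time authentication step has already produced a shared session key, that the per-packet pseudo ID and field value are both truncated HMACs over a sequence number (and, for the field value, the payload), and that the receiver tolerates a small reordering window. The simulation traffic is constructed inline.

```python
"""Per-packet authentication filter in the spirit of IPCAF (added example,
not the Auburn implementation). Assumes a session key already agreed by the
one-time login; pseudo IDs and field values are truncated HMACs."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

FIELD_LEN = 8  # bytes of HMAC kept per field; an attacker must guess 2**64 values


@dataclass
class Packet:
    pseudo_id: bytes   # changes every packet, so a sniffer cannot track the user
    seq: int
    field: bytes       # the filter value checked before resources are committed
    payload: bytes


class Session:
    """State shared by both ends after the one-time authentication."""

    def __init__(self, key: bytes):
        self.key = key

    def pseudo_id(self, seq: int) -> bytes:
        msg = b"id" + struct.pack(">Q", seq)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:FIELD_LEN]

    def field(self, seq: int, payload: bytes) -> bytes:
        msg = b"field" + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:FIELD_LEN]


class Sender(Session):
    def __init__(self, key: bytes):
        super().__init__(key)
        self.seq = 0

    def send(self, payload: bytes) -> Packet:
        pkt = Packet(self.pseudo_id(self.seq), self.seq, self.field(self.seq, payload), payload)
        self.seq += 1
        return pkt


class Filter(Session):
    """Receiver-side check; returns True only for packets worth processing further."""

    def __init__(self, key: bytes, window: int = 64):
        super().__init__(key)
        self.expected, self.window, self.seen = 0, window, set()
        self.accepted = self.rejected = 0

    def check(self, pkt: Packet) -> bool:
        # Cheapest test first: out-of-window or replayed sequence numbers are
        # dropped before a single HMAC is computed.
        in_window = self.expected <= pkt.seq < self.expected + self.window
        if not in_window or pkt.seq in self.seen:
            self.rejected += 1
            return False
        if not hmac.compare_digest(pkt.pseudo_id, self.pseudo_id(pkt.seq)):
            self.rejected += 1
            return False
        if not hmac.compare_digest(pkt.field, self.field(pkt.seq, pkt.payload)):
            self.rejected += 1
            return False
        self.seen.add(pkt.seq)
        while self.expected in self.seen:      # slide the window forward
            self.seen.remove(self.expected)
            self.expected += 1
        self.accepted += 1
        return True


def simulate(n_legit: int = 5, n_spoofed: int = 1000) -> dict:
    """Legitimate traffic, a flood from a spoofer who lacks the key, then a replay."""
    key = os.urandom(32)                       # stands in for the one-time login result
    sender, flt = Sender(key), Filter(key)
    for i in range(n_legit):
        flt.check(sender.send(b"request %d" % i))
    for i in range(n_spoofed):
        # The attacker knows the packet format and a plausible sequence number
        # but not the key, so the pseudo ID and field value are guesses.
        flt.check(Packet(os.urandom(FIELD_LEN), flt.expected + (i % 10), os.urandom(FIELD_LEN), b"flood"))
    replay = sender.send(b"replayed")
    first, second = flt.check(replay), flt.check(replay)
    return {"accepted": flt.accepted, "rejected": flt.rejected, "replay_blocked": first and not second}


if __name__ == "__main__":
    print(simulate())
```

Two things the numbers in the article hint at show up here: every rejected packet costs at most two short HMACs (and often none), which is why the measured CPU barely moves under attack, and because the pseudo ID and field value are keyed, spoofing the source IP buys the attacker nothing, which is the weakness of plain IP-address filtering the professor is pointing at.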

39. October 5, The Register – (International) IE, Chrome, Safari duped by bogus PayPal SSL cert. If an individual is using the Internet Explorer, Google Chrome or Apple Safari browsers during PayPal transactions, now would be a good time to switch over to the decidedly more secure Firefox alternative. That is because a hacker on October 5 published a counterfeit secure sockets layer (SSL) certificate that exploits a gaping hole in a Microsoft library used by all three of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. The bug was disclosed more than nine weeks ago, but Microsoft has yet to fix it. The October 5 release of the so-called null-prefix certificate for PayPal is a serious blow to online security because it makes it trivial for cybercrooks to defeat one of the web’s oldest and most relied-upon defenses against man-in-the-middle attacks. PayPal and thousands of other financial websites rely on such certificates so that a browser can verify, by checking the certificate’s signature, that the login page it has reached is not a forgery set up by con artists sitting between the user and the website he is trying to view. The certificate exploits a security hole in a Microsoft application programming interface known as the CryptoAPI, which IE, Google Chrome and Apple Safari for Windows use to parse a website’s SSL certificates. Even though the certificate is demonstrably forged, it can be used with a previously available hacking tool called SSLSniff to cause all three browsers to display a spoofed page with no warnings, even when its address begins with “https.” “Use this with SSLSniff and it’s game over,” a hacker who demonstrated the SSL weakness at the Black Hat security conference in Las Vegas, Nevada, said of the bogus PayPal cert. “It’s true that posting this doesn’t exactly seem prudent and is personally frustrating for me. Technically, though, it might be more fair to say that Windows users are at risk because of a vulnerability that remains unpatched by Microsoft.” Source:
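The name “null-prefix certificate” refers to a subject name of the form “www.paypal.com” followed by a NUL byte and then a host in a zone the attacker actually controls: a certificate authority that only validates the part after the NUL will issue it, while any client that copies the name into a C string and compares it stops at the NUL and sees only “www.paypal.com”. The example below is added for this page and is not code from the article, from Microsoft or from any browser; it builds the name as a minimal DER UTF8String so the embedded NUL survives parsing the way it does in a real certificate, and the attacker zone `host.attacker.example` is hypothetical. The two matchers contrast the C-string behaviour with the length-aware check that fixes it.

```python
"""Null-prefix subject names: C-string versus length-aware hostname matching.
Added example, not from the article or any browser; attacker host is hypothetical."""

HONEST_NAME = b"www.paypal.com"
FORGED_CN = b"www.paypal.com\x00host.attacker.example"   # hypothetical attacker zone


def der_utf8string(value: bytes) -> bytes:
    """Encode `value` as a DER UTF8String TLV (tag 0x0C) with a proper length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    elif n < 0x10000:
        length = b"\x82" + n.to_bytes(2, "big")
    else:
        raise ValueError("string too long for this encoder")
    return b"\x0c" + length + value


def parse_der_string(blob: bytes) -> tuple:
    """Return (content, bytes_consumed); honours the DER length, so NUL is just data."""
    if blob[0] != 0x0C:
        raise ValueError("not a UTF8String")
    first = blob[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    if len(blob) < offset + length:
        raise ValueError("truncated TLV")
    return blob[offset:offset + length], offset + length


def cstring_matches(cn: bytes, expected: bytes) -> bool:
    """Emulates the bug: once the name sits in a char buffer, strcmp() stops at NUL."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated == expected


def length_aware_matches(cn: bytes, expected: bytes) -> bool:
    """Correct check: compare the full DER content and refuse names containing NUL."""
    return b"\x00" not in cn and cn == expected


def demo() -> dict:
    """Parse the forged name and run it through both matchers."""
    cn, _ = parse_der_string(der_utf8string(FORGED_CN))
    return {
        "parsed_intact": cn == FORGED_CN,                      # the NUL is really there
        "cstring_accepts": cstring_matches(cn, HONEST_NAME),   # vulnerable path: True
        "length_aware_accepts": length_aware_matches(cn, HONEST_NAME),  # fixed path: False
    }


if __name__ == "__main__":
    print(demo())
```

The lesson generalises past this one certificate: any code that moves a length-prefixed field (DER strings, SNI, HTTP header values) into a NUL-terminated buffer has to either reject embedded NULs outright or carry the length through to the comparison, which is exactly the two conditions `length_aware_matches` enforces.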

Communications Sector

40. October 6, – (International) Etisalat users hit by more network problems. UAE operator Etisalat has been hit by a third day of network problems, with some mobile users across the country today complaining that they are unable to make or receive calls. An Etisalat spokesman said the problem relates to a series of network upgrades it is carrying out. It comes two days after the operator’s BlackBerry subscribers were hit by connectivity problems which prevented them from accessing the internet and sending and receiving emails. Etisalat claimed on October 4 that it had “successfully resolved a temporary outage on its BlackBerry service”, but on October 5 some users of the RIM device were still complaining that they were unable to receive emails. Etisalat said the outage was caused by a problem affecting an international carrier link. In a statement, the operator said: “Etisalat investigated the issue on a priority basis with the international carrier to resolve the problem. Etisalat regrets any inconvenience because of the outage.” Source:

41. October 6, The Hill – (National) Senate OK’s prison cellphone jamming bill. The Senate unanimously passed legislation that would block calls from cellphones within prison walls, intended to prevent prisoners from using contraband cellphones to orchestrate crimes or plan escapes. The bill is backed by a senator from Texas who is also a ranking member on the Senate Commerce Committee. “This legislation will disconnect the communications networks that prisoners and criminal enterprises have patched together using smuggled cell phones,” the senator said in a statement. “With innocent lives on the line, Congress has a responsibility to give the nation’s law enforcement community the tools necessary to effectively fight this growing problem. By adding cell jamming technology to the tools our corrections professionals can deploy, we can prevent criminals from terrorizing Americans from behind bars – even when phones evade detection and discovery and fall into convicts’ hands. I urge my colleagues in the House to swiftly pass this legislation.” As part of the Safe Prisons Communications Act, the Federal Communications Commission would conduct a rulemaking regarding the use of jamming devices in prison facilities, and the agency would have to approve any device used for the purpose. The bill also requires prisons that install the jamming device to have formal procedures for shutting down the system if it causes interference with outside networks or with public safety networks. Source:

42. October 5, The Register – (International) DDoS attack rains down on Amazon cloud. Web-based code hosting service Bitbucket experienced more than 19 hours of downtime over the weekend after an apparent DDoS attack on the sky-high compute infrastructure it rents from Amazon. This in turn left many developers without access to code projects hosted on Bitbucket, a GitHub-like service based on the Mercurial version control system. The news is sure to fuel fears over the security of Amazon’s Elastic Compute Cloud (EC2) and similar “infrastructure clouds,” online services that provide grid-like access to scalable processing, storage, and networking resources. “The lesson here is: ‘Don’t bet the farm on a single cloud provider,’” says the founder of and a security practitioner at a Fortune 500 company. “It’s common sense really. But people get lulled into thinking their site is always going to be available [when they host with a single provider].” According to a blog post from the Danish developer who runs Bitbucket, the site’s Amazon-hosted network storage became “virtually unavailable” beginning October 2, and the outage persisted well into October 3 before Amazon pinpointed the problem. Amazon advised him not to divulge the cause of the outage. But he divulged anyway. “We were attacked. Bigtime. We had a massive flood of UDP [User Datagram Protocol] packets coming in to our IP, basically eating away all bandwidth to the box,” he wrote. “So, basically a massive-scale DDOS. That’s nice.” After uncovering the problem, at least 16 hours after it was first reported, Amazon blocked the offending traffic, and service returned to normal. But by October 4 the problem returned, and another two hours passed before this second outage was reversed. Then, it seems, a third attack arrived. The Danish developer told The Register that an attack on an Amazon edge router took out service for some but not all Bitbucket customers for close to one and a half hours earlier on October 5. Source: