Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, October 27, 2009

Complete DHS Daily Report for October 27, 2009

Daily Report

Top Stories

 According to Homeland Security Today, the Department of Homeland Security has made strides in utilizing inspection technology and equipment, encouraging stakeholders to assist in securing the supply chain, and enhancing cooperation among law enforcement agencies at ports of entry. However, significant challenges remain, according to the co-chairman of the House Subcommittee on Border, Maritime, and Global Counterterrorism, which held a hearing late last week on “Cargo Security at Land Ports of Entry: Are We Meeting the Challenge?” (See item 21)


21. October 26, Homeland Security Today – (National) Staffing, resources becoming stressed at ports of entry. The Department of Homeland Security has made strides in utilizing inspection technology and equipment, encouraging stakeholders to assist in securing the supply chain, and enhancing cooperation among law enforcement agencies at ports of entry. However, significant challenges remain, according to the co-chairman of the House Subcommittee on Border, Maritime, and Global Counterterrorism, which held a hearing late last week on “Cargo Security at Land Ports of Entry: Are We Meeting the Challenge?” “Many ports of entry were constructed decades ago and were simply not built to accommodate modern security technology or procedures,” he said. “In addition to infrastructure challenges, staffing has not kept pace with needs. Thousands of new Border Patrol agents have been hired in recent years, while only a relatively small number of Customs and Border Protection (CBP) Officers have been added to the ranks at the ports of entry.” These limitations not only undermine our security, but hamper the Department’s ability to expedite vital commerce, he insisted. Amplifying these points, president of the National Treasury Employees Union, which represents CBP officers, said that CBP’s continuing emphasis on reducing wait times without increasing staffing at the ports of entry creates an extremely challenging work environment for frontline CBP personnel. “The major challenge of this mission is securing movement of goods without costly wait times and delays,” she said. “On one hand, CBP Officers and Agriculture Specialists are to fully perform their inspection duties, yet at all times they are made aware by management of wait times.” She explained that increased staffing is the key to the more effective movement of people and goods at the land ports of entry while at the same time ensuring that illegal drugs, drug money, arms and other dangerous items are stopped at the border. She called for an increase of at least 4,000 new CBP Officers. Source: http://www.hstoday.us/content/view/10789/149/


 The New York Times reported on October 25 that the U.S. President has declared the swine flu outbreak a national emergency, allowing hospitals and local governments to speedily set up alternate sites for treatment and triage of any surge of patients, the White House said. (See item 32)


32. October 25, New York Times – (International) H1N1 is still spreading globally. The U.S. President has declared the swine flu outbreak a national emergency, allowing hospitals and local governments to speedily set up alternate sites for treatment and triage of any surge of patients, the White House said. The declaration Saturday did not signify any unanticipated worsening in the United States of the H1N1 outbreak, officials said. It seemed likely, however, to increase concerns, disruptions and at times, panicky reactions, to a disease now affecting most parts. The disease has continued to spread rapidly in parts of the Northern Hemisphere, though it has slowed in much of the Southern Hemisphere. Worldwide, the swine flu has claimed nearly 5,000 lives, according to the World Health Organization. U.S. officials say more than 1,000 Americans have died because of it. Flu activity — virtually all of it the swine flu — is now widespread in 46 states, a level equaling the peak of a typical winter flu season. Millions of people in the United States have had swine flu either in the first wave in the spring or the current wave. Source: http://www.nytimes.com/2009/10/26/health/26H1N1.html?_r=1


Details

Banking and Finance Sector

16. October 25, ABC News – (Florida) Madoff billionaire found dead in Palm Beach swimming pool. A philanthropist who made $7 billion in the largest Ponzi scheme in history was found dead in his Palm Beach, Florida, swimming pool October 25. The Palm Beach Fire Department told ABC News that the philanthropist had no pulse when fire rescue workers arrived at his oceanfront mansion after his wife called 911. She and his housekeeper pulled his body from the pool shortly after noon. No one benefited more from the Ponzi scheme than the philanthropist, according to bankruptcy lawyers who sued him and alleged he had taken out $7 billion more than he had put in. Investigators told ABCNews.com that he would also have likely faced criminal charges. Some investigators considered the philanthropist to have been the actual mastermind of the massive con, or at least an equal “partner in crime” to the financier who ran it. “He made 30 times what the financier did from the scam and about a third of the missing money went to the philanthropist,” said one of the investigators on the case. Source: http://www.abcnews.go.com/Blotter/jeffry-picower-madoff-billionaire-found-dead-palm-beach-pool/story?id=8912743


17. October 24, Deseret News – (Utah) Investigators say $59 million scheme targeted Utah County. A 4th District Judge gave an order last week not to move any property as prosecutors pursue charges in an alleged $59 million Ponzi scheme. In an unusual pre-emptive strike, investigators moved to block suspects from selling or transferring real estate and vehicles valued at almost $2.3 million. It is a tactic normally employed when charges are filed in a white-collar criminal probe, which typically takes years to complete. But by that time, the assets are often long gone. Prosecutors want to do all they can to prevent that in what has become one of the largest scams Utah County has ever seen, said the chief investigator for the Utah County Attorney’s Office. Fraud probes such as this are keeping investigators busy. Victims of fraud in Utah County alone lost $64 million in 2008 and have lost $76 million so far this year. That is a spike from $45 million in the previous two years combined. Source: http://www.deseretnews.com/article/705339222/Scam-59M-down-drain.html


18. October 23, DarkReading – (International) Gift cards convenient and easy to hack. It is not just credit cards and debit cards that are at risk of fraud: pre-paid gift cards can also easily be cloned and stolen by cybercriminals, according to newly published research. Researchers at UK-based Corsaire say the magnetic-stripe technology used for gift cards and customer loyalty cards, as well as their easy accessibility, make them attractive targets for the bad guys. Gift cards can easily be “sniffed” off the shelf in the checkout line with a scanner and then cloned; the card number on the back of the card stolen; and the retailers’ Web-based gift card applications hacked. “Gift cards are a type of currency and thus, they’re likely to be targeted by fraudsters in the future,” says the principal security consultant with Corsaire, which first revealed some of its gift card hack research at EUSecWest in May. “It looks like standardized security guidelines are needed for the gift card industry. We’re hoping that our paper will serve as a good first step in accomplishing this.” Even unactivated gift cards are at risk: Corsaire says all a fraudster has to do is take one from a display in a retail store, scan it with the proper scanning device to clone it, and then use the card once an unsuspecting customer buys it and it’s activated. “Although gift cards need to be at a visible location in stores to attract customers, they should not be at a location easily available for anyone to reach. Doing so would help stop attackers from cloning them and putting them back on the stand,” the consultant says. “By doing this, all the attacker needs to do is wait for a customer to activate the gift card and load it with credit. Because the magstripe track data on these gift cards is the same before and after being activated, the attacker could now purchase goods for ‘free.’” Some gift cards display their card number on the back, which can provide a fraudster with enough information to clone a card, or even to redeem the gift card at the retailer, for instance. This way, they don’t even have to swipe the magnetic stripe. And sometimes the gift card numbers are printed on sales receipts, the researchers noted. “Some gift card balance lookup sites only require users to enter their gift card number, whereas others also require PIN in addition to the card number,” the consultant notes. And like any Web application, a gift-card application has its vulnerabilities, including the pervasive SQL injection flaw. “We also introduced some attacks which although we haven’t tested, could work against certain implementations. For instance, manipulating a card’s balance in the back-end database by crafting magstripe data with malicious SQL statements,” he says. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220900404&subSection=Vulnerabilities+and+threats


Information Technology


40. October 26, IDG News Service – (International) Guardian jobs site falls victim to ‘sophisticated’ hack. A major U.K. newspaper has notified 500,000 people that details they posted to the newspaper’s employment site may be in the hands of hackers. The Guardian posted a warning of the breach on its Web site on Friday. On Saturday, the newspaper said the system had been secured and those affected had been contacted by e-mail. The newspaper downplayed the impact of the breach, saying it affected “only a minority” of the 10,328,290 unique users who visit the site annually, and that some of the data lost was up to two years old. A spokeswoman for the Metropolitan Police said the Police Central e-Crime Unit is investigating, but there have been no arrests. The Guardian’s Jobs Web site runs on software from a company called Madgex. Officials from the company could not immediately be reached on Monday morning. Source: http://www.networkworld.com/news/2009/102609-guardian-jobs-site-falls-victim.html?hpg1=bn


Communications Sector

41. October 26, Los Angeles Times – (California) Court says cities have the right to bar telecommunications towers. In Palos Verdes Estates, where the first home builders 80 years ago had to pass muster before an “art jury,” it came as little surprise when city fathers nixed wireless telecommunications contraptions that would clash with the community’s carefully nurtured ambience and obstruct ocean vistas. “When you move to a community, you want cell coverage, but you also want beauty and aesthetics,” said an attorney who helped the city wage a legal battle against Sprint. Earlier this month, the U.S. 9th Circuit Court of Appeals sided with the seaside community, ruling that city officials could bar the construction of unsightly cellular towers. The city’s victory was hailed by urban planners concerned about the proliferation of visual blight in the name of technological progress. Like Palos Verdes Estates, San Francisco, San Diego County, La Cañada Flintridge and other communities have fought the purveyors of cellular service in court on aesthetic grounds and, for the most part, have won. The recent legal disputes, planners say, could encourage telecommunications companies to develop more creative alternatives amenable to residents’ concerns - or spur more litigation. Sprint had argued that the city’s rejection of two wireless construction projects on aesthetic grounds violated the 1996 Telecommunications Act, which bars municipalities from action that constitutes “a prohibition on the provision of wireless service.” A Sprint spokesman would say only that the company was “disappointed with the decision because of its potential impact on wireless coverage.” He declined to speculate on how the ruling might affect other pending projects denied building permits, including two similar wireless towers rejected by La Cañada Flintridge. Source: http://www.latimes.com/news/local/la-me-ugly-telecoms26-2009oct26,0,5439620.story


42. October 23, KTVX 4 Salt Lake City – (Utah) National Security Agency to build secretive data center in Utah. An intelligence official says the National Security Agency will build a secretive electronic data center at a National Guard camp in Utah. The deputy director for the Office of National Intelligence for Collection says the data center will be dedicated to protecting the nation from cyber-attacks. But that may be only part of the data center’s mission. Utah news reports based on federal budget documents have described the center as a collection point for surveillance of domestic and international telecommunications. The deputy director refused to say exactly what would go on at the data center. He was at the Utah Capitol on Friday along with the governor of Utah and Utah’s congressional delegation to talk about the $1.6 billion project. Source: http://www.abc4.com/content/news/top stories/story/National-Security-Agency-to-build-secretive-data/N2-hF2i5Qk6iB1B6LaaVxg.cspx


43. October 23, The Register – (International) Hotspot sniffer eavesdrops on iPhone in real-time. People who use public WiFi to make iPhone calls or conduct video conferences take heed: It just got a lot easier to monitor your conversations in real time. At a talk scheduled for October 24 at the Toorcon hacker conference in San Diego, two security researchers plan to show the latest advances in the open-source UCSniff tool for penetrating voice-over-internet-protocol systems. With a few clicks of a mouse, they will eavesdrop on a call between two audience members using popular iPhone applications that route the calls over the conference network. For more than a year, UCSniff has provided everything a hacker needs to plug a laptop into a network and within seconds begin intercepting VoIP transmissions. But until now, the program has allowed eavesdroppers to reassemble the conversations only after they were concluded, a limitation that was far from the elite bugging capabilities shown in Mission Impossible and other spy thrillers. “As the private call is in progress, we can see and hear what is happening,” said a developer of UCSniff and director of Viper Labs, the research arm of security firm Sipera Systems. “There’s real-time violation of confidentiality.” In addition to monitoring voice conversations as they happen, UCSniff can also bug video conferences in real time. The developer said he and a fellow Viper Labs researcher plan to show those capabilities at Toorcon as well. Source: http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/


For another story, see item 38 below

38. October 25, Middletown Journal – (Ohio) Warren County’s 911 phone line restored. Warren County, Ohio’s 911 emergency service is back on track. From sometime before 7 a.m. until about 3:15 p.m. Sunday, October 25, anyone who called 911 from a Cincinnati Bell land line in Warren County may have experienced no audio, said a dispatcher and shift supervisor. A cable carrying fiber was cut by work crews, according to the county. The outage did not affect any other phone carrier or cell phone users. The outage also affected the city of Franklin’s 911 center. Source: http://www.middletownjournal.com/news/middletown-news/warren-countys-911-phone-line-restored-366047.html