Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, May 5, 2010

Complete DHS Daily Report for May 5, 2010

Daily Report

Top Stories

USA Today reports that the Transportation Department never conducted required safety checks on 20,000 to 30,000 companies that got special permits to move risky shipments of hazardous materials by road, rail, water and air, according to data compiled by DOT’s inspector general. (See item 25)

25. May 4, USA Today – (National) Records: Safety checks didn’t follow special hazmat permits. The U.S. Transportation Department never conducted required safety checks on 20,000 to 30,000 companies that got special permits to move risky shipments of hazardous materials by road, rail, water and air, records show. Starting this month, DOT will require all the companies to file new permit applications and undergo a “fitness review,” including assessments of their safety and security records, before the permit is issued, according to an agency plan. The special permits allow holders to move hazardous loads that normally are barred, such as mixed cargos of flammable, toxic or caustic compounds. Some companies using the permits have had serious hazardous materials accidents or safety violations, according to data compiled by DOT’s inspector general. This year, for example, a company got a special permit to haul a poisonous and flammable ammonia solution despite having 14 hazardous material spills in the last four years, including four “serious” incidents that caused evacuations, major injuries, highway closures or other significant consequences. The firm also had 11 violations of hazardous materials rules. By law, DOT must evaluate the fitness of every company given a special permit, but it has issued dozens of blanket permits over the last decade to industry trade groups. The thousands of companies using those permits were not vetted by DOT, which doesn’t even know all their identities. DOT’s failure to evaluate each permit holder is a “pernicious” practice that “can significantly impact (public) safety,” the Inspector General said last month. Source:

reports that the Treasury Department blamed a cloud computing provider for the disruption of its Web site that provides the Internet face of the Bureau of Engraving and Printing. A researcher for IT security software vendor AVG wrote in his blog that “for a short while (Monday) a couple of websites were hacked, and were reaching out to an attack site in Ukraine.” (See item 37)

37. May 4, – (National) Treasury: Cloud computing host hacked. The Treasury Department blamed a cloud computing provider for the disruption of its Web site that provides the Internet face of the Bureau of Engraving and Printing, the agency that prints U.S. currency. A blog Monday reported that the sites were hacked. As of Tuesday afternoon, the bureau’s Web site was inaccessible. On Tuesday, Treasury issued the following statement: “The Bureau of Engraving and Printing (BEP) entered the cloud computing arena last year. The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected. On May 3, the Treasury Government Security Operations Center was made aware of the problem and subsequently notified BEP. BEP has four Internet address URLs all pointing to one public website. Those URLs are;;; and BEP has since suspended the Web site. Through discussions with the provider, BEP is aware of the remediation steps required to restore the site and is currently working toward resolution.” Treasury did not identify the host company. The chief research officer for IT security software vendor AVG wrote in his blog that “for a short while (Monday) a couple of websites were hacked, and were reaching out to an attack site in Ukraine.” He added: “They had been script injected with the line of code. BTW, you should not mess with the attack site. It was dead earlier (Monday), but could easily come back to life.” Source:


Banking and Finance Sector

21. May 4, Nashua Telegraph – (New Hampshire) Securities chief quits over scheme. New Hampshire’s securities chief resigned Monday and issued a scathing indictment of the government’s handling of the legal case against Financial Resources Mortgage (FRM) that has become a Lakes Region Ponzi scheme robbing investors of up to $100 million. The director of the Bureau of Securities Regulation vowed to press the Legislature to beef up powers to prevent this kind of case from recurring. The director contends the Banking Department stonewalled his investigators by not giving them all documents relating to the FRM matter. Asked if it amounted to a cover-up, he answered, “If someone is not providing the information that is available, then in fact that is a cover-up.” Last month, federal authorities indicted FRM and its president on wire fraud charges. They allege that many of the projects that investors contributed to were bogus and that he had pooled all the money collected into a single account. A trial date is set for June 5 in US District Court in Concord. House and Senate committees will open their investigation of the FRM matter Friday. Source:

22. May 4, Oklahoman – (Oklahoma) Serial bank robber sought in Oklahoma City area crimes. The FBI is looking for a man who has robbed at least seven banks in the Oklahoma City area, the last two crimes including pistol whippings. During each of the robberies, the man wore a ski mask and was armed with a black semiautomatic pistol. But on the last two robberies, including one in Edmond two weeks ago and another in Midwest City on Saturday, the robber used his gun to hit bank employees who were complying with the man’s demands. During the past 11 months the man has robbed banks in Oklahoma City, Norman, Edmond, and Midwest City. The man is suspected of robbing Bank of the West and Bank of Oklahoma banks. A reward of up to $10,000 is offered by Bank of the West, the Oklahoma Bankers Association, and the FBI for information leading to the capture and conviction of the robber. Source:

23. April 30, City of Berkeley, CA – (California; National) Community crime alert increase in credit card fraud. In recent months, the City of Berkeley Police Department (BPD) in California has seen a spike in identity theft and credit card fraud. These cases may be in the City of Berkeley, but personal and credit card information is usually used by a larger national and international network of criminals. After community members’ credit and bank accounts are compromised, suspects often use them at large retailers across the United States, with a high concentration in Texas, Louisiana, Michigan, and Georgia. BPD is investigating these cases and has some indications that they may be part of a larger data breach. Ultimately, BPD cannot confirm where the compromises originate. Source:

Information Technology

47. May 3, Krebs on Security – (International) Accused Mariposa botnet operators sought jobs at Spanish security firm. The technical director and blogger for Spanish security firm Panda Security spent much of the last year helping Spanish police with an investigation that led to the arrest of three local men suspected of operating and renting access to a massive and global network of hacked computers. Then, roughly 60 days after the hackers’ arrest, something strange happened: Two of them unexpectedly turned up at his office and asked to be hired as security researchers. He said he received a visit from them on the morning of March 22. The two men, known by the online nicknames “Netkairo” and “Ostiator,” were arrested in February by Spanish police for their alleged role in running the “Mariposa” botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries. “Ostiator told me, ‘The thing is, with everything that’s been happening, we’re not earning any money at the moment,’” the technical director recalled. “He said, ‘We thought we could look for some kind of agreement in which both sides would benefit. We think we have knowledge [that] could be useful to Panda and thought we could have some kind of agreement with Panda.’” Netkairo and Ostiator have not yet been charged with any crime. The technical director asked them how they got started creating Mariposa. “Basically, they said they started it as kind of a hobby, and that they weren’t working at the time,” he said. “Suddenly, they started to earn money, a few hundred Euros a week to start, and then discovered they couldn’t stop. And the whole time, their network kept growing.” Source:

48. May 3, IDG News Service – (International) Microsoft fixes bug in Producer software. Microsoft has released a new version of its Producer software, fixing a critical security problem that plagued the product for several months. Last March, Microsoft warned of a critical security bug in the product, but it did not release a new update. Instead, it said that Producer 2003 users should simply uninstall their software. On Monday, however, Microsoft posted an update, and is now recommending that “all customers using Producer 2003 upgrade to the new version,” according to a blog post from the Microsoft Security Response Center. The flaw, which has to do with the way Producer reads certain file formats, also affects Windows Movie Maker. But Microsoft issued a Movie Maker patch when it first warned of the issue in March. A similar product, Windows Live Movie Maker — which runs on Vista and Windows 7 — is not affected by the issue. Microsoft does not know of anyone exploiting the bug in online attacks, but it is worried that hackers might be able to use it to install unauthorized software on victims’ computers. Source:

49. May 3, eWeek – (International) Apple iPad jailbreak hits the street. Hackers have released software to jailbreak the Apple iPad as well as the latest version of the iPhone OS. The software, dubbed Spirit, works on the iPad, the iPod Touch, and iPhones running OS versions 3.1.2, 3.1.3 and 3.2. With Spirit, users can run programs not approved by Apple. Unlike other jailbreaks, Spirit is untethered, allowing users to reboot their devices without them being plugged into their computers. “Spirit is able to do this because it doesn’t actually kick in until after the kernel is running,” said the iPhone Dev Team. The Spirit jailbreak was demonstrated on the iPad in early April, but its release was delayed until the week of April 26 when the iPad 3G was released. Source:

50. May 3, DarkReading – (International) New IM worm spreading fast. A smiley-faced Instant Message (IM) with a photo link posing as if it is from someone on a user’s buddy list is actually spreading a worm on Yahoo Instant Messenger: The IM ultimately delivers a worm that allows an attacker to take over the victim’s machine, and to spread the worm to people on the victim’s contact list. On May 3, researchers at BitDefender, BKIS, and Symantec each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. A researcher for BitDefender says his team has seen infection rates as high as 500 percent per hour in his home country of Romania since they first spotted it last week. He expects the worm to make inroads in the United States May 3 and May 4, with potential victims coming off of a weekend. The worm — known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec — is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable. BitDefender said the worm contains a backdoor to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems. According to Symantec, once the worm is run, it adds itself to the Windows Firewall list, stops the Windows Update service, and configures itself such that it runs each time the system boots. The worm automatically sends itself to everyone on the victim’s contact list. Source:
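The three host-level behaviours Symantec attributes to the worm in item 50 (Windows Update service stopped, a Windows Firewall exception added, an autostart entry so it runs at boot) are each visible to a local administrator. The following PowerShell host-triage script is an added example written for this report; it is not from the DHS report or from any of the vendors named above. It assumes Windows PowerShell 5 or later with local administrator rights, and the directory patterns it flags (AppData, Temp, Users\Public, ProgramData) are a constructed heuristic for "program running from a user-writable path", not indicators published for this worm.

```powershell
# Added host-triage example (not from the DHS report or any named vendor).
# Reports the three behaviours item 50 describes: Windows Update stopped,
# a firewall exception for a program in a user-writable location, and an
# autostart (Run key) entry pointing into a user-writable location.
# The directory patterns below are a constructed heuristic, not published IoCs.

function Get-SuspiciousIndicators {
    $findings = @()
    $writablePath = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'

    # 1. Windows Update service (wuauserv) stopped or disabled
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($wu -and ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled')) {
        $findings += "Windows Update service: Status=$($wu.Status) StartType=$($wu.StartType)"
    }

    # 2. Autostart entries whose command points into a user-writable directory
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
            if ("$($p.Value)" -match $writablePath) {
                $findings += "Autostart '$($p.Name)' in $key -> $($p.Value)"
            }
        }
    }

    # 3. Firewall rules whose allowed program lives in a user-writable directory
    #    (netsh is used so the check also works on hosts without the NetSecurity module)
    $ruleText = netsh advfirewall firewall show rule name=all verbose 2>$null
    $current = $null
    foreach ($line in $ruleText) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            $current = $Matches[1]
        }
        elseif ($line -match '^Program:\s+(.*)$' -and $Matches[1] -match $writablePath) {
            $findings += "Firewall rule '$current' permits $($Matches[1])"
        }
    }

    return $findings
}

$results = Get-SuspiciousIndicators
if ($results.Count -eq 0) { 'No indicators found.' } else { $results }
```

Any hit is a lead for analyst review rather than proof of infection: legitimate installers also add Run keys and firewall exceptions, and the report does not give the worm's file name or path, so the script deliberately keys on the behaviours rather than on a signature.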

51. April 30, The Register – (International) Researchers spy on BitTorrent users in real-time. Researchers have devised a way to monitor BitTorrent users over long stretches of time, a feat that allows them to map the Internet addresses of individuals and track the content they are sending and receiving. In a paper presented the week of April 26 at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, the researchers demonstrated how they used the technique to continuously spy on BitTorrent users for 103 days. They collected 148 million Internet Protocol (IP) addresses and identified 2 billion copies of downloads, many of them copyrighted. The researchers, from the French National Institute for Research in Computer Science and Control, also identified the IP addresses where much of the content originated. They discovered that the vast majority of the material on BitTorrent started with a relatively small number of individuals. “We do not claim that it is easy to stop those content providers from injecting content into BitTorrent,” they wrote. “However, it is striking that such a small number of content providers triggers billions of downloads. Therefore, it is surprising that the anti-piracy groups try to stop millions of downloaders instead of a handful of content providers.” The researchers said the information leak is built into the very core of most BitTorrent systems, including those used by ThePirateBay and IsoHunt. Source:

Communications Sector

52. May 3, – (International) Out-of-control satellite threatens spacecraft. An adrift Intelsat satellite that stopped communicating with ground controllers last month remains out of control and has begun moving eastward along the geostationary arc, raising the threat of interference with other satellites in its path, Intelsat and other industry officials said. In what industry officials called an unprecedented event, Intelsat’s Galaxy 15 communications satellite has remained fully “on,” with its C-band telecommunications payload still functioning even as it has left its assigned orbital slot of 133 degrees west longitude 36,000 kilometers over the equator. Galaxy 15 stopped responding to ground controllers April 5. The satellite’s manufacturer, Orbital Sciences Corp. of Virginia, said an intense solar storm in early April may be to blame. The first satellite likely to face signal interference problems from the adrift Galaxy 15 is the AMC-11 C-band satellite owned by SES of Luxembourg. The chief technology officer at SES World Skies said the period of May 31 to June 1 is going to be the riskiest time for AMC-11 customers. On May 3, Intelsat blasted a powerful signal intended to force it into a complete shutdown. The chief technology officer at SES said that both SES and Intelsat are fortunate in this case because their two satellites’ customers are mainly media companies using fairly large antennas to communicate with the satellites. During the period of maximum danger for AMC-11, SES expects to be able to reroute customer signals to SES-operated teleports with still-larger antennas to maintain communications links. Intelsat’s vice president for satellite operations and engineering said the current estimate is that Galaxy 15 will lose Earth-pointing capability by late July or early August. Source: