Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, January 19, 2010

Complete DHS Daily Report for January 19, 2010

Daily Report

Top Stories

 The New York Times reports that on January 14 the Department of Homeland Security moved to increase random checks for explosives at American airports after officials cited a heightened concern over possible terror plots against the aviation system by al Qaeda operatives. Counterterrorism officials said the threat information was vague and did not specify a particular target or date. (See item 21)

21. January 15, New York Times – (National) Possibility of plots prompts more checks for explosives at airports. The Department of Homeland Security moved January 14 to increase random checks for explosives at American airports after officials cited a heightened concern over possible terror plots against the aviation system. Counterterrorism officials said that recent intelligence tips had hinted at a planned attack by Qaeda operatives, but that the threat information was vague and did not specify a particular target or date. Still, after failing to anticipate the attempted Christmas Day bombing of a Northwest Airlines flight, government officials said they wanted to take every precaution. “We must remain vigilant about the continued threat we face from Al Qaeda,” the Homeland Security Secretary said in a statement. “We are facing a determined enemy and we appreciate the patience of all Americans and visitors to our country, and the cooperation of our international partners as well as a committed airline industry.” The measures will include random checks with explosive-detection devices of passengers or baggage at locations around some American airports, not just at security checkpoints, one Homeland Security Department official said. The devices search for trace amounts of explosives as a sign that someone might be carrying a bomb. Air marshals will also more frequently board flights on certain unidentified routes, officials said. Canine teams and so-called behavior detection officers — which have been deployed in larger numbers since the December 25 episode — will continue to patrol airports, looking for suspicious activity or explosives. Three American counterterrorism officials declined the evening of January 14 to say what prompted the new travel advisory. But they suggested that they had seen an increase in tips about a possible attack from Al Qaeda in the Arabian Peninsula, the Yemen-based group that claimed credit for the failed December 25 plot. Source:

 According to the Associated Press, a chemical spill at the Clackamas County Dental Clinic in Oregon City, Oregon sent at least 10 people to three area hospitals on January 14. The spilled chemical was formocresol, a solution used in dental work. (See item 41)

41. January 14, Associated Press – (Oregon) Ore. chemical spill sends at least 10 to hospitals. Officials say at least 10 people went to area hospitals following a chemical spill at a health building in Oregon City. The Clackamas Fire District says emergency personnel were called to the Clackamas County Dental Clinic shortly before noon Thursday after people complained of headaches and minor respiratory symptoms. An American Medical Response spokeswoman said ambulances took 10 people to three area hospitals. Portland television station KPTV reported that the spilled chemical was formocresol, a solution used in dental work. The station says a worker dropped a jar of it. The clinic was evacuated after the spill, but reopened in the afternoon. Source:


Banking and Finance Sector

13. January 15, IDG News Service – (International) UK defendants await sentencing in carding scheme. Two U.K. men have pleaded guilty to charges related to the infamous DarkMarket payment-card fraud ring busted by authorities in October 2008, according to British police. The two men both pleaded guilty to conspiracy to defraud in Blackfriars Crown Court in London on January 14. DarkMarket was a highly organized, password-protected online forum where criminals worldwide could buy and sell credit card numbers, a practice known as “carding.” Since its shutdown, more than 60 people have been arrested by law enforcement agencies in the U.K., U.S., Germany, Turkey and other countries. The 33-year-old suspect was an “itinerant loner” who was allegedly observed selling lists of credit cards near the Java Bean Internet Cafe in Wembley, where he frequently accessed the DarkMarket site, according to the Serious Organised Crime Agency (SOCA). He used a memory stick to carry data around and seemed to think using Internet cafes would help shield his activities, SOCA said. The 66-year-old suspect was arrested in December 2008 after investigators found he was allegedly running a counterfeit credit card factory, SOCA said. This suspect, a retiree who lived in Doncaster, England, allegedly had details for more than 2,000 credit cards in his home along with a “suite of images and logos” needed to produce fake cards. Source:

14. January 15, United Press International – (National) FDIC head: ‘Shadow banks’ need regulation. Regulators and the market failed to control the “shadow banking system,” the head of the Federal Deposit Insurance Corp. said in Washington. In testimony before the Financial Crisis Inquiry Commission, the chairman said the last wave of federal regulation after the savings and loan crisis 20 years ago encouraged the growth of financial institutions outside the regulators’ reach. These institutions became so complex and large they could not simply declare bankruptcy when they got into trouble, she said. They are also outside FDIC receivership. The chairman said what is needed now is a “holistic” regulatory system. “To be sure, we can improve oversight of insured institutions, but if reforms only layer more regulation upon traditional banks, it will just create more incentives for financial activity to move to less regulated venues,” she said. “Such an outcome would only exacerbate the regulatory arbitrage that fed this crisis. If that occurs, reform efforts will once again be circumvented, as they were over the past two decades.” Source:

15. January 15, IDG News Service – (International) Romanian faces five years in prison for phishing scheme. A Romanian national pleaded guilty on January 14 to a charge related to a phishing operation that sought to defraud customers of banks such as Citibank and Wells Fargo, and of Web sites such as eBay. The 28-year-old, of Galati, Romania, could face up to five years in prison when he is sentenced on April 5 in U.S. District Court for the District of Connecticut, according to the U.S. Department of Justice. He pleaded guilty to a single charge of conspiracy to commit fraud related to spam. The suspect and another Romanian were accused of setting up fake Web sites in order to steal passwords and sensitive financial information. They also were allegedly passing payment card details to others who would then make fraudulent cards. A third Romanian co-conspirator was the first foreign national convicted in the U.S. of phishing and was sentenced in March 2009 to more than four years in prison. The 28-year-old admitted using software to collect e-mail addresses in order to send spam that would then try to entice people into browsing one of the fake Web sites. Source:

16. January 15, Gaithersburg Gazette – (Maryland) Few state banks have repaid TARP money to Treasury. Only three of the 20 Maryland banks that sold stock to the federal government through the Treasury Department’s Troubled Asset Relief Program have repaid at least part of the money, according to federal figures. The CEO of Shore Bancshares said the organization was “moving on,” and he did not want to comment beyond what the company said in a statement in March. Then, the CEO cited rule and image changes for the quick repurchase. “The representation made by the Treasury concerning TARP was that the program was designed to attract broad participation by healthy institutions, and that our participation in the program was important to restore confidence in our financial system and ensure that credit continue to be available to consumers and businesses,” the CEO said in the statement. “Over the past few months, however, it has become clear to us that the public, including many members of Congress, view institutions that participated in TARP as having done so because they are weak. ... We now believe that our participation in TARP puts us at a competitive disadvantage.” The only other Maryland bank that has repaid its TARP funds is Old Line Bancshares, according to Treasury figures as of January 12. Allowing banks to repay TARP funds so soon may backfire, said a bank analyst at Institutional Risk Analytics of Torrance, California, in a recent report. Despite signs of economic recovery, many banks may continue to experience higher losses this year from bad loans, he said. Source:

17. January 15, Associated Press – (National) Holder to look into FBI report of mortgage fraud. The Attorney General on January 14 told a commission investigating the financial crisis that he would find out whether anything was done in response to an FBI warning in 2004 of an “epidemic of mortgage fraud” that could plunge the country into financial collapse. He also said the diversion of hundreds of Justice Department and FBI officers to terrorism-related duties after the September 11, 2001, terror attacks may have made it harder for his agency to investigate the kind of risky banking practices that led to the nation’s financial meltdown in 2008. But he said that fighting white-collar crime had become a top priority for him and that more resources were being devoted to such cases. He testified at the second day of hearings by the Financial Crisis Inquiry Commission, a 10-member panel created by Congress to explore the causes of the economic collapse. The Commission Chairman grilled him over a September 4, 2004, warning from a top FBI official about “an epidemic of mortgage fraud coursing across this country” and the dire crisis that could occur if it were left unchecked. That was four years before the financial meltdown on Wall Street that led to unprecedented government bailouts of some of the nation’s largest banks and financial institutions. Source:

18. January 14, DarkReading – (New Hampshire) Lincoln National discloses breach of 1.2 million customers. Lincoln National Corp. (LNC) recently disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers. In a disclosure letter sent to the attorney general of New Hampshire January 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on January 6, the letter says. The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system. “This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,” the letter says. “The sharing of usernames and passwords is not permitted under the LNC security policy.” Upon further investigation, Lincoln found another of its subsidiaries, Lincoln Financial Advisers, was using shared usernames and passwords to access the portfolio information management system, the letter states. In the end the company found a total of six shared usernames and passwords, some created as early as 2002. The forensic team that investigated the breach found no evidence that the data had been used outside of the company, either by hackers or by former employees, according to the letter. The practical lesson is that a shared credential defeats both accountability and revocation: once an account is used by many people, no login can be tied to an individual, and the password cannot be changed without coordinating every user, so it tends to survive for years, as these did. Source:
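Shared credentials of the kind described in the Lincoln letter leave a recognizable trace in authentication logs: one username with sessions open at the same time from different source hosts. The following Python script is an added example, not code from the report or from Lincoln National, and the log lines, field names (`LOGIN`/`LOGOUT`, `user=`, `src=`) and the `portfolio_ro` account are constructed for illustration. It replays the events in time order, tracks which sources hold a live session for each user, and records every login that overlaps a session from another host.

```python
"""Flag usernames whose sessions overlap in time from different source hosts.

Added example: the log format and the sample lines below are constructed,
not taken from the report or from any Lincoln National system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, user, source host.
SAMPLE_LOG = """\
2010-01-04T09:00:12 LOGIN user=portfolio_ro src=10.1.4.21
2010-01-04T09:02:40 LOGIN user=portfolio_ro src=10.1.9.77
2010-01-04T09:03:05 LOGIN user=jdoe src=10.1.4.30
2010-01-04T09:45:00 LOGOUT user=jdoe src=10.1.4.30
2010-01-04T10:10:00 LOGIN user=jdoe src=10.2.0.5
2010-01-04T10:30:00 LOGIN user=portfolio_ro src=10.3.1.15
2010-01-04T11:00:00 LOGOUT user=portfolio_ro src=10.1.4.21
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT) user=(\S+) src=(\S+)$")


def parse_events(log_text):
    """Parse the constructed format into (time, kind, user, src), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        ts, kind, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), kind, user, src))
    events.sort(key=lambda e: e[0])
    return events


def find_shared_accounts(log_text, max_session=timedelta(hours=8)):
    """Return {user: [(time, {concurrent sources}), ...]} for overlapping sessions.

    A session runs from LOGIN until its LOGOUT, or until max_session has
    elapsed for sessions that never log out (a safety valve against stale state).
    """
    active = defaultdict(dict)      # user -> {src: login_time}
    findings = defaultdict(list)    # user -> [(time, set of sources)]
    for ts, kind, user, src in parse_events(log_text):
        sessions = active[user]
        for s, started in list(sessions.items()):
            if ts - started > max_session:
                del sessions[s]     # expire a session that never logged out
        if kind == "LOGOUT":
            sessions.pop(src, None)
            continue
        others = {s for s in sessions if s != src}
        sessions[src] = ts
        if others:
            # Another host still holds a live session for this user: the
            # credential is being used by more than one person or machine.
            findings[user].append((ts, others | {src}))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_shared_accounts(SAMPLE_LOG).items():
        for when, sources in hits:
            print(f"{when.isoformat()} {user} concurrent from {sorted(sources)}")
```

On the constructed log, `portfolio_ro` is flagged twice (two hosts at 09:02:40, three at 10:30:00) while `jdoe`, who logged out before logging in from a second machine, is not. In production the same logic runs over the authentication source the portfolio system actually writes, and a hit is the trigger to rotate the credential and issue individual accounts.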

For another story, see item 57 below in the Information Technology Sector

Information Technology

52. January 15, IDG News Service – (International) Conficker worm hasn’t gone away, Akamai says. Variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of the attack traffic on the Internet, according to Akamai Technologies. “Although mainstream and industry media coverage of the Conficker worm and its variants has dropped significantly since peaking in the second quarter, it is clear from this data that the worm (and its variants) is apparently still quite active, searching out new systems to infect,” Akamai said in its State of the Internet report for the third quarter of 2009, released on January 14. During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445 (Microsoft-DS, SMB over TCP) is the port Conficker targets, aiming to exploit a buffer overflow vulnerability in the Windows Server service (patched in MS08-067) and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S. as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic, and No. 4 China accounted for 6.5 percent, it said. Source:
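A worm that spreads over port 445 looks different from legitimate SMB use: an infected host opens connections to many distinct peers on that port in a short time, while a real client talks to a handful of file servers. The Python below is an added example, not part of the Akamai report or its methodology; the flow records it consumes are constructed (a 12-host sweeper, a normal SMB client and a web client) and the field names, window and threshold are assumptions. It reports the share of flows per destination port, the figure Akamai quotes as 78 percent for port 445, and flags sources whose count of distinct port-445 targets within a window exceeds a threshold.

```python
"""Flag hosts sweeping many distinct peers on TCP/445, the Conficker spreading pattern.

Added example, not from the Akamai report: the flow lines below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def _constructed_flows():
    """Build a small flow log: one port-445 sweeper, one normal SMB client, one web client."""
    base = datetime(2009, 9, 1, 12, 0, 0)
    rows = []
    for i in range(12):  # sweeper: 12 distinct hosts on 445 within 22 seconds
        t = base + timedelta(seconds=2 * i)
        rows.append(f"{t.isoformat()} src=192.0.2.10 dst=198.51.100.{i + 1} dport=445")
    for i in range(4):   # ordinary client talking to two file servers
        t = base + timedelta(seconds=5 * i)
        rows.append(f"{t.isoformat()} src=192.0.2.20 dst=198.51.100.{200 + i % 2} dport=445")
    for i in range(5):   # web browsing, not SMB at all
        t = base + timedelta(seconds=3 * i)
        rows.append(f"{t.isoformat()} src=192.0.2.30 dst=203.0.113.{i + 1} dport=80")
    return "\n".join(rows)


SAMPLE_FLOWS = _constructed_flows()


def parse_flows(flow_text):
    """Yield (time, src, dst, dport) for each well-formed record."""
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)


def port_share(flow_text):
    """Fraction of flows per destination port (the per-port breakdown Akamai reports)."""
    counts = Counter(dport for _, _, _, dport in parse_flows(flow_text))
    total = sum(counts.values())
    return {port: n / total for port, n in counts.items()}


def detect_smb_scanners(flow_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src: peak distinct port-445 targets within `window`} for sources
    whose peak reaches min_targets. Both parameters are assumed tuning values."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(flow_text):
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        peak = 0
        for i, (ts, _) in enumerate(hits):
            # distinct destinations seen in the trailing window ending at this flow
            recent = {dst for t, dst in hits[: i + 1] if t >= ts - window}
            peak = max(peak, len(recent))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    share = port_share(SAMPLE_FLOWS)
    print(f"port 445 share: {share[445]:.1%}")
    for src, peak in detect_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct port-445 targets in one window, likely worm scanning")
```

The distinct-target count, rather than the raw connection count, is what separates a worm from a busy file-server client; the same host retrying one server a hundred times never trips the threshold.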

53. January 15, SC Magazine – (International) Adobe offers conflicting statements on whether its software was connected to the Google attack. Adobe has said in a statement that researchers have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used in the Google incident. Adobe issued a statement on January 12, saying it was aware of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. In an update posted on January 14, Adobe’s director of product security and privacy acknowledged the ‘media coverage and headlines indicating that vulnerabilities in Adobe Reader may have been the attack vector in this incident’. He said: “Just like we always do in the case of reports of security vulnerabilities in an Adobe product, we have been actively tracking down samples or other information regarding potential vulnerabilities in Adobe products related to this incident.” “Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010. Even though we do not have any information regarding a zero-day vulnerability in an Adobe product, the sophistication of this incident also serves as a reminder to all of us the importance of layers of security to provide the best possible defense against those with malicious intent.” Source:

54. January 14, eWeek – (National) Rockefeller ready with cyber-security bill. Prompted by Google’s report that the search giant and some 20 other companies were victims of sophisticated cyber-attacks from within China, a senator promised on January 13 to mark up his cyber-security legislation early this year. Introduced by the senator and another senator from Washington in April and redrafted late last summer, the bill would create a National Cybersecurity Adviser under the authority of the president to coordinate cyber-security efforts. The two senators drafted the legislation in response to years of post-9/11 complaints that neither the private sector nor government officials were doing enough to adequately protect the nation’s critical cyber-infrastructure. According to a number of reports, the senators drafted the bill after consulting with the White House. While no one particularly objected to a cyber-czar, there were howls of protest about the details in the bill. As originally drafted, the Cybersecurity Act gave the president an Internet “kill switch” for reasons of national security or in an emergency, and the authority to designate private networks as critical infrastructure subject to cyber-security mandates, including standardized security software and testing, and licensing and certification of cyber-security professionals. The new language dropped all references to the president’s ability to shut down the Internet. Instead, the two senators granted the president the authority to declare a cyber-security emergency and to direct the “national response to the cyber threat.” Source:

55. January 14, eWeek – (International) IETF completes fix for SSL security vulnerability. The Internet Engineering Task Force (IETF) has finished work on a fix for the TLS renegotiation vulnerability that security researchers disclosed last August. The flaw undermines the guarantee behind the browser’s SSL lock and lets an attacker inject data into sessions on sites that rely on SSL/TLS, including banking sites and back-office systems that use Web services-based protocols. “The bug allows a man-in-the-middle to insert some malicious data at the beginning of a vulnerable SSL/TLS connection, but does not allow him to directly read the data sent by the legitimate parties,” explained one of the individuals who found the vulnerability. “This capability is referred to as a ‘blind plaintext injection attack.’ Initially, it was hoped that this limited capability would offer some mitigation. Unfortunately, it seems that HTTPS is particularly strongly affected because of its design, and an effective attack on the Twitter HTTPS API was demonstrated shortly after the vulnerability was publicly disclosed.” The fix is a TLS extension that cryptographically binds a renegotiation to the connection on which it occurs (the renegotiation indication extension, later published as RFC 5746); after incorporating feedback from the TLS community, the proposed fix was approved by the IESG on January 7, 2010. The IESG is responsible for the technical management of IETF activities and the Internet standards process. The decision means vendors can now begin to ship patches that implement IETF’s change. Source:
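Whether a server has picked up the IETF fix is visible on the wire: a patched server answers a client that signals support with a `renegotiation_info` extension (type 0xff01) in its ServerHello, and on an initial handshake that extension carries an empty `renegotiated_connection`, which encodes as a single zero length byte. The Python below is an added example, not code from eWeek, the IETF or any TLS implementation: it assembles a minimal TLS 1.0 ServerHello record (with an all-zero random, since nothing is being secured), parses the extension block, and reports whether the server supports secure renegotiation. The builder and its cipher-suite choice are assumptions made for the illustration; the parser follows the ServerHello layout in the TLS specification.

```python
"""Check a captured TLS ServerHello for the renegotiation_info extension (RFC 5746).

Added example. The build_server_hello helper constructs a minimal ServerHello
so the parser can run offline; it is not a real server's output.
"""
import struct

HANDSHAKE = 0x16               # TLS record content type
SERVER_HELLO = 0x02            # handshake message type
EXT_RENEGOTIATION_INFO = 0xFF01


def build_server_hello(extensions, version=(3, 1), cipher_suite=0x002F):
    """Assemble a TLS record holding a ServerHello with the given [(type, data)] extensions.

    Constructed for the example: zero random, empty session id, null compression.
    """
    body = bytes(version) + bytes(32) + b"\x00"
    body += struct.pack("!HB", cipher_suite, 0)
    if extensions:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def parse_server_hello(record):
    """Return version, cipher suite and {ext_type: ext_data} from a ServerHello record.

    Every length is checked against the enclosing structure so a truncated or
    malformed capture raises ValueError instead of reading past the buffer.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello body")
    pos = 0
    version = (body[0], body[1]); pos += 2
    pos += 32                                   # server random
    sid_len = body[pos]; pos += 1 + sid_len     # session id
    if pos + 3 > len(body):
        raise ValueError("ServerHello ends inside session id")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method
    extensions = {}
    if pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("dangling byte after compression method")
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length disagrees with body length")
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if pos + length > end:
                raise ValueError("extension overruns extension block")
            extensions[ext_type] = body[pos:pos + length]; pos += length
        if pos != end:
            raise ValueError("trailing bytes in extension block")
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record):
    """True if the ServerHello carries renegotiation_info with an empty
    renegotiated_connection, the form RFC 5746 requires on an initial handshake."""
    ext = parse_server_hello(record)["extensions"].get(EXT_RENEGOTIATION_INFO)
    return ext == b"\x00"


if __name__ == "__main__":
    patched = build_server_hello([(EXT_RENEGOTIATION_INFO, b"\x00")])
    legacy = build_server_hello([])
    print("patched server:", supports_secure_renegotiation(patched))
    print("legacy server: ", supports_secure_renegotiation(legacy))
```

A server that answers without the extension is still running the pre-fix renegotiation, and a client following the IETF change will refuse to renegotiate with it; a server that echoes something other than an empty value on an initial handshake is also out of spec, so the check tests the content, not just the presence, of the extension.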

56. January 14, Computerworld – (International) Microsoft confirms IE zero-day behind Google attack. Microsoft issued a security advisory Thursday that warned users of a critical and unpatched vulnerability in Internet Explorer (IE), and acknowledged that it had been used to hack several companies’ networks. “We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks,” said the director of Microsoft’s Security Response Center (MSRC), in a post to the group’s blog. Earlier on January 14, antivirus company McAfee said the IE bug had been exploited by hackers who had attacked computer networks of nearly three dozen major companies between mid-December 2009 and January 4, 2010. McAfee said then that Microsoft would soon release this advisory. The security advisory said that the only version of IE not containing the critical flaw was IE 5.01 running on Windows 2000. All other versions, including IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are vulnerable to attack. Even so, the director downplayed the threat to average Windows users. Source:

57. January 14, Washington Post – (National) Google China cyberattack part of vast espionage campaign, experts say. Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. At least 34 companies — including Yahoo, Symantec, Adobe, Northrop Grumman, and Dow Chemical — were attacked, according to congressional and industry sources. Google, which disclosed on January 12 that hackers had penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe, and China, threatened to shutter its operations in the country as a result. Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit. Security experts say the attacks showed a new level of sophistication, exploiting multiple flaws in different software programs and underscoring what senior administration officials have said over the past year is an increasingly serious cyber threat to the nation’s critical industries. “Usually it’s a group using one type of malicious code per target,” said the head of international cyber-intelligence for VeriSign’s iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. “In this case, they’re using multiple types against multiple targets — but all in the same attack campaign. That is a marked leap in coordination.” Source:

58. January 13, Network World – (International) DDoS attacks are back (and bigger than before). Distributed denial-of-service (DDoS) attacks are not new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, thanks to some high-profile targets and, experts say, two important changes in the nature of the attacks. The targets are basically the same — private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from saturating ISP connections to aiming legitimate-looking requests at the servers themselves, which are harder to filter because each request is individually well-formed. In fact, said the CSO of Cambridge, Massachusetts-based Akamai Technologies, the botnets launching many of today’s DDoS attacks are so vast that those controlling them probably lost track of how many hijacked machines they control a long time ago. “We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected,” the CSO said, referring to old-school worm attacks like Blaster, Mydoom, and Code Red. “Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon.” Source:

Communications Sector

59. January 15, Brown News Service – (Ohio) Damaged line knocks out phone service. A damaged fiber optic line in Brown County caused interruption to 911 service, cellular phones and long distance service in Adams and Brown counties for about five hours on January 11. Although the line directly affected Verizon customers, AT&T cellular customers were also out of service. Verizon, which is in the process of selling its Ohio land lines to Frontier Communications, said the aerial line was damaged on Hamer Road, south of Sardinia and Tracy Road in Brown County, at about 3:30 p.m. In addition to disrupting land line service, the fiber optic line also feeds a nearby cell phone tower, which was temporarily disrupted as a result. “The fiber line was damaged by someone, however we do not believe it was vandalism,” the manager of North Central Media Relations for Verizon said on January 12. “We had everything transferred to the Highland County Sheriff’s Office, the Adams County Sheriff’s Office and to our regular business line,” said the Adams County 911 director. Source:

60. January 14, Dallas Morning News – (Texas) AT&T doesn’t know what caused 3G network outage. AT&T Inc. said its cellular network in the Dallas area suffered from an unexplained outage on January 14. Several AT&T customers reported that the problems ceased when they turned off access to 3G on their phones and fell back to the slower 2G network. Critics have complained recently that AT&T’s network in many cities is buckling under the strain of so many new 3G users, particularly iPhone users. While AT&T acknowledged network problems in New York and San Francisco, it has said its service elsewhere has performed well despite the influx of 3G devices. The Dallas-based company said it was working to restore service. Source:

61. January 14, Newton Kansan – (Kansas) Phone line outage cuts Harvey County 911 service. Emergency calls to 911 had to be rerouted Wednesday after a cut communications cable resulted in a service interruption that affected several south-central Kansas counties. Service went down about 1:30 p.m. in Harvey County and was down for about three hours, until 4:30 p.m., said the assistant director of Harvey County Communications. The loss of service meant calls did not go through between cities or between the 316 and 620 area codes. The cities of Burrton, Hesston, and Walton set up answering points to redirect emergency calls. Calls in Newton, Halstead, Sedgwick, and Whitewater were redirected to local numbers. Harvey County’s back-up is in Hutchinson, which also was affected by the outage. The assistant director said he thought Sumner and Butler counties also were affected. The assistant director said there was one Hesston EMS call that had to be rerouted, but the reporting party used a cell phone and was able to get through to emergency personnel. Source: