Department of Homeland Security Daily Open Source Infrastructure Report

Friday, January 22, 2010


Top Stories

• The Associated Press reports that Dayton, Ohio officials have ordered about 50 employees to evacuate the Lord Corporation APD aerospace plant near where a truck leaking hazardous acids forced the shutdown of Interstate 75 and created a green cloud drifting westward. (See item 13)


13. January 20, Associated Press – (Ohio) Some evacuations following Ohio acid spill. In Dayton, officials have ordered about 50 employees to evacuate an aerospace company’s plant near where a truck leaking hazardous acids forced the shutdown of Interstate 75 and created a green cloud drifting westward. A plant manager for Lord Corporation APD says employees were sent home early Wednesday evening. A patrol lieutenant says authorities were alerted Wednesday afternoon that a truck had pulled over and was leaking yellow fluid on the highway just north of Dayton. Authorities who arrived on the scene discovered the truck was carrying hydrochloric and sulfuric acid. The patrol does not know how much acid the truck was carrying or how much of the substance leaked onto the road. The highway will be closed for several hours as a hazardous materials crew cleans up the acid. He says authorities are not evacuating nearby areas, but they are keeping an eye on the scene. Source: http://www.wfmj.com/Global/story.asp?S=11855821


See item 4 below


4. January 21, Dayton Daily News – (Ohio) I-75 lane closures caused by acid leak expected through morning. It could be mid-morning Thursday, January 21, before all lanes of Interstate 75 north reopen because of the chemical spill from a semi-trailer on the night of January 20 that led to an hours-long shutdown of the north and south lanes, an official said. At 8:53 p.m. on January 20, authorities were trying to reopen one northbound lane within the hour, said a coordinator of the Dayton Regional Hazardous Materials Unit. He explained that 100 to 300 gallons of run-off from waste material aboard the semi-trailer would have to be sopped up and the vehicle would have to be towed from the interstate before that could happen. He said hazmat workers traced the leak to a 300-gallon container of sulfuric acid, but they were still not clear how the leak began. The Ohio Highway Patrol and the Public Utilities Commission of Ohio will be investigating, he said. According to a preliminary investigation, the semi-trailer loaded with hydrochloric, sulfuric and phosphoric acids left West Carrollton from Veolia ES Technical Solutions on the afternoon of January 20 en route to Michigan when it was pulled over by a trooper around 5:15 p.m. Source: http://www.daytondailynews.com/news/dayton-news/i-75i-75-lane-closures-caused-by-acid-leak-expected-through-morning-502728.html?imw=Y


• According to the Associated Press, federal authorities are investigating a rash of church fires in East Texas, where seven such blazes have been reported since January 1. (See item 58)


58. January 20, Associated Press – (Texas) Feds probing rash of church fires in East Texas. Federal authorities are investigating a rash of church fires in East Texas, where seven such blazes have been reported since January 1. Police said the latest Tyler-area fire at Bethesda House of Prayer in Lindale was quickly contained Wednesday morning. No injuries or deaths have been reported. The Lindale fire came after two weekend church fires in Tyler, about 100 miles east of Dallas. Authorities have not said the fires are linked, or whether arson was the cause. Agents with the Bureau of Alcohol, Tobacco, Firearms and Explosives moved in last week after three church fires were reported over 12 days in nearby Athens. The Athens blazes caused officials to re-examine a church fire in Canton, 40 miles west of Tyler. Source: http://www.dallasnews.com/sharedcontent/APStories/stories/D9DBJ2PO0.html


Details

Banking and Finance Sector

14. January 21, Computerworld – (National) Heartland’s $60M breach settlement offer not enough, lawyers say. Lawyers representing financial institutions in a data breach lawsuit against Heartland Payment Systems Inc. are calling a recently proposed $60 million settlement offer from the company far too meager. In a statement released on January 20, the lawyers said the proposed settlement would only pay banks and credit unions “pennies on the dollar,” while releasing Heartland and other potentially liable parties from further legal action. Princeton, New Jersey-based Heartland announced in January 2009 that unknown intruders had broken into its systems and stolen card data. More than 130 million credit and debit cards were believed to have been compromised in the intrusion, making it the biggest ever involving payment card data. Hundreds of banks were affected by the breach. Many of them later sued the payment processor seeking to recover card-reissuance and fraud-related costs. Earlier in January, Heartland and Visa announced a settlement under which Heartland said it would pay up to $60 million to compensate card issuers for breach-related costs. The proposed settlement requires card issuers to release Heartland and Visa from any additional liability. Banks and credit unions affected by the breach have until January 29 to decide whether to accept the terms of the settlement. The proposed settlement will go into effect if at least 80 percent of affected Visa card issuers agree to it. Source: http://www.computerworld.com/s/article/9146758/Heartland_s_60M_breach_settlement_offer_not_enough_lawyers_say


15. January 21, V3.co.uk – (International) Security fears dog online banking. Online banking customers are worried about their financial security, but banks are lagging behind, according to a global survey of 4,500 internet users. The survey identified security as a concern for 86 per cent of online banking users, compared with just 68 per cent for users of government web sites and 64 per cent for online health care. Four out of five wanted better protection than a simple password. “Consumers are very much aware of the threats,” the senior manager of identity protection and verification at RSA told V3.co.uk. “They are not satisfied with simple password protection. Consumers really want and need this security.” The manager explained that, while some European banks use two-factor authentication, many UK and US banks are turning to risk-based authentication. A risk-based approach monitors user behavior and applies computer algorithms to usage patterns to determine whether an account has been compromised. Such systems avoid the ‘man in the middle’ attacks that can defeat two-factor authentication. Internet users are also getting savvier about the threats from phishing and malware: in a similar survey in 2007, 63 per cent of respondents were aware of Trojans, and this had risen to 81 per cent last year. Source: http://www.v3.co.uk/v3/news/2256508/security-fears-dog-online


16. January 20, IDG News Service – (National) Heartland moves to encrypted payment system. Responding to its widely reported and massive data breach that took place a year ago, Heartland Payment Systems will be moving to an end-to-end encryption system for payment transactions, according to the Chairman and CEO. “End-to-end encryption is a good way to mitigate the risk of having the kind of compromise that we and hundreds of other companies have had,” the CEO said in an interview. “We’re using encryption on the front end to keep card numbers out of our merchants’ systems, and to also have all the card numbers coming through our network be encrypted throughout, except at the point of decryption,” he said. The company, which handles more than 4 billion transactions annually for more than 250,000 merchants, will be using the Thales nShield Connect hardware security module along with Voltage Security’s SecureData encryption software as the basis of this capability. Source: http://www.pcworld.com/businesscenter/article/187260/heartland_moves_to_encrypted_payment_system.html


17. January 20, Wall Street Journal – (National) U.S. looks to keep bank fee from disrupting markets. The Treasury Department is consulting with Congress and market participants on the details of the government’s planned “financial crisis responsibility fee,” a Treasury spokesman said, amid worries that the levy could disrupt the Treasury market. A disruption in the Treasury market would hurt the broader economy by raising interest rates and also would hit the government’s own bottom line by boosting the costs of its borrowing at a time when Treasury has to sell massive amounts of debt to cover a trillion-dollar-plus deficit. The Treasury Department spokesman said the Treasury has been tuned in from the beginning on how the fee could affect markets and is broadly considering the concerns of market participants and mulling over a number of technical ideas that have been suggested. Around the time the U.S. President unveils his fiscal 2011 budget, on February 1, the Treasury is expecting to have more details on what form the fee could take, the spokesperson said. To keep the levy from disrupting markets, Treasury could exempt the securities repurchase market for government debt from the 0.15-percentage-point fee, which will be levied on liabilities that are not covered by the FDIC. The roughly $5 trillion repo market is the core of debt markets, where investors and financial firms raise short-term funding secured by government debt securities. Source: http://online.wsj.com/article/SB10001424052748704320104575015314043161970.html?mod=googlenews_wsj


18. January 20, NewsFactor Network – (International) DIY cybercrime kits power growth in phishing attacks. Do-it-yourself (DIY) cybercrime kits are driving a surge in Internet-borne computer infections. DIY kits have been a staple in the cyberunderground for some time, but now they have dropped in price and become more user-friendly. “If you know how to download music or a movie you have the necessary experience to begin using one of these kits,” says a senior researcher at security firm Damballa. Indeed, new cybercrooks and veterans alike are using DIY kits to carry out phishing campaigns at an accelerated rate, security researchers say. They have been blasting out fake e-mail messages crafted to look like official notices from UPS, FedEx, or the IRS; or account updates from Vonage, Facebook, or Microsoft Outlook; or medical alerts about the H1N1 flu virus. The faked messages invariably ask the recipient to click on a Web link; doing so infects the PC with a banking Trojan, a malicious program designed to steal financial account logons. Often, the PC also gets turned into a “bot”: the attacker silently takes control and uses it to send out more phishing e-mail. Generally sold for $400 to $700, the kits come with everything an individual needs to begin infecting PCs. Selling software is legal; what a user does with it can get the user into trouble. Source: http://www.newsfactor.com/news/DIY-Cybercrime-Kits-Spur-Phishing/story.xhtml?story_id=110003LAJ3EU


19. January 20, Reuters – (National) US FDIC geared up for busy year of bank failures. The U.S. agency charged with dismantling or selling off failed banks said it is equipped to deal with what it sees as a busy 2010, according to remarks to be delivered before Congress on January 21. The Federal Deposit Insurance Corp expects that bank failures will remain elevated this year, said the director of the FDIC’s division of resolutions and receiverships. Regulators seized 140 banks in 2009, the highest annual level since 1992 in the wake of the savings and loan crisis. Many of the institutions collapsed due to deteriorating loans from the credit boom. “While the economy is showing signs of improvement, recovery in the banking industry tends to lag behind other sectors. We expect to see the level of failures continue to be high during 2010,” the director said in testimony posted to the website of the House of Representatives subcommittee on financial institutions. The FDIC has said it expects the total bill for bank failures to reach $100 billion for the period of 2009 through 2013. The woes in the banking industry have migrated from home mortgages to commercial real estate (CRE), especially for community banks that tend to have higher concentrations of commercial loans. Source: http://www.reuters.com/article/idUSN2017182020100120


20. January 20, Associated Press – (California) SoCal businessman convicted of $62M Ponzi scheme. A Huntington Park businessman has been convicted of federal charges for running a $62-million investment scheme that bilked more than 2,000 people. The U.S. attorney’s office says the defendant was convicted on January 19 of mail fraud and making false statements. He could face up to 125 years in federal prison. He remained jailed on January 20 without bail. Prosecutors say the defendant’s company, Best Diamond Funding, promised high returns on real estate investments to mainly blue-collar clients — some of whom mortgaged their homes or emptied their retirement savings. Prosecutors say he used about $30 million from later investors to pay earlier ones and invested little of the money. The scheme was advertised in Spanish-language magazines, on the Internet, and in seminars. Source: http://www.mercurynews.com/breaking-news/ci_14231746


Information Technology


45. January 21, Computerworld – (International) Microsoft confirms 17-year-old Windows bug. Microsoft late on January 17 issued its second advisory of the last week, warning users that a 17-year-old bug in the kernel of all 32-bit versions of Windows could be used by hackers to hijack PCs. The vulnerability in the Windows Virtual DOS Machine (VDM) subsystem was disclosed on January 19 by a Google engineer on the Full Disclosure security mailing list. Coincidentally, the engineer received credit for reporting the single vulnerability that Microsoft fixed last week on its regular Patch Tuesday. The VDM subsystem was added to Windows with the July 1993 release of Windows NT, Microsoft’s first fully 32-bit operating system. VDM allows Windows NT and later to run DOS and 16-bit Windows software. The January 20 advisory spelled out the affected software — all 32-bit editions of Windows, including Windows 7 — and told users how to disable VDM as a workaround. Windows’ 64-bit versions are not vulnerable to attack. Source: http://www.computerworld.com/s/article/9146820/Microsoft_confirms_17_year_old_Windows_bug


46. January 20, The Register – (International) Adobe fixes critical Shockwave bugs with neanderthal patch. The critical patches for Adobe Systems software keep coming. This time, they fix serious security bugs in the company’s Shockwave Player. Adobe on January 20 pushed out updates for Shockwave 11.5.2.602 and earlier on Windows and Mac operating systems. The patches fix multiple integer overflow and buffer overflow flaws that can be exploited to execute malicious code on computers that use the software. Adobe is strongly urging users to upgrade. Unlike the vast majority of today’s patches, the Shockwave fix requires that users manually uninstall the out-of-date version, reboot their systems, and then install the latest version. More importantly, making it inconvenient for users to upgrade is a guarantee that a sizable portion of them will remain vulnerable. Adobe has recently unveiled an automatic updater for its Reader application. Source: http://www.theregister.co.uk/2010/01/20/critical_adobe_shockwave_bugs/


47. January 20, DarkReading – (International) Researcher: Flaws in Facebook app authorization could lead to clickjacking. Vulnerabilities in the way members authorize the use of third-party applications in Facebook could potentially lead to loss of personal information or even targeted attacks on specific individuals, a security researcher said on January 20. A well-known security researcher and author of Hacking: The Next Generation, says he has discovered design flaws in Facebook that could allow attackers to collect the personal information of users on the social networking site, and even build profiles of “friends” that might facilitate direct attacks on specific individuals within a company. The flaws were presented to Facebook in November; the researcher has agreed not to release specific code or other details for two weeks while technical staffers at the social networking site continue their efforts to patch the vulnerabilities. The researcher says he has begun to speak generally about the problem, with Facebook’s permission. The vulnerabilities center around the way Facebook enables users to place third-party applications on their social networking pages, the researcher says. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222301736


48. January 20, IDG News Service – (International) ‘Sudden failure’ Wednesday morning brings Twitter down. On the morning of January 19, Twitter suffered a “sudden failure” and then encountered problems switching to a backup system, which left the site “largely inaccessible” for about 90 minutes, the company said. Once notorious for regular and prolonged outages, Twitter has improved in this respect in the past year, but remains inconsistent. In August of last year, Twitter logged more than 6 hours of downtime, following a total of only 17 minutes in July, according to monitoring company Pingdom. In October, it had more than 5 hours of downtime, sandwiched between only 33 minutes in September and 22 minutes in November. Source: http://www.computerworld.com/s/article/9146680/_Sudden_failure_Wednesday_morning_brings_Twitter_down


49. January 20, The Register – (International) BOFH-making bug plugged in D-link update. D-Link has plugged a security vulnerability involving protocol handling by some of its wireless routers that creates a potential means for normal users to grab super-user privileges. The network manufacturer issued a firmware update that addresses a recently discovered bug in how its networking devices handle the Home Network Administration Protocol (HNAP). The flaw meant that the devices offered a shadow connection outside of the regular administrative access channel. This permanent unauthorised connection might be exploited by miscreants to assume admin privileges and change router settings, and might also be used to bypass CAPTCHA login features introduced by D-Link in recent firmware upgrades. Successful exploitation requires valid login credentials, so the flaw is a privilege elevation risk rather than something more serious. The security shortcoming was found by SourceSec and covered by D-Link with an advisory on January 18. Only some of D-Link’s routers are vulnerable. The networking manufacturer issued updates for its DIR-635, DIR-655 and DIR-855 routers. Discontinued DIR-615, DI-634M and DIR-635 models are also at risk. An update for the DIR-615 is already available, with updates for the DI-653-M and DIR-635 promised for upcoming weeks. Source: http://www.theregister.co.uk/2010/01/20/d_link_security_update/


50. January 19, Computerworld – (International) Researchers up ante, create exploits for IE7, IE8. Researchers have created attack code that exploits a zero-day vulnerability in Internet Explorer 7 (IE7) as well as in the newest IE8 — even when Microsoft’s recommended defensive measure is turned on. Microsoft, however, continues to urge users to upgrade from the eight-year-old IE6 — the only version yet successfully attacked in the wild — to the newer IE7 or IE8. On January 17 a security vulnerability researcher and co-author of The Mac Hacker’s Handbook crafted attack code that exploits the unpatched vulnerability in IE7 when it’s running on either Windows XP or Windows Vista. “And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn’t opt in,” said the researcher on Twitter. “My version [of the exploit] implements a different heap manipulation algorithm,” said the researcher in a telephone interview on January 19. “It works on IE7 on XP and Vista because the browser doesn’t opt in on DEP [data execution prevention].” In fact, said the researcher, even the newest IE8 is not safe from attack if it’s running on Windows XP Service Pack 2 (SP2) or earlier, or on Windows Vista RTM (release to manufacturing), the version Microsoft shipped in January 2007. Source: http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8
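Items 45 and 50 share a defender's follow-up: verify on each Windows host whether the VDM workaround from Microsoft's advisory has been applied, and whether the system-wide DEP policy covers applications such as IE7 that do not opt in. The PowerShell below is an added example, not code from the DHS report, Computerworld or Microsoft; it assumes the “Prevent access to 16-bit applications” policy is recorded as the VDMDisallowed value under the AppCompat policy key shown, and reads the DEP policy from the Win32_OperatingSystem WMI class.

```powershell
# Added example (not from the DHS report or Microsoft). Audits two of the
# mitigations discussed above on the local Windows host:
#   1. Is the NTVDM (16-bit) subsystem disabled? That is the workaround
#      Microsoft gave for the VDM kernel bug on 32-bit Windows (item 45).
#   2. What is the system DEP policy? An application that does not opt in
#      to DEP (the IE7 case in item 50) is only protected when the policy is
#      OptOut or AlwaysOn; under the client default, OptIn, it runs without DEP.
# Assumption: the "Prevent access to 16-bit applications" Group Policy is
# stored as the VDMDisallowed DWORD under the AppCompat policy key below.

function Get-VdmWorkaroundStatus {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    $item = Get-ItemProperty -Path $key -Name VDMDisallowed -ErrorAction SilentlyContinue
    $value = 0
    if ($null -ne $item) { $value = [int]$item.VDMDisallowed }

    $detail = 'VDM enabled; a 32-bit host stays exposed until the kernel patch is installed'
    if ($value -eq 1) { $detail = 'Workaround in place; 16-bit applications will not run' }

    New-Object PSObject -Property @{
        Check   = 'NTVDM subsystem disabled (VDMDisallowed = 1)'
        Applied = ($value -eq 1)
        Detail  = $detail
    }
}

function Get-DepPolicyStatus {
    # Get-WmiObject matches the 2010-era hosts in the story; Get-CimInstance
    # works the same way on PowerShell 3 and later.
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = -1
    if ($null -ne $os.DataExecutionPrevention_SupportPolicy) {
        $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    }
    $name = "Unknown($policy)"
    if ($names.ContainsKey($policy)) { $name = $names[$policy] }

    # OSArchitecture is absent on Windows XP; a missing value is treated as
    # 32-bit, which is the edition the VDM bug affects.
    $arch = '32-bit (assumed)'
    if ($os.OSArchitecture) { $arch = $os.OSArchitecture }

    New-Object PSObject -Property @{
        Check   = 'DEP covers applications that do not opt in'
        Applied = ($policy -eq 1 -or $policy -eq 3)
        Detail  = "System DEP policy $name; hardware DEP available: " +
                  "$($os.DataExecutionPrevention_Available); $($os.Caption) $arch"
    }
}

# Print both checks; a False in the Applied column is the item to act on.
@((Get-VdmWorkaroundStatus), (Get-DepPolicyStatus)) |
    Format-Table -Property Check, Applied, Detail -AutoSize -Wrap
```

Run it in an elevated PowerShell session; the registry read needs no special rights, but some hosts restrict WMI queries to administrators.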


51. January 19, SC Magazine – (International) iDefense retracts claims made on Adobe’s involvement in cyber attacks. Security firm iDefense has withdrawn a comment made earlier about the Google attack. As published on the SC Magazine website on January 13, the iDefense head of international cyber intelligence claimed that ‘attackers delivered malicious code used against Google and others using PDFs as email attachments’, similar to an attack in July 2009 which employed a PDF file that exploited a zero-day vulnerability in Adobe Reader. However, in a blog update on the Adobe website, iDefense has issued a statement retracting the comment. It said: “In iDefense’s press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely ‘malicious PDF file attachments delivered via email’ and suggested that a vulnerability in Adobe Reader appeared to have been exploited in these attacks. “Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of a vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue.” Source: http://www.scmagazineuk.com/idefense-retracts-claims-made-on-adobes-involvement-in-cyber-attacks/article/161661/


52. January 19, New York Times – (International) Fearing hackers who leave no trace. The crown jewels of Google, Cisco Systems or any other technology company are the millions of lines of programming instructions, known as source code, that make its products run. If hackers could steal those key instructions and copy them, they could easily dull the company’s competitive edge in the marketplace. More insidiously, if attackers were able to make subtle, undetected changes to that code, they could essentially give themselves secret access to everything the company and its customers did with the software. The fear of someone building such a back door, known as a Trojan horse, and using it to conduct continual spying is why companies and security experts were so alarmed by Google’s disclosure recently that hackers based in China had stolen some of its intellectual property and had conducted similar assaults on more than two dozen other companies. “Originally we were saying, ‘Well, whoever got it has the secret sauce to Google and some 30 other California companies, and they can replicate it,’” said a director of security intelligence at VeriSign iDefense, which helped Google investigate the Chinese attacks. “But some of the more devious folks in our outfit were saying, ‘Well, they could also insert their own code — and they probably have.’” Source: http://www.nytimes.com/2010/01/20/technology/20code.html


53. January 19, IDG News Service – (International) Study: Click fraud rate relatively low in 2009’s Q4. Click fraud, a practice that dilutes the efficacy of pay-per-click (PPC) advertising campaigns run in search engines like Google, stayed relatively low in the fourth quarter, according to a study. Click Forensics, a provider of click-fraud detection services and products, said on January 19 that the industry’s average click-fraud rate for the quarter ending December 31 was 15.3 percent. Although that is up from the 14.1 percent rate in the third quarter, it also represents a significant drop from 2008’s fourth quarter, when the click-fraud rate hit an all-time high of 17.1 percent. Click Forensics credited search engines, Web publishers and ad networks with doing a better job of detecting click fraud in the commerce-heavy holiday season. Source: http://www.computerworld.com/s/article/9145998/Study_Click_fraud_rate_relatively_low_in_2009_s_Q4


For another story, see item 18 above in the Banking and Finance Sector


Communications Sector

54. January 21, Denver Post – (National) FCC plans to expand limits on “robocalls”. A federal agency wants to make it easier for consumers to avoid getting automated telephone solicitations unless they want them. The proposed rules announced on January 20 by the Federal Communications Commission (FCC) shore up regulations on businesses that rely on prerecorded telemarketing calls — referred to as “robocalls” — and make it harder for them to pester consumers. “It’s certainly a step in the right direction as the vast majority of the public would love to get rid of all robocalls,” the Colorado attorney general said. The FCC rules apply to industries not covered by similarly restrictive rules issued last year by the Federal Trade Commission (FTC) — telephone companies, airlines, banks, and insurance companies. Companies would have to obtain a consumer’s written approval for the telephone pitches. Most businesses that use prerecorded sales calls — such as the automobile-warranty companies that peppered the state with calls last year — are subject to the FTC rules. The FCC rules bring in those industries not covered by the FTC. The FCC must take public comment before making the rules permanent. Source: http://www.denverpost.com/business/ci_14234066


55. January 20, KITV 4 Honolulu – (Hawaii) 22,000 Kauai Hawaiian Telcom customers lose service. A contractor working on Kauai on January 20 cut fiber optic lines, cutting phone and data service to about 22,000 customers, Hawaiian Telcom said. The outage began at about noon when the contractor working on Wailua Bridge cut the lines, a Hawaiian Telcom spokeswoman said. The outage affected 17,000 voice customers and 5,000 data customers from Princeville to Kapaa, she said. Customers also reported problems in the Kalaheo area, the spokeswoman said. The county urged people needing to call 911 to use their cellular phones, but Hawaiian Telcom said that some carriers have also been impacted. Hawaiian Telcom said that crews would gradually restore service at about 5 p.m. Source: http://www.kitv.com/money/22297915/detail.html


56. January 20, Torrance Daily Breeze – (California) Cable damage knocks out Verizon service in Rolling Hills. Dozens of Verizon customers in Rolling Hills are without phone service on January 20 after an underground cable line was damaged, possibly due to a storm-related power outage on January 19. The company has so far had 57 reports of trouble, but many more are likely affected. The outage is in the Amaga Springs Road and High Ridge Road areas. Crews are working to excavate the cable, but rainy weather is making repair efforts difficult, said a spokesman with the phone company. “We will be working around the clock until service is restored,” he said. Source: http://www.dailybreeze.com/news/ci_14230112


57. January 20, Press-Enterprise – (California) Murrieta puts hold on cell towers. Murrieta is putting the brakes on requests to build new cell phone towers in the city. The City Council recently agreed to stop accepting new requests to build the towers so officials can study the need for new regulations. Demand for cell towers is expected to increase in the coming years with demand exploding for mobile Internet service used by laptops and smartphones like Apple’s iPhone. The city’s public works director told the council that Murrieta has several active requests from companies seeking to build new wireless towers. Many more are expected in the near future, he said. He did not say where companies were proposing to build the new towers. New cell phone towers are commonly built to blend in with their surroundings, in such guises as trees and flagpoles. In many cases they are approved with little problem. But towers put in residential areas can be a different story. Murrieta’s regulations need to be revamped because they were written in 1997, before many advancements in wireless technology, the director said. They also apply only to towers built on private property. Source: http://www.pe.com/localnews/inland/stories/PE_News_Local_W_scell21.4673c1d.html