Department of Homeland Security Daily Open Source Infrastructure Report

Friday, April 16, 2010

Complete DHS Daily Report for April 16, 2010

Daily Report

Top Stories

 The Associated Press reports that an enormous ash cloud from a remote Icelandic volcano caused the biggest flight disruption on Thursday since the September 11th attacks as it drifted over northern Europe and stranded travelers on six continents. Meteorologists from the AccuWeather forecasting service said the ash plume will threaten air travel over Europe through April 18 at the least. (See item 23)

23. April 15, Associated Press – (International) Iceland’s volcanic ash halts flights across Europe. An enormous ash cloud from a remote Icelandic volcano caused the biggest flight disruption Thursday since the September 11 attacks as it drifted over northern Europe and stranded travelers on six continents. Officials said it could take days for the skies to become safe again in one of aviation’s most congested areas. The volcano beneath Iceland’s Eyjafjallajokull glacier began erupting April 14 for the second time in less than a month. The cloud, floating miles above Earth and capable of knocking out jet engines, wrecked travel plans for tens of thousands of people. All non-emergency flights in Britain were canceled until at least midday April 16, and authorities in Ireland, Denmark, Norway, Sweden, Finland, and Belgium also closed their air space. France shut down 24 airports. In Germany, airports in Berlin and Hamburg were shut the evening of April 15. Several U.S. flights bound for Heathrow, including those from Chicago, San Francisco, Denver, Las Vegas and New York, had to return to their departure cities or land elsewhere when London airports were closed. In Washington, the Federal Aviation Administration said it was working with airlines to try to reroute some flights around the huge ash cloud, which is hundreds of miles wide. The Icelandic plume lies above the Atlantic Ocean close to the flight paths for most routes from the U.S. East Coast to Europe, and was moving over Europe itself. Meteorologists from the AccuWeather forecasting service in Pennsylvania said the current ash plume will threaten air travel over Europe through April 18 at the least. A geophysicist at the Icelandic Meteorological Office said the problem might persist for weeks, depending on how much wind carries the ash. Source: http://www.google.com/hostednews/ap/article/ALeqM5jh7lQ-qBxQMPzPd3Iap7_s3YDBfQD9F3MO900

 According to DarkReading, the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems says that cyber security incidents in water and wastewater control systems have increased 300 percent and power/utilities systems by 30 percent over the past five years. (See item 41)

41. April 14, DarkReading – (National) Security incidents rise in industrial control systems. While only about 10 percent of industrial-control systems are actually connected to the Internet, the systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years. A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years — down more than 80 percent — but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems. The database logs security incidents in process control, Supervisory Control and Data Acquisition (SCADA), and manufacturing systems, and gathers voluntary submissions from companies as well as from news or other reports. Nearly half of all security incidents were due to malware infections — viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: “A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It’s several layers removed, but once there’s a virus [on the business network], it finds its way into the control systems,” said the executive director of the Security Incidents Organization, which runs the RISI database. “And you see USB keys bringing in malware” to the SCADA systems, for instance, or via an employee’s infected laptop, he said. Source: http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=224400280

Details

Banking and Finance Sector

19. April 15, Agence France-Presse – (International) 79,000 clients identified from stolen HSBC data. Some 79,000 customers have been identified from data stolen from a Swiss unit of HSBC bank, a French prosecutor said Tuesday, citing a number far higher than previously made public. The chief executive of HSBC Private Bank (Switzerland) said last month that details on 24,000 bank customers may have been leaked in the theft three years ago by an IT worker at the bank. However, a French prosecutor said the stolen files, which have now been decrypted, allowed for the identification of 127,000 accounts belonging to 79,000 people. The major security breach has helped fuel pressure on Switzerland to prevent foreigners from using Swiss bank accounts for tax evasion. Source: http://www.google.com/hostednews/afp/article/ALeqM5hpM6JG9oD4CpspL4GohzUAV8D8_w


20. April 14, Bloomberg – (National) FDIC plans $1.97 billion sale of loans from 22 seized banks. The Federal Deposit Insurance Corp. (FDIC) is seeking bids on a $1.97 billion portfolio of loans from 22 seized banks, pushing the agency’s structured asset sales this year beyond the 2009 total. The sale consists of 1,739 loans mostly tied to commercial real estate, with borrowers late on payments for almost half the portfolio, according to a preliminary announcement obtained by Bloomberg News. Barclays Capital was listed as the marketing agent for the sealed-bid auction. The FDIC is stepping up sales of assets accumulated by the bank regulator as 182 firms have failed since January 2009. The agency is trying to restore its deposit insurance fund, which posted a $20.9 billion deficit last year after lenders collapsed at the fastest pace in two decades. The new portfolio will be sold as a structured transaction, which means the FDIC will share ownership and proceeds with the winning bidder, the announcement said. The FDIC may contribute financing, the announcement said. Source: http://www.bloomberg.com/apps/news?pid=20601103&sid=athIqKK8SwpM


21. April 14, Bloomberg – (International) Italy seizes EU1 billion in fake HSBC securities. Italian finance police seized more than 1 billion euros ($1.36 billion) in fake cashier’s checks produced in Africa and later sold in Europe. Each check claimed that an individual or company had 50 million euros deposited with HSBC Holdings Plc in London, and the counterfeit security was intended to be used as collateral for obtaining loans from other banks, a finance police captain said. The checks were fabricated by an Italian national living between Togo and the Ivory Coast and sold for as much as 20,000 euros each, the captain said. “We were able to track sales going back to 2007,” he said in a telephone interview from Rome today. “Italian banks won’t accept them as collateral. We know that banks in Geneva and in Germany were approached, but the probe is ongoing.” Three arrest warrants were issued, and 21 people remain under investigation for running a counterfeit securities ring based in Italy and involving at least six other countries, the captain said. Source: http://www.businessweek.com/news/2010-04-14/italy-seizes-eu1-billion-in-fake-hsbc-securities-update2-.html


For another story, see item 57 below in the Communications Sector


Information Technology


54. April 16, The Register – (International) Promoted tweet scheme ripe for abuse. Miscreants are highly likely to take advantage of Twitter’s move towards making money through ad-supported micro-blogging updates, security watchers warn. Twitter’s co-founder announced on April 13 that the micro-blogging service would begin selling advertising to select firms through a newly established Promoted Tweet program. The idea finally answers the question of how Twitter intends to make money while posing fresh security challenges. The trial phase of the program will involve blue-chip firms such as Best Buy, Bravo, Red Bull, Sony Pictures, Starbucks, and Virgin America. As the scheme takes hold, however, and expands toward becoming a sort of AdWords for micro-blogging, ne’er-do-wells will almost inevitably start taking an interest, anti-spyware firm Sunbelt Software warned. “We’re wondering how long it will be before the online pharmacies, botnet operators and rogue security-product pushers decide to mimic Twitter’s ads for their own nefarious purposes,” a Sunbelt analyst wrote. “Like the search-engine optimization techniques that have taken advantage of the big search services, there will be attempts to use the promoted tweets. And there will be countermeasures by Twitter and the rest of us in the anti-malcode world.” Source: http://www.theregister.co.uk/2010/04/14/promoted_tweet_security_fears/


55. April 15, The Register – (International) DNS Trojan poses as iPhone unlocking utility. An application that offers to unlock iPhones is actually designed to hijack Internet connections on compromised Windows PCs, security watchers warn. Spam messages direct potential victims to a domain called iphone-iphone.info that offers links to download a Windows executable called blackra1n.exe. The application claims to offer an unlock utility but instead changes the default DNS settings on infected Windows PCs, hijacking their Internet connections in the process; the iPhone itself is never touched, the Windows PC that runs the download is the victim. Romanian anti-virus firm BitDefender, which identifies the executable as Trojan-BAT-AACL, explains that the malware comes as a Windows batch file packed alongside the iPhone jailbreaking application. “The Trojan attempts to change the preferred DNS server address for several possible Internet connections on the users’ computers to 188.210.[REMOVED],” BitDefender explained. “This allows the malware creators to intercept the victims’ calls to reach Internet sites and to redirect them to their own malware-laden versions of those sites.” Because every name lookup from the PC then goes to an attacker-controlled resolver, the redirection is invisible to the user, who still types the correct address; it also survives until the resolver setting on each affected connection is put back, not merely until the executable is deleted. Source: http://www.theregister.co.uk/2010/04/15/iphone_unlocking_trojan_scam/
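A host-side check for the symptom this Trojan leaves behind, added here as an example and not code from the article or from BitDefender: it parses the text that `netsh interface ip show dnsservers` prints on a Windows PC and reports every interface whose resolvers are not on a site allowlist, treating a statically set off-list resolver (what a DNS changer writes) as the serious case and an off-list DHCP-assigned resolver as worth a look. The sample command output is constructed, its wording approximated from memory rather than copied from a real host, and the resolver addresses in it are documentation-range placeholders, not the attacker address the article redacts.

```python
"""Find Windows interfaces whose DNS resolvers are not on an allowlist.

Added example, not code from the article or from BitDefender. SAMPLE_NETSH_OUTPUT
is constructed to approximate `netsh interface ip show dnsservers` (wording from
memory); 198.51.100.x and 203.0.113.x are documentation-range placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, not captured from a real machine.
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    198.51.100.7
                                          198.51.100.8
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    DNS servers configured through DHCP:  10.0.0.1
    Register with which suffix:           Primary only

Configuration for interface "VPN Connection"
    DNS servers configured through DHCP:  203.0.113.5
    Register with which suffix:           Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
"""

# Assumed site resolvers; a real deployment would take these from inventory.
ALLOWED_RESOLVERS = ["10.0.0.1", "10.0.0.2"]

INTERFACE_RE = re.compile(r'^Configuration for interface "(?P<name>.+)"\s*$')
SERVER_LINE_RE = re.compile(
    r"^\s*(?P<source>Statically Configured DNS Servers|"
    r"DNS servers configured through DHCP):\s*(?P<value>\S+)\s*$"
)
# Additional resolvers are printed one per line, indented, with nothing else.
CONT_RE = re.compile(r"^\s+(?P<ip>[0-9A-Fa-f:.]+)\s*$")


def _as_ip(token: str) -> Optional[ipaddress._BaseAddress]:
    """Parse an IPv4/IPv6 literal; 'None' and other text yield None."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_dns_config(text: str) -> List[Dict]:
    """Return one record per interface: name, resolver source, resolver list."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    in_server_list = False
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = {"interface": m.group("name"), "source": None, "servers": []}
            entries.append(current)
            in_server_list = False
            continue
        if current is None:
            continue
        m = SERVER_LINE_RE.match(line)
        if m:
            label = m.group("source")
            current["source"] = "static" if label.startswith("Statically") else "dhcp"
            ip = _as_ip(m.group("value"))
            if ip is not None:
                current["servers"].append(str(ip))
            in_server_list = True
            continue
        # Continuation lines are only valid directly under a server header.
        m = CONT_RE.match(line) if in_server_list else None
        ip = _as_ip(m.group("ip")) if m else None
        if ip is not None:
            current["servers"].append(str(ip))
        else:
            in_server_list = False
    return entries


def find_rogue_resolvers(text: str, allowed: List[str]) -> List[Dict]:
    """Interfaces using a resolver outside `allowed`, with a severity per source."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings: List[Dict] = []
    for entry in parse_dns_config(text):
        rogue = [s for s in entry["servers"] if ipaddress.ip_address(s) not in allowed_ips]
        if not rogue:
            continue
        findings.append({
            "interface": entry["interface"],
            "source": entry["source"],
            "rogue": rogue,
            # A static off-list resolver is exactly what a DNS changer writes.
            "severity": "high" if entry["source"] == "static" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_rogue_resolvers(SAMPLE_NETSH_OUTPUT, ALLOWED_RESOLVERS):
        print(f"[{f['severity']}] {f['interface']} ({f['source']}): {', '.join(f['rogue'])}")
```

On a real host, feed the function the live command output (for instance via `subprocess.run(["netsh", "interface", "ip", "show", "dnsservers"], capture_output=True, text=True).stdout`) and run it against every interface, since BitDefender reports that the Trojan touches "several possible Internet connections", not just the active one. Putting a flagged interface back with `netsh interface ip set dns "Local Area Connection" dhcp` undoes the static entry; re-run the check afterwards to confirm the DHCP-assigned resolver is the expected one.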


56. April 14, U.S. News and World Report – (International) Documents reveal Al Qaeda cyberattacks. Buried inside hundreds of pages of heavily redacted court documents from the case of a man accused of being one of al Qaeda’s chief recruiters is evidence that the terrorist group has launched successful cyberattacks, including one against government computers in Israel. This was the first public confirmation that the terrorist group has mounted an offensive cyberattack. The attacks were relatively unsophisticated and likely occurred before November 2001, when the prisoner who described them was arrested. The terrorism suspect was ordered freed from the prison at Guantánamo Bay last month by a federal judge who found that the government had insufficient evidence to continue detaining him. The court records do not specify when and under what circumstances the suspect discussed al Qaeda’s venture into cyberwar. Though the vast majority of the court records dealing with the case remain classified, some details escaped redaction. For instance, the suspect told interrogators that al Qaeda “used the Internet to launch relatively low-level computer attacks.” Al Qaeda “also sabotaged other Web sites by launching denial-of-service attacks, such as one targeting the Israeli prime minister’s computer server,” court records indicated. Source: http://www.usnews.com/articles/news/2010/04/14/documents-reveal-al-qaeda-cyberattacks.html


Communications Sector

57. April 15, Sydney Morning Herald – (International) Chinese cyber attackers hit Optus. The Optus network was in disarray April 14 following cyber attacks from China, which affected a number of its customers including Australia’s national news agency, AAP. Web-based attacks originating from China have become a growing issue for Australian businesses and government departments. At the opening of the Cyber Security Operations Centre in January, the government revealed that Defence had investigated about 200 electronic-security incidents on its own network every month in 2009. It also responded to about 220 incidents reported by other Australian government agencies last year. Optus indicated that at about 1:10 p.m. April 14, one of its corporate customers was hit with a “denial of service attack” that originated in China. Optus would not say which customer had been targeted, but The Australian reported that the target was a multinational financial-services company. “The attack caused congestion on one of Optus’s international links leading to slow internet and delayed e-mail for some Optus corporate customers,” an Optus spokeswoman said. Publishers AAP, IDG and News Ltd are known to be among the affected corporate customers; none of them was the target, but they shared the saturated international link, so the flood aimed at one customer degraded service for the others. Source: http://www.smh.com.au/technology/security/chinese-cyber-attackers-hit-optus-20100415-sgm8.html


58. April 15, IDG News Service – (International) Spam volumes grew 6 percent last year, says Google. Despite security researchers’ efforts to cut spam down to size, it just keeps growing back. The volume of unsolicited e-mail in the first quarter was around 6 percent higher than a year earlier, according to Google’s e-mail filtering division Postini. Security researchers have won a few significant battles against the spammers in the last year, first against those hosting the spammers’ control systems, and later against the control systems themselves. But researchers will have to change tactics again if they want to win the war, Google said in a posting to its Enterprise blog. In the first half of last year, experts concentrated their efforts on identifying the ISPs or hosting companies that allowed these command-and-control servers to operate, and shutting them down. The success of that tactic was short-lived. It took a little less than a month after the shutdown of ISP 3FN for spam sent to the 18 million business users of Google’s Postini service to return to its previous level, while the closure of Real Host affected spam levels for only two days. The bottom line: botnet operators quickly found new homes for their servers and reprogrammed their botnets. Security researchers then switched their attention to the botnet command-and-control servers themselves, infiltrating them and preventing the botnets from receiving new instructions. Those successes meant that the volume of spam fell 12 percent from the fourth quarter of 2009 to the first quarter of 2010, although levels remained higher than a year earlier. Source: http://www.networkworld.com/news/2010/041510-spam-volumes-grew-6-percent.html


59. April 14, IDG News Service – (National) Senator pledges support for Net neutrality, broadband plan. The powerful chairman of a U.S. Senate committee will push for additional authority for the U.S. Federal Communications Commission (FCC) to enforce Net neutrality rules and implement its new national broadband plan, if that is needed following a court ruling against the agency this month. The decision by the U.S. Court of Appeals for the District of Columbia to throw out the FCC’s attempt to enforce Net neutrality rules against Comcast puts the entire broadband plan, released last month, at risk, said a West Virginia Democratic senator and chairman of the Senate Commerce, Science and Transportation Committee. Comcast and other broadband providers want to take the FCC’s authority away, the senator added. “In the long term, if there is a need to rewrite the law to provide consumers and the FCC and industry with a new framework, I as chairman will take that task on,” he said. “This is a committee — at least so long as I am chairman — that is here to protect people, to protect consumers.” Source: http://www.computerworld.com/s/article/9175507/Senator_pledges_support_for_Net_neutrality_broadband_plan


60. April 13, KSTU 13 Salt Lake City – (Utah) AT&T 3G voice network restored in Salt Lake City after outage. A spokeswoman for AT&T said its 3G voice network in Salt Lake City, Utah, is now restored after an outage on April 12. 3G stands for third generation, the company’s latest technology. During the outage, AT&T reverted to using the 2G network. The representative said the outage affected only voice calls in Salt Lake City. AT&T did not confirm how many customers were affected by the outage. Source: http://www.fox13now.com/news/local/kstu-att-confirms-outage-affecting-3g-voice,0,1583662.story