Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 28, 2010


Top Stories

• Associated Press reports that Boeing said it is likely to recommend more inspections for some of its 767s after American Airlines found cracks where the engine attaches to the wing. Boeing is considering asking airlines to inspect the wings every 400 flights, a spokesman said Thursday. (See item 25)

25. June 24, Associated Press – (National) Boeing may recommend more 767 inspections. Boeing said it is likely to recommend more inspections for some of its 767s after American Airlines found cracks where the engine attaches to the wing. Boeing is considering asking airlines to inspect the wings every 400 flights, a spokesman said Thursday. He said Boeing wants airlines to evaluate how the proposed change would affect their maintenance and flight operations. He said the new recommendation, called a service bulletin, is expected in mid-July. Currently the Federal Aviation Administration (FAA) requires inspections every 1,500 flights. But the cracks on at least two American jets were found after fewer flights. That raises the possibility that the wings are more susceptible to cracks than previously thought. American has already inspected all 56 of its affected planes. About 260 jets built before June 1997 are involved. Planes built after that had a different design that prevents the cracks, the spokesman said. Another 400 planes built before 1997 were retrofitted with a reinforced wing strut aimed at preventing the cracks. The extra inspections would only be mandatory if the FAA issues its own order. It has not decided whether to mandate the increased inspections and is waiting to see Boeing’s service bulletin, an FAA spokesman said. Other operators of the affected jets include Delta Air Lines, United Airlines, Continental Airlines, and US Airways. Source:

• At least 11 of the 17 members of the Afghan military who went AWOL from an Air Force base in Texas have turned up on Facebook, according to Fox News. Some belong to the “Afghanistan Mujahideen” group, a page that features, among other content, videos from the American-born al Qaeda spokesman Azzam the American. (See item 37)

37. June 25, Fox News – (National) AWOL Afghans found ... on Facebook. At least 11 of the 17 members of the Afghan military who went AWOL from an Air Force base in Texas have turned up on Facebook. Some belong to the “Afghanistan Mujahideen” group, a page that features, among other content, videos from the American-born al Qaeda spokesman Azzam the American. According to a nationwide be-on-the-lookout (BOLO) bulletin that was sent by the North Texas Joint Terrorism Task force to law enforcement agencies across the country the week of June 14, the 17 Afghan deserters walked away from the Defense Language Institute at Lackland Air Force Base, where they had been studying English. The men have military identification that would give them access to secure U.S. military installations, the bulletin read. One week later, an Immigration and Customs Enforcement source said that only two or three of the 17 Afghans remain at large. The source said investigators have been working with Canadian immigration records and now believe that many of the men are in Canada. A spokesman for Randolph Air Force Base in Texas said he was told that four of the men remain unaccounted for. Of the 13 who have been located, he said, six have pending refugee claims in Canada, two have permanent residency in Canada, four are in the process of being deported, and one is a conditional resident alien in the U.S. Source:


Banking and Finance Sector

17. June 25, MarketWatch – (National) Negotiators in Congress OK sweeping reform of big banks. House and Senate lawmakers early June 25 approved the most significant increase in the regulation of U.S. banks since the Great Depression, placing new restrictions on the nation’s biggest lenders, reining in the Federal Reserve and crafting new consumer protections. It requires “too-big-to-fail” banks to install new capital and leverage limits, instructs the government to conduct unprecedented ongoing audits of the Fed’s lending programs, as well as a one-time audit of its emergency response programs. Also included in the sweeping package is a tough rule that would limit insured banks’ speculative proprietary trading activities. The controversial proposal would also force big banks to divest their major interests in hedge funds and private equity firms, allowing them to hold no more than 3 percent of a fund’s capital, though big banks could have as long as seven years to comply. Source:

18. June 25, CNN – (California) ‘Geezer bandit’ wanted in string of bank robberies. A Southern California bank robber dubbed the “geezer bandit” has struck again, possibly knocking off his 11th bank, the FBI said. The suspect held up a Bank of America branch in Temecula June 24. “During (the) robbery, the robber approached the victim teller and presented a demand note for cash,” a statement from the FBI said. “The robber carried a leather case which contained a small caliber pistol that he threatened to use, if the teller did not comply with his demands.” The FBI believes the suspect is responsible for robbing 10 banks in San Diego County and one in Riverside County. The “Geezer bandit” has carried a weapon in at least two of the robberies and should be considered dangerous, authorities said. The robber has been described as between 60- and 70-years-old. However, there has been some suggestion that he may be wearing a mask to conceal his real age and make him appear much older than he is. Source:

19. June 25, Bloomberg – (International) G-20 protesters expand rallies as Toronto braces for summit. Protesters and community groups aim to intensify their demonstrations in Toronto June 25 as businesses in the downtown of Canada’s largest city start to close ahead of the weekend’s Group of 20 summit. “There’s going to be a rally, a march, a block party and a tent city that’s going to go overnight,” a spokesman for the Toronto Community Mobilization Network said in an interview. Toronto’s core is shutting down ahead of the arrival of world leaders, with at least 36 branches of banks including Toronto-Dominion Bank closed. A 12-block section of Toronto’s downtown is surrounded by concrete barriers and 10-foot high metal fencing, part of the largest security operation ever in Canada with 20,000 police and security guards. Starting at 8 p.m. June 25, only people who work in the security zone or are accredited for the summit at the Metro Toronto Convention Centre will be allowed to pass the gates. Canada is spending as much as C$1.2 billion ($1.15 billion) for the meetings to host world leaders, including C$930 million on security. Source:

20. June 24, Bank Systems and Technology – (International) Australian bank to use Bank of New Zealand’s anti-card-skimming technology. National Australia Bank has begun using card-fraud prevention technology developed by one of its subsidiary banks, Bank of New Zealand. The technology, called Liquid Encryption Numbers (LEN), is intended to prevent the skimming of cards, where information on magnetic stripes is captured by criminals without the customer’s knowledge, by attaching an illicit card reader to an ATM or using a pocket reader to scan a card en route to a cash register. LEN changes the magnetic stripe information every time a customer visits a bank ATM, so if a criminal captures the information and clones the card, he or she won’t be able to use it to commit fraud. LEN was invented by a fraud initiatives manager at Bank of New Zealand. Bank of New Zealand has been using LEN for two years and said its fraud numbers have decreased. According to ACI Worldwide, one in five consumers around the world was hit by debit or credit card fraud over the last five years. Source:

21. June 24, Eweek – (International) Inside text message phishing attacks. Not all phishing takes place online. Text-message-based phishing, called smishing, is still out there, and though on the decline, a report from security vendor Internet Identity (IID) shows it is still being used to target credit unions. In smishing, scammers use text messages to impersonate companies and lure victims into calling a fake interactive voice response (IVR) system designed to steal personal data like account credentials and Social Security numbers. “The most common text phishing is text-to-phone, where text messages are sent to potential victims with the goal of getting those victims to call a phone number provided in the message,” explained the CEO of IID. “When a victim calls the number, they are presented with an interactive voice response tree that often mimics the target institution’s own system. This system draws out and collects account access credentials from the victims.” Less common is text-to-Website, where the text message lures the victim to a traditional phishing Website, he added. According to the CEO, the attack patterns suggest there are no more than a few groups perpetrating text-phishing attacks as opposed to several dozen perpetrating other forms of phishing. IID reported the prevalence of the attack dropped 62 percent during the first quarter of 2010. Source:

22. June 23, Agence France-Presse – (International) Fake ATM dupes China bank customers. Thieves in Beijing set up a fake ATM machine that recorded the bank details of unsuspecting users whose accounts were later robbed, in the first such scam discovered in China, state press said June 23. Having duped bank customers into revealing their account details, the thieves forged duplicate bank cards to drain their accounts, China Central Television said. The machine was bought from a legitimate manufacturer, but was not affiliated to any bank, it added. The ATM was placed on a busy corner in central Beijing and advertised that it could accept many major credit and bank cards, but all transactions resulted in an error message, the official China Daily reported. According to the paper, one man who used the machine was robbed of 5,000 yuan ($735), while another person had his bank account “drained” of an unspecified amount. No arrests have yet been made. Source:

Information Technology

45. June 25, SC Magazine – (International) Researcher demonstrates Twitter XSS vulnerability. A Twitter user has demonstrated a cross-site scripting (XSS) vulnerability on the microblogging platform that could allow an attacker to take over users’ accounts or spread malware. An Indonesian security researcher, using the alias “H4x0r-x0x” and Twitter handle “0wn3d_5ys,” discovered the vulnerability and demonstrated the bug using his own Twitter account. In addition, the researcher June 21 announced details about the flaw on his blog. The vulnerability affects the “application name” field on Twitter’s application registration page, used by developers when setting up a new Twitter application. The flaw appears to be the result of a lack of input validation of the “application name field” when accepting new requests for Twitter applications, a partner at Praetorian Security Group told June 24. The flaw could be exploited by cybercriminals to insert malicious JavaScript code into a Twitter page. Visiting the researcher’s Twitter account causes a pair of XSS alert boxes, followed by a user’s browser being manipulated. The demonstration of the flaw also causes an animation from the film “The Matrix” to appear, followed by messages from the researcher, one of which states, “My Twitter Owned By : H4x0r-x0x..” Source:

46. June 25, The H Security – (International) Google uses remote delete to remove Android apps from smartphones. Google has, for the first time, used the “Remote Application Removal” security feature implemented in Android to remove apps from users’ smartphones. The two applications in question were created by TippingPoint security researchers who had deployed the apps to demonstrate how easy it is to inject malicious applications into Android smartphones and jailbroken iPhones. Although the researchers had removed the applications from the Android Market, some users still had the apps installed on their phones, prompting Google to delete them remotely. In such cases, users are notified that the deletion will occur. Google points out that the removed applications did not cause any damage, having been designed to show how easy it was to infect smartphones rather than to cause any malicious infection. Other mobile-device vendors also reserve the option for remote deletion and some have even exercised this option. In mid 2009, Amazon deleted the Kindle eBooks “1984” and “Animal Farm” by George Orwell, because the vendor in question was not licensed to distribute them. After a flurry of protests, Amazon promised that it would avoid such deletions in the future. Apple is also capable of remote deletion of installed applications from iPhones, but has not made use of this option so far. Originally, Google developed the remote-deletion feature to prevent the spreading of real malware and protect users. The vendor hopes that the option will never be needed on a large scale. Source:

47. June 25, The Register – (International) Spanish firm raided in logic-bomb backdoor probe. Three managers at an unnamed Spanish software developer have been arrested over allegations they planted “logic bombs” in software that meant clients were obliged to pay for disruptive repairs and extended maintenance contracts. The Guardia Civil said that more than 1,000 clients of the Andalucia-based developer have been affected by the scam since 1998. The unnamed firm sold and marketed custom software to small- and medium-sized businesses with built-in errors such that it was guaranteed to fail at a predetermined date. These errors would “paralyze the normal functioning of businesses” and oblige customers to contact their supplier, who would hit them for repair fees and extended support. In the course of making repairs, the developer allegedly programmed systems to fail again at a future date. An anonymous Web-based tip-off led to a Guardia Civil investigation and a subsequent raid on the firm’s premises, where computer equipment and records were seized for analysis. The investigation — codenamed Operation Cordoba — is being led by the Guardia Civil’s hi-tech division in cooperation with local police in Cordoba, Spanish daily El Pais adds. Source:

48. June 25, The Washington Post – (National) Twitter settles with FTC over hacking breach. Twitter has settled charges brought by the Federal Trade Commission (FTC) that it deceived consumers by allowing hackers to obtain administrative control over the popular social-networking service because of loose security. The FTC said June 24 that Twitter allowed hackers in 2009 to view private “tweets” — micro-blogs of up to 140 characters — and to send phony messages purportedly from the accounts of (the President) and Fox News, among others. Under the settlement, Twitter will set up a security program to be assessed by a third party and will be prohibited from “misleading consumers about the extent to which it ... protects ... nonpublic consumer information,” the FTC said. No damages were sought. In a statement, the Twitter general counsel said that relatively few users were affected by the breach, and that the incidents occurred when the company had 50 employees and was grappling with explosive growth. The company said that it has since worked on security measures, and that no other complaints have been brought regarding privacy or security lapses. Source:

49. June 24, Adobe – (International) Pre-Notification: Quarterly security updates for Adobe Reader and Acrobat. A security advisory has been posted in regards to the upcoming Adobe Reader and Acrobat updates scheduled for June 29. The updates will address critical security issues in the products, including CVE-2010-1297 referenced in Security Advisory APSA10-01. These security updates will be made available for Windows, Macintosh and UNIX. Note that the June 29 updates represent an accelerated release of the next quarterly security update originally scheduled for July 13. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13. Source:

50. June 24, DarkReading – (International) Kraken botnet making a resurgence, researcher says. The Kraken botnet — one of the Internet’s largest and most difficult to detect in 2008 — is rearing its ugly head again. In fact, the old security nemesis — which was reported dismantled last year — has compromised more than 318,000 systems, nearly half of the 650,000-node size it achieved at its peak in 2008, according to a research scientist at the Georgia Tech Information Security Center (GTISC), a leading authority on botnet research. So far, the resurrected Kraken is primarily a spam distributor, focusing most of its output on ads for male enhancement and erectile dysfunction. The botnet’s performance is prodigious: a single node with a DSL-speed connection was detected sending more than 600,000 spam messages in a 24-hour period. Many popular antivirus tools do not detect Kraken. A scan by VirusTotal indicates that none of the top three antivirus tools — Symantec, McAfee, and Trend Micro — can detect current Kraken samples, he reports. The resurrected Kraken is usually installed by another botnet, using botnet malware such as Butterfly, the researcher reports. It is not clear whether Kraken installation is handled by the same criminal group as Kraken operations, but it may be an example of specialized criminal groups working together, he suggests. Kraken’s reappearance may indicate a broader trend toward the re-use of code. Source:

51. June 24, DarkReading – (Unknown Geographic Scope) iPads susceptible to iPhone malware, researchers say. PandaLabs, Panda Security’s antimalware laboratory, has revealed that malware designed to infect iPhones can also compromise the popular iPad, as demonstrated in a video on the PandaLabs blog. “This doesn’t mean we’re about to face an avalanche of infections. We have always stated that as Apple increases its market share, cyber-crooks will begin to show more interest in targeting the platform,” said the technical director of PandaLabs. “However, we are certainly beginning to see more proofs of concept, and so advise all Mac users to follow the manufacturer’s recommendations to maximize security on their operating systems.” Despite the fact that Apple has made it impossible to install peripherals and software outside of those found in its own App Store, cyber-criminals have found a way to infect jailbroken iPad devices with malware. All malware designed for iPhones, such as the iPhone/Eeki.A worm that PandaLabs warned about last year, will have the same ability to infect and spread to iPad devices due to the iPad and the iPhone sharing the same operating system, known as iOS. Apple released iOS 4, the new version of its operating system, June 21. The iPhone/Eeki.A worm infected jailbroken iPhones. Jailbreaking refers to the process by which criminals tamper with iPhones in order to install applications that are not available in the official Apple App Store. In addition to the iPad, malware designed for the iPhone can also infect the iPod touch. Source:

52. June 24, DarkReading – (International) AT&T iPad breaches are about app security, not mobile devices, experts say. The recent breaches of Apple iPad customer data at AT&T have drawn attention to security issues in both the mobile device and service provider spaces. But after analyzing the leaks, analysts said the lessons to be learned are not related to mobile or service vulnerabilities — they are lessons in the links between Web applications and back-end databases. “Mobile computing is no longer about mobile computing — it’s really all about the Web,” said the chief marketing officer for Web app security company Cenzic. “Most people don’t realize that — even most telecom companies don’t realize it — so they’re focusing on the hardware piece. But if you think about the end-to-end cycle of a mobile computing service — from acquisition to processing orders to customer service — it’s all on the Web.” Earlier this month, AT&T and its partner, Apple, found chinks in their Web application security armor when more than 100,000 iPad-user accounts were exposed due to a business logic flaw in a public AT&T Web application. Apple suffered a second privacy breach when users reported accessing other customers’ private information while preordering the latest iPhone through AT&T’s Web site. AT&T and Apple claimed they could not replicate the problem, but security experts, such as a researcher of WhiteHat Security, claimed the issues sounded suspiciously like session exhaustion, a behavioral anomaly that occurs when an application is overloaded and begins to run out of session IDs. Observers said both incidents likely involved poorly deployed Web applications that put sensitive back-end data at risk, giving nonauthorized users access to private database information. Source:

53. June 24, Help Net Security – (International) Phishing requires more effort than one might think. When it comes to setting up phishing pages, there are some phishers that make the extra effort. Take those behind the fake Orkut log-in pages, for example. Symantec has been following their work, and noticed that the phishers make the same changes to their Web sites that the original site makes, namely the logo that changes on special occasions such as Earth Day, Mother’s Day, and others. Google actually had a pretty good idea with this logo-changing practice: not only does it make the services look more friendly and remind users that the sites are constantly monitored and updated, but it also makes “lazy” phishers fail. Source:

54. June 24, PC1News – (International) Amazon spam spreads Trojans. A new wave of malware-distributing phony Amazon e-mails is flooding users’ mailboxes. The spam messages look quite real and can therefore easily deceive recipients into following the malicious links they contain. The e-mails are hand-crafted and look so much like those Amazon sends that many users have become easy prey for the crooks. The fake Amazon e-mail and the real one are almost identical. The differences between the two are few but vital: the real Amazon e-mail addresses the user by name, not by e-mail address, because a spammer will not know an Amazon user’s name; the real e-mail shows the user’s billing address and the fake does not; finally, if a user places the mouse pointer over any link in the spam message, it will show that the links all lead to a single place, the Korean Web site Booksalon(dot)kr. There the Trojan lies and waits. Source:

For another story, see item 56 below in the Communications Sector

Communications Sector

55. June 25, PC World – (National) Apple responds to iPhone 4 antenna problem. Since iPhone 4 smartphones reached the market June 22, several users reported poor reception issues with the device when holding the phone by its metal sides in two opposite places. The metal bands surrounding the sides of the iPhone 4 also act as antennas for the device, and the signal-drop problem seems to appear when a user touches both of the black lines on the phone’s metal sides towards the bottom, according to reports. An Apple statement recommends that if users are experiencing problems with the iPhone 4, they should “avoid gripping it in the lower left corner in a way that covers both sides of the black strip in the metal band, or simply use one of many available cases.” Source:

56. June 24, The Register – (International) VeriSign SSL certs open to tampering, competitor warns. VeriSign and one of its partners have come under fire for publicly exposing Web pages used to process customer-security certificates, a practice a competitor claims puts some of the biggest names on the Web at risk of serious targeted attacks. According to the CEO of the Internet-security firm Comodo, publicly accessible pages needlessly disclose sensitive internal information about VeriSign customers; Bank of America and the Commonwealth of Massachusetts are two examples. By exposing the e-mail address of the organizations’ security-certificate managers, and providing a comprehensive list of Web addresses that use secure-sockets-layer protection, VeriSign puts them at risk of targeted phishing attacks, he said. The CEO noted that one page provided by VeriSign partner of the Netherlands allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages, which provide buttons for revoking, renewing, and replacing the digital certificate. Source: