Department of Homeland Security Daily Open Source Infrastructure Report

Friday, June 27, 2008

Daily Report

• The Associated Press reports that Saudi Arabian authorities have arrested 520 people with suspected ties to Al Qaeda this year. Some of those arrested and detained were plotting attacks against an oil installation and “security target.” (See item 1)

• The National Intelligence Council chairman warned that global climate change could sap the country’s military forces – while fueling new conflicts around the world. He also reported that a number of active coastal military installations in the U.S. are at risk for damage, including two dozen nuclear facilities and numerous. (See item 12)

Banking and Finance Sector

Nothing to report

Information Technology

35. June 26, IDG News Service – (International) Antispam group outlines defenses to block botnet spam. A major anti-spam organization is pushing a set of new best practices for ISPs (internet service providers) to stop increasing volumes of spam from botnets. The guidelines, from the Messaging Anti-Abuse Working Group (MAAWG), were drawn up at a meeting in Germany last week and deal with forwarded e-mail and e-mail that is sent from dynamic IP (Internet Protocol) addresses. Many people forward their e-mail from one address to another, a relay that goes through their ISP’s mail server. But many ISPs use automated tools that could begin blocking further e-mail to an address if a large volume of e-mail has come through. Legitimate messages would be blocked, too. ISPs can fix this by separating the servers that receive e-mail and ones that then forward e-mail. That way, ISPs can filter out spam coming into the accounts before forwarding, taking a look at the messages, and spotting which ones came from dodgy domains, he said. MAAWG’s second recommendation deals with the long-standing problem of PCs that have been infected with malicious software that sends spam. The PCs are part of botnets, or networks of computers that have been compromised by hackers. After a PC is infected, it will often start sending spam through port 25 straight onto the Internet. That contrasts with legitimate e-mail, which usually goes through the ISP’s mail server first before being sent on. MAAWG’s primary suggestion for ISPs is to block all machines on dynamic IP addresses that are sending e-mail on port 25 outside their own network unless there are special, legitimate circumstances. But MAAWG said that idea may not be possible for some ISPs, and its guidelines offer another alternative: ISPs should share information about their dynamic address space. That would let other ISPs refine their spam filters.
Source: http://www.pcworld.com/businesscenter/article/147586/antispam_group_outlines_defenses_to_block_botnet_spam.html

36. June 25, SC Magazine – (International) Szirbi botnet causes spam to triple in a week. Malicious spam has tripled in volume in a week, most of it caused by the Srizbi botnet, according to research by the Marshal TRACE team. In the beginning of June, three percent of total spam was malware. However, by the following week, that amount jumped to 9.9 percent. Malicious spam usually contains a URL linking to a malware-serving website. Since February, Srizbi has been responsible for nearly half of all spam, overtaking the previous record holder — the Storm botnet. Srizbi is a pernicious botnet, not just due to its size, but also because it implements an extremely fast mail-sending engine, a senior anti-spam technologist at messaging security vendor MessageLabs said. With Srizbi, botnet authors “moved the engine into the Windows kernel.” “This allows it to send more mail per hour than a regular botnet.” Most of the recent malicious spam is capitalizing on two popular ways of social networking. One is to spoof the Classmates.com site by sending messages saying there is an update on friend information. The other is to send a video link with a message stating, “Here’s a link of you doing something stupid.” “The botnet is very good at keeping out of sight,” he added. “It changes frequently, making it more difficult to detect with malware scanners.” Source: http://www.scmagazineus.com/Szirbi-botnet-causes-spam-to-triple-in-a-week/article/111720/

37. June 25, Blocksandfiles.com – (International) USB thumb drives fingered as Trojan carriers. The Japanese newspaper Yomiuri Shimbun reports a local Trend Micro survey that says USB-carried Trojans are on the rise. The most damaging Trojan is called MAL_OTORUN1 along with its derivatives. There were 58 infections of this through flash drives in February, which rose to 138 in March, 110 in April, and 150 last month. Source: http://blocksandfiles.com/article/5729

38. June 25, ComputerWorld – (International) Cleaning Chinese malware sites a ‘bigger challenge’ than in U.S., says researcher. More than half the sites spreading malicious code are hosted on Chinese networks, an anti-malware group said Wednesday. Of the over 213,000 malware-hosting sites analyzed last month by Stopbadware.org — a joint effort of researchers at Harvard University, Oxford University and several corporations, including Google Inc. and Sun Microsystems Inc. — 52% were hosted by servers running Chinese IP addresses. Of the top 10 networks serving malicious code, six are Chinese. The U.S. hosts 21% of the malware sites, giving it the dubious honor of second place. Stopbadware.org, which uses data collected by Google’s crawlers, would not speculate on what proportion of the sites, Chinese or otherwise, are deliberately hosting malicious code and what fraction are actually legitimate sites that have been hacked. But the dramatic year-to-year growth in the number of sites serving up malware is likely due to a boom in site hacking. The problem has become so acute, said Microsoft Corp. Tuesday, that it and Hewlett-Packard Co. joined forces to launch free tools that site developers and administrators can use to search for vulnerable code and block incoming attacks. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9103378&taxonomyId=17&intsrc=kc_top

Communications Sector

39. June 26, Xinhua – (International) African countries meet over submarine fiber optic cables. Ten African countries are meeting in Lome, Togo, to explore and work out ways to promote and enhance access to the deployment and use of fiber optic technologies across parts of West and Central Africa, according to official sources. The meeting, which began on Wednesday, will deliberate on ways to spur the implementation of the Agreement for Construction and Maintenance as well as contracts for the supply of the system, approved and signed by the governments of the ten countries. The ten countries, all member states of the Interim Committee for the Management Project of Fiber Optic Submarine Cables (WAFS), are scheduled to meet for two days in a bid to address the issue of communications in the sub-region, according to a statement issued by the organizers of the event. The WAFS project is intended to lay a series of submarine fiber optic cables along the West African coast while passing through ten members, including Togo, Benin, Cameroon, Angola, the Republic of Congo, Gabon, Equatorial Guinea, the Democratic Republic of Congo, Botswana, and South Africa. These cables will be interconnected with other fiber optic cables, which are already existent in the West African sub-region. They will be used to provide broadband internet services in each of these countries. Source: http://news.xinhuanet.com/english/2008-06/26/content_8444681.htm

40. June 26, New York Times – (New York) More delays for cameras in subways. Aging fiber-optic cable in Brooklyn and Queens has become the latest obstacle to a planned high-tech system of surveillance cameras meant to safeguard the subway and commuter railroads, according to Metropolitan Transportation Authority officials. The system, which is expected to cost at least $450 million, is a crucial component of a larger program to thwart terrorist attacks on the region’s transportation network, but it has met repeatedly with technical problems and delays. On Wednesday, the authority’s board authorized the replacement of 84,000 feet of old fiber-optic cable, which was installed in the late 1980s. The replacement will cost $5 million and is being done as part of a separate project to build out the subway’s data network. According to a board document, tests on the cable showed that it had “many broken fibers unsuitable to carry the high bandwidth required” to transmit large amounts of data, which hindered the surveillance camera project. The document did not say how long it would take to replace the cable. Source: http://www.nytimes.com/2008/06/26/nyregion/26security.html?ref=nyregion

41. June 25, Network World – (National) Avaya, Cisco and Nortel face VoIP vulnerabilities. Voice-over-IP (VoIP) customers of Avaya, Cisco, and Nortel should look Wednesday for patches that correct newly found vulnerabilities that, if exploited, can result in remote code execution, unauthorized access, denial of service, and information harvesting. The vulnerabilities were found by VoIPshield Laboratories, the research division of VoIPshield Systems Inc., and reported earlier to the three vendors to give them time to develop patches for the flaws, said the president and chief executive officer of VoIPshield. He would not reveal more details because his company and the affected VoIP vendors agreed to a simultaneous announcement. Details of the vulnerabilities and the vendor responses are scheduled to be released Wednesday at noon Eastern Standard Time. The vulnerabilities affect voice servers -- VoIP PBXes -- and softphone software that runs on laptops and desktops. VoIPshield ranks most of the vulnerabilities found as either critical or high, the two most severe rankings on its four-step scale. Avaya, Cisco, and Nortel were chosen for vulnerability testing because they represent the bulk of IP PBX sales in North America. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9103318&taxonomyId=17&intsrc=kc_top

Thursday, June 26, 2008

Daily Report

• The LA Times reports that bacterial, viral, and parasitic infections are plaguing the U.S.’s poor. The Public Library of Science journal PLoS Neglected Tropical Diseases lists 24 “neglected infections of poverty.” (See item 23)

• The associate technical director of the Defense Intelligence Agency’s Missile & Space Intelligence Center warned in a recent presentation that terror groups could use lasers, radio frequency jammers, and even nuclear weapons to knock out U.S. satellites by the year 2020. (See item 38)

Banking and Finance Sector

11. June 23, Government Computer News – (International) Cybercrooks going after the euros. A supposed hacker is attempting to extort 10,000 euros from European Union banks in exchange for stolen credit card information on 48,000 accounts. According to the online security company SecureWorks, e-mails with the subject line “We can have a deal!” have been sent to banks in France, the Netherlands, Denmark, Belgium, and Norway, and an apparent copycat has targeted banks in the United Kingdom, Spain, and Germany. “And now I have two ways to do,” the blackmailer writes. One, he can post the information on the Web to the embarrassment of the bank. “However, I have the second way. We can have a deal if you transfer 10,000 EUR on my account.” In this case, he promises – no doubt sincerely – to destroy the data. The information described by the blackmailer is worth only about 1,000 euros on the underground market, and news of a successful extortion is likely to be more damaging to a bank than a breach would be. “We will almost certainly see this one jump the pond and target banks in the United States shortly,” the director of threat intelligence at SecureWorks said. Source: http://www.gcn.com/print/27_15/46493-1.html#

Information Technology

31. June 25, TechTree News – (National) Windows XP support extended until 2014. Microsoft has decided to offer technical support for Windows XP with updates and security patches until April 2014. However, it will not go back on its decision to discontinue Windows XP sales after June 30. This means that after June 30, Microsoft will stop distributing Windows XP as a stand-alone product, as well as stop licensing it to PC manufacturers like Dell, HP, Lenovo, and others. However, it doesn’t mean that XP will disappear overnight. Consumers may still find copies of the software or computers pre-loaded with it for months, as stores and PC makers typically work through their inventories. Microsoft’s move to extend the deadline for technical support is primarily influenced by large business customers, who haven’t yet upgraded their systems to Windows Vista. The companies have been reluctant to switch to Vista due to the costs and heavy system requirements involved. So, large business customers might just skip Vista and continue with XP until the release of Windows 7, which is scheduled for release in 2010. Source: http://www.techtree.com/India/News/Windows_XP_Support_Extended_until_2014/551-90615-580.html

32. June 24, Wired Blogs – (National) Net neutrality advocates call for fast, universal access to the Net. The United States’ anemic broadband penetration rate has led to the formation of a new lobbying group whose goal is to build the political will to bring a more determined, coherent approach to the problem. Many members of the group, including its chief non-profit organizing entity Free Press, have been allies in the fight to shape public opinion and build widespread support for the concept of net neutrality. “We’re going to create one of the largest coalitions ever assembled, which is going to demonstrate to policymakers that the will of the people is to create an internet system that has competition, access, and that fosters innovation,” said the Free Press’ executive director at a Tuesday press conference unveiling the initiative at The Personal Democracy Forum in New York City. The group wants better leadership from the White House on this issue, but is not advocating for any specific piece of legislation. Google’s involvement in the deal is significant. The company has expanded its Washington, D.C. lobbying group significantly in the past few years. Source: http://blog.wired.com/27bstroke6/2008/06/net-neutrality.html

33. June 24, CNET News – (National) Trojans exploit Mac OS X ARDAgent flaw. Building on the Trojan released last week, a group of hackers appears to be targeting the Mac OS X platform with more variations. Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability within the Apple Remote Desktop Agent (ARDAgent). It is part of the remote-management component of Mac OS X 10.4 and 10.5, and is owned by root. Thus, the ARDAgent executable runs this malicious code as root without requiring a password. The Washington Post on Monday reported the presence of a hacker forum devoted to the development of Trojans around this vulnerability. The particular user forum at MacShadows.com has since been removed. The Post was nonetheless able to obtain screenshots from the forum before it was erased, and also a copy of the Mac Trojan template. Buried within the template was an e-mail from one of the Trojan’s authors, “Andrew.” Despite their existence, there is no evidence these Trojans are circulating widely on the Internet. Source: http://news.cnet.com/8301-10789_3-9976122-57.html

34. June 24, IDG News Service – (International) $1B market for meddling with DNS poses security problem. The interception of Internet traffic to snoop on phone calls or track surfers’ behavior is a hot topic, but members of the Internet Corporation for Assigned Names and Numbers (ICANN)’s Security and Stability Advisory Committee (SSAC) are concerned about the interception of traffic to and from sites that don’t even exist. There are still a few possible domain names out there that have not been registered, and if you accidentally type one of them into your browser’s address bar, you ought to receive an error message from the DNS signaling that the domain does not exist. What happens to those error messages is of concern to SSAC’s members, who advise on the security and integrity of the domain name systems that ICANN coordinates. Some internet service providers and domain name registrars see the error messages as a missed opportunity to “help” their customers find the site they are looking for and to make a little money on the side. They do this by intercepting the error messages and modifying them to point to a web site that they control, typically carrying advertisements related to the domain name typed. “There’s a perceived $1 billion market for domain error resolution,” said ICANN’s senior security technologist. At the top of his list of reasons why ISPs and registrars should not be allowed to profit from people’s typing errors in this way is that they may open up security holes in users’ computers. For example, a security researcher demonstrated in April that he could exploit the error message redirection system used by ISP EarthLink to execute his own JavaScript. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9102778&taxonomyId=17&intsrc=kc_top

35. June 24, ComputerWorld – (International) Researcher slams Adobe for ‘epidemic’ of JavaScript bugs. Adobe Systems Inc. patched its free Reader and commercial Acrobat software late Monday to plug the latest in what one researcher called an “epidemic” of JavaScript vulnerabilities in the popular programs this year. Both the Windows and Mac editions of the Adobe software require patches. Adobe last patched JavaScript bugs in Reader and Acrobat in February, although other fixes were issued in early 2007. In February, Adobe updated both programs to Version 8.1.2 by patching nearly 30 problems. At the time, the company was criticized for not providing more information about exactly what was fixed. Days later, reports surfaced that some of the JavaScript bugs patched this year had been exploited by hackers for several weeks and had infected thousands of users. According to Adobe, Versions 8.0 through 8.1.2 of both Reader and Acrobat should be patched; Reader and Acrobat 7.1.0, which were released in February, do not contain the bug and therefore do not need to be updated. Users still relying on Version 7.0.9 or earlier, however, should update to 7.1.0, urged Adobe. Reader 9 and Acrobat 9, which are expected to launch next month, are not vulnerable.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9102878&taxonomyId=17&intsrc=kc_top

36. June 24, ComputerWorld – (International) Microsoft, HP ship free tools to protect Web sites from hackers. Microsoft Corp. and Hewlett-Packard Co. on Tuesday unveiled free tools to help Web developers and site administrators defend against the rapidly growing number of SQL injection attacks that aim to hijack legitimate sites. The move is in response to a major upswing during the first six months of 2008 in the number of attacks targeting legitimate sites. Most of the hacks have used SQL injection attacks, and have compromised significant sites including ones operated by government agencies, the United Nations, and major corporations. In a report issued the same day, Finnish security company F-Secure estimated the number of pages hacked by SQL injection attacks so far this year at between two and three million. Previously, Microsoft denied that its software was vulnerable to attack or otherwise responsible for the flood of hacked sites. Instead, the company told developers and administrators to follow the company’s guidelines to protect their sites from attack. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9103138&taxonomyId=17&intsrc=kc_top

Communications Sector

37. June 25, Forbes – (National) Calling during disasters. Corporations and some government agencies have used wireless technologies to make their labor more mobile for years. But when a disaster can make the infrastructure supporting wireless literally vanish, disaster relief specialists need more than just a conventional cell phone or BlackBerry. Now commercial technology that can set up a global communications network in under an hour is emerging. These technologies can support devices like personal digital assistants (PDAs) and cell phones in places where infrastructure breaks down. With a little help from satellites, wireless is saving lives. Recent disasters have offered a unique testing ground for burgeoning wireless technology. Events from Hurricane Katrina to California wildfires have illustrated the need for a diverse communications infrastructure with various technologies playing key roles. When using wireless networks to communicate through a disaster, the scope of communications infrastructure is especially important, says the president of Kingsbridge Systems, a disaster-planning consulting company. Communications networks are fairly robust and can withstand some pretty remarkable devastation. When the Twin Towers collapsed, they knocked out cables and cell towers attached to the buildings, disrupting Internet and cell service all over New York City. But that disruption turned out to be only temporary; fail-safes, or backup networks, quickly jumped into place, allowing people to keep in contact with relatives and loved ones. In past years, the military has turned to costly satellite-and-radio combinations to keep up communications in remote places. Now some of the companies that catered to the military in the past are making low-cost versions of the technology available to the private sector. Source: http://www.forbes.com/home/2008/06/24/wireless-disaster-relief-tech-wireless08-cx_ae_0625disaster.html

38. June 25, Wired Blogs – (National) Pentagon spy: Terrorists ready to launch satellite strikes by 2020. The associate technical director of the Defense Intelligence Agency’s Missile & Space Intelligence Center warned in a recent presentation that terror groups could use lasers, radio frequency jammers, and even nuclear weapons to knock out U.S. satellites by the year 2020. Countries like China might launch anti-satellite [ASAT] ballistic missiles – or position weapons in orbit. These states might be “hesitant,” at first, to start blasting American orbiters, he observes, “but [would] probably be willing under appropriate conditions” to attack. His presentation, “Threats to Space Capabilities,” was delivered earlier this month to the Space Security & Defense Conference. In it, he observes that advanced countries already “have the technical basis to develop” an ASAT arsenal. He also notes that “rogue nation/terrorist[s]” can use jammers to interfere with satellite transmission. Source: http://blog.wired.com/defense/2008/06/the-defense-int.html

39. June 24, CNet News – (National) T-Mobile’s home phone service goes nationwide. T-Mobile USA plans to announce Wednesday that its new @Home voice service will be available nationwide starting July 2. The cell phone operator has been testing the new Internet telephony service since February in Dallas and Seattle. And now the new service, which is meant to replace traditional home phones, will be offered to any T-Mobile cell phone customer. Subscribers will be able to connect any regular home telephone to a T-Mobile router that will send calls over the Internet much the same way as services like Vonage operate. The service costs $10 a month plus taxes and fees for unlimited domestic local and long-distance calls. Source: http://news.cnet.com/8301-10784_3-9976679-7.html