Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, July 15, 2008

Daily Report

Our apologies for the delay in this report. However, as of 11:10am it has not been published. This post was made to our blog as soon as we received it. It arrived at 11:26am and its properties indicate it was created on July 14, 2008. It would appear that this report was not prepared by the regular DHS employee.

• The Securities and Exchange Commission announced on Sunday that it and other regulators would begin examining rumor-spreading intended to manipulate securities prices. The timing of the announcement was meant to warn broker-dealers, hedge funds, and investment advisers to quell any spreading of rumors before trading started Monday. (See item 11)

• A new study commissioned by the World Wildlife Fund and conducted by scientists from the U.S. Forest Service says global warming and population growth threaten the Southeast’s already precarious water supplies by fueling more extreme weather and degrading water quality. (See item 29)

Banking and Finance Sector


10. July 13, USA Today – (National) Banks at risk of failing almost double since 2006. Rising losses from bad mortgages and low capital levels are threatening the viability of a small, but growing, number of U.S. banks. The Federal Deposit Insurance Corp. says 90 institutions, about one percent of those it insures, are on its list of “problem banks” at greater risk of failing. That is up from 50 at the end of 2006. On Friday, IndyMac, a mortgage lender with $32 billion in assets, became the fourth-largest financial institution to be taken over by regulators, based on inflation-adjusted assets. The entire banking system is under “an increasing and very high level of stress,” says a chief economist at Moody’s Economy.com. At the end of March, real estate loans that were delinquent or in default accounted for 25 percent of banks’ available capital to cover such losses, he says. By comparison, troubled loans made up less than 10 percent of banks’ capital from 1995 through 2005. Source: http://www.usatoday.com/money/industries/banking/2008-07-11-indymac-shut-down_N.htm?loc=interstitialskip


11. July 13, New York Times – (National) S.E.C. warns Wall Street: Stop spreading the false rumors. The Securities and Exchange Commission announced on Sunday that it and other regulators would begin examining rumor-spreading intended to manipulate securities prices. The timing of the announcement, made before the markets opened in Asia, was meant to warn broker-dealers, hedge funds and investment advisers to quell any spreading of rumors before trading started Monday. “Traders know there is false information in the market. They need to think twice if they are going to pass it on,” said the director of the S.E.C.’s Office of Compliance Inspections and Examinations. The examinations are expected to begin Monday and will focus on what policies firms have in place to prevent the passing of false information. These examinations will focus on compliance and supervisory policies. In addition, continuing investigations will look at potential wrongdoing. The intent is to stop malicious rumors without hampering the natural exchange of information in the marketplace. Lehman Brothers, for example, faced rumors last week that two major clients had stopped doing business with the firm. Lehman’s stock dived almost 20 percent before recovering somewhat as both clients denied the rumors. Source: http://biz.yahoo.com/nytimes/080713/1194794604121.html?.v=1


12. July 13, San Francisco Chronicle – (National) Lender can tap accounts if debt payments lapse. Banks, credit unions and other financial institutions commonly exercise their legal right to appropriate money from a borrower’s checking, savings or other accounts to settle outstanding debts. If an overdue borrower has funds on deposit, the lender can get its hands on that money without going through the trouble of getting a court order. As the economy has turned sour and more borrowers have fallen behind, lenders have apparently stepped up their use of offsets to collect overdue loans. Consumer complaints and inquiries about offsets filed with the Office of the Comptroller of the Currency, the agency that regulates nationally chartered banks such as Bank of America and Wells Fargo, ballooned to 576 in the first half of 2008 from 151 such cases in the first half of 2007, according to a spokesman. Federal banking regulations prohibit unilateral offsets with consumer credit cards and other personal loans, said an attorney with Morrison & Foerster in San Francisco. But lenders get around that by putting language in consumer loan agreements giving them permission to draw on delinquent borrowers’ other accounts. Few consumers read the fine print that spells out a lender’s right to seize funds. But lawyers and credit counselors are well aware of the practice. They say lenders rarely take funds from accounts when they have collateral. When a mortgage borrower falls behind, the remedy is foreclosure. When a customer fails to repay an auto loan, the lender repossesses the vehicle. Lenders draw on other accounts most often when there is no other asset they can seize. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/12/BUS411LMH3.DTL

13. July 12, BaltimoreNews.net – (National) Large oil company charged with fraud. The Texas-based El Paso Corporation, a major energy firm, has been charged with fraud for improperly overstating its oil and gas reserves to investors. Misleading financial statements from 1999 to 2003 caught the eye of the US Securities and Exchange Commission (SEC) because El Paso had inflated the company’s proved oil and gas reserves. The company has agreed to settle the SEC’s civil legal action. El Paso owns North America’s largest natural gas pipeline network which transports over a quarter of the natural gas used in the United States every day. Source: http://www.baltimorenews.net/story/381442

14. July 11, Associated Press – (Missouri) Mortgage chief charged with $35 million fraud. The former president of First Bank Mortgage in St. Louis is facing federal fraud charges for allegedly funneling $35 million from the bank over nearly two decades. A U.S. Attorney says that over the years, the suspect falsified bank documents to hide the loss. She says he also borrowed money from Bear Stearns in New York to provide cash to his division, then told his bosses the borrowed money was actually income. Source: http://www.businessweek.com/ap/financialnews/D91RP1381.htm


Information Technology


37. July 14, IDG News Service – (National) Symantec: Microsoft Access ActiveX attacks will intensify. An easy-to-use toolkit used to hack computers has now been updated to take advantage of an unpatched security vulnerability in Microsoft’s software, which could mean attacks will intensify, according to vendor Symantec. The Neosploit toolkit is one of several on the Internet that can be used by less-technical hackers to compromise machines. Symantec said it has detected on its network of Internet sensors that Neosploit can take advantage of a vulnerability revealed early last week in Microsoft’s Access database program. Microsoft has not patched the bug yet, and the company just issued its patches for the month on July 8. The vulnerability is within the Snapshot Viewer ActiveX control, which launches a viewer for Microsoft Access reports that doesn’t require running the Access software itself. The vulnerability poses a special danger since the ActiveX control is digitally signed by Microsoft, which means that people who have Internet Explorer configured to trust ActiveX controls with that designation would run it automatically if encountered on a Web page. Some of the Web pages that have already been hacked with automated SQL injection attacks earlier this year are also hosting the Microsoft Access attack, according to a Symantec researcher. The problematic viewer accompanies all supported versions of Microsoft Office Access except Microsoft Access 2007. Source: http://www.pcworld.com/businesscenter/article/148355/symantec_microsoft_access_activex_attacks_will_intensify.html


38. July 14, Channel Register – (International) Relay server attack tactic dupes auto-reporting. System administrators have begun noticing a coordinated attack on servers with open SSH ports that tries to stay under the radar by only attempting to guess a password three times from any compromised machine. Instead of mounting an attack from a single compromised host, hackers have worked out a means to relay a brute force attack between multiple assault machines. An IT consultant and developer picked up on the attack, which started around the beginning of July, when he noticed a pattern of assaults on a small bank of dedicated Linux servers he manages. After falling victim to a hacking attack a few months back, the developer has diligently gone through system logs generated by DenyHosts, a security tool for SSH servers. System administrators often run monitoring software or intrusion detection systems that detect brute force SSH break-in attempts. But by running only three queries from each machine, that attack may go unrecorded because it falls below the detection thresholds of security software. Attempts to make more guesses would result in actions such as the blocking of an IP address and record of the attack being made. The assault is aimed at breaking into Linux systems with easily-guessable passwords rather than exploiting any particular security vulnerability. It is not clear who is behind the assault, which appears to originate from a botnet network of compromised Linux boxes. Over time the assault has switched from SSH ports to targeting the “root” account on servers. The developer believes a database is being used to coordinate the attack between a relay of bots. Source: http://www.channelregister.co.uk/2008/07/14/brute_force_ssh_attack/
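The evasion described in item 38 works because every source stays at or below a per-IP failure threshold; counting distinct sources per targeted account exposes it. The following is an added example, not part of the DHS report or the cited article. It assumes OpenSSH-style "Failed password" syslog lines, and the host name, addresses, sample lines and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: standard syslog prefix + sshd "Failed password" message.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines, year=2008):
    """Yield (time, account, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def per_ip_alerts(events, limit=3):
    """Classic per-source threshold: IPs with more than `limit` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n > limit}

def distributed_alerts(events, min_sources=5, window=timedelta(hours=1)):
    """Accounts failed against by >= min_sources distinct IPs in one window."""
    by_account = defaultdict(list)
    for ts, account, ip in events:
        by_account[account].append((ts, ip))
    alerts = {}
    for account, hits in by_account.items():
        hits.sort()
        for start, _ in hits:  # slide the window over every event time
            ips = {ip for ts, ip in hits if start <= ts < start + window}
            if len(ips) >= min_sources:
                alerts[account] = max(len(ips), alerts.get(account, 0))
    return alerts

# Constructed sample: six sources, three guesses each, against "root",
# plus one unrelated failure for another account.
SAMPLE = [
    f"Jul 14 03:{m:02d}:{s:02d} web1 sshd[{2000 + m}]: "
    f"Failed password for root from 192.0.2.{10 + m} port 40{m}22 ssh2"
    for m in range(6) for s in (1, 7, 13)
] + ["Jul 14 03:30:00 web1 sshd[2100]: Failed password for invalid user "
     "backup from 198.51.100.7 port 51000 ssh2"]

EVENTS = list(parse(SAMPLE))
```

On the sample, `per_ip_alerts(EVENTS)` is empty while `distributed_alerts(EVENTS)` reports `root` with six distinct sources.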


39. July 14, VNUNet – (International) Homer Simpson spreading malware. An email address, which was registered by one of the writers of the TV show The Simpsons prior to the airing of a 2003 episode in which the name appeared, is now being used to distribute a Trojan disguised as a Simpsons movie file. A malware research director at FaceTime said that the screen name is sending auto-reply messages promising a special exclusive episode of the show available for download. The link in the message leads to an executable file. On launching the Trojan, the user is presented with a fake error message followed by several real error messages and finally a blank screen. On restarting, the user’s system will run noticeably slower and be prone to crashes. The malicious payload includes a rootkit and remote control software which logs the user in a botnet. The malware was traced back to Kimya, a Turkish botnet which has been infecting machines for the past four months. The malware is currently being spread only by that one user name, but the botnet could easily be used to launch a much larger malware attack in the future. Source: http://uk.news.yahoo.com/vdunet/20080714/ttc-homer-simpson-spreading-malware-6315470.html


40. July 14, Web User – (International) Internet cafés under attack. A new piece of malware has been spotted in China that could put internet cafés at risk from hackers and other online criminals. Researchers at McAfee drew attention to the problem recently after spotting MachineDog circulating in China. Internet cafés are very popular in China as many people cannot afford a home PC, but slack security policies mean that they are vulnerable to attack. “One special characteristic of this malware is that it’s designed to penetrate the hard disk. This means it can infect most machines in internet bars and cafes, in some cases without too much resistance,” said a McAfee researcher. The problem is that many internet cafes do not use conventional security software, but use back-up solutions instead. If a PC picks up an infection, it is simply restored to its pre-infection state. But the Machine Dog rootkit is much more difficult to get rid of, said McAfee. “The attack is so dangerous that once it successfully loads its driver into the kernel, most hard-disk protection software will be nothing but an empty shuck, with the administrator still having no idea.” Source: http://www.web-user.co.uk/news/news.php?id=263416


Communications Sector


41. July 13, Associated Press – (National) Cell phone companies scramble to halt trafficking. In South Florida, New York, California, Georgia, Texas, and elsewhere, traffickers have figured out they can make big profits by purchasing thousands of low-cost phones and tweaking the software so that calls can be made on any cell network. The altered phones are then sold all over the world — costing the phone companies tens of millions of dollars. Some traffickers employ dozens of people full-time as “runners” to buy the phones at retail stores so they can later be hacked into and resold. The problem for the phone companies is that they often sell the phones at a loss, instead making their money when customers have to buy additional minutes from them — a guaranteed profit once the phone is sold. But the phone companies have no guarantee that customers will buy minutes from them after the phones are hacked or shipped to a far-off country. It is technically not illegal to unlock the software on your personal cell phone — but the companies are hoping to put a stop to traffickers that they say are siphoning away profits. Led by Miami-based TracFone Wireless Inc., makers of the low-cost prepaid cell phones are suing traffickers in federal courts around the country. One such lawsuit resulted in a criminal conviction in Houston when a man disobeyed a court order by refusing to stop selling the phones. These phones are typically sold by traffickers for between $40 and $60 above the discounted TracFone price — and they are frequently marketed in lots of 10,000 or more. Web sites catering to these dealers boast about having huge numbers of unlocked cell phones. TracFone has filed 39 lawsuits in recent months — more than half of them in South Florida — seeking to stop companies and individuals from trafficking in its phones. Similar lawsuits have been filed by AT&T, Nokia Corp., Virgin Mobile USA Inc., and Motorola Inc. 
Source: http://news.yahoo.com/s/ap/20080713/ap_on_re_us/cell_phone_trafficking;_ylt=Ag2aYCO9BQ3DLwd.eUGOS9es0NUE


42. July 12, Associated Press – (National) FCC chief hopes Comcast sanction serves as warning. A recommendation to punish Comcast Corp. for blocking subscribers’ Internet traffic should serve as a warning to other service providers, the nation’s top telecommunications regulator said Friday. The chairman of the Federal Communications Commission (FCC) said he hopes his action will make network operators sensitive about putting “arbitrary limits on the way consumers can access information on the Internet.” The Associated Press reported Thursday night that he will recommend to his fellow commissioners that Comcast, the nation’s largest cable company, be punished for violating agency principles that guarantee customers open access to the Internet. Comcast was accused by consumer groups of blocking “peer-to-peer” Internet traffic, where users share large data files using special software. The complaint followed an AP investigation in October. Comcast denies it blocks content, but says it uses “carefully limited measures” to manage traffic on its broadband network to ensure all customers receive quality service. Source: http://ap.google.com/article/ALeqM5huAOgy6g1S5wW-7ft0FRuIypdzLQD91RTNTO2