Department of Homeland Security Daily Open Source Infrastructure Report

Friday, August 8, 2008

Complete DHS Daily Report for August 8, 2008

Daily Report

• According to the Gallup Independent, the Gallup, New Mexico, Wastewater Treatment Plant has received an “unsatisfactory” rating from the state in six of seven categories pertaining to its federal discharge permit. (See item 20)

• IDG News Service reports that the security researcher who discovered a major flaw with the Internet’s Domain Name System has revealed the full details of the flaw, which he describes as the worst Internet security hole since 1997. (See item 34)

Banking and Finance Sector

9. August 7, Associated Press – (National) Pension transfers to banks vetoed. The Bush administration dealt a blow to the financial services sector Wednesday, ruling that companies cannot transfer their pension plans to large banks to be managed for a profit. The Treasury Department and the Internal Revenue Service said current law does not allow such transfers unless they are part of a larger transaction that also includes “significant business assets, operations or employees.” Despite the ruling, the Treasury Department indicated the Bush administration supports legislation that would allow the transfers to take place. Opponents warn that the banks would seek to profit from taking over the plans, a goal that could conflict with the pension plans’ primary purpose of paying benefits to current and future retirees. Source:

10. August 7, Bloomberg – (National) Bank of New York battles Dershowitz-backed Russia in RICO trial. Bank of New York Corp. paid $14 million three years ago to settle U.S. criminal allegations that an employee conspired to illicitly transfer money out of Russia. Now, officials in Moscow want their cut – $22.5 billion in damages for alleged money-laundering. Russia is going after the company, now called Bank of New York Mellon Corp., using a civil variant of the U.S. anti-racketeering law conceived to put mobsters behind bars. It is the first time a government other than the U.S. has tried to use the Racketeer Influenced and Corrupt Organizations Act, better known as RICO. The legal fight is spooking shareholders just when the bank’s chief executive officer hoped to reap the benefits of last year’s merger of Bank of New York and Mellon Financial Corp. The deal created the world’s biggest custody bank, safeguarding $23 trillion for investors. The Russian customs service sued BNY Mellon in May 2007, alleging that it illegally helped wire more than $7 billion out of the country during the 1990s. A Harvard law professor and a principal author of the RICO statute said that BNY Mellon ``got away in the U.S. with a slap on the wrist’’ and that that Russia is entitled to triple damages under the U.S. RICO law. An attorney leading the Russian legal team said a judgment against BNY Mellon can be enforced in 90 countries, raising the specter of asset seizures. Source:

11. August 6, New York Times – (National) I.R.S. offers a settlement in corporate tax shelter cases. The Internal Revenue Service, bolstered by recent court rulings, offered more than 45 corporations Wednesday the chance to settle disputes involving two tax shelters used to defer payment of billions of dollars in taxes. The questionable shelters, known as LILO and SILO, involve corporations leasing, on paper only, subways, bridges, sewers and other infrastructure, often overseas, and then leasing the facilities back to their owners or operators. I.R.S. officials said that the corporations, including many large banks, had bought more than 1,000 of the shelters, improperly deferring taxes and bolstering their balance sheets. Under the settlement, the I.R.S. said it would allow the companies to keep 20 percent of the deductions claimed through 2007 from use of the shelters — if they agreed to get out of them by December 2010 at the latest. The companies would have to pay the remaining 80 percent of the improperly claimed deductions — a level still likely to leave many with seven-figure tax bills. It was not clear Wednesday whether the more than 45 corporations were the only users of the shelters. The I.R.S. does not consider either shelter to be legitimate. It disallowed LILO, which is short for lease-in/lease-out, in 2000, and the related SILO, for sale-in/lease-out, in 2005. Source:

12. August 6, Reuters – (National) Prudential Financial settles SEC accounting case. Prudential Financial Inc agreed to settle allegations that the firm improperly reported more than $200 million in income involving reinsurance contracts, securities regulators said on Wednesday. The Securities and Exchange Commission (SEC) said Prudential Financial settled the case without admitting or denying any wrongdoing. The company did not pay any monetary penalties. According to an SEC complaint filed in a federal court in Newark, New Jersey, the contracts had no economic substance and no purpose other than to build up and then draw down an off-balance sheet asset held by General Reinsurance Corp for Prudential’s former property and casualty subsidiaries. General Reinsurance is a Berkshire Hathaway Inc unit. The SEC said Prudential filed inaccurate annual, quarterly and current documents after it became a publicly traded company in 2001. The SEC said that the improper accounting practices began in 1997. Source:

Information Technology

34. August 6, Wired Blog Network – (National) Black Hat: DNS flaw much worse than previously reported. The security researcher who discovered a major flaw with the internet’s DNS system finally revealed the full details of his reported DNS flaw. It turns out it is much worse than previously understood. “Every network is at risk,” he said at the Black Hat conference here Wednesday. “That’s what this flaw has shown.” he disclosed the security vulnerability in the Domain Name System on July 13 but promised to withhold details of the bug for one month to give DNS server owners a chance to patch their systems. But a week ago, some of the details leaked after security firm Matasano inadvertently posted information about it online. In addition to browsers, attackers could target numerous other applications, protocols and services, such as the File Transfer Protocol (FTP), mail servers, spam filters, Telnet, and the Secure Socket Layer that’s supposed to make online banking save from eavesdroppers. Another serious vulnerability involves sites that provide the ubiquitous “Forgot your password?” link for users who find themselves locked out of their accounts. He also showed how the DNS flaw could be exploited to provide hackers with a backdoor or “skeleton key” to the web accounts. He worked with major sites such as Google, Yahoo, PayPal, eBay, MySpace, Facebook, LinkedIn, and others to fix the issue before he disclosed information about that attack scenario today. He said that more than 120 million broadband consumers are now protected by patched DNS servers, which amounts to about 42 percent of broadband internet users. Seventy percent of Fortune 500 companies have also patched, while 15 percent have tried to patch but run up against problems. Another 15 percent have done nothing to fix the hole. Source:

35. August 6, Computerworld – (National) Massive faux-CNN spam blitz uses legit sites to deliver fake Flash. More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that’s part of a massive spam attack masquerading as news notifications, security researchers said Wednesday. The bogus messages, which claim to be from the news Web site, include links to what are supposedly the day’s Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a newer edition, said the vice president of information security at Denver-based security company MX Logic Inc. On Tuesday a Bulgarian security researcher reported finding more than 1,000 hacked sites hosting the fake Flash Player update. Source:

Communications Sector

36. August 6, Forbes – (Nebraska) No signal? Neb. policy could expand cell coverage. Sparsely populated areas of Nebraska with no cell phone service could be helped by a policy from the Public Service Commission that makes millions of dollars available for new cell towers. For years, a phone surcharge paid by Nebraskans that gathers millions of dollars annually has mainly gone to landline phone companies to help pay for rural service. Last year 48 phone companies received a total of nearly $71 million from the state Universal Service Fund. But cell phone users contribute more than half the money to the fund. Now, under the new policy, $5 million of the fund will be available each year to build cell towers in parts of the state with no coverage. “We’re recognizing that many of the contributions to the Universal Service Fund are cell users and we’re trying to spend some of the funds on cellular technology,” said the state Public Service commissioner. The policy, he said, is designed to help build towers in remote areas that private companies avoid because not enough people in the area are paying for service. Asked why more of the multimillion dollar fund isn’t being set aside to help build cellular towers, he said the landline system that benefits from much of the fund is still a key cog in cellular technology. Cell calls are often routed through landlines. Source: