Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, September 23, 2008

Complete DHS Daily Report for September 23, 2008

Daily Report


 Government Executive reports that the U.S. Energy Department has failed to implement cybersecurity measures, leaving its unclassified computer systems and data open to hackers. Despite improvements, weaknesses still exist, according to the agency’s Inspector General, who conducted the evaluation between February and September. (See item 28)

28. September 19, Government Executive – (National) Energy’s unclassified networks still open to cyberattack. The U.S. Energy Department (DOE) has failed to implement cybersecurity measures, leaving its unclassified computer systems and data open to hackers and employees who may not have authorization to access certain files, according to an audit report released by the agency’s inspector general (IG). DOE improved some security weaknesses the IG identified in its fiscal 2007 audit, including strengthening configurations of networks and systems, updating security policies and procedures related to laptops, and improving reporting of security incidents. The agency also began including cybersecurity requirements in relevant contracts. But weaknesses still exist, according to the IG, who conducted an evaluation of unclassified systems between February and September. The Office of Independent Oversight performed a separate evaluation of systems that contain sensitive data. At the time of the IG’s evaluation, department sites reported 480 cybersecurity incidents that affected 703 computers to its Computer Incident Advisory Capability, which monitors network security. That was an increase of about 45 percent from the prior year. Source:

 According to Reuters, a suicide bomb attack that killed 53 people at the Marriott Hotel in Islamabad, Pakistan, on Saturday bore the hallmarks of an operation by al Qaeda or an affiliate, Pakistani and U.S. intelligence officials said. (See item 34)

34. September 22, Reuters – (International) Al Qaeda suspected of Pakistan’s Marriott bombing. A suicide bomb attack that killed 53 people at the Marriott Hotel in Islamabad, Pakistan, bore the hallmarks of an operation by al Qaeda or an affiliate, Pakistani and U.S. intelligence officials said on Sunday. Teams combing the burnt shell of the hotel found more charred bodies after the blast on Saturday evening ignited a blaze that swept through the hotel, part of a U.S.-based chain and a favorite haunt of diplomats and wealthy Pakistanis. Four foreigners were killed including the Czech ambassador, his Vietnamese partner, and two members of the U.S. armed forces assigned to the U.S. embassy. Denmark’s security service said one of their staff, attached to the Danish mission in the capital, was missing, presumed dead. An American State Department employee was also missing, a spokesman said. The Interior Ministry said 266 people were wounded, 11 of them foreigners, after the bomber blew up a truck packed with 600 kilograms (1,320 pounds) of explosives including artillery shells, mortar bombs, and shrapnel. The attack will be a big blow for foreign investment and will lead to further weakening of the rupee which is already trading at a record low, dealers and analysts said. Source:


Banking and Finance Sector

12. September 22, Orange County Register – (California) WaMu loaned millions to California home flippers convicted in fraud scheme. Records show Washington Mutual, America’s largest savings and loan, financed at least 43 mortgages worth $24.5 million on properties bought and sold by members of a single family since 2007. Of the 22 homes sold in that period, at least six have become problems for Washington Mutual: Four were foreclosed, one received a notice of default, and another was listed for sale at a $260,000 loss. Total value of Washington Mutual’s mortgages on the troubled properties: $2.7 million. Source:

13. September 22, CNN Money – (National) $700B bailout: The latest. The current presidential administration has proposed a $700 billion plan to bailout the nation’s banking system. The plan is aimed at stemming the credit crisis roiling Wall Street and threatening the global markets. According to the administration’s proposal, the federal government would buy up as much as $700 billion of illiquid mortgage assets at a deep discount from banks. The Treasury Department would run the program directly, unlike the savings and loan crisis of the 1990s when Congress created the Resolution Trust Company to spearhead a financial bailout. What remains to be seen is how the Treasury Department will structure the purchases and what price they will pay. The timing and scale of purchases would be at the government’s discretion. The price would be established through “market mechanisms.” One method that Treasury has suggested is a reverse auction to set the discount at which the assets would be picked up. The window for the government to purchase the bad assets closes after two years. Private money managers would oversee the assets while they are in the government’s possession. Source:

14. September 21, Associated Press – (National) Fed boosts support for Goldman and Morgan. The Federal Reserve said Sunday it had granted a request by the country’s last two major investment banks – Goldman Sachs and Morgan Stanley – to change their status to bank holding companies. The Federal Reserve announced that it had approved the request of the two investment banks. The change in status will allow them to create commercial banks that will be able to take deposits, bolstering the resources of both institutions. The change continued the biggest restructuring on Wall Street since the Great Depression. Shares of both institutions had come under pressure ever since the bankruptcy filing last week by investment bank Lehman Brothers and the forced sale of investment bank Merrill Lynch to Bank of America. Investors feared that the last remaining independent investment banks would be unable to survive in their current form. There had been speculation that both firms would be acquired by commercial banks, whose ability to take deposits would give them a stable source of funding. Source:

Information Technology

32. September 22, CNet News – (National) Survey: Web-based malware puts corporations at risk. A new study by security firm Webroot found that 85 percent of malware is being distributed through Web applications, which is creating a growing threat for corporations as employees increasingly do online social networking, video watching, and personal e-mail at work. The findings also indicated a more than 500 percent increase in malware in 2007. Also, results showed that one-quarter of companies report that data has been compromised by a Web-based threat, nearly one-third say their Web security was compromised as a result of employees using computers at work to access social networks, Web-based e-mail, and video sites, and only 15 percent enforce Internet usage policies. About 650 information technology administrators in English-speaking countries were surveyed this summer for the study. Source:

33. September 19, Computerworld – (National) Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack. Google Inc.’s Gmail, Microsoft Corp.’s Windows Live Hotmail, and Yahoo Inc.’s Mail all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question, according to quick tests run by Computerworld. Computerworld reporters and editors were able to “break” into their own and colleagues’ accounts on all three services, then reset passwords armed only with the account’s username and the correct response to one of a limited number of common security questions, such as mother’s maiden name, the name of a favorite pet, or the make of a first car. Some of the personal information that would provide answers to the security questions may be easily found by searching social networking sites or the Internet. Hackers who know the username of an account – which is often identical to the part of the e-mail address that precedes the “@” symbol – and correctly type the distorted “CAPTCHA” characters are faced with only a security question before being allowed to change the account password. Source:

Communications Sector

Nothing to Report