Department of Homeland Security Daily Open Source Infrastructure Report

Friday, November 7, 2008

Complete DHS Daily Report for November 7, 2008


 The Associated Press reports that an airline passenger was charged with resisting arrest and interfering with the operations of a flight crew aboard United Airlines Flight 645, from Puerto Rico to Chicago. The airline crew says the passenger became unruly, forcing the flight to land in North Carolina. (See item 7)

7. November 5, Associated Press – (North Carolina) FBI: Airline passenger restrained with duct tape. An airline crew used duct tape to keep a passenger in her seat because they say she became unruly, fighting flight attendants and grabbing other passengers, forcing the flight to land in North Carolina. The woman, of Oswego, New York, is due in court Thursday, charged with resisting arrest and interfering with the operations of a flight crew aboard United Airlines Flight 645, from Puerto Rico to Chicago. She allegedly struck a flight attendant on the buttocks with the back of her hand during Saturday’s flight, FBI sources said in a criminal complaint filed in U.S. District Court in Charlotte. She also stood and fell onto the head of a blind passenger and later started pulling the person’s hair, the complaint stated. Ankle cuffs kept slipping off the woman, so the flight crew and two passengers were forced to use duct tape to keep her in her seat, the complaint states. Source:

 According to eWeek, Newsweek reported that both the Democratic and Republican presidential campaigns had their IT systems hacked and infiltrated in recent months. Newsweek’s sources speculated that the attacks were targeted attempts by foreign constituencies. (See item 21)

21. November 5, eWeek – (National) Campaign hacks highlight cyber-espionage. The security world is abuzz with news today that both the Democratic and Republican presidential campaigns had their IT systems hacked and infiltrated in recent months. As originally reported by Newsweek, “The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyber-attack by an unknown foreign entity, prompting a federal investigation.” The newsmagazine also reported that after taking a closer look at the incidents, Obama’s technical experts believed that the involved hackers were either Russian or Chinese. Newsweek’s sources speculated that the attacks were targeted attempts by foreign constituencies to study the potential policies that each candidate would propose to put into place. Source:


Banking and Finance Sector

5. November 5, Federal Reserve Bank of Dallas – (Texas) Dallas Fed establishes pilot bank advisory council. The Federal Reserve Bank of Dallas today announced the establishment of a pilot Bank Advisory Council at its San Antonio Branch to enhance communication and feedback with area financial institutions. The pilot program will build upon outreach efforts by the Dallas Fed and its branches to area financial institutions. The Council — composed of nine bankers — is a pilot program aimed at providing Dallas Fed officials with grassroots information from area bankers on a variety of topics, including banking and economic conditions, regulatory issues, and Federal Reserve services. During its first year, the Council will meet quarterly and brief the San Antonio Branch board. Source: See also:

6. November 5, WIRED News – (New York) Three plead guilty in $2 million Citibank ATM caper. Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges. The defendants are among 10 suspects charged earlier this year in connection with a breach of a server that processes ATM transactions from 7-Eleven convenience stores. Those ATMs are branded Citibank, but they are owned by Houston-based Cardtronics. Court records indicate a Russian hacker cracked the ATM server in late 2007 and monitored transactions from 7-Eleven cash machines long enough to capture thousands of account numbers and PINs. The Russian then farmed out the stolen data to mules in the United States, who burned the account numbers onto blank mag-stripe cards and withdrew cash from Citibank ATMs in the New York area for at least five months, sending 70 percent of the take back to Russia. Source:

Information Technology

24. November 6, IDG News Service – (International) Once thought safe, WPA Wi-Fi encryption is cracked. Security researchers say they have developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks. The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, a researcher will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router. To do this, the researcher and his co-researcher found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to the PacSec conference’s organizer. They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack. Source:

25. November 6, Enterprise Security – (International) Fake site punts Trojanised WordPress. Fraudsters have set up a fake site featuring a backdoored version of the WordPress blogging application as part of a sophisticated malware-based attack. The fake site offered up what purports to be version 2.6.4 of the open source blogging tool. In reality all but one of the files are identical to the latest pukka (2.6.3) version of WordPress. The crucial difference comes in the form of a Trojanised version of pluggable.php, according to a Sophos virus researcher. Sophos detects the malicious code as WPHack-A Trojan. The issue came to light via a posting by a blogger who reports that he received a “High Risk Vulnerability Warning” from the spoofed WordPress domain when he logged into his admin account. It looks like sites which have not upgraded to 2.6.3 are being exploited in a way where a hacker, probably using an automated script, hacks into sites with the vulnerability and changes the settings of one of the dashboard modules to point to a different feed, encouraging people to go to a different site which offers a dodgy upgrade. The fake site attack represents a rare but not unprecedented attack on users of the open source blogging package. Source:

26. November 5, Government Technology – (National) Malware campaign uses Obama’s name. The polls have been closed for less than 24 hours, and already hackers are launching a new malware campaign. Using the president-elect’s name to draw people in, the e-mail messages contain subject lines such as “Obama win preferred in world poll” and claim to be from After the message is opened, there is a link that purports to take the user to news about the new president. Once the link is clicked, the user is prompted to download Adobe Flash 9 to view a video of Obama making a speech. If the bogus Adobe Flash player is downloaded, a malicious Trojan horse infects the computer. SophosLabs identified this malware as Mal/Behav-027, and it has accounted recently for nearly 60 percent of malicious spam. Owners of infected computers will find that their data has been compromised, and they could potentially even have their identity stolen. Sophos experts said the malicious Trojan horse incorporates the following characteristics: the malware contains rootkit technology to conceal itself; it is designed to steal information from an infected computer; it has general “backdoor” functionality; it spies on the user’s keyboard and mouse inputs and can take screenshots; it looks for passwords; and it submits the information it discovers to a Web server located in Kiev, Ukraine. Users of anti-virus products should check to see if updates have been made to protect against this new malware. Source:

Communications Sector

27. November 6, RCR Wireless – (National) Wireless providers protest backup-power reporting regs. The cell phone and tower industries urged the current administration to reject backup power reporting requirements, arguing that the Federal Communications Commission grossly underestimated time, operational and financial burdens placed on wireless providers. Indeed, wireless providers argue information collection guidelines associated with the eight-hour cell site backup power mandate could trigger unintended consequences that are at odds with the government’s objective to maintain communications during and after major storms like Hurricane Katrina, which prompted FCC action. By FCC estimates it will cost each wireless carrier approximately $312,600 to adhere to backup power information collection requirements; the wireless industry predicts the financial hit would be exponentially greater. The administration could rule on the issue within days. Source:

28. November 5, IDG News Service – (National) Clearwire still sees challenges after FCC OK. The head of WiMax operator Clearwire said its work is just beginning after the U.S. Federal Communications Commission’s (FCC) approval Tuesday of the company’s joint venture with Sprint Nextel. The FCC voted on Tuesday to allow Clearwire and Sprint to form New Clearwire, a service provider that will combine the frequencies held by both entities and eventually build a national mobile broadband network. But the two carriers still only have one commercially available mobile WiMax network between them, in Baltimore, and the national infrastructure will have to be built from scratch in a harsh economic environment. Source: