Department of Homeland Security Daily Open Source Infrastructure Report

Friday, December 5, 2008

Complete DHS Daily Report for December 5, 2008

Daily Report

Headlines

• The Jersey Journal reports that Kuehne Chemical in Kearny, New Jersey, has been cited and fined by the U.S. Occupational Safety and Health Administration for 33 worker safety and health violations, OSHA officials confirmed Tuesday. (See item 4)

4. December 3, Jersey Journal – (New Jersey) Kearny chemical firm fined for safety violations. Kuehne Chemical in Kearny has been cited and fined by the U.S. Occupational Safety and Health Administration (OSHA) for 33 worker safety and health violations, including lapses that could lead to a toxic chlorine release, an advocate group and OSHA officials confirmed Tuesday. On November 10 and 14, OSHA issued citations to Kuehne for violating federal standards and assessed total penalties of $48,650, said officials with the New Jersey Work Environment Council (WEC), an alliance of 70 labor and community organizations. WEC has characterized Kuehne, which sits across the Hackensack River from Jersey City, as “the nation’s most potentially hazardous chemical plant.” The OSHA violations include Kuehne’s failure to: secure one-ton containers of liquid chlorine on forklift trucks to prevent them from falling off; accurately map potentially hazardous processes involving chlorine; assess the potential of pipe erosion/corrosion, which could cause a chlorine leak; and evaluate potential health effects on employees due to control failure. Source: http://www.nj.com/hudson/index.ssf/2008/12/kearny_chemical_firm_fined_for.html

• According to Newsday, a virus attack crippled computer systems in Islip Town offices and at Long Island MacArthur Airport in New York for more than a week in November but did not compromise operations or security at the airport, officials said Monday. (See item 10)

10. December 2, Newsday – (New York) Virus hits Islip Town, MacArthur Airport computers. A virus attack crippled computer systems in Islip Town offices and at Long Island MacArthur Airport for more than a week but did not compromise operations or security at the airport, officials said Monday. The disruption, which began November 20 and affected e-mail, individual hard drives, and town-wide servers, should be resolved December 2, the town information management director said. The attack, which officials estimate cost the town more than $50,000, underscored the need to upgrade the town’s outdated technology, the Islip supervisor said. The computer systems “were someplace back in the late ‘70s when we came into office” in 2006, the supervisor said. “This year we’re furiously advancing our systems to bring us at least into the 1990s.” A new $270,000 operating system was in the testing phase when the virus hit, and its adoption may be delayed by the attack, the town information management director said. The Sality virus disabled virus protection software, then raced through the town’s systems, shutting down 50 servers and infecting computers at facilities including Town Hall, Brookwood Hall, and MacArthur Airport. Within a day, it disrupted such activities as tax collection, code enforcement, and the issuing of permits and licenses. MacArthur was up and running Monday, the director said. Islip has reported the attack to Suffolk police and the district attorney’s office, the Islip supervisor said, and the town’s technology staff has been installing new security measures. MacArthur Airport is managed by the town and operates on two networks: one shared with Islip and one that is independent. The virus struck both, but technology staff managed to disconnect the independent network before much damage was done, the Islip supervisor said. No server data were lost, he said, although some individual hard drives lost files. Source: http://www.newsday.com/news/local/suffolk/ny-limaca025949156dec02,0,1644211.story

Details

Banking and Finance Sector

6. December 4, Merced Sun-Star – (California) Feds arrest four on bank-fraud accusations. Federal agents descended upon a used auto dealer in Merced, California, early Wednesday, making arrests and serving a search warrant linked to a bank fraud investigation. A combined force of nearly a dozen FBI and Immigration and Customs Enforcement agents raided Auto Expo USA, said an FBI special agent. Agents arrested four suspects named in a five-page federal indictment. The suspects operated a scheme to enable customers to obtain financing, even if they did not qualify, by preparing false financial documents and forwarding them to Valley First Credit Union. Federal investigators believe the suspects entered fictitious information on loan applications, including the names of employers for whom the customers did not work. The men also inflated the earning amounts of customers, in addition to creating fictitious earnings statements to reflect payments of wages by businesses that never employed the customers. Once the loan application and supporting documents were completed, they were submitted to Valley First by either the suspects or the customers, the indictment said. Source: http://www.mercedsunstar.com/167/story/578067.html

7. December 3, Associated Press – (New Jersey) NJ man gets 12 years in bank fraud scheme. A New Jersey man has been sentenced to 12 years in federal prison for his role in a scheme involving millions of dollars in fraudulent home equity and business lines of credit. At a sentencing hearing on Wednesday a U.S. District Judge also ordered the defendant of Palisades Park to make restitution of nearly $10.5 million. That amount represents the verifiable losses sustained by banks in northern New Jersey that did business with the defendant between February 2004 and November 2005. The defendant, who was president of American Macro Growth (AMG) in Palisades Park, was indicted in June 2007 along with four AMG employees and eight clients of the company. He was a fugitive until May of 2008, when he was arrested in Queens, New York. Prosecutors say the defendant and his employees conspired to defraud at least 16 different lenders, partly by submitting falsified income tax returns on behalf of clients. The defendant pleaded guilty in July to conspiracy to commit bank fraud. Source: http://www.nj.com/newsflash/index.ssf?/base/news-35/1228342456120040.xml&storylist=jersey

Information Technology


21. December 4, VNUNet – (International) Sun and VMware issue vital updates. Users are being advised to update their software after Sun Microsystems and VMware posted software fixes Wednesday. The patch from Sun addresses security and stability problems in Java, fixing 18 flaws covering stability, data corruption, and security vulnerabilities. Sun did not provide details on the exact nature of the security flaws, but the U.S. Computer Emergency Response Team has advised users and administrators to install the Java update immediately. The VMware patch, meanwhile, addresses two security flaws in a number of the company’s virtualisation products. The fix applies to VMWare Workstation versions 5 and 6, VMWare Player versions 1 and 2, and VMWare Server version 1.0.9 and earlier, as well as the company’s ESX offering. The first of the two fixes addresses a flaw that could allow a remote attacker to trigger memory corruption; if exploited, the attacker could crash the target system and gain the ability to write code to memory. The second addresses a previously patched flaw in the bzip2 library on ESX systems, which an attacker could use to crash the system while it decompresses a specially crafted archive file. Source: http://www.vnunet.com/vnunet/news/2231942/sun-vmware-issue-updates


22. December 4, VNUNet – (International) Secunia study finds 98 percent of PCs vulnerable. A survey of computer users has shown that almost every PC is running at least one unpatched application, according to vulnerability testing firm Secunia. Secunia gathered reports from over 20,000 computer users who had downloaded its Personal Software Inspector tool, and found that over 98 percent have at least one application running that is vulnerable to attack. The company warned that the results are even more worrying since the tool is likely to have been downloaded predominantly by more security-aware computer users. “Has the world improved since the last look at the numbers? The short answer is no. Nearly every PC continues to run with several insecure programs. If anything, these numbers are worse than [11 months ago] when we generated them initially,” said Secunia. “The total number of PCs/users included in these numbers is 20,000, and 98.09 per cent have one or more insecure programs installed on their PC. Hence 98 out of 100 PCs that are connected to the internet have insecure programs installed.” Another shocking figure from the research is that nearly 50 percent of PCs have 11 or more insecure programs installed. Secunia warned that antivirus software is largely ineffective at protecting against such vulnerabilities. Source: http://www.vnunet.com/vnunet/news/2231922/secunia-study-finds-per-cent


23. December 4, DarkReading – (International) Popular home DSL routers at risk of CSRF attack. Researcher demonstrates ease of hacking home routers with insidious cross-site request forgery (CSRF) attack. A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T’s DSL service. A consultant and founder of security think-tank Hexagon Security Group discovered a CSRF vulnerability in the Motorola/Netopia 2210 DSL modem that, among other things, could let an attacker insert malware onto the victim’s computer or recruit it as a bot for a botnet. “CSRF is one of the only vulnerabilities that can be either completely innocuous or completely devastating,” he says. The vulnerability is not isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don’t require authentication to access their configuration menu, he says. “I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks,” he says. The attack uses HTTP POST and GET commands on the modems, he says. CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml;jsessionid=DQEKHUYSQKAMSQSNDLPSKHSCJUNN2JVN?articleID=212201777


Communications Sector



Nothing to report

Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, December 4, 2008

Complete DHS Daily Report for December 4, 2008

Daily Report

Headlines

• According to the Knoxville News Sentinel, a new report by the U.S. Department of Energy’s Inspector General criticized three sites where protective force officers were not trained to use their 40 mm grenade launchers under reduced visibility. (See item 9)

9. December 1, Knoxville News Sentinel – (National) Y-12 security not on IG’s hit list. A new report by the Department of Energy’s Inspector General criticized three sites (two National Nuclear Security Administration [NNSA] and one non-NNSA) where protective force officers were not trained to use their 40 mm grenade launchers under reduced visibility (night conditions). The IG report did not name the sites for security reasons. However, a federal spokesman at the Y-12 nuclear weapons plant said Y-12 was not in the wrong, saying “SPOs (security police officers) protecting Y-12 train under all conditions, including low-light situations.” A spokeswoman for security contractor Wackenhut Services said the Oak Ridge team is “fully compliant” for training regulations associated with the grenade launchers. Wackenhut Services provides protective services at all of the Oak Ridge sites under two contracts (one for Y-12, one for the other DOE sites). She said she could not discuss which weapons are deployed at which sites, but said the contractor was in full compliance on this training issue. Source: http://blogs.knoxnews.com/knx/munger/2008/12/y12_not_on_igs_hit_list_this_t.htm

• WFTV 9 Orlando reports that Social Security numbers for 250,000 people were accidentally posted online by the Florida Agency for Workforce Innovation in October. (See item 29)

29. December 2, WFTV 9 Orlando – (Florida) Agency accidentally posts 250,000 SS numbers online. Social security numbers for 250,000 people were posted online by mistake, and a state agency is facing serious questions about why it was so careless with the information. The Agency for Workforce Innovation accidentally posted the sensitive information for people looking for work. All those numbers were left online for at least 19 days. Potential victims do not even know it yet. When thousands of Floridians went to a career center, their personal information was forwarded to the state. Then, by mistake, that information ended up on a state website visible to anyone with Internet access. Local jobseekers’ identities have been compromised. Names, social security numbers, and employment information of more than 250,000 people who sought state help were accidentally posted online. The Washington D.C. based Liberty Coalition spotted the error. “This is obviously a case of gross negligence,” said a spokesman for the Liberty Coalition. The Florida Agency for Workforce Innovation made the mistake in October when setting up a computer server. Somehow information that should have been kept private became public, available by an online search. It has since been taken down. The security breach affects people who went to a career service center between 2002 and 2007; even the identities of some of their children were posted online. The Florida Agency for Workforce Innovation says it will send out a letter to all the people affected by the breach. Source: http://www.wftv.com/news/18190154/detail.html#-

Details

Banking and Finance Sector


10. December 3, KXII 12 Sherman – (Texas) Bank links over 400 identity theft cases to Gainesville restaurant. Gainesville police say there have been over 30 cases of identity theft in just the past month, and one restaurant in Gainesville has put about 400 customers in danger of being victims of identity theft. One Gainesville bank official says Golden Chick put 400 of its customers in danger of identity theft between October and mid-November. First State Bank in Gainesville received a number of phone calls from its customers about transactions they never made. It turned out they were victims of fraud. First State Bank investigated all of its customers’ accounts and found there were more people in danger than it expected. “We had a list of accounts that reported the fraud, so we pulled transactions back from an earlier point in time, and we noticed a common denominator: all these customers went to Golden Chick,” a senior vice president at First State Bank of Gainesville says. Source: http://www.kxii.com/home/headlines/35421434.html


11. December 3, Register – (International) Online payment site hijacked by notorious crime gang. Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe. A regular reader reported receiving a bogus secure sockets layer certificate when attempting to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he discovered the site was mapping to 91.203.92.63. To confirm the redirection was an internet-wide problem, he checked the site using a server in another part of the U.S. and got the same result. “I managed to get through to a commercial customer support tech, and reported the problem,” the reader wrote in an email sent early Tuesday morning. “He was not aware of any problem.” The account is consistent with results of passive DNS search queries. Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Source: http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/


12. December 3, KOMO 4 Seattle – (Washington) Beware of phishing scams by crooks posing as banks. While banks work to clean up their money mess, con artists are working to clean out your account. They are focusing on customers of Washington Mutual and JP Morgan Chase, but every bank customer is a potential target. It is a new wave of email “phishing” that claims to be from Chase bank. One email promises $50 for answering an online banking survey. Click to answer and one gets what looks like an official survey from Chase bank asking for account information — it is a fake. Another email claims to be an account verification alert. Unlike previous imposter scams, which claim there has been a security breach or technical problem, this latest version goes to extra lengths to tie in the economy, with an elaborate explanation about the financial crisis and a threat that unverified accounts will be shut down in three business days. By using the Chase name, scammers are reaching potentially millions of customers of JP Morgan Chase and the recently acquired Washington Mutual. And, in what may be a first, the scammers are using the name of an actual Chase executive. The email is signed by the chief operations officer. In a statement, a bank spokesperson said, “It is definitely not a legitimate email, as you already know.” Source: http://www.komonews.com/news/consumer/35442584.html


13. December 3, CNNMoney.com – (National) AIG, Fed stemming insurer’s liquidity crisis. Troubled insurer American International Group moved another step closer to stabilizing its finances on Tuesday. The company announced that a financing entity — funded by the Federal Reserve Bank of New York and AIG — has purchased $46.1 billion in complex debt securities insured by AIG. As part of the deal, the insurance-type contracts, called credit default swaps, were terminated. The insurer also has agreements to purchase another $7.4 billion of these debt securities, called collateralized debt obligations or CDOs. The move stanches some of the bleeding at the insurer, which was on the verge of bankruptcy in September because of these CDOs. As the debt securities’ value declined, AIG was forced to post more collateral to prove to swaps holders it could pay them if the debt securities defaulted. Source: http://money.cnn.com/2008/12/02/news/companies/AIG/index.htm


14. December 3, Bank Technology News – (National) M&A surge jeopardizes sensitive data. The recent wave of bank mergers is making protecting data all the more difficult. It is hard to imagine a more likely time for security holes to open up than when two banks — rife with legacy systems, custom patches, and unique protocols — try to mesh it all together. To make matters worse, mergers usually result in layoffs, and disgruntled, soon-to-be ex-employees will be tempted to take advantage of any security lapse. The chief scientist at RedSeal Systems, a company that develops proactive security risk management software, refers to these as “toxic networks.” If an acquired company has a different approach to security “you could be taking on a problem every bit as bad as toxic assets...If you attach to a network that is unacceptably weak, now you are weak.” Each network needs to be reconstructed so IT personnel can have a complete view of all the networks to locate the best pathways to connect the networks, while securing assets and regulating who has access to which assets. As risky and intensive as linking networks is, the chief scientist and others note that IT personnel are under incredible pressure to “parachute in” and act fast. They must assess the risk, do it quickly, often examining an unfamiliar structure. Source: http://www.americanbanker.com/btn_article.html?id=20081202LQTUGON6


15. December 3, Oxford Press – (Ohio) FBI involved in Mason firm’s ID theft case. The FBI has become involved in an identity theft case involving a Mason, Ohio, eyewear retailer. The Federal Bureau of Investigation became involved Tuesday in the investigation of Luxottica’s computer servers after a hacker tapped into them, said a Hamilton Township lieutenant, who heads the Warren County Cyber Crimes Task Force. The hacker grabbed personal information from about 59,000 former employees, he said. He said he was called in by Luxottica’s technology staff in September, after they discovered the breach. The server contained information — such as Social Security numbers and addresses — for 59,419 employees of the Things Remembered retail chain, a subsidiary of Luxottica, whose retail headquarters is in Mason, he said. Investigators traced the breach to an IP address owned by a resident of the Glendale, Arizona, area. However, he was careful to note that person might not have been the one on the keyboard. Source: http://www.oxfordpress.com/hp/content/oh/story/news/local/2008/12/03/pjm120408luxottica.html


16. December 2, Computerworld – (International) Feds nab more members of alleged identity theft gang. Federal authorities say they have taken another step toward busting a multinational identity theft ring that is alleged to have used stolen personal data to withdraw millions of dollars from home equity line-of-credit accounts at dozens of financial institutions in the U.S., including some of the country’s largest banks. Four individuals were arrested last week in connection with the alleged scheme, which has resulted in more than $2.5 million being stolen from the affected financial institutions, according to law enforcement officials. Another $4 million worth of attempted withdrawals by the gang were unsuccessful, the U.S. attorney’s office in New Jersey said in announcing the arrests last Wednesday. Court documents filed in connection with the case described an operation that appears to have been highly sophisticated and global in nature. The identity theft gang operates in the United States as well as the United Kingdom, Canada, China, Japan, Vietnam, South Korea, and several other countries, the court documents said. Four other men already were charged with participating in the scheme after being arrested between August and October. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122121&intsrc=hm_list


17. December 2, Ars Technica – (National) Odd microtransactions may point to credit card breach. A wave of unauthorized microtransactions is currently sweeping the accounts of a number of U.S. credit card holders, though the size and scope of the fraud scheme have not yet been determined. Beginning on or around November 20, consumers apparently began to notice small charges, typically for 19-29 cents, appearing on their bank statements or online account information. These small withdrawals or deposits are typically test fees, sent to verify account authenticity. PayPal, for example, makes two small deposits in a user’s bank account in order to verify its authenticity. While legitimate companies will reverse the fee (or occasionally let you keep the extra quarter), thieves use the transactions to verify that a credit card number is good. If the deposits complete successfully, the hacker knows he has got a live card (or a live card number). The next step is usually to burn through the account’s balance as quickly as possible before anyone notices what is happening. Beginning on or about November 20, various card holders began complaining online about unauthorized microtransactions that were suddenly showing up on their accounts. The charges fit the model described above, and were labeled as coming from Adele Services. Adele Services appears to be a dummy corporation; the 1-800 number listed as the customer contact point is disconnected and there is no official website. The company may not officially exist, but that has not stopped it from continuing to test accounts. It is impossible to state how many card holders have been pinged in this manner, but the number of online reports is growing steadily. Theories on which company’s security was breached abound, although PayPal has been collectively ruled out, given the number of non-PayPal users affected. Amazon seems to be a current favorite, based on the fact that a number of the irate forum posters recently shopped there. Source: http://arstechnica.com/news.ars/post/20081202-odd-microtransactions-may-point-to-credit-card-breach.html
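As an added illustration (not part of the report or the Ars Technica article), this is the kind of detection logic an issuer could run over its own transaction feed to spot the pattern described above: one merchant label touching many distinct cards with sub-dollar amounts inside a short window, as opposed to a normal merchant or an opt-in verifier. Every transaction, account id, amount and threshold below is constructed for the example; only the merchant label “Adele Services” comes from the item.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    """One card transaction as an issuer would see it (amount in cents)."""
    day: date
    account: str
    merchant: str
    amount_cents: int  # positive = charge, negative = deposit/credit


def card_testing_merchants(txns, *, min_accounts=5, max_amount_cents=100,
                           window_days=7, small_share=0.8):
    """Return merchant labels whose activity looks like card testing.

    The article's pattern: one label hitting many *distinct* cards with
    sub-dollar amounts in a short window. A real merchant mixes tiny and
    normal amounts; a legitimate verifier (PayPal-style deposits) touches
    only accounts that asked to be verified, so it stays below min_accounts.
    The thresholds are assumed defaults; tune them to your own data.
    """
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)

    flagged = {}
    for merchant, rows in by_merchant.items():
        rows.sort(key=lambda t: t.day)
        small = sum(1 for t in rows if abs(t.amount_cents) <= max_amount_cents)
        if small / len(rows) < small_share:
            continue  # mostly normal-sized charges: not a testing pattern
        # Sliding window over the sorted days: the most distinct accounts
        # this label touched within any span of window_days.
        best, start = 0, 0
        for end in range(len(rows)):
            while rows[end].day - rows[start].day > timedelta(days=window_days):
                start += 1
            best = max(best, len({t.account for t in rows[start:end + 1]}))
        if best >= min_accounts:
            flagged[merchant] = {
                "accounts_in_window": best,
                "small_share": round(small / len(rows), 2),
                "first_seen": rows[0].day.isoformat(),
            }
    return flagged


def accounts_to_review(txns, merchant):
    """Distinct accounts a flagged label touched: the cards to watch or reissue."""
    return sorted({t.account for t in txns if t.merchant == merchant})


def sample_transactions():
    """Constructed feed: one testing pattern, one normal merchant, one verifier."""
    def nov(d):
        return date(2008, 11, d)

    txns = []
    # Testing pattern: eight different cards, 19-29 cent charges over four
    # days, under the label the article reports. Amounts and dates are made up.
    for i, (d, cents) in enumerate([(20, 19), (20, 23), (21, 29), (21, 21),
                                    (22, 25), (22, 19), (23, 27), (23, 29)]):
        txns.append(Txn(nov(d), f"card-{i:02d}", "Adele Services", cents))
    # Ordinary merchant: several cards, mostly normal amounts, one small sale.
    for i, cents in enumerate([4532, 1299, 8710, 650, 99, 2205]):
        txns.append(Txn(nov(21), f"card-{i + 10:02d}", "Corner Grocer", cents))
    # Legitimate verifier: two tiny deposits into each of two opted-in accounts.
    for acct in ("card-20", "card-21"):
        txns.append(Txn(nov(22), acct, "Payment Verifier", -12))
        txns.append(Txn(nov(22), acct, "Payment Verifier", -34))
    return txns


if __name__ == "__main__":
    feed = sample_transactions()
    for label, info in card_testing_merchants(feed).items():
        print(label, info, accounts_to_review(feed, label))
```

On the constructed feed only “Adele Services” is flagged; the grocer fails the small-amount share and the verifier touches too few accounts.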


Information Technology


35. December 3, Heise Security – (International) Adobe admits Acrobat 9 passwords can be guessed more quickly. Adobe recently replied to the online discussion of Acrobat’s vulnerability to brute-force attacks. Adobe claims that the specification for the 256-bit AES encryption in Acrobat 9 provides greater performance than the 128-bit implementation in previous versions. It is this improved performance that allows Acrobat 9 to open protected documents much more quickly. Adobe has admitted that brute-force attacks and dictionary-based password cracks benefit from the program’s extra speed, because “fewer processor cycles are required” to test each password guess than with AES 128-encrypted documents. Adobe does not say how much faster attacks can be carried out, but Elcomsoft, a manufacturer of password-recovery tools, claims that passwords can now be cracked 100 times faster. To help mitigate dictionary attacks, Adobe advises customers to use long passwords or pass-phrases. Version 9 supports Unicode pass-phrases up to 127 characters in length. For even greater security, Adobe recommends using encryption based on the Public Key Infrastructure, although this requires the use of Adobe LiveCycle Rights Management. Source: http://www.heise-online.co.uk/news/Adobe-admits-Acrobat-9-passwords-can-be-guessed-more-quickly--/112138
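The trade-off in numbers, as an added illustration that is not from the article or from Adobe: how many random symbols a passphrase needs to keep an exhaustive search above a chosen time budget, and how many extra symbols cancel a faster guess rate. The 95-symbol printable alphabet, the guess rate and the 100-year budget are assumptions; the 100x speedup is Elcomsoft’s figure from the item.

```python
def guesses_to_exhaust(alphabet_size, length):
    """Candidates in an exhaustive search over `length` random symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case wall-clock time for that search at a given guess rate."""
    return guesses_to_exhaust(alphabet_size, length) / guesses_per_second


def min_length_for(alphabet_size, guesses_per_second, target_seconds):
    """Shortest passphrase of random symbols whose full search takes at least
    `target_seconds` at `guesses_per_second`. Integer arithmetic, so exact."""
    target_guesses = guesses_per_second * target_seconds
    length, space = 0, 1
    while space < target_guesses:
        space *= alphabet_size
        length += 1
    return length


def extra_symbols_to_offset(alphabet_size, speedup):
    """Smallest k with alphabet_size**k >= speedup: symbols to add so that an
    attacker who got `speedup` times faster is guaranteed to be back where it
    started. In a concrete case fewer may suffice (see __main__)."""
    k, space = 0, 1
    while space < speedup:
        space *= alphabet_size
        k += 1
    return k


if __name__ == "__main__":
    PRINTABLE = 95                    # printable ASCII; assumed alphabet
    CENTURY = 100 * 365 * 24 * 3600   # assumed time budget, in seconds
    RATE = 10**9                      # assumed guesses/s against AES-128 files
    # Length needed before and after a 100x speedup of the checker.
    print(min_length_for(PRINTABLE, RATE, CENTURY))        # 10
    print(min_length_for(PRINTABLE, RATE * 100, CENTURY))  # 11
    # Guaranteed compensation: 95 < 100 < 95**2, so two symbols always suffice.
    print(extra_symbols_to_offset(PRINTABLE, 100))         # 2
    # A larger alphabet (e.g. a Unicode passphrase) needs even less.
    print(extra_symbols_to_offset(1000, 100))              # 1
```

The point for defenders: a 100x faster checker is undone by roughly one more random printable symbol, so the long passphrases Adobe recommends are the right mitigation.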


36. December 3, Blackberry Cool – (International) BlackBerry Desktop Software contains critical security flaw. RIM has posted a knowledge base article describing a critical security flaw within the BlackBerry Desktop Software. The flaw has been confirmed by Secunia, a leading vulnerability intelligence provider. Here’s the problem as described by RIM: “The BlackBerry Desktop Manager includes the Roxio Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft Windows computer. The Roxio Media Manager includes a Microsoft ActiveX control used for retrieving and installing application updates. A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.” Source: http://www.blackberrycool.com/2008/12/blackberry-desktop-software-contains-critical-security-flaw/


Communications Sector


37. December 2, Space.com – (International) Russians track wayward U.S. spy satellite. The U.S. Air Force apparently has a malfunctioning Defense Support Program satellite on its hands. DSP-23 is one piece of a constellation of such Earth-staring satellites designed to detect missile launches and nuclear detonations, and gather other technical intelligence. DSP-23 seems to be drifting out of its high-altitude slot — and might prove troublesome to other high-value satellites in that populated area. One person who has flagged the problem to a U.S. satellite tracking expert is a Russian space analyst — a project partner of the International Scientific Optical Network (ISON). He said ISON is monitoring the entire ring of objects in geostationary Earth orbit (GEO). The network tracks all operational satellites, as well as space debris, spent rocket bodies, dead spacecraft, operational fragments, and objects originating from satellite fragmentations that have appeared in geostationary orbit. “We have continuously tracked an object we have identified as DSP F23 since January 10, 2008,” he said. The spacecraft has strayed from its spot in space — moving along in geostationary orbit as a passive object. It is not clear from optical data alone just what the operational status of the satellite truly is at present, he added. Asked about the possibility of DSP-23 smacking into other satellites in GEO, he said that “it exists.” Sauntering willy-nilly through space, the classified satellite could have close encounters with many operational satellites, he said. Source: http://www.msnbc.msn.com/id/28023768/