Department of Homeland Security Daily Open Source Infrastructure Report
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"


The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

Weekly Summary


Week Ending: Friday, May 29, 2009


Daily Open Source Infrastructure Report for 26 May 2009



Could it happen here? How will you deal with it?


35. May 21, IDG News Service – (International) DNS attack downs Internet in parts of China. An attack on the servers of a domain registrar in China caused an online video application to cripple Internet access in parts of the country late on May 20. Internet access was affected in five northern and coastal provinces after the DNS (domain name system) attack, which targeted just one company but caused unanswered information requests to flood China’s telecommunications networks, China’s IT ministry said in a statement on its Web site. The incident revealed holes in China’s DNS that are “very strange” for such a big country, said the head of Kaspersky’s Virus Lab in China. Internet access returned to normal late that night, several hours later, according to the government statement. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133376&taxonomyId=17&intsrc=kc_top

Daily Open Source Infrastructure Report for 27 May 2009



Does your business depend upon mobile devices? If so, you had best keep pace with the following!

38. May 26, National Science Foundation – (National) Viral epidemics poised to go mobile. While computer viruses are common, there have been no major outbreaks of mobile phone viral infection, despite the fact that over 80 percent of Americans now use these devices. A team headed by the director of the Center for Complex Network Research at Northeastern University set out to explain why this is true. The researchers used calling and mobility data from over six million anonymous mobile phone users to create a comprehensive picture of the threat mobile phone viruses pose to users. The results of this study, published in the May 22 issue of Science, indicate that a highly fragmented market share has effectively hindered outbreaks thus far. Further, their work predicts that viruses will pose a serious threat once a single mobile operating system’s market share grows sufficiently large. This event may not be far off, given the 150 percent annual growth rate of smart phones. This study builds upon earlier research by the same group, which used mobile phone data to create a predictive model of human mobility patterns. The current work used this model to simulate Bluetooth virus infection scenarios, finding that Bluetooth viruses will eventually infect all susceptible handsets, but the rate is slow, being limited by human behavioral patterns. This characteristic suggests there should be sufficient time to deploy countermeasures such as antiviral software to prevent major Bluetooth outbreaks. In contrast, the spread of MMS viruses is not restricted by human behavioral patterns; however, the spread of these viruses is constrained because the number of susceptible devices is currently much smaller. Source: http://www.usnews.com/articles/science/2009/05/26/viral-epidemics-poised-to-go-mobile.html

Daily Open Source Infrastructure Report for 28 May 2009




Are you prepared for another worm attack?


28. May 25, SiliconRepublic.com – (International) ‘Gumblar’ virus could be bigger than Conficker worm. A new piece of malware is on the loose and within days has come to account for half the malware on the web. It is particularly vicious because it targets Google users. The worm, also known as JSRedir-R, attacks computers through vulnerabilities in Adobe PDF reader and Flash player. By last week, more than half of all malware found on websites was identified as Gumblar, with a new webpage infected every 4.5 seconds. The worm redirects the user’s Google search results to sites that download more malware onto the machine or allow criminals to conduct phishing attacks to steal login details. It has begun to spread on sites where passwords or software have been previously compromised and visitors are infected without realizing it. It is believed the malicious worm draws its code from a webpage based in China. Once cybercriminals are in possession of a victim’s FTP credentials, any sites that the victim manages can also be targeted for compromise — a common malware propagation tactic, said IT security firm ScanSafe. Source: http://www.siliconrepublic.com/news/article/13025/cio/new-worm-to-rival-conficker

Daily Open Source Infrastructure Report for 29 May 2009



And you thought Twitter usage was harmless!

35. May 26, ZDNet – (International) Twitter API ripe for abuse by Web worms. A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks. The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as a researcher points out, it is much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter. The researcher, well-known for his research work on browser and Web application vulnerabilities, draws attention to the fact that a single vulnerability on any of the third-party services (Twitpic, etc.) that use the API can trigger the next Twitter worm. Source: http://blogs.zdnet.com/security/?p=3451

Department of Homeland Security Daily Open Source Infrastructure Report

Friday, May 29, 2009

Complete DHS Daily Report for May 29, 2009

Daily Report

Top Stories

 According to the Washington Post, a statewide SWAT team exercise at a firing range on the secured grounds of a nuclear power plant in Southern Maryland was halted this month after stray bullets shattered glass and struck a command center near the plant’s reactors, officials said on Wednesday. (See item 6)


6. May 28, Washington Post – (Maryland) Shots from range hit near Md. nuclear plant. A statewide SWAT team exercise at a firing range on the secured grounds of a nuclear power plant in Southern Maryland was halted this month after stray bullets shattered glass and struck a command center near the plant’s reactors, officials said on May 27. Reactor safety at the Calvert Cliffs plant in Lusby was never compromised, according to the U.S. Nuclear Regulatory Commission (NRC) and Constellation Energy Group, which operates the facility. But Constellation closed the range, a popular training site for local law enforcement agencies, pending investigations by plant security and the Calvert County Sheriff’s Office, which hosted the exercise. At least five bullets escaped the firing range and traveled more than a half-mile before striking buildings and a vehicle near the reactors, according to the NRC, Constellation and the sheriff’s office. One struck the plant’s “outage control center,” which is used as a command area to orchestrate refueling efforts. Another hit an employee’s sport-utility vehicle in the parking lot. Three others struck an office facility: Two of them hit the roof, and one shattered the outer pane of a first-floor window. Employees were working in both buildings at the time, said a Constellation spokeswoman. The bullets did not penetrate either structure, she said. Investigators are conducting ballistics tests to determine which officer fired the stray shots. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/27/AR2009052703405.html?hpid=moreheadlines


 The Poughkeepsie Journal reports that a standoff Wednesday at the Dutchess County, New York Sheriff’s headquarters shut down streets in Poughkeepsie for hours, with area police agencies responding to the crisis. Visitors to the Dutchess County jail, which is connected to the Sheriff’s Office, were evacuated from the jail. (See item 32)


32. May 28, Poughkeepsie Journal – (New York) Standoff in upstate NY ends with suspect’s suicide. A suspect in a rape case wrested a gun from a Dutchess County, New York sheriff’s detective during questioning and fatally shot himself three hours after he wounded a detective and then barricaded himself in an office at sheriff’s headquarters, the county sheriff said. The undersheriff said a bullet grazed the detective on the side of his head. He was treated at St. Francis Hospital and released. This standoff was apparently unprecedented, as local law enforcement officers with decades of experience could not recall a similar incident in Dutchess or Ulster counties. The incident shut down streets in the city for hours, with area police agencies responding to the crisis. Visitors to the Dutchess County jail, which is connected to the Sheriff’s Office, were evacuated from the jail. City of Poughkeepsie Police Department Mobile Command Unit, emergency services from the city and town of Poughkeepsie, as well as the sheriff’s emergency service unit were on the scene. Members of the FBI were seen, too. The undersheriff said the Sheriff’s Office was continuing its investigation of the incident. He said deputies had been trained to respond to such emergencies. “We have a protocol, and it was followed,” the undersheriff said. Source: http://lohud.com/article/20090528/NEWS05/905280401/-1/newsfront


Details

Banking and Finance Sector

12. May 27, BBC News – (National) Number of problem U.S. banks soars. The number of problem U.S. banks jumped 40 percent to a 15-year high in the first three months of the year, a government watchdog has warned. A total of 305 banks had financial woes in January-March, up from 252 in October-December, said the Federal Deposit Insurance Corporation (FDIC). The increase came as banks continued to grapple with bad mortgage and credit card debt amid the recession. At the same time, industry-wide banking profits also rose in January-March. The FDIC said profits across the industry hit $7.6 billion in the first quarter of 2009, led by higher revenues at the biggest banks as their trading performance recovered. This profit compares with a record loss of $36.9 billion for October-December, but is still down 61 percent on the $19.3 billion profit record for January-March last year. Source: http://news.bbc.co.uk/2/hi/business/8070557.stm


13. May 26, Asheville Citizen-Times – (North Carolina) Area ASB customers targeted in phone scam. Asheville Savings Bank has been made aware of a phone scam targeting area residents to gain personal information. The phone scam has several variations and uses both a live person and automation. Customers have been told their account has been compromised and additional information such as debit card numbers and other personal information is needed. ASB advises consumers to avoid providing these callers with any information. Supplying this information can lead to identity theft. The amount of information they currently have is not enough to do any harm. If you have received one of these phone calls and gave out your information, please contact your bank. Criminals using phone scams are looking for unsuspecting individuals who will give them important information such as Social Security Numbers, dates of birth, credit card numbers or bank account numbers. Once they have your information, they use it to make fraudulent purchases, obtain credit or access bank accounts. Source: http://www.citizen-times.com/apps/pbcs.dll/article?AID=/20090526/NEWS01/90526033/1009


14. May 26, WMGT 41 Macon – (Connecticut) Phone scam targets all 22,000 residents of Connecticut town. An entire Connecticut town has found itself the target of phone scammers. The calls started coming on May 24. Police in Guilford, Connecticut believe by the time they were done every land line telephone in the town of 22,000 residents received a call. The automated call is a female voice claiming to be from Guilford Savings Bank. It prompted those on the other end of the line to enter bank card and PIN numbers, along with their card’s expiration date. So far, police and bank officials aren’t aware of anyone who entered their personal information. Guilford police said this appears to be a complex scam that involves hacking into various business telephone lines from across the country. The calls appear to be generated from companies, but the businesses are not involved in the fraud, police said. The bank is encouraging anyone who offered personal information over the phone to contact them immediately. Source: http://wmgt.com/index.php?option=com_content&task=view&id=1316&Itemid=2


Information Technology


34. May 28, SearchSecurity.com – (International) RIM patches serious BlackBerry Attachment Service flaws. Research In Motion issued an update to the BlackBerry Enterprise Server correcting serious PDF handling flaws. The flaws could be found in BlackBerry Enterprise Server software version 4.1.3 through 5.0 and BlackBerry Professional Software 4.1.4. The vulnerabilities are potentially very serious. They carry a Common Vulnerability Scoring System (CVSS) score of 9.3, RIM said. Security update 4 has been released for BlackBerry Enterprise Server version 4.1x and 5.0 users. A separate security update has been released for affected BlackBerry Professional Software versions. RIM has had ongoing security issues with its PDF distiller. The smartphone maker issued an update correcting flaws in the BlackBerry Attachment Service in April. Separate updates were released in January and in July 2008 to correct flaws. Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1357385,00.html#


35. May 26, ZDNet – (International) Twitter API ripe for abuse by Web worms. A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks. The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as a researcher points out, it is much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter. The researcher, well-known for his research work on browser and Web application vulnerabilities, draws attention to the fact that a single vulnerability on any of the third-party services (Twitpic, etc.) that use the API can trigger the next Twitter worm. Source: http://blogs.zdnet.com/security/?p=3451

Communications Sector

36. May 27, Dow Jones Newswires – (National) AT&T: Smartphones choke networks. AT&T’s Chief Executive said on May 27 that U.S. wireless networks are not prepared for the surge in Smartphone use that has already shown signs of choking their networks. He defended his company’s wireless network’s performance, though, which has come under fire for not being prepared for the popularity of Apple Inc.’s (AAPL) iPhone, which the company sells on an exclusive basis in the U.S. Wireless capacity is an increasingly tough issue that carriers must wrestle with, particularly as their subscribers clog the network by surfing the Web, downloading video and texting on their Smartphones. On May 27, AT&T laid out plans to upgrade the speed and capacity of its wireless network, which includes adding cellular sites, bolstering the underlying ground infrastructure, and tapping into more powerful wireless spectrum. Last year, it spent more than $9 billion to further stockpile spectrum. AT&T plans to begin the improvements later this year and finish in 2011. The Dallas carrier also said it would hold trials for fourth-generation, or 4G, wireless technology in 2010, with deployments slated for the following year. Source: http://www.smartmoney.com/breaking-news/on/?story=ON-20090527-000800-1428

Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, May 28, 2009

Complete DHS Daily Report for May 28, 2009

Daily Report

Top Stories

 According to the Bucks County Courier Times, a 35-ton concrete silo crashed through the roof of the CGM Concrete business in Bensalem, Pennsylvania on Monday. (See item 8)


8. May 27, Bucks County Courier Times – (Pennsylvania) Silo crashes through building. A 35-ton concrete silo crashed through the roof of a Bensalem business on May 25 and could lead to the building’s demolition on May 27. The business was closed and no one was injured. Officials said the silo, which collects concrete dust atop the CGM Concrete business, crashed through the roof about 7:30 p.m. It nearly sheared through one steel I-beam and severely twisted two others on its way to the ground, fire officials said. A wall was cracked and leaning outward on May 25. A gas line and water line inside the building were ruptured; however, PECO workers and firefighters were able to shut down the gas and water supply, the fire investigator said. Inspectors were at the scene and officials planned to have engineers look at the building before deciding if the entire building would be demolished. Source: http://www.phillyburbs.com/news/local/courier_times/courier_times_news_details/article/28/2009/may/26/silo-crashes-through-building.html


 KAKE 10 Wichita reports that 110 employees were evacuated from Horizon Mill elevators inside the Cargill plant in Wichita, Kansas on Tuesday after a small fire broke out in the west grain bin. Firefighters blocked off surrounding streets due to the threat of explosion. (See item 16)


16. May 26, KAKE 10 Wichita – (Kansas) Wichita fire crews extinguish grain bin fire. Firefighters were dispatched to Horizon Mill elevators, inside the Cargill plant in Wichita, shortly after 8 a.m. on May 26. The business reported a small fire in the west grain bin. Upon arrival, crews encountered fire and smoke. About 40 firefighters were on scene. Investigators told KAKE news they evacuated the building and surrounding areas for safety precautions. About 110 employees were evacuated from the business. Around 1:45 p.m., those evacuated were being let back in. Officers had blocked off the area between 10th and 13th Streets from Saint Francis to Washington. Firefighters used an unmanned mercury monitor as a water delivery system to battle the fire. Fire officials said they used the monitor because of an explosion threat. Crews maintained a perimeter around the fire and continued to use the monitor system until the fire was extinguished. Source: http://www.kake.com/home/headlines/46085077.html


Details

Banking and Finance Sector

10. May 27, Salt Lake Tribune – (Utah) Alpine man accused of widespread investment scam. Federal prosecutors on May 26 accused an Alpine man of defrauding investors in a multimillion-dollar real estate scheme. A U.S. attorney said the defendant collected more than $100 million from investors. The three-count indictment was announced on May 26. The number of victims, most of whom live in Utah, could be in the hundreds, said the U.S. attorney. The indictment says the defendant held seminars beginning in 2004 and told potential investors they could make substantial amounts of money through a program named the Equity Mill. The investments allegedly were to be used by Founders Capital to make loans to its associated entities, including Hill Erickson LLC and New Castle Holdings LLC, so they could buy real estate. The indictment alleges that Founders Capital and Franklin Squires Investments, another Koerber company, never made a profit. The indictment says the defendant used more than $50 million to make “Ponzi” payments to keep his scheme going. Source: http://www.sltrib.com/news/ci_12451772


11. May 27, Rutland Herald – (Vermont) Police warn of credit union phone scam. Rutland police are investigating a phone scam targeting Heritage Family Credit Union and its membership. Police said the scam operates through automated phone calls to city residents that claim the residents’ accounts at the credit union were deactivated due to suspicious activity. The automated call asks for credit card information and PIN numbers to reactivate the accounts. City police are asking anyone who receives the calls to report them to their credit union and to their local police agency. Source: http://www.rutlandherald.com/article/20090527/NEWS01/905270317/1002/NEWS01


12. May 26, WLUC 6 Marquette – (Michigan) Beware of phone scams. Phone scams are starting to hit parts of the Upper Peninsula and Wisconsin again. Calls have been coming in requesting information such as account and credit card numbers. Customers of both institutions received phone calls soliciting information. Individuals who received the calls reported that they were coming from Forward Financial Credit Union in Niagara, Wisconsin and the River Valley Bank in Iron Mountain. It is a scam that could be spreading. Two financial institutions so far have been affected by the scam. Officials warn that once something like this starts, it generally sweeps the area. If a call is received asking for credit card or banking information, it is suggested that the person who received the call notify their bank or credit union. Source: http://www.uppermichiganssource.com/news/news_story.aspx?id=304723


Information Technology


27. May 27, IDG News Service – (International) Twitter gets targeted again by worm-like phishing attack. Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts. The culprit is a Web site called TwitterCut. Some Twitter users began getting a message that appeared to be from one of their friends and included a link to the TwitterCut Web site. The message implied they could gain more Twitter contacts by following the link. At one time TwitterCut looked quite similar to the real Twitter login page, said the chief research officer for the security vendor F-Secure. If a person entered their login details, TwitterCut would then send the same message via Twitter to all of the victim’s contacts, a kind of phishing attack with worm-like characteristics. No malicious software is installed on a user’s machine, he said. Although TwitterCut probably holds the login details for many accounts, it doesn’t appear those accounts have been used to spam out links to more dangerous Web sites. TwitterCut’s Web site has been reported to services that blacklist potentially harmful Web sites, although it is still active. Source: http://www.pcworld.com/businesscenter/article/165561/twitter_gets_targeted_again_by_wormlike_phishing_attack.html


28. May 25, SiliconRepublic.com – (International) ‘Gumblar’ virus could be bigger than Conficker worm. A new piece of malware is on the loose and within days has come to account for half the malware on the web. It is particularly vicious because it targets Google users. The worm, also known as JSRedir-R, attacks computers through vulnerabilities in Adobe PDF reader and Flash player. By last week, more than half of all malware found on websites was identified as Gumblar, with a new webpage infected every 4.5 seconds. The worm redirects the user’s Google search results to sites that download more malware onto the machine or allow criminals to conduct phishing attacks to steal login details. It has begun to spread on sites where passwords or software have been previously compromised and visitors are infected without realizing it. It is believed the malicious worm draws its code from a webpage based in China. Once cybercriminals are in possession of a victim’s FTP credentials, any sites that the victim manages can also be targeted for compromise — a common malware propagation tactic, said IT security firm ScanSafe. Source: http://www.siliconrepublic.com/news/article/13025/cio/new-worm-to-rival-conficker

Communications Sector

29. May 26, CNET News – (International) First commercial 4G base station being tested in Sweden. The Swedish national incumbent telecommunications operator Telia announced the world’s first radio base station in a commercial 4G network has been deployed in Stockholm, Sweden. Telia is among a handful of mobile operators worldwide building next-generation networks for mobile broadband with 4G or LTE (Long Term Evolution) technology. The largest is Verizon, identified as a world leader by Ericsson’s CEO. “The U.S. is back in the driver’s seat and Verizon has taken the lead in rolling out LTE,” he said. Though Telia says it has connected the 4G base station to its IP network and to a test network belonging to Swedish telecom vendor Ericsson, commercial launch of the network is not expected until 2010, when modems will be available. Verizon has announced the same time frame. Expected speeds are “10 times faster than the speeds customers enjoy today with mobile broadband in 3G networks,” according to Telia. That would mean between 60 megabits and 100 megabits per second, given that today’s 3G networks with HSPA (High Speed Packet Access) technology can attain 6Mbps to 10Mbps, depending on the version deployed. Source: http://news.cnet.com/8301-1035_3-10249578-94.html?part=rss&tag=feed&subj=News-Wireless