Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, September 3, 2009

Daily Report

Top Stories

 The Spokane Spokesman-Review reports that downtown Priest River, Idaho was evacuated for several hours Tuesday after a leak was discovered in a tank containing chlorine gas at the town’s water treatment plant. (See item 26)

26. September 1, Spokane Spokesman-Review – (Idaho) Chlorine leak sealed, Priest River evacuation ended. Downtown Priest River, Idaho, was evacuated for several hours Tuesday after a leak was discovered in a tank containing chlorine gas at the town’s water treatment plant. The leak was discovered about 4 p.m., after a chlorine alarm went off at the Priest River water filtration plant near the corner of Treat and Montgomery streets, said the police chief. Crews discovered the alarm was due to a leaky tank, and as a precaution residents and businesses within a half-mile of the plant were evacuated. Hazardous materials crews from Sandpoint and Coeur d’Alene were called in to seal the tank, he said. By 9 p.m. evacuees were allowed to return, and the tank was being loaded onto a truck back to a supply company in Washington. Source:

 According to the Associated Press, military officials said it could take a week to clear a site near Berthold, North Dakota where a semitrailer carrying missile parts from the Minot Air Force Base overturned Monday afternoon. The semitrailer also carried two 14-gallon tanks of liquid rocket fuel, but it was not in danger of exploding or leaking. (See item 34)

34. September 1, Associated Press – (North Dakota) Semitrailer carrying missile parts overturns in ND. Military officials said Tuesday it could take a week to clear a site in north central North Dakota where a semitrailer carrying missile parts from the Minot Air Force Base overturned. An Air Force spokeswoman said the semitrailer overturned Monday afternoon on a gravel road. It carried rocket engine parts for intercontinental ballistic missiles but no nuclear material, she said. The shipment also contained two 14-gallon tanks of liquid rocket fuel, but it was not in danger of exploding or leaking, the spokeswoman said. Liquid rocket fuel, if released into the atmosphere, “has about the same potential as anhydrous ammonia,” the spokeswoman said. Anhydrous ammonia, which is used by farmers to help fertilize crops, can be lethal if exposure is great enough. “We are confident there are no leaks and there is no danger to the public,” Arellano said. “We know the worst-case scenario is not going to happen.” The Air Force said the payload transporter from the base’s 91st Missile Wing overturned about 10 miles northwest of Berthold in Mountrail County. The spokeswoman said the driver of the truck and its passenger were not injured. The cause of the crash is under investigation, she said. Source:


Banking and Finance Sector

16. September 2, Agence France Presse – (International) Bomb hits Athens stock exchange. A powerful van bomb caused major damage on September 2 to the Athens stock exchange and injured a woman in one of two attacks suspected to have been carried out by far-left militants. The dawn bomb destroyed six cars, tore through windows on the side of the stock exchange building and caused widespread damage inside, but the Athex bourse opened for business after a hurried cleanup operation. A second bomb hidden in a cooking pot exploded near a government building in the city of Salonika causing some damage but no injuries. Phone warnings were made before both of the latest attacks in a series that has targeted financial institutions and government buildings. A bourse spokesman said the blast caused widespread destruction inside roughly half the building. “Desks, workstations, cubicles and even ceiling panels were completely destroyed from the ground floor to the fifth on the side of the building facing the explosion,” he told AFP. Despite the fact that police had sealed off the area after the phoned warning, one woman outside the building was slightly injured. The device was detonated in a stolen van at about 5:30 a.m. just outside the stock exchange building on an avenue in the west of the Greek capital. The explosion also damaged two nearby car dealerships. The smaller bomb in the northern city of Salonika went off in a disused phone relay station behind a government building. Given the force of the Athens blast, Greek media said suspicion immediately fell on the Revolutionary Struggle group, but officially, police would not be drawn on the question. This year Revolutionary Struggle claimed responsibility for a powerful car bomb placed outside the Athens headquarters of U.S. banking group Citibank that was defused by police. A month later, it exploded a bomb outside a Citibank branch in the Athens suburb of Psychiko that caused significant damage. Source:

17. September 2, Bloomberg – (International) Oldest Swiss bank tells clients to sell U.S. assets or leave. Wegelin & Co., Switzerland’s oldest bank, is telling wealthy clients to sell their U.S. assets, or switch banks, because of concerns new rules will saddle investors with tax obligations in the world’s biggest economy. U.S. proposals to extend reporting requirements for banks whose clients buy American stocks and bonds, coupled with estate tax liabilities that may be inherited by the heirs of people who have such holdings, prompted the advice from the St. Gallen, Switzerland-based bank, said the managing partner. “We came to the conclusion that it’s a threat to our clients,” the managing partner, who is also president of the Swiss Private Bankers Association, said in an interview yesterday in Zurich. “It’s also a threat to us as a bank because as a custodian we are an executor to the estate. We find this aspect discomforting, so we recommend selling all American securities whatsoever.” The managing partner said he plans to raise the subject today at a meeting of the Private Bankers Association, which counts Pictet & Cie., Lombard Odier & Cie. and Mirabaud & Cie. among its members. Swiss banks, which manage $2 trillion, or 27 percent, of the world’s privately held offshore wealth, are struggling to protect bank secrecy after the government agreed to hand over the names of 4,450 UBS AG clients to U.S. tax authorities. The managing partner said he will not ask every member of the association to follow Wegelin’s lead. Wegelin, founded in 1741, manages more than 20 billion Swiss francs ($18.7 billion) in client assets. “Every member is free to decide and act on their own,” he said. Source:

Information Technology

39. September 1, Dark Reading – (International) Flaw in Sears website left database open to attack. A newly discovered vulnerability on could have allowed attackers to raid the retail giant’s gift card database. The owner of Merge Design and a researcher this week revealed a major security hole on that could allow an attacker to easily steal valid gift cards, a heist he estimates could be worth millions of dollars. He says he alerted Sears about the flaw, and that Sears has since “plugged” the hole by removing the feature that let customers verify and check their gift-card balances. The vulnerability was a business logic flaw in a Web application that handles gift card account inquiries; the owner was able to stage a brute-force attack that could grab all valid, active Sears and Kmart gift cards from the company’s database. The owner says the site wasn’t auditing verification requests, which allowed him to verify gift card and PIN combinations using a homegrown PHP script that automatically submitted the requests. “I wrote a PHP script to hammer their verification server. It happily replied with thousands of verification responses per minute,” he says. The Sears application relied on client-side cookies to halt brute-force verification attempts, which the owner says was not effective. “They should know where the verification requests come from, log them all, and be able to disable the verifications when they have a malicious attack,” he says. “It doesn’t appear to me that they had any server-side control over how many verifications were done.” The discovery came on the heels of reports of multiple cross-site scripting (XSS) vulnerabilities on Sears’ Web pages that were abused by an attacker to deface the Website. “I thought this was notable with Sears being a Fortune 50 company,” the owner says. “I have not tested many other large retailers, but I would hope most of them take better care than this. For smaller sites that write their own gift-card verification code, I’d expect just as many are vulnerable.” Source:
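The server-side controls item 39 says were missing (knowing where requests come from, logging all of them, and being able to disable verification under attack) can be sketched as follows. This is an added example, not code from Sears or from the report; the class name, thresholds, card numbers and client addresses are constructed for illustration.

```python
import hmac
from collections import defaultdict, deque

# Constructed sample data: card number -> PIN (a real store would not hold PINs in clear).
CARDS = {"6006490000000001": "4821", "6006490000000002": "0937"}

class VerificationGuard:
    """Server-side limits for a card/PIN balance check; nothing relies on client cookies."""

    def __init__(self, per_client=5, window=60.0, per_card_failures=3, global_failures=20):
        self.per_client = per_client                # requests allowed per client per window
        self.window = window                        # sliding window length in seconds
        self.per_card_failures = per_card_failures  # wrong PINs before a card is locked
        self.global_failures = global_failures      # failures per window that trip the kill switch
        self.by_client = defaultdict(deque)         # client address -> request timestamps
        self.card_failures = defaultdict(int)       # card number -> consecutive wrong PINs
        self.recent_failures = deque()              # failure timestamps across all clients
        self.disabled = False                       # kill switch; only an operator resets it
        self.audit_log = []                         # every request is recorded, allowed or not

    def _expire(self, stamps, now):
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()

    def verify(self, card, pin, client, now):
        result = self._decide(card, pin, client, now)
        self.audit_log.append((now, client, card[-4:], result))
        return result

    def _decide(self, card, pin, client, now):
        if self.disabled:
            return "disabled"
        stamps = self.by_client[client]
        self._expire(stamps, now)
        if len(stamps) >= self.per_client:
            return "throttled"                      # decided before any PIN is checked
        stamps.append(now)
        if self.card_failures[card] >= self.per_card_failures:
            return "locked"
        expected = CARDS.get(card, "")
        # Constant-time comparison; unknown cards answer the same as wrong PINs.
        if card in CARDS and hmac.compare_digest(expected.encode(), pin.encode()):
            self.card_failures[card] = 0
            return "ok"
        self.card_failures[card] += 1
        self._expire(self.recent_failures, now)
        self.recent_failures.append(now)
        if len(self.recent_failures) >= self.global_failures:
            self.disabled = True                    # failures from many sources: stop answering
        return "invalid"
```

A per-card lockout lets anyone who knows a card number lock it, so a production version would pair it with an unlock path and bound the size of the tracking tables.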

40. September 1, SCMagazine – (International) Microsoft mandates Messenger upgrade for security flaws. Users of Microsoft’s Windows Live Messenger instant messaging software soon will be required to upgrade to the latest version to close vulnerabilities that could enable an attacker to execute remote code. On September 1, Microsoft pushed out the newest version, Windows Live Messenger 14.0.8089. The upgrade addressed vulnerabilities in Microsoft’s Active Template Library (ATL), used in the development of the IM program, the company said in a blog post on August 27. Microsoft is not aware of any attacks currently targeting the ATL vulnerability in Live Messenger, a Microsoft spokesperson told on September 1. Beginning in the middle of this month, users of Messenger versions 8.1, 8.5 and 14.0 must upgrade, with a deadline of the end of October. Users will be prompted to install the new version when they sign into one of the vulnerable versions of Live Messenger, Microsoft said. If users do not upgrade, they may not be able to connect to the IM service. “It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks,” Microsoft said. Users of Live Messenger version 14.0 will not see any visible changes with the upgrade. But for users of Windows Live Messenger versions 8.1 or 8.5, the update also includes additional non-security features, Microsoft said. The vulnerabilities in ATL affect not only Live Messenger but numerous programs developed with ATL. In late July, Microsoft issued two out-of-band security patches to address the ATL bugs in

41. September 1, Network World – (International) Spam’s hidden victims: mobile users. Spam costs organizations $712 per employee per year, according to Nucleus Research. However, these staggering numbers don’t even take into consideration one of spam’s latest victims: enterprise mobile users. Spam targeted at smart phones is on the rise and becoming a growing security and productivity concern. Protecting the inboxes of Blackberries, iPhones and other mobile devices requires new thinking. Spam, viruses and phish getting through to a desktop inbox is troublesome enough, but on a mobile device these threats present a unique set of security concerns and consequences, some of which are only just beginning to surface. Here are the problems and measures IT managers can take to combat them. Spam in a mobile environment presents users with a significant productivity problem. Mobile users’ time on-the-go is precious. While a user can argue it’s acceptable for desktop users to spend time weeding out the spam the corporate e-mail security solution allows through (typically five to twenty percent of all email), or tracking down false positives, the argument can’t fly for mobile users. Viewing, sorting and deleting messages takes significantly more time and effort on a small mobile device than on a traditional desktop. Screen space, storage and user time are too valuable in a mobile environment to dedicate any amount to spam. Compounding matters, the traditional tools used to deal with false positives (e.g., access to quarantine) will often not be available or will not be easy enough to use on mobile devices, leading to calls to IT which waste the time of several people. So, while some number of false positives may have been deemed acceptable for desktop users, the same number can cripple the average mobile user and present a significant distraction to the organization. Source:

42. September 1, Softpedia – (International) New Koobface variant drops scareware and click fraud malware. A new Koobface variant has been detected spreading in the wild and has been analyzed by security researchers from the University of Alabama at Birmingham (UAB). The analysis revealed that illegal money schemes used by its creators include scareware distribution and click fraud via rogue affiliate advertising programs. Koobface is a social networking worm that spreads on websites such as Facebook, MySpace, Bebo, hi5, Tagged, Netlog or Twitter by posting malicious messages from hijacked accounts. Computers infected with this malware join together to form a botnet, which is currently estimated to be one of the largest in the world, comprising over 2.9 million compromised computers in the U.S. alone. This new Koobface variant does not differ much from its past versions, at least as far as the social engineering component is concerned, suggesting that it is still a successful technique and that users are not educated enough. Spam messages posted on social networking sites from compromised accounts have links to pages allegedly containing videos. These fake pages ask unwary visitors to install a Flash Player update in order to view the video, which is actually the worm’s installer. In order to make money using Koobface, its creators employ it as an installation platform for other malware, such as rogue security applications. These programs, also known as scareware or rogueware, display bogus security alerts that inform computer owners that their machine is infected and that, in order to clean it, they have to acquire a license for the fake antivirus. One interesting aspect is that all these redirects occur through a list of predefined IP addresses and host names, including fire[expletive] and [expletive] These two domain names are direct references to a Washington Post journalist, who maintains the Security Fix blog, and the security research company FireEye. A message hidden inside a July variant of the worm ironically read “We express our high gratitude to a security consultant for the help in bug fixing, researches and documentation for our software.” This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations. Source:

43. September 1, The Register – (International) Spyware add-on targets Firefox fans. Miscreants have created an item of spyware targeted at Firefox users. The malware poses as an Adobe Flash Player update but in reality it’s designed to log a user’s browsing history, in particular their Google search queries within Firefox. This information is uploaded to a hacker-controlled server. EBOD-A also has the capability to inject ads into the user’s Google search results pages, warns Trend Micro, which adds that the malware appears to be spreading via forum posts. The spyware creates a Firefox add-on called “Adobe Flash Player 0.2”, which has nothing to do with either Adobe or Mozilla. More on the threat can be found in a write-up by Trend, which includes screenshots. Malware targeting Firefox users is rare but not unprecedented. Strains of malware that latch onto Internet Explorer, Microsoft’s Swiss-cheese browser, are much more commonplace. Common IE-related malware trickery involves exploiting unpatched security vulns to download malware onto vulnerable machines via drive-by download attacks. Source:

44. September 1, The Register – (International) Malware thrown on California bush fires. California bush fires that have destroyed 50 homes and ten commercial buildings, and claimed the lives of two firefighters, have become the latest lure for malware scams. Surfers searching for information about fires in the Auburn area using terms such as “auburn fire map” are presented with a list that includes pointers to sites harbouring malware. Sophos confirmed that it found fake anti-virus software (detected as FakeAV-ZJ Trojan) on the sites. The infected websites are also spreading Mac malware, specifically Jahlav-C. “Users would be wise to rely on well-known news outlets for updates on the latest breaking stories, as tasteless hackers are never slow to leap on an opportunity like this,” a senior technology consultant at Sophos said. The incident is the latest example of profit-motivated VXers taking advantage of tragedies and natural disasters to distribute malware. Malware attacks also accompanied the recent death of a famous pop singer, Hurricane Katrina and the outbreak of swine flu, to cite just a few examples among many. More recently, trendy topics on Twitter have acted as the input for black-hat search engine manipulation. Cybercriminals use a battery of automatically registered Twitter accounts to submit updates containing hashtags related to hot conversation topics. These messages also contain pre-defined Tinyurl links, leading to sites offering malware in the guise of codecs supposedly needed to view online video clips. Source:

Communications Sector

45. September 2, FOX News – (International) Gmail outage caused by server overload, Google says. Google’s Gmail suffered a worldwide crash for nearly two hours on September 1 after it took some servers offline for maintenance, a widespread outage the California-based company called a “Big Deal” in a blog explaining the service failure. “We know how many people rely on Gmail for personal and professional communications, and we take it very seriously when there’s a problem with the service,” wrote the vice president of engineering for Gmail in a blog post on September 1. Google said the outage occurred when it took some of its mail servers offline for routine maintenance. Recent structural changes were already placing a heavy load on its routing servers, which direct Web queries to the right Gmail servers for response, and the extra burden caused an overload. The outage was traced “within seconds,” the vice president wrote, but the 100 minutes of downtime was an enormous inconvenience for Gmail’s approximately 150 million users, who were shut out of the service beginning at about 1 p.m. EDT. Google apologized for the problems, saying “we’re committed to keeping events like today’s notable for their rarity.” The popular mail service was hit with similar problems in February, March, April and May. Source:,2933,545571,00.html?test=latestnews

46. September 2, Bloomberg – (California) Los Angeles broadcast, mobile-phone towers threatened by fire. The fire burning in the mountains northeast of Los Angeles threatens broadcast and mobile-phone towers that serve the region and may knock out service to some customers. American Tower Corp., the second-largest U.S. operator of mobile-phone towers, said the fire is menacing seven of its sites and could shut down local television to homes that rely on antennas. “The fires are closely approaching these sites and there’s a threat that the power grids could go out,” the director of investor relations for the Boston-based company said on September 1 in an interview. “If that happens we have back up generators, but only for a period of time.” The Station fire, which threatens more than 12,000 homes, moved toward Mount Wilson, 20 miles (32 kilometers) northeast of downtown. The mountain is home to dozens of mobile-phone, TV and radio transmission towers. Loss of the towers would endanger broadcasts for the estimated 12 percent of Los Angeles-area TV households that rely on over-the-air reception, said a vice president with the California Broadcasters Association. Source:
