Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, November 5, 2009

Complete DHS Daily Report for November 5, 2009

Daily Report

Top Stories

 Occupational Health and Safety reported on November 3 that the California Nurses Association/National Nurses Organizing Committee and the Catholic Healthcare West hospital chain have reached a settlement that organizers say sets a national benchmark for protecting workers as well as patients and containing the spread of pandemics such as H1N1. (See item 36)

36. November 3, Occupational Health and Safety – (California; Nevada) Nurses, hospital reach ‘historic agreement’ on pandemic protection. In what is being hailed as an “historic agreement,” the California Nurses Association/National Nurses Organizing Committee (CNA/NNOC) and Catholic Healthcare West hospital chain have reached a settlement that organizers say sets a national benchmark for protecting workers as well as patients and containing the spread of pandemics such as H1N1. The settlement, which averted a strike that had been set for October 30, covers 13,000 registered nurses in 32 CHW facilities in California and Nevada. According to the agreement, the hospital chain will ensure safe staffing standards, reduce the assignment of RNs to areas outside their clinical expertise or orientation, and prevent management’s proposed reduction in nurses’ health care coverage. Importantly to CNA/NNOC, the agreement also creates a new system-wide emergency task force, made up of CNA/NNOC RNs and hospital representatives, following the declaration of pandemic emergencies. The task force set up by the settlement will monitor system-wide preparedness and set uniform standards on full implementation of federal, state, and local guidelines, availability of on-site protective safety equipment, communication and training policies for all hospital personnel, and other needed steps, such as consideration of off-site emergency triage and treatment. Source:

 According to the Associated Press, an Army Special Forces soldier has been arrested following the discovery of about 100 pounds of explosives outside his Tennessee home. Federal and military officials searched his home on November 2 after a pair of hunters found the C-4 plastic explosive in a field by the house. (See item 41)

41. November 2, Associated Press – (Kentucky; Tennessee) Soldier arrested on explosives charge. An Army Special Forces soldier has been arrested following the discovery of about 100 pounds of explosives outside his Tennessee home. Federal and military officials searched his home early Monday morning after a pair of hunters found the C-4 plastic explosive in a field by the house outside Clarksville. The house is near Fort Campbell, a sprawling Army post on the Tennessee-Kentucky border where the soldier is based. A spokeswoman for Army Special Forces at Fort Campbell said the soldier, who was not identified, is currently being held in the county jail. The spokeswoman said the search was conducted by agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives, the FBI and U.S. Army criminal investigators. A spokesman for the Montgomery County sheriff said the explosives found late Sunday evening appeared to be military ordnance. Another Fort Campbell soldier was arrested in October and charged with selling four stolen hand grenades and a stolen anti-tank rocket to an undercover officer in Tennessee. Source:

Banking and Finance Sector

17. November 4, New York Times – (New York) S.E.C. taps hedge fund counsel to lead unit. Amid continuing reports of insider trading and Ponzi schemes linked to hedge funds, the Securities and Exchange Commission said Tuesday it had named a hedge fund general counsel to lead its New York examinations group. The general counsel, who assumes the post in January, will head up a staff of approximately 100 accountants and examiners responsible for the inspections of investment advisers and hedge funds in the New York region, the S.E.C. said Tuesday. Source:

18. November 4, Insurance and Financial Advisor – (California) Organizer of $64 million California Ponzi scheme gets 25 years in jail. A California man who orchestrated a $64 million Ponzi scheme promising huge returns to investors through a bond-trading program and life insurance pool to aid local churches will spend the next 300 months in a federal prison. The 41-year-old man, formerly of Westlake Village, California, was sentenced following a two-day hearing in a U.S. District Court in Los Angeles. He pleaded guilty last year to 19 felony counts, including conspiracy, wire fraud and money laundering. The convicted schemer, originally indicted in 2006, must also pay $44 million in restitution, according to the U.S. Attorney’s Office for the Central District of California. The judge said the man’s 25-year prison term was warranted because of the danger he poses to the community, his unwillingness to accept responsibility for the fraud scheme and the deterrent effect the lengthy prison term would have on others. Source:

19. November 3, CNET – (National) Corporate bank accounts targeted in online fraud. Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday. “Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts,” the agency said in a statement. The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release. A reporter for The Washington Post’s Security Fix blog said last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. He is keeping a running list of businesses that have been victims of online theft and detailing the attacks. Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to the chief technical officer of browser security vendor Trusteer. Source:

20. November 3, The Examiner – (New Jersey) New Jersey criminal corruption sting largest in history. An FBI informant turned witness for the federal government in the largest New Jersey criminal corruption sting in its history emerged recently from the federal protection program long enough to plead guilty to a $50 million bank fraud. The 37-year-old man pleaded guilty in federal court in Newark to one count each of money laundering and bank fraud, charges that can put him in prison for up to 11 years. As the man stood before a U.S. District Judge in Newark in his less than 30-minute appearance, he entered pleas to separate counts of bank fraud and money laundering in connection with two bogus checks totaling more than $50 million that he tried to deposit at PNC Bank. “I am guilty, your honor,” he declared, firmly and without hesitation. Later in Monmouth County, the scene was repeated before a Superior Court Judge in Freehold, where he pled to similar state charges. Source:

21. November 3, Associated Press – (Florida) More than 100 arrested for mortgage fraud, feds say. A federal prosecutor says a crackdown on organized mortgage fraud this year has yielded 105 arrests from Jacksonville to Fort Myers. The U.S. attorney for Florida’s middle district announced the results of the nine-month investigation at news conferences Tuesday in Fort Myers and Tampa. He said the fraudulent loans totaled more than $400 million and involved more than 700 properties. Defendants include mortgage brokers, Realtors, lenders, sellers and buyers. He called the problem an “epidemic.” Florida’s middle district includes a swath that extends from Jacksonville to Fort Myers and includes the Orlando and Tampa areas. Source:,2933,571516,00.html

Information Technology

43. November 4, The Register – (International) Newfangled cookie attack steals/poisons website creds. A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set. The weakness stems from RFC 2965, which dictates that browsers must allow subdomains, such as, to set and read cookies for their parent ( The specification also states that if a cookie for a subdomain does not already exist, the browser should use the cookie belonging to the parent instead. The arrangement makes it possible for attackers to steal or even alter the cookies that websites use to authenticate their users. Attackers would first have to identify an XSS, or cross-site scripting, bug in some part of the site they are targeting. But because virtually any subdomain will suffice, the scenario is not unrealistic, two web security experts said. “Most websites actually will store session IDs in a cookie and that’s actually how they keep track of users throughout the use of their website,” said a senior researcher for Foreground Security who first documented the flaw at last month’s Toorcon hacker conference. “Using the same techniques to attack those cookies, I can really damage sessions and cause some problems.” The researcher’s paper goes on to demonstrate how he used the technique to bypass a feature Google recently implemented to beef up security on Gmail and other properties. By exploiting a minor vulnerability in, he was able to falsify the contents of his global Google cookie. Google has since fixed the XSS hole in the subdomain. Source:
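To make the scoping rule behind item 43 concrete from the defender's side, the following is an added example (written for this edit, not code from the report or from the researcher's paper): a toy cookie jar that implements the browser's domain-match and path-match rules and builds the Cookie header a host would receive. The matching rules follow RFC 6265, which later codified the behaviour the report attributes to RFC 2965; the hostnames (www.example.com, sub.example.com, other.org) and the cookie values are constructed for illustration. The `__Host-` name prefix that the jar enforces is a browser mechanism that postdates the report and is included here as the mitigation a practitioner would reach for today.

```python
"""Added example: browser cookie scoping, as a defender would model it.

Shows why a cookie set from one subdomain with Domain=<parent> reaches every
host under that parent, and why the receiving server cannot tell two cookies
of the same name apart: the Cookie header carries only name=value pairs.
Hostnames and values below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute, or the setting host when absent
    host_only: bool   # True when the Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    seq: int          # creation order, used to order the Cookie header


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: identical, or request host ends in '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: identical, or cookie path is a prefix ending at a '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Just enough of the storage model to show how scope decides what is sent."""

    def __init__(self) -> None:
        self._cookies: List[Cookie] = []
        self._seq = 0

    def set_cookie(self, setting_host: str, name: str, value: str,
                   domain: Optional[str] = None, path: str = "/",
                   secure: bool = False) -> None:
        # __Host- prefix (a later browser rule, assumed here as the mitigation):
        # the cookie must be Secure, host-only and Path=/, so no subdomain can plant it.
        if name.startswith("__Host-") and (domain is not None or not secure or path != "/"):
            raise ValueError("__Host- cookies must be Secure, host-only and Path=/")
        if domain is None:
            cookie_domain, host_only = setting_host.lower(), True
        else:
            cookie_domain, host_only = domain.lower().lstrip("."), False
            # A host may only widen scope to a domain it itself matches:
            # sub.example.com may set Domain=example.com but not Domain=other.org.
            if not domain_matches(setting_host, cookie_domain):
                raise ValueError(f"{setting_host} may not set Domain={domain}")
        # Same name + domain + path replaces the stored cookie (RFC 6265 section 5.3).
        self._cookies = [c for c in self._cookies
                         if (c.name, c.domain, c.path) != (name, cookie_domain, path)]
        self._seq += 1
        self._cookies.append(Cookie(name, value, cookie_domain, host_only,
                                    path, secure, self._seq))

    def cookies_for(self, host: str, path: str = "/", https: bool = True) -> List[Cookie]:
        host = host.lower()
        matched = []
        for c in self._cookies:
            in_scope = (host == c.domain) if c.host_only else domain_matches(host, c.domain)
            if in_scope and path_matches(path, c.path) and (https or not c.secure):
                matched.append(c)
        # Longer paths first, then earlier creation time; scope is not sent along.
        matched.sort(key=lambda c: (-len(c.path), c.seq))
        return matched

    def cookie_header(self, host: str, path: str = "/", https: bool = True) -> str:
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies_for(host, path, https))


def demo() -> dict:
    """Walk through the scoping behaviour the report describes."""
    jar = CookieJar()
    # The application host sets its session cookie host-only (no Domain attribute).
    jar.set_cookie("www.example.com", "SID", "legit")
    before = jar.cookie_header("www.example.com")      # SID=legit
    not_sent = jar.cookie_header("sub.example.com")    # "" : host-only cookies stay put
    # A second cookie of the same name, set from a sibling subdomain with
    # Domain=example.com, is in scope for every host under example.com.
    jar.set_cookie("sub.example.com", "SID", "shadow", domain="example.com")
    after = jar.cookie_header("www.example.com")       # SID=legit; SID=shadow
    return {"before": before, "not_sent": not_sent, "after": after}


if __name__ == "__main__":
    print(demo())
```

The `after` header is the point of the item: www.example.com now receives two `SID` values with no attribute telling it which one it set itself. On the server side, a session layer that rejects requests carrying duplicate session-cookie names, and that sets its session cookie host-only (today, with the `__Host-` prefix so the browser refuses any Domain-scoped copy), removes the ambiguity that the report's researcher relied on.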

44. November 4, IBTimes – (International) Illegal file-sharing growth has led to spurt in cyber crimes: McAfee. Attempts to bring internet pirates to justice have only resulted in growth of cyber crimes, internet and network security services provider McAfee Inc. has warned. In August, when Swedish authorities tried to shut down The Pirate Bay, a torrent site that provided internet links to sites hosting unauthorised, copyrighted content, it only prompted Pirate Bay users to look for a new place to download the copyrighted material, prompting several Pirate Bay-like sites to be launched. “Once it was temporarily shut down, those people still wanted the torrents so they went elsewhere, and that meant lots of other sites popped up to take advantage – we saw a 300 percent increase in sites hosting and distributing movies and software,” PC Pro quoted a McAfee security analyst as saying. “This was a true ‘cloud computing’ effort,” McAfee said in its Threats Report for the third quarter. “The masses stepped up to make this database of torrents available to others. The Pirate Bay example shows how difficult it is to ‘stop’ data once it is on the web,” the report said. “A website can be shut down, but anyone who has accessed the content may still be able to redistribute it.” Though the news that state authorities are fighting a losing battle against internet piracy may be welcomed by torrent users, the surge in such users has also helped cyber criminals to increase their attacks on unsuspecting victims, McAfee warned.
With the increase in torrent sites, cyber criminals are also putting up look-alike malware-infested sites on the internet “to trick users looking to download copyrighted material into downloading malicious programmes.” “Many of these (malicious) sites sprang up to scam users of The Pirate Bay who were looking for a new place to download copyrighted material,” McAfee said, adding that the number of such sites will increase during the fall and the Oscar season. McAfee has also noticed that cyber criminals have become smarter and are “getting increasingly effective at utilizing SEO techniques to drive traffic to these bad sites.” Source:

45. November 3, DarkReading – (International) Researchers create hypervisor-based tool for blocking rootkits. Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits by using the machine’s own hardware-based memory protection: the so-called HookSafe tool basically protects the operating system kernel from rootkits. Rootkits are the most difficult of malware to detect and remove: they often evade detection by anti-malware software, and even if they are discovered, they can still be difficult to completely eradicate. A rootkit typically hijacks “hooks” in the operating system — basically the control data in the kernel used to augment or extend the features of an OS — in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system’s data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system. The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location so they are easier to monitor and more difficult to abuse. Their HookSafe prototype is a hypervisor-based system that is able to protect nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits. HookSafe runs in Ubuntu Linux 8.04 and leverages hardware-based memory protection in the system to stop rootkits from hijacking kernel hooks. The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance. Source:

46. November 3, – (International) Symantec uncovers new type of Facebook Trojan. A command and control server is used by a botnet - a cluster of malware-infected PCs which communicate across the internet - as a means of controlling the botnet swarm. Communications are usually relayed between the infected PCs and the server through the use of internet relay chat channels. The Facebook-enabled trojan is called Whitewell and is being spread via email using infected documents (PDF or MS-Office format) that contain exploits for known vulnerabilities. According to a security analyst with the Symantec Security Response operation, the trojan works by contacting the mobile version of Facebook and using its Notes section. In the analyst’s blog, he said that, by analyzing the trojan’s code, Symantec’s researchers have concluded that the malware appears to perform four different actions, depending on the notes’ titles that are found. “The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere”, said the analyst in his blog. “However... one could (also) use a Facebook account as a C&C server and this trojan is able to successfully parse the Facebook HTML data, retrieve the wanted data from it, and also post new data to it.” Infosecurity notes that, while this is not the first time a social networking site has been used to assist in the control of malware and a botnet - a Twitter botnet, for example, was spotted back in August - it is the first time that a trojan infection has been structured to allow Facebook itself to act as a command and control server. Source:

47. November 3, Computerworld – (National) Put cybersecurity chief in DHS not the White House, Senator says. Five months after the U.S. President announced the need for a White House-appointed coordinator to oversee national cybersecurity affairs, the debate continues in Washington over whether such a coordinator would be more effective if outside the White House. The Ranking Member of the Senate Homeland Security and Governmental Affairs Committee raised the issue most recently. Delivering a speech on cybersecurity issues at George Washington University on November 2, the senator rejected the idea of a White House-led cybersecurity effort and insisted the leadership would have to come from the U.S. Department of Homeland Security (DHS). “Effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House,” the senator said in her speech. She said that while the National Security Agency and other intelligence agencies have the needed cybersecurity resources, “privacy and civil liberties” issues preclude them from taking leadership. As a result, any effort to secure civilian government and critical infrastructure against cyber threats needs to be led by the DHS, the senator said. Only the DHS has the ability to provide the aggressive oversight and continuous real-time security monitoring and analysis that is needed, she said. Source:

48. November 3, The Register – (International) Bug in latest Linux gives untrusted users root access. A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the Red Hat Enterprise Linux (RHEL) distribution does not properly implement that protection, a developer at grsecurity who discovered the bug in mid-October told The Register. Many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine. On October 22, the developer wrote a proof of concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel. In July, the developer published a separate Linux exploit that drew considerable notice because it worked even when fully patched versions were running security enhancements. It targeted a separate null pointer dereference bug that was spawned when the OS was running SELinux, or Security-Enhanced Linux. The developer at the time criticized Linux’s principal developer for failing to take responsibility for the critical issue, citing online comments. He has also taken the Linux kernel developers to task for failing to fully disclose the extent of security bugs when they are patched. The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But because RHEL was made compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, he said.
“They’re putting their users at risk,” he said. “They’re basically the only distribution that’s still vulnerable to this class of attack.” A Red Hat spokeswoman said patches for versions 4 and 5 of RHEL and MRG are available here. An update for RHEL 3 is in testing and should be released soon. He said many other Linux users are also vulnerable because they run older versions or are forced to turn off the feature to run certain types of applications. Source:

Communications Sector

49. November 4, The Register – (International) Whitehall plans ‘White Noise’ phone network collapse. The British government will simulate a shutdown of the national phone network next week in an exercise involving hundreds of government and industry players. The exercise, codenamed “White Noise,” is designed to simulate a catastrophic nationwide communications failure and will take place over Wednesday 11 November and Thursday 12 November. It will be the first time the U.K. has conducted such a large-scale exercise, the head of communications security in the Department for Business told a Lords committee on November 4. White Noise will simulate a total national collapse of the traditional Public Switched Telephone Network. There will be no impact on those not involved in the exercise. Such a scenario could be caused by a cyber or physical attack, or a natural disaster. Officials will monitor the government’s ability to respond in a coordinated way, including keeping Parliament and the public informed. Data and mobile communications will remain intact throughout the exercise. Source:

50. November 4, Money Times – (National) T-Mobile hit with second outage in two months. In yet another outage, T-Mobile was inaccessible Tuesday, leaving nearly 1.7 million of its users without access to calls or data on their cell phones. While the carrier was still working to restore data for its Sidekick users, it encountered another glitch. Immediately after the outage, the carrier posted a statement saying, “T-Mobile customers may be experiencing service disruptions impacting voice and data. Our rapid response teams have been mobilized to restore service as quickly as possible. We will provide updates as more information is available.” The outage lasted for nearly eight hours, and the company apologized for the inconvenience after it restored the services. It updated its statement saying, “T-Mobile confirms it has fully restored voice and text/picture messaging services for customers affected by intermittent service disruptions on Tuesday.” The company further stated that its focus has been to restore full services and it would now be working to investigate what led to the incident. Source:
