Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, January 22, 2009

Complete DHS Daily Report for January 22, 2009

Daily Report


• According to the Washington Post, a data breach last year at Princeton, New Jersey payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said on Tuesday. (See item 7)

See item 7 in the Banking and Finance Sector below in Details.

• Reuters reports that three executives at News Corp.’s Dow Jones & Co. headquarters in New York received envelopes containing white powder on Wednesday, and 10 more were discovered in the mailroom, prompting evacuations of two floors of the building. (See item 11)

11. January 21, Reuters – (New York) Dow Jones executives get white powder mail. Three executives at News Corp.’s Dow Jones & Co. headquarters received envelopes containing white powder on Wednesday, and 10 more were discovered in the mailroom, prompting evacuations of two floors of the building. The building contains Dow Jones as well as its Wall Street Journal daily business newspaper. The New York Police Department and New York Fire Department’s Hazmat teams are investigating. The envelopes were found on the 11th floor, a Wall Street Journal spokesman said. The 11th floor was evacuated, as was the ninth floor where the mailroom is located. The envelopes bore a Knoxville, Tennessee return address. It is unknown what the postmark says on the envelopes or whether they contained notes. Source:


Banking and Finance Sector

7. January 20, Washington Post – (National) Payment processor breach may be largest ever. A data breach last year at Princeton, New Jersey, payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said on January 20. If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported. Heartland’s president and chief financial officer said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments. The president said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. But the president said it was not until last week that investigators uncovered the source of the breach: a piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients. The president said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates. Source:

See also:

8. January 20, CNNMoney – (National) U.S. asks banks for data on loans, securities. The U.S. Treasury Department has asked big banks receiving government bailout funds to provide more details about lending activity in a monthly report, a Treasury official said on January 20. The Treasury wrote on January 16 to 20 banks getting funding under the Troubled Asset Relief Program asking for more information about business and consumer loans. The government also asked for data on mortgage-backed securities and asset-backed securities purchases. Banks receiving the letter included Citigroup, Bank of America, JPMorgan Chase, Wells Fargo, Goldman Sachs, and Morgan Stanley. “The purpose of this snapshot is to provide insight into the lending and financial intermediation activities of the largest recipients of the CPP (Capital Purchase Program),” the head of the TARP program wrote in a letter obtained by Reuters. The Treasury is using up to $250 billion from the first half of a $700 billion rescue package to buy equity stakes in banks to strengthen them and restore lending to consumers and businesses. Source:

Information Technology

25. January 21, The Register – (International) New OS X research warns of stealthier Mac attacks. A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple’s OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using current forensics practices. The technique, which an Italian researcher plans to detail at the Black Hat security conference in Washington in February, makes it possible to carry out stealthy Mac attacks that until now have not been possible. The in-memory injection approach allows unauthorized software to be installed on a Mac without leaving traces of the attack code or other tell-tale signs that the machine has been compromised. Similar stealth techniques have existed for more than two years for infecting Windows and Linux machines, but until now, researchers knew of no reliable way to cover their tracks when attacking Macs. It is likely only a matter of time until malware developers begin using the method in the wild, said a researcher who has reviewed the Italian researcher’s work. “The importance is it makes forensics much harder,” the researcher wrote in an email to The Register. “In the past, you could rely on seeing the trail of the bad guy on the disk, even if they tried cleaning up and deleting their files. This provides a practical method to eliminate that evidence.” Source:

26. January 20, Computerworld – (International) Google shuts off antiphishing feature in Firefox 2.0. Google Inc. will turn off the antiphishing service used by Firefox 2.0 today, a Mozilla Corporation executive said on January 19. Although the two most-recent builds of Firefox 2.0, labeled and, have omitted the defense, earlier editions of the browser were still able to query Google for a list of sites suspected of hosting identity theft scams. But Google is now shutting down the blacklist, said the director of Firefox. “If you are using a previous version of Firefox 2, even though the feature is enabled in your browser, as of January 20 no new data will be sent to your computer,” the director said in a post to the Mozilla developer center blog January 19. Mozilla had warned users in December that Firefox 2.0, which was slated to be dropped from support, would soon lack antiphishing protection because Google wanted to discontinue the obsolete blacklist protocol that served the aged browser. Source:

27. January 19, MX Logic – (International) Cybercriminals avoid attacking their homeland. Some cybercriminals appear to be avoiding conducting malware or phishing attacks in their homeland to thwart the authorities. Launching attacks overseas and across borders also allows cybercriminals to operate under a seemingly protective cloud, making it difficult for foreign countries to police them, the article reports. This is a recent trend noticed by security officials tracking the activity of two malware operations, Swizzor and Conficker, according to the article. The officials found the two malware attackers had stopped infecting machines close to where the authors were operating. Swizzor, which has been around for approximately two years, stopped infecting Russian machines, which means users running a Russian version of Windows will now be free of the bug. Conficker, also known as Downadup, has been reportedly spreading quickly through corporate PCs with no clear motive or goal. The earliest version of the bug was avoiding Ukraine targets, though the more evolved attack out now has been less discriminatory on which machines it infects. Though it may not yield an exact location of a cybercriminal, security officials have taken notice and appear to be using the trend to at least focus their search area for the hackers. Source:

Communications Sector

28. January 20, Computerworld – (District of Columbia) Update: Internet, wireless hold up despite deluge of inaugural video streaming. Streaming Internet video of the inauguration of the U.S. President jammed Internet links and news Web sites Tuesday, and wireless carriers reported a deluge of calls, but problems seemed to be minor. Some news sites encountered performance slowdowns while broadcasting live pictures, video and blogs of the inauguration, said the director of operations at Keystone Systems Inc., a mobile and Internet test and measurement company in San Mateo, Calif. A major investment by wireless carriers in the Washington area infrastructure seems to have paid off, although some minor glitches were reported. The carriers had invested millions and prepared for months to boost network capacity around the National Mall, but given the millions of people in attendance at the inauguration, some delays or dropped calls were inevitable, they said. Source:

See also:

29. January 20, Reading Eagle – (Pennsylvania) Phone service returns to Frontier customers following cable break. Frontier Communications has restored phone service that was disrupted by a major fiber-optic cable break and affected some customers in Berks County. The Berks County Department of Emergency Services reported today that the break occurred in the Douglasville area and affected about 13,000 customers served by Frontier Communications. Customers with 610 and 484 area codes with the telephone exchange prefixes of 916, 926, and 248 were among those affected. Some of those affected lost the ability to make long-distance calls and 911 calls and lost Internet service. Some could make calls only to other Frontier customers. The cable break also impacted the system in Wyomissing Borough Hall and the borough police department’s ability to receive incoming calls. Source: