Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 13, 2009

Complete DHS Daily Report for February 13, 2009

Daily Report


 According to the Associated Press, the Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were stolen last year. No classified information has been lost, a lab spokesman said. (See item 5)

5. February 11, Associated Press – (New Mexico) 69 computers missing from nuclear weapons lab. The Los Alamos nuclear weapons laboratory in New Mexico is missing 69 computers, including at least a dozen that were stolen last year, a lab spokesman said. No classified information has been lost, a spokesman said. The watchdog group Project on Government Oversight on Wednesday released a memo dated February 3 from the Energy Department’s National Nuclear Security Administration that said 67 computers were missing, including 13 that were lost or stolen in past 12 months. The lab was initiating a month-long inventory to account for every computer, the spokesman said. The computers were a cybersecurity issue because they may contain personal information like names and addresses, but they did not contain any classified information, he said. Also missing are three computers that were taken from a scientist’s home in Santa Fe, New Mexico, on January 16, and a BlackBerry belonging to another employee was lost “in a sensitive foreign country,” according to the memo and an e-mail from a senior lab manager. Source:

 The Associated Press reports that two big communications satellites collided 500 miles over Siberia in the first-ever crash of its kind in orbit. The collision involved an Iridium commercial satellite and a Russian satellite believed to be nonfunctioning. (See item 28)

See details in Communications Sector below.


Banking and Finance Sector

6. February 12, Associated Press – (National) Fugitive financier arrested at U.S. border. An American fugitive accused in a $100-million mortgage fraud was caught at the Canadian border after taking a taxi from Toronto with $1-million in Swiss bank certificates and $70,000 stuffed in his shoes, authorities said yesterday. Authorities said the suspect also was carrying four ounces of platinum valued at more than $1,000 an ounce when he was arrested entering the United States at Buffalo, New York, on February 11. The suspect is the second of three fugitives to be caught in the investigation of Loomis Wealth Solutions, an investment company based in Roseville, California, and several related companies. Court documents say they had defrauded investors and mortgage companies of $100-million since 2006. The deals involved 500 homes and condominiums in California, Florida, Nevada, Illinois, Colorado and Arizona, Internal Revenue Service affidavits said. The suspect admits his guilt in an essay appearing online, and blames himself and his colleagues for helping to cause the U.S. financial meltdown by creating hundreds of millions of dollars in fraudulent mortgages that went bad. Until recently, the 27-year-old Sacramento man had been co-operating with investigators. But after posting the essay in which he admits his guilt on the Web site of a new mortgage-banking operation he was promoting called Triduanum Financial, the suspect fled. Source:

7. February 11, Computerworld – (International) Web site: More than 150 banks affected by Heartland data breach thus far. The number of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the news portal. The Web site on February 11 published a list containing the names of 157 institutions that it said have publicly disclosed to customers that they were victimized as a result of the breach at Heartland, a large payment processor in Princeton, New Jersey. The list includes two banks in Bermuda, plus one each in Canada and Guam. A Heartland spokesman said on February 11 that while he had seen the report on, he was unable to verify whether the numbers cited by the Web site were correct. Meanwhile, in another indication of the fallout from the breach, 83 percent of the 512 banks that responded to an informal “quick poll” survey conducted in late January by the Independent Community Bankers of America (ICBA) trade group said that credit or debit cards they had issued were compromised in the incident at Heartland. Another 12 percent said they didn’t know yet if they had been affected, while just 4 percent said they hadn’t been, according to the ICBA, which has more than 5,000 member banks from around the United States. For the most part, the banks on the list compiled by appear to be mostly smaller institutions — although there are a handful of larger ones, such as Sovereign Bank. Source:

8. February 11, Reuters – (National) FDIC to extend bank debt backstop through October. The Federal Deposit Insurance Corp (FDIC) will extend a guarantee program for about $1.4 trillion in bank debt and up to $500 billion in transaction deposit accounts through the end of October, U.S. regulators said. The Temporary Liquidity Guarantee Program, launched in October, 2008, to help boost confidence in U.S. credit markets, was due to expire at the end of June. In an interagency statement by regulators on February 11 following the announcement of the U.S. Treasury’s revamped financial rescue plan, banking regulators said the FDIC would make the program available to banks for an additional four months in exchange for another premium. “The FDIC’s Temporary Liquidity Guarantee Program has contributed importantly to the gradual easing of liquidity strains on our financial institutions,” the regulators said in a statement. “Though funding conditions have eased somewhat, this temporary program will be extended for an additional four months to provide liquidity to our banks as part of this overall strategy to move our economy forward.” Source:

Information Technology

26. February 11, CNET News – (International) Hacker site claims breach of third security firm Web site in a week. A Romanian hacker site said on February 11 it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies recently. F-Secure is “vulnerable to SQL Injection plus Cross Site Scripting,” an entry on the HackersBlog site said. “Fortunately, F-Secure doesn’t leak sensitive data, just some statistics regarding past virus activity.” An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and had no sensitive or customer data on it, just statistical data for marketing purposes. HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on February 7 and the Portugal site of BitDefender on February 9 using the same attack techniques. Source:

27. February 11, DarkReading – (International) New and improved Storm botnet morphing Valentine’s malware. The botnet formerly known as Storm is ramping up its ability to evade detection by automatically generating thousands of different variants of its malware each day as it spreads and recruit more bots. Waledac, the new and improved Storm, is using its favorite holiday, Valentine’s Day, to spread the love with signature phony greeting cards and romance-themed email that Storm so infamously spread in the past. “Over the last 24 hours, we’ve seen over 1,000 new variants [of Waledac code],” said a senior researcher with Eset, which expects Waledac to eventually pump out thousands of variants a day. “It was a bit lower than what we are expecting. It may not have reached many of our clients yet.” That said, it’s still a big jump from the around 10 new versions a day Eset had seen the botnet creating, he adds. One of Waledac’s latest attacks comes in the form of a puppy love e-card with a Valentine’s-related link, as well as other warm and fuzzy-looking email. Subject lines include the usual “a Valentine card from a friend” and “you have received a Valentine E-card,” but once you click the URL to retrieve the message, Waledac’s malware is downloaded onto your machine. Another attack uses a phony pop-up that appears to be from Microsoft stating the machine is infected with spyware. That leads to a fake antispyware site that not only infects the machine, but also tries to sell the victim its scareware, according to the director of product management for Marshal8e6. Source:;jsessionid=OSFS5MKSLIVSOQSNDLRSKH0CJUNN2JVN?articleID=213403915

Communications Sector

28. February 11, Associated Press – (International) Satellites collide 500 miles over Siberia. Two big communications satellites collided in the first-ever crash of its kind in orbit, shooting out a pair of massive debris clouds and posing a slight risk to the international space station. NASA said it will take weeks to determine the full magnitude of the crash, which occurred nearly 500 miles over Siberia on February 10. “We knew this was going to happen eventually,” said an orbital debris scientist at Johnson Space Center in Houston. NASA believes any risk to the space station and its three astronauts is low. It orbits about 270 miles below the collision course. There also should be no danger to the space shuttle set to launch with seven astronauts on February 22, officials said, but that will be re-evaluated in the coming days. This was the first high-speed impact between two intact spacecraft, NASA officials said. The collision involved an Iridium commercial satellite, which was launched in 1997, and a Russian satellite launched in 1993 and believed to be nonfunctioning. The Russian satellite was out of control, the scientist said. Iridium Holdings LLC has a system of 65 active satellites that relay calls from portable phones that are about twice the size of a regular mobile phone. It has more than 300,000 subscribers. The U.S. Department of Defense is one of its largest customers. The company said the loss of the satellite was causing brief, occasional outages in its service and that it expected to have the problem fixed by February 13. Source:

29. February 11, DarkReading – (International) New vulnerability found in BlackBerry’s Web application loader. BlackBerry maker Research In Motion this week is warning users about a newly discovered vulnerability that could potentially enable an attacker to gain remote control of the device or crash its browser. The flaw was found in the BlackBerry’s Web Application Loader, an ActiveX feature that enables the handheld to load new applications via the Internet Explorer browser. RIM says that “an exploitable buffer overflow” exists in the BlackBerry Application Web Loader ActiveX control. According to an advisory issued by US-CERT, the flaw may be exploited by phishers or other attackers. “By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user,” the advisory says. “The attacker could also cause Internet Explorer to crash.” US-CERT says the vulnerability has been assigned a Common Vulnerability Scoring System rating of 9.3 on a 10-point scale, which means the vulnerability is highly dangerous and potentially easy to exploit. RIM says users can eliminate the vulnerability by uploading the current, patched version of Web Application Loader, which does not have the flaw. Users can also disable the ActiveX control in their current browsers, the company says. Source: