Monday, February 23, 2009

Complete DHS Daily Report for February 23, 2009

Daily Report


 CNN reports that about 30 people were injured Friday when a Northwest Airlines flight suffered turbulence before landing at Japan’s Narita International Airport. There were 408 passengers and 14 crew members on the Boeing 747-400 flight from Manila, Philippines. (See item 14)

14. February 20, CNN – (International) Passenger: People were ‘flying’ around the plane. About 30 people were injured February 20 when a Northwest Airlines flight suffered turbulence before landing at Japan’s Narita International Airport, a Northwest spokesman said. Three people were seriously injured, fire officials said. Tokyo’s Kyodo news agency later put the overall number of injured at 47. There were 408 passengers and 14 crew members on the Boeing 747-400 flight from Manila, Philippines. An American passenger told Kyodo News that he heard screams around 30 minutes before the plane was scheduled to arrive, as it suddenly dropped and then climbed. He added that several passengers were thrown into the cabin ceiling, hitting their heads and hurting their necks, because they were not wearing their seatbelts. The plane eventually touched down at Narita airport, east of Tokyo, at around 12:20 p.m., Kyodo quoted the land, infrastructure, transport and tourism ministry as saying. Source:

 According to IDG News Service, the criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates. The new variant, dubbed Conficker B++, was spotted February 16 by SRI International researchers. (See item 42)

See item 42 in the Information Technology Sector below.


Banking and Finance Sector

12. February 20, FINAlternatives – (Minnesota) Accused hedge fund fraudster hit with asset freeze. A federal judge has shut down a San Francisco hedge fund and frozen its assets. The U.S. District Judge in Minneapolis issued a temporary restraining order against Crossroad Capital Management, the principal defendant, and its hedge fund, Paramount Partners. The Securities and Exchange Commission (SEC) sought the emergency order “to restrain them from continuing to engage in a fraudulent hedge fund scheme.” The defendant did not oppose the order, which also froze his assets along with those of Crossroad and Paramount. Recently, the SEC sued the defendant, accusing him of lying to investors about the performance of his hedge fund, overstating its balance sheet to hide losses, and defrauding investors of almost $16 million. The defendant has denied the charges. According to the complaint, the defendant collected some $10.8 million from 54 investors between 2001 and 2008. He allegedly claimed the fund was returning between 19 percent and 65 percent annually, and had “only one losing year, 2004, in which Paramount supposedly lost approximately 5 percent.” On December 31, 2008, Crossroad apparently sent investors documents claiming it managed $17 million. In fact, according to the SEC, the fund was worth just $5.3 million at the end of last year, and is now worth just $1.3 million. The regulator said the defendant showed it financial statements that placed the missing $12 million in a brokerage account, but when it contacted the brokerage firm, the firm said the account had been closed in June. Source:

13. February 19, Bradenton Herald – (Florida) Tampa man convicted of bank fraud. A federal jury convicted a Tampa businessman of fraud on February 19 for his role in a nearly $83 million real-estate scheme in Manatee and Sarasota counties. Jurors deliberated less than six hours before finding the defendant guilty of six counts of conspiracy, bank fraud, money laundering, and making false statements to banks in connection with a loan. The U.S. District Judge set the defendant’s sentencing for June 15. The defendant faces up to 135 years in federal prison and a $4.5 million fine. The defendant’s attorney said he plans to appeal the convictions. The defendant was among four men charged with buying seven parcels of land for $43 million, selling them to each other for $117 million, and netting $82.8 million in bank loans. Two codefendants took plea deals and testified against the defendant, while the alleged mastermind has not yet been extradited from Jordan. Source:

Information Technology

41. February 20, Washington Post – (International) Attackers exploiting unpatched flaw in Adobe Reader, Acrobat. Hackers are exploiting an unpatched security hole in current versions of Adobe Reader and Acrobat to install malicious software when users open a booby-trapped PDF file, security experts warn. Adobe issued an advisory on February 19 warning that its Reader and Acrobat software versions 9 and earlier contain a vulnerability that could allow attackers to take complete control of a system if the user opens a poisoned PDF file. Adobe said it does not plan to issue an update to plug the security hole until March 11. Meanwhile, Shadowserver, a volunteer-led security group, said it has seen indications that this vulnerability is being used in targeted attacks. Shadowserver warns that this exploit is likely to be bundled into attack kits that are sold to cyber crooks who specialize in seeding hacked and malicious Web sites with code that tries to install malware. “These types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the Internet,” a Shadowserver volunteer wrote on the group’s blog. Adobe’s advisory lacks any advice users can follow to mitigate the threat from this flaw. But those at Shadowserver say Adobe Reader and Acrobat users can significantly reduce their exposure to such attacks by disabling JavaScript within the application. Source:
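Added example (not from the report, Adobe, or Shadowserver): a keyword triage of the kind incident responders ran over suspect PDFs in this period. Both PDF byte strings are constructed for the example, the verdict labels are this example’s own, and the /J#61vaScript spelling shows why a scanner must resolve PDF’s #xx name escapes before matching.

```python
import re

# Constructed sample (not a real malicious file): a minimal PDF whose catalog
# auto-runs a JavaScript action when opened. The action type is written with
# a PDF "#xx" hex escape (/J#61vaScript == /JavaScript) to show why a naive
# substring search for "/JavaScript" misses trivially obfuscated files.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample with no actions or scripts.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Name objects worth counting when triaging a booby-trapped PDF. /ObjStm is
# included because objects inside compressed object streams are invisible to
# a plain keyword scan and must be inflated before they can be judged.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/ObjStm")

# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")


def decode_name(raw: bytes) -> bytes:
    """Resolve the #xx hex escapes PDF allows inside name objects."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def count_pdf_names(data: bytes) -> dict:
    """Count occurrences of each suspicious name after de-escaping."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for m in _NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage_pdf(data: bytes):
    """Return (verdict, counts). Verdict labels are this example's own:
    'auto-script' = script wired to fire on open (/OpenAction or /AA),
    'script' = script or /Launch present, 'opaque' = compressed object
    streams hide part of the file, 'clean' = none of the above seen."""
    counts = count_pdf_names(data)
    has_script = counts[b"/JavaScript"] + counts[b"/JS"] > 0
    auto = counts[b"/OpenAction"] + counts[b"/AA"] > 0
    if has_script and auto:
        verdict = "auto-script"
    elif has_script or counts[b"/Launch"] > 0:
        verdict = "script"
    elif counts[b"/ObjStm"] > 0:
        verdict = "opaque"
    else:
        verdict = "clean"
    return verdict, counts


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        verdict, counts = triage_pdf(pdf)
        print(label, verdict, {k.decode(): v for k, v in counts.items() if v})
```

A "clean" verdict from this scan is only as good as the file’s visibility: a document that packs its action and script objects into an /ObjStm stream needs decompression first, which is why the scan reports that case separately rather than calling it clean.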

42. February 19, IDG News Service – (International) Conficker worm gets an evil twin. The criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates. The new variant, dubbed Conficker B++, was spotted February 16 by SRI International researchers, who published details of the new code on February 19. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines. Conficker-infected machines could be used to send spam, log keystrokes, or launch denial of service (DoS) attacks, but an ad hoc group calling itself the Conficker Cabal has largely prevented this from happening. They have kept Conficker under control by reverse-engineering the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names that the Conficker Cabal has worked hard to register and keep out of the hands of the criminals. The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether. That means that the Cabal’s most successful technique could be bypassed. Conficker underwent a major rewrite in December 2008, when the B variant was released. But this latest B++ version includes more subtle changes, according to a program director with SRI. “This is a more surgical set of changes that they’ve made,” he said. Source:
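Added example (not from the report or from SRI, and deliberately not Conficker’s real algorithm): a hypothetical date-seeded domain generation routine, the defender’s pre-registration plan built from it, and a model of why an update path that never consults the generated domains sidesteps that plan. The seed, the 250-per-day figure and the domain format are all made up for the illustration.

```python
import hashlib
from datetime import date

# Hypothetical DGA for illustration only; it is NOT Conficker's algorithm.
# The only input is the calendar date, so anyone who has reverse-engineered
# the routine can compute tomorrow's list today and register it first.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 250          # made-up figure, not the worm's real count


def toy_dga(day: date, seed: bytes = b"toy-dga-seed") -> list:
    """Derive the day's candidate rendezvous domains from the date alone."""
    names = []
    for i in range(DOMAINS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([i >> 8, i & 0xFF])
        h = hashlib.sha256(material).hexdigest()
        length = 8 + int(h[0], 16) % 4                       # 8..11 letters
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[1:1 + length])
        names.append(f"{label}.{TLDS[int(h[15], 16) % len(TLDS)]}")
    return names


def sinkhole_plan(day: date) -> set:
    """Defender side: the set of names to register (or sinkhole) for `day`."""
    return set(toy_dga(day))


def bot_rendezvous(day: date, registry: dict):
    """Bot side, old behaviour: walk the day's list and take the first domain
    that resolves. `registry` maps domain -> owner; a missing key is NXDOMAIN."""
    for name in toy_dga(day):
        if name in registry:
            return registry[name], name
    return None, None


def bot_rendezvous_with_push(day: date, registry: dict, pushed_update):
    """Bot side, hypothetical model of a B++-style change: if an update has
    already arrived over a path that never touches the rendezvous domains,
    use it and skip the DGA walk. Pre-registering domains does nothing here."""
    if pushed_update is not None:
        return "attacker", "pushed"
    return bot_rendezvous(day, registry)


if __name__ == "__main__":
    today = date(2009, 2, 20)
    registry = {d: "sinkhole" for d in sinkhole_plan(today)}
    print(bot_rendezvous(today, registry))                      # sinkhole wins
    print(bot_rendezvous_with_push(today, registry, b"blob"))   # sinkhole bypassed
```

The defender’s leverage comes entirely from the generation routine being deterministic in public inputs; the moment the bot accepts code from a channel the defender cannot predict or occupy, the registration race is no longer the control that matters.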

43. February 19, DarkReading – (International) Romanian hacker cracks Symantec, International Herald Tribune. The Romanian hacker who penetrated the Web sites of three security vendors the week of February 9-13 is now claiming two new victims: Symantec and the New York Times. The hacker, known only as “Unu,” posted a blog about an SQL injection vulnerability found on one of Symantec’s Web sites, the Document Download Center of the Norton Resource Center for Resellers. The flaw “permits access to their databases,” Unu says, although he did not say which databases or what data is contained in them. Ironically, the flaw was found on a login page that promotes the Norton line of security products, Unu observes. In a response posted to Unu’s Web site, Symantec concedes that the page is flawed by “inconsistent exception handling,” but it rejects Unu’s assertion that the bug could lead to database access. “Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective,” Symantec says. “The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling.” In a separate blog, Unu also claims to have discovered an SQL injection vulnerability in the Web site of the International Herald Tribune, the global edition of the New York Times. “I discovered an unsecured parameter, which allows access to the database,” Unu says. “Besides the wealth of information in the database, we also found an interesting table containing login details of 161 affiliates, editors, reporters, and other associates of the famed newspaper.” The International Herald Tribune says the vulnerability has been patched, but concedes that some login details were exposed. Unu says he is targeting other newspapers’ Web sites for further research. 
Source:;jsessionid=1MBCH2P0WJGTSQSNDLPSKHSCJUNN2JVN?articleID=214501999
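Added example (not from the report, from Unu, or from Symantec or the Herald Tribune): the three behaviours the item describes, modelled against an in-memory SQLite database with constructed rows. A query that concatenates a language option is probed and then used for a UNION dump of a login table; a parameterized version is immune; and a parameterized version with inconsistent handling of unknown language options shows why a probe that only compares a clean value with a quoted one cannot distinguish Symantec’s explanation from a real injection, whereas a true/false pair of otherwise identical payloads can.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a document-download site; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, lang TEXT, title TEXT)")
    conn.executemany("INSERT INTO documents (lang, title) VALUES (?, ?)",
                     [("en", "Reseller guide"), ("de", "Haendlerleitfaden")])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users (login, pwhash) VALUES ('editor1', 'not-a-real-hash')")
    return conn


def list_docs_vulnerable(conn, lang: str) -> list:
    """The bug: the language option is concatenated into the SQL text."""
    sql = f"SELECT title FROM documents WHERE lang = '{lang}'"
    return [row[0] for row in conn.execute(sql)]


def list_docs_fixed(conn, lang: str) -> list:
    """The fix: a bound parameter, which the database never parses as SQL."""
    rows = conn.execute("SELECT title FROM documents WHERE lang = ?", (lang,))
    return [row[0] for row in rows]


def list_docs_inconsistent(conn, lang: str) -> list:
    """Safe (parameterized) but with inconsistent handling of unknown language
    options: a known code yields rows, anything else yields an error marker."""
    if lang not in ("en", "de"):
        return ["error: unsupported language option"]
    return list_docs_fixed(conn, lang)


def _call(fn, conn, value):
    try:
        return fn(conn, value)
    except sqlite3.Error as exc:            # a syntax error is itself a response
        return [f"db error: {type(exc).__name__}"]


def naive_probe(fn, conn) -> bool:
    """Compare a clean value with one carrying a stray quote. Any endpoint that
    validates, filters or mishandles odd input also differs here, so a
    difference proves nothing about SQL execution."""
    return _call(fn, conn, "en") != _call(fn, conn, "en'")


def boolean_blind_probe(fn, conn) -> bool:
    """Send two payloads that differ only in a condition the database must
    evaluate. A response that tracks the truth value means attacker-supplied
    SQL ran; an endpoint that merely dislikes quotes answers both the same."""
    true_resp = _call(fn, conn, "en' AND '1'='1")
    false_resp = _call(fn, conn, "en' AND '1'='2")
    return true_resp != false_resp


def dump_logins_vulnerable(conn) -> list:
    """Once injection is confirmed, a UNION turns the listing into a table dump."""
    return list_docs_vulnerable(conn, "x' UNION SELECT login FROM users WHERE '1'='1")


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", list_docs_vulnerable),
                     ("fixed", list_docs_fixed),
                     ("inconsistent", list_docs_inconsistent)):
        print(name, "naive:", naive_probe(fn, conn),
              "boolean:", boolean_blind_probe(fn, conn))
    print(dump_logins_vulnerable(conn))
```

The naive probe flags all three endpoints; only the vulnerable one changes its answer between the true and false conditions, which is the evidence a report of "blind SQL injection" has to carry before anyone claims database access.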

44. February 19, DarkReading – (International) Kaminsky calls for DNSSEC adoption. The much-debated protocol to help secure the Domain Name System received a big boost on February 19 when a DNS security guru said the industry must adopt the DNSSEC protocol. The security guru, who discovered the now-infamous DNS cache-poisoning flaw last year and got the vendor community to patch it, had for some time mostly dismissed DNSSEC as a DNS security solution. But after studying the specification more closely, the security guru, who discussed his support for DNSSEC during his Black Hat DC presentation, said DNSSEC could remedy some of DNS’ security weaknesses. “I was never anti-DNSSEC — I was just never for it. It just didn’t look like it was going to work,” the security guru said in an interview on February 19. “This is my first time publicly saying we need to do it. No one is more surprised than I.” The Federal Government is already on its way to widespread DNSSEC adoption after initially only recommending it for some systems. A new federal policy issued in the wake of the DNS flaw scare last summer mandates that all federal agencies adopt DNSSEC for their DNS servers by December 2009. DNSSEC has been criticized for its complexity, as well as the DNS infrastructure overhaul its adoption typically entails. For DNSSEC’s validation model to work, for instance, it has to be deployed end to end, from the signed root and top-level domains down to the validating resolver, an issue that is rife with both technical and political challenges. And DNSSEC requires significant manual configuration, including key signing and record updates, the security guru noted. Source:;jsessionid=1MBCH2P0WJGTSQSNDLPSKHSCJUNN2JVN?articleID=214501924

Communications Sector

Nothing to report.