Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, February 26, 2009

Complete DHS Daily Report for February 26, 2009

Daily Report


 The Alton Telegraph reports that an explosion destroyed a building Tuesday night at Hanley Industries in Alton, Illinois. Hanley Industries manufactures explosive devices for the military equipment and aircraft markets. (See item 12)

12. February 24, Alton Telegraph – (Illinois) Explosion reported at Hanley Industries. An explosion rocked the Alton, Illinois area Tuesday night and destroyed a building at Hanley Industries. The blast was reported about 9:40 p.m. and numerous area residents reported feeling their houses shake and windows rattle. The Fosterburg Fire Protection District responded to the blast, which was reportedly caused by some black powder that ignited inside a small outbuilding. The explosion also caused a small grass fire in a nearby wooded area. Godfrey Fire Protection District also responded. A captain with the Fosterburg Fire Protection District said there were no injuries. He said the building that was destroyed was designed for incidents such as this and to cause the least amount of damage. Hanley Industries manufactures explosive devices for the military equipment and aircraft markets. The company’s Web site says it produces high-quality explosive components for field and aerospace equipment, artillery and bomb fuses, initiators and priming elements. It also makes miniature electrically initiated detonators, explosive bolts for space launch vehicles, stab primers and electric primers for naval guns. Source: See also:,0,6442269.story

 According to Government Executive, a report released on Monday by the Energy Department Inspector General concluded that the department could not accurately account for the quantities and locations of nuclear material at 15 out of 40, or 37 percent, of facilities reviewed. (See item 32)

32. February 24, Government Executive – (National) IG: Energy cannot account for nuclear materials at 15 locations. A number of institutions with licenses to hold nuclear material reported to the Energy Department in 2004 that the amount of material they held was less than agency records indicated. But rather than investigating the discrepancies, Energy officials wrote off significant quantities of nuclear material from the department’s inventory records. That is just one of the findings of a report released on February 23 by the Energy Department Inspector General that concluded “the department cannot properly account for and effectively manage its nuclear materials maintained by domestic licensees and may be unable to detect lost or stolen material.” Auditors found that Energy could not accurately account for the quantities and locations of nuclear material at 15 out of 40, or 37 percent, of facilities reviewed. The materials written off included 20,580 grams of enriched uranium, 45 grams of plutonium, 5,001 kilograms of normal uranium and 189,139 kilograms of depleted uranium. “Considering the potential health risks associated with these materials and the potential for misuse should they fall into the wrong hands, the quantities written off were significant,” the report stated. Auditors also found that waste processing facilities could not locate or explain the whereabouts of significant quantities of uranium and other nuclear material that Energy Department records showed they held. More than 100 academic and commercial institutions and government agencies lease nuclear materials that are owned by Energy. The department, along with the Nuclear Regulatory Commission, is supposed to track these materials through the centralized accounting system known as the Nuclear Materials Management and Safeguards System, or NMMSS. Source:


Banking and Finance Sector

13. February 25, ZDNet Asia – (International) Phishers ride on financial crisis theme. Phishing attacks have doubled during the months of January and February, with phishers riding on the downturn in the economy to pose as financial institutions, said Symantec. According to the antivirus company’s latest MessageLabs Intelligence Report, the recession theme has seen a revival in the past month, where spam is concerned. “At a time when concerned consumers may not be surprised to hear from their banks, phishing attacks have risen to one in 190 e-mail messages, from one in 396 in January 2009,” said the report. “Recession spam” messages have also surfaced, carrying text strings such as “money is tight, times are hard.” February saw the reappearance of search engine redirects referencing the financial crisis, for the first time in over a year, said Symantec. Overall, however, spam declined by 1.3 percent to 73.3 percent of all e-mail messages in February. The report added this includes a spike in levels hitting 79.5 percent at the start of the month, due in part to Valentine’s Day-themed spam. Symantec said the vast majority of such spam originated from the Cutwail (Pandex) botnet, which pushed out an estimated 7 billion Valentine’s Day-themed messages each day. Source:,39044215,62051534,00.htm

14. February 25, The Register – (International) Banking app vuln surfaces 18 months after discovery. In the course of penetration testing a client’s Web site, the CTO of security consulting firm Netragard says he discovered that CAMAS, the marketing name for Cambium’s content management system, was riddled with vulnerabilities that made its customers’ Web sites susceptible to breaches that could reveal administrator passwords and other sensitive data. It is no small deal since a significant percentage of Cambium’s clients are banks, credit unions, and health care providers. What was unprecedented was the amount of time it took to publish the CTO’s findings: Almost 18 months from the time of discovery. During most of that time, he says CAMAS customers who did not take special precautions — including Cambium Group itself, according to this Google cache — were vulnerable to attacks known as SQL injections. “I have no doubt what so ever that the vulnerability shown in the cached link above is the exact same one that we alerted Cambium’s president of in August of 2007,” the CTO wrote in an email to The Register. “Cambium’s president may have fixed the vulnerability in our customer’s instance of their Cambium Group Content Management System, but he certainly did not fix the rest of his customers according to Google.” The time line of the advisory shows that Cambium was notified in full detail on August 24, 2007. And yet, a review by The Register earlier this month identified 24 Cambium-driven Web sites that returned verbose error messages when a single additional character was added to the Web sites’ URL. The errors were returned by the sites’ SQL database and were the result of the same vulnerability, the CTO said. Source:

15. February 24, Reuters – (National) U.S. regulators brace for jump in bank failures. The rate of U.S. bank failures is expected to increase more than four-fold this year as federal regulators get fresh resources to handle insolvent banks, and as the U.S. Presidential Administration takes a more aggressive approach toward some banks’ dismal prospects. Bank analysts and industry insiders say a continued deterioration in credit conditions will be the driving force behind a big upswing in the number of failures, but policy decisions will also push the numbers up. “I think people were surprised there weren’t more last year, and I think that has to do more with the capabilities of the (Federal Deposit Insurance Corp) than the quality of the banks,” said the chairman of law firm Pepper Hamilton’s financial services practice group. The FDIC seized 25 banks last year. In just the first seven weeks of 2009, 14 banks failed and the FDIC is on pace to close more than 100 in 2009. The agency is on a hiring spree and wants to triple its line of credit with the Treasury Department, better equipping it to close weak banks and find buyers for their assets. “The FDIC has clearly stated that we expect an increase in our resolution activity as we work through this economic cycle,” said a FDIC spokesman. “The prudent planning efforts by the FDIC over the last year and a half reflect this — including additional hiring, contractor engagements and budget increases.” Source:

Information Technology

36. February 25, – (International) Phishers launch multi-platform IM attack. Users of Internet chat services have been hit by a major phishing attack aimed at stealing account log-in details, security researchers have warned. The unsolicited instant messages urge users to click on a TinyURL link to watch a video, but the link takes them to a site called ViddyHo which asks them to fill in user names and passwords. The phishers can then use these details to hack into user accounts and send more malicious links. Much of the focus around this attack has been on risks to Gmail account holders, in response to the Google Mail outage on February 24. However, phishers are also targeting users of instant messaging systems from Yahoo, Microsoft and MySpace. “This is, of course, a classic attempt to phish credentials from the unwary,” wrote the Sophos senior technology consultant in a blog posting. “The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet.” Users are also more likely to fall for this attack because the link comes from a trusted source, according to a solutions architect at security vendor Trend Micro. Source:

37. February 25, BBC News – (International) Experts sound scam threat warning. Experts are warning of an increase in the number of fake anti-virus Web sites. Hackers are tricking people with a false warning, saying that the computer is infected with a Trojan and getting users to buy a fake anti-virus product. A number of sites were closed last year when authorities in the United States took action to stop sellers of “scareware.” But despite the closures, the number of sites continues to grow, with one expert saying it was “the biggest threat facing computer users today.” The chairman of the Independent Trade Association of Computer Specialists, which represents independent computer retail and repair shops across Britain, said hackers were playing on people’s fear. “At my repair shop in Lincoln alone, we’ve had more than 300 users in the past six months come in with a computer infected with fake anti-virus software.” “This week, we’ve seen fake AVG anti-virus that was so good, one of my engineers was convinced that it was the real thing,” said the chairman. Hackers have been employing more sophisticated tricks to dupe users into buying their fake software. In early February 2009, hackers put fake parking tickets on cars with a URL directing them to “view pictures with information about your parking preferences” that in reality downloaded a Trojan that then prompted the user to install fake anti-virus software. Source:

38. February 25, Daily Tech – (International) eWeek ads infect users thanks to Adobe flaw. Adobe has over the last several years claimed many of the top security vulnerabilities due to its rich format which gives hackers many easy routes to take over computers. eWeeK, a leading computer and security news site, became the latest victim of an Adobe exploit earlier this month. Other sites owned by Ziff Davis Media, which owns eWeek, were also affected. The Ziff Davis sites hosted an ad, which while looking legitimate redirected users through a series of iFrames to a pornographic Web site. And that was not the end of the shenanigans, either. The site then tried to download an Adobe PDF containing a known exploit, ‘bloodhound.exploit.213.’ A patch had been previously released for the exploit, which affects Adobe Acrobat and Reader versions 8.12 and earlier, but many users still have yet to receive it. Once the exploit gains access to the system, it installs a file named “winratit.exe” in the user’s temporary files folder and two other files, according to security researchers at Websense. The files are activated when users are browsing the Internet and they try to get users to buy fake antivirus software by redirecting them to phony sites. Websense describes the fake software, “The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed], which has been set up to collect payment details.” The offending ads have been removed from the system. Source:

39. February 23, SC Magazine – (International) Microsoft says password stealers pose biggest threat. The top two threat families on Microsoft’s detection and removal list this month are online game password stealers (PWS). These threats are now predominantly occurring in the United States, a shift from last June, 2008, when they mostly were detected in China. In one week, Microsoft’s free Malicious Software Removal Tool (MSRT) cleaned more than 980,000 machines from the Taterf worm, the top threat family this month, a spokesman in Microsoft’s Malware Response Center wrote in a blog post February 19. The worm steals gaming credentials either through keylogging or by injecting itself into game clients and reading memory. The MSRT, released on the second Tuesday of each month, checks computers running Windows Vista, XP, 2000 and Windows Server 2003 for infections by prevalent malware and helps remove infections. The second most detected and removed malware family this month is Frethog, another PWS, which MSRT cleaned off 316,971 machines in one week. A threat researcher with anti-malware firm Trend Micro told that the motivation behind these threats is financial. Many online games have in-game currency or “game gold.” Portals to convert these various game currencies into real world cash have been available for some time. Stolen game login credentials are similar to stolen banking passwords, since game currency can be turned into real cash, the threat researcher said. Source:

Communications Sector

Nothing to report.