Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, March 26, 2009

Complete DHS Daily Report for March 26, 2009


According to the Air Force Times, all 84 of the U.S. military’s V-22 Ospreys were temporarily grounded Saturday after the discovery of loose bolts on the aircraft by Marines in Iraq, officials said. (See item 7)

7. March 25, Air Force Times – (National) All Ospreys grounded after Iraq incident. All 84 of the U.S. military’s V-22 Ospreys were temporarily grounded Saturday after the discovery of loose bolts on the aircraft by Marines in Iraq, officials said. The grounding affected all V-22s, including the Corps’ aircraft and the 11 CV-22s the Air Force operates, said a spokesman for the V-22 program at Navy Air Systems Command. As of Tuesday morning, 76 of the 84 aircraft had been cleared to fly, with problems discovered on four Ospreys operated out of Al Asad Air Base, Iraq, by Marine Medium Tiltrotor Squadron 266 out of Marine Corps Air Station New River, North Carolina. The loose bolts were discovered by VMM-266 mechanics after a pilot noticed a vibration and heard a “loud noise” after a routine flight, he said. An inspection revealed that four loose bolts had separated from a stationary swashplate trunnion and a gimbal ring on the drive tube, causing “minor damage” to the engine’s pitch links and spinner support, he said. “We want to stress that this has not happened in flight,” he said. “This (grounding) was a precautionary measure.” Source:

The Associated Press reports that the U.S. President declared North Dakota a federal disaster area because of statewide flooding late Tuesday. The Army Corps of Engineers cut water releases from the Garrison Dam to a record low level of 4,000 cubic feet per second to ease the flooding risk along the Missouri River in Bismarck. (See item 42)

42. March 25, Associated Press – (North Dakota) Flooded North Dakota declared a disaster area. The U.S. President declared North Dakota a federal disaster area because of statewide flooding late Tuesday. In eastern North Dakota, Fargo residents are rushing to build dikes to head off a Red River flood crest of 39 to 41 feet on March 20. The river’s flood stage in Fargo is 18 feet. Meanwhile, some south Bismarck residents who live near the Missouri River were forced to evacuate their homes when an ice jam caused unexpected flooding. A demolition team may attempt to break up the ice jam. The Army Corps of Engineers cut water releases on Tuesday from the Garrison Dam to a record low level of 4,000 cubic feet per second to ease the flooding risk along the Missouri River in Bismarck. The city also ordered the evacuation of homes along the river where access roads were under water in the middle of the spring blizzard. It was not immediately clear how many homes. Meanwhile, the Red River approached a lower-than-expected crest March 24 in Wahpeton, but the National Weather Service only tweaked its projections for a record crest 30 miles downstream in Fargo, where sandbaggers were working furiously to raise the city’s protective dikes high enough. Source:,2933,510441,00.html See also:


Banking and Finance Sector

8. March 25, – (National) Treasury pushes for more power. The Presidential Administration on March 25 released more details of its plan to give the government more power to take over and wind down troubled financial companies deemed too big to fail. The Treasury Secretary proposed that the Treasury be the one to make the final call of when a nonbanking firm, such as AIG or Lehman Brothers, is in deep trouble and needs government intervention. Treasury would do so after talking with the Federal Reserve and the President, according to Treasury plans. For days, the Treasury Secretary has been saying that he needs more power to step in to prevent the kind of collapse of the financial sector that threatens to deepen the recession. Treasury says the new “resolution authority” would make loans, purchase shares, or put the non-banks into receivership, according to new details. Under the proposal, the Treasury would assess these nonbanking financial firms in the same way that banks are assessed by the Federal Deposit Insurance Corp. to fund takeover efforts when banks go bad. The size of such assessments is unclear. However, lawmakers said they were concerned about giving so much power to a political appointee, and they preferred to tap the Federal Reserve to administer such a program. Source:

9. March 24, Atlanta Business Chronicle – (Georgia) Gainesville man pleads guilty to $60M in fraud. A 50-year-old pleaded guilty on March 25 in federal district court to running a Ponzi scheme through his construction equipment business that defrauded investors out of more than $60 million. From February 2005 through October 2008, the Gainesville, Georgia resident bought and sold construction equipment in Gainesville. He did business in the names of North Georgia Equipment Sales LLC and Cornerstone International Investments LLC. In order to keep his failing businesses afloat, he sought and obtained from investors funds to buy additional construction equipment, which he said he could re-sell to third parties for a substantial profit. He promised some of the investors he would split the profits with them on a 50/50 basis, and he promised other investors that he would pay them interest at the rate of 36 percent a year. The guilty party got more than $60 million in investment capital from more than 50 investors in Gainesville and elsewhere. He then led the investors to believe he used their money to buy specific pieces of construction equipment. He prepared and provided to the investors bogus bills of sale and other counterfeit documents to make it appear he bought equipment as promised. He used a substantial portion of the fraud proceeds to pay phantom “profits” to the investors, to pay his own personal expenses, and to buy a variety of real and personal property for himself and his family members. Source:

10. March 24, KRDO 13 Colorado Springs – (Colorado) Scam targets you through text message. A text messaging scam has exploded across the Colorado Springs area. “It seems to be escalating,” said a representative of the Better Business Bureau, “we are receiving numerous calls each day.” The calls are about emails, phone messages, or text messages that appear to come from the Air Academy Federal Credit Union. The message says an individual’s card or account has been deactivated, and then gives a number to call. “More people have fallen for it than you would think,” said the representative. The Better Business Bureau says people are caught off guard, thinking scammers will not have their personal cell phone numbers. “It’s organized crime,” said an individual with the Air Academy Credit Union, “it is another way of trying to get a hold of information and finances.” Financial institutions say they will never contact individuals like that. Source:

Information Technology

34. March 25, MyBroadband – (International) Mac users warned of malware. Sophos is warning Apple Mac users to be on their guard against Web sites hosting malicious code designed to infect their systems. The advice follows the discovery of a new version of the OSX/RSPlug Trojan horse that is being distributed via a legitimate-looking Web site offering HDTV software. “While there is much less malware for the Apple Mac than for Windows, it does not mean that Apple fans can avoid the issue,” said the CEO of regional Sophos distributor, Sophos South Africa. “Mac users are no different to Windows users when it comes to falling for social engineering tricks like this, they are just as likely to install and run this program on their computer if they believe it will help them watch high definition TV.” Sophos notes that the criminal gang behind this malware attack is targeting Windows computers as well as Mac OS X. If a user visits the Web site from a Windows computer, it will serve up a malicious Windows executable from the Zlob family of malware rather than the RSPlug-F Mac OS X Trojan horse. “By targeting both platforms with their malicious website, the hackers can kill two birds with one stone,” said the CEO. “Once a piece of malware such as this is in place on a user’s computer, it can do whatever the hacker wants it to do. Mac users are gambling with the security of their data if they believe they are somehow immune from threats that Windows users have been living with for years.” Source:

35. March 24, IDG News Service – (International) China becoming the world’s malware factory. With China’s economy cooling down, some of the country’s IT professionals are turning to cybercrime, according to a Beijing-based security expert. Speaking at the CanSecWest security conference last week, the CEO of Knownsec, a Beijing security company, said that while many Chinese workers may be feeling hard times, business is still booming in the country’s cybercrime industry. “As the stock market dropped like a stone, a lot of IT professionals lost lots of money on the stock market,” he said. “So sometimes they sell 0days,” he said, referring to previously unknown software bugs. “China is not only the world’s factory, but also the world’s malware factory,” the CEO said. China’s red-hot economy has been hit by the global recession, and while the economy is still growing, technology companies such as Intel, Motorola, and Lenovo have all laid off employees in China in recent months. In December 2008, Chinese hackers found a previously undisclosed 0day vulnerability in Internet Explorer. When employees of the CEO’s company inadvertently published details of the bug on a public forum, Microsoft was sent scrambling to patch the issue. Chinese hackers tend to focus on hacking software that runs on the desktop, rather than the server, because the underground market pays big money for client-side bugs, which are then often used to install malicious software on millions of desktops. While recently investigating a single, but widespread attack, the CEO’s researchers counted more than 4 million infected computers over a one-day period. China has an estimated 250 million computer users, so attackers can do pretty well targeting only Chinese systems. “We have a huge amount of users and a very big local market,” he said. Source:

36. March 24, Computerworld – (International) Adobe details secret PDF patches. Adobe Systems Inc. revealed on March 24 that it patched five critical vulnerabilities behind the scenes when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack. According to a security bulletin issued on March 24, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug, as Adobe indicated at the time, but for five other vulnerabilities as well. Foremost among the five were a quartet of bugs in Adobe’s handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time. That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as e-mail attachments. “The way we always handle this,” said Adobe’s director of product security and privacy, “is, will publicly released information help more users than not releasing the information?” The director said on Tuesday that Adobe decided the answer was “no,” since it had yet to issue updates for all users when it first patched the software on March 10. The decision was prompted by the staggered release of the Reader and Acrobat updates: Adobe patched the Windows and Mac OS X editions of the two apps on March 10, offered updates to the Version 8 line on March 17, and did not issue Reader 9.1 and Acrobat 9.1 for Unix until March 24. It also did not produce a fix for the even-older Version 7 until March 24. Source:

37. March 23, Computerworld – (International) Conficker’s next move a mystery to researchers. Security researchers are in the dark about what will happen next week when the newest variant of Conficker, 2009’s biggest worm by a mile, begins trying to contact its controllers. “It is impossible to know until we see something that has a clear profit motive,” said the director of malware research at SecureWorks Inc. and a noted botnet researcher. PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said the director. That tactic is just one of several designed to make it tough for security researchers to figure out what Conficker’s all about, and more importantly, what it might do. “We had to trick it into thinking it is not only getting back the right page, but that it is getting the April 1 date,” said the director, talking about the machines SecureWorks purposefully infected with Conficker.c. “So far, we have not seen any evidence [on those machines] of what it will do April 1,” added the director, although that is to be expected. “It is not April 1 yet, so they are not going to put something online, where it might be found. In fact, it is almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network.” Source:

Communications Sector

38. March 25, Manitowoc Herald Times-Reporter – (Wisconsin) Two Rivers council OK’s contract to allow cell phone tower in industrial park. U.S. Cellular will be able to erect a wireless tower on a vacant parcel of land in the city’s industrial park. The City Council voted March 24 to authorize the city manager and city clerk to sign the lease with U.S. Cellular on behalf of the city. The vote was unanimous by the six council members present. Construction of the tower is contingent upon zoning approval by city staff and approval of the site plan by the Plan Commission, according to the city manager. Plans call for constructing a 195-foot, freestanding lattice tower on an 80-by-80-foot parcel of land in the industrial park, said the city manager. Source: