Department of Homeland Security Daily Open Source Infrastructure Report

Monday, May 11, 2009

Complete DHS Daily Report for May 11, 2009

Daily Report

Top Stories

 According to SC Magazine, a recently released government report concluded that Web applications that are used to support the operations of the nation’s air traffic control systems are not properly secured nor configured to prevent attacks or improper access, and the Federal Aviation Agency lacks robust intrusion detection. (See item 21)

21. May 7, SC Magazine – (National) Report: Web app hacks can invade air traffic control systems. Web applications that are used to support the operations of the nation’s air traffic control (ATC) systems are not properly secured nor configured to prevent attacks or improper access, and the Federal Aviation Agency (FAA) lacks robust intrusion detection, concluded a government report released the week of May 4. The report, written by the assistant inspector general for financial and information technology audits at the U.S. Department of Transportation, said the FAA is experiencing the same problem many critical infrastructure providers have when they try to interconnect their networks-in this case, the FAA’s administrative and ATC networks. “While use of commercial IP products, such as web applications, has enabled [the] FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software,” the report said. “Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state-sponsored cyberattacks.” In one 2006 case, the report said, a virus spread from the agency’s administrative networks, forcing the shutdown of some of its ATC systems in Alaska. And during its tests, the report said the investigators gained access to an ATC system that controlled power supplies at six centers. The FAA, though, disagreed with the report’s claim that ATC systems had been compromised, and that someone could jump to the ATC network via the administrative network. Source:

 The Baltimore Examiner reports that eight Prince Georges County, Maryland firefighters narrowly escaped with their lives following a massive explosion at the scene of a gas leak in a row of commercial occupancies at the Penn Mar Shopping Center on May 7. (See item 42)

42. May 7, Baltimore Examiner – (Maryland) Explosion a good reminder there are no ‘routine’ calls. The fire and emergency services community in Maryland was spared a tragedy on May 7 when eight Prince Georges County firefighters narrowly escaped with their lives following a massive explosion at the scene of a gas leak in a row of commercial occupancies at the Penn Mar Shopping Center in Forestville. Firefighters responded to 3426 Donnell Drive shortly before 1 p.m. for a reported odor of gas. While investigating the incident, crews had evacuated citizens from several stores in a strip-mall and a pair of firefighters were approaching the building when an explosion suddenly occurred, showering bricks, glass and other debris into the parking area in front of the complex. A flash fire caused flames and smoke to blow through the roof and fire officials called a “mayday”, bringing additional EMS units to the scene from PG County and the District of Columbia Fire Department. Published reports indicate a Washington Gas employee was working on a gas line at the shopping complex when the explosion occurred. Several stores were significantly damaged or destroyed as a result of the explosion. Businesses in the complex included a pregnancy center, several restaurants, a nail salon, a medical office, and at least one vacant storefront. Source:


Banking and Finance Sector

14. May 8, Wall Street Journal – (National) Fed sees up to $599 billion in bank losses. The federal government projected that 19 of the nation’s biggest banks could suffer losses of up to $599 billion through the end of next year if the economy performs worse than expected and ordered 10 of them to raise a combined $74.6 billion in capital to cushion themselves. The much-anticipated stress-test results unleashed a scramble by the weakest banks to find money and a push by the strongest ones to escape the government shadow of taxpayer-funded rescues. The Federal Reserve’s worst-case estimates of banks’ total losses and capital shortfalls were smaller than some had feared. Optimists interpreted the Fed’s findings as evidence that the worst is over for the industry. But questions remain about the stress tests’ rigor, in part since the Fed scaled back some projected losses in the face of pressure from banks. The government’s tests measured potential losses on mortgages, commercial loans, securities and other assets held by the stress-tested banks, ranging from giants Bank of America Corp. and Citigroup Inc. to regional institutions such as SunTrust Banks Inc. and Fifth Third Bancorp. The government’s “more adverse” scenario includes two-year cumulative losses of 9.1 percent on total loans, worse than the peak losses of the 1930s. The Treasury Secretary said on May 7 that he is “reasonably confident” that banks will be able to plug the capital holes through private infusions, alleviating the need for Washington to further enmesh itself in the banking system. Banks also said they will consider selling businesses or issuing new stock to meet the toughened capital standards. Source:

15. May 8, Bloomberg – (National) FDIC chief wants an agency for risk monitoring. The chairwoman of the Federal Deposit Insurance Corp. urged Congress on May 7 to create a U.S. authority to unwind failing “systemically important” firms and avoid bailouts for companies whose collapse would disrupt the financial system. “Lack of an effective resolution mechanism for large financial organizations is driving many of our policy choices,” the chairwoman said at a Federal Reserve Bank of Chicago conference. “It has contributed to unprecedented government intervention into private companies. We need a new resolution regime that minimizes the economic impact of the failure of a large, complex financial institution.” The chairwoman is seeking new powers to seize the holding companies of U.S. lenders, expanding her agency’s authority to close the banks and savings and loans that take deposits and make loans. Such power would let the agency shield taxpayers from losses when government steps in to prevent companies from failing and disrupting the financial system, she said recently. The chairwoman urged lawmakers to give her agency the authority while testifying to a Senate Banking Committee hearing on May 7 as Congress prepares to write legislation overhauling U.S. rules regulating Wall Street. Source:

16. May 7, WUPL 54 New Orleans – (Louisiana) Scammers try to steal credit card info through phone calls. A phone and text scam is sweeping the New Orleans area seeking social security and credit card numbers. A representative of the Better Business Bureau has stated that it is a phishing scam attempting to steal people’s personal information. This latest version claims it was sent by the Jefferson Financial Credit Union. FBI agents said it is a common strategy used by con artists across the country. They often hide behind a legitimate financial institutions name, and even logo. “In the past year, we’ve seen a number of banks have been targeted,” said a FBI special agent. “I do know that we’ve seen about a 33 percent increase in Internet fraud and identity theft in general in the past year alone. Officials with Jefferson Financial Credit Union stress that the messages are not coming from their institution. Source:

Information Technology

38. May 7, Los Angeles Times – (International) bug spreads on Facebook. The phishing bug that bit many Facebook users the week of April 27 is beginning to resurface on May 8. Facebook users are receiving messages from friends that ask them to visit the website, The site is marked as malicious in most modern browsers, so curious wanderers will receive a warning when attempting to visit the link. For those daring enough to continue on, the site redirects users through a series of Web domains, eventually landing on, at least for now, an address that does not seem to point anywhere. The most recent incident appears to be directly related to the phishing outbreak that spread the week of April 27 when some Facebook users were duped into giving their passwords to scammers, a Facebook spokesman wrote in an e-mail. “We’ve already blocked the URL from being shared on Facebook and it is now being deleted from inboxes and walls across the site,” the spokesman wrote. “Anyone who…shared this content will soon have their account password automatically reset.” Source:

39. May 7, CNET News – (International) Google issues, then reissues Chrome security fix. Google fixed security holes with a new release of its stable version of Chrome, then released a replacement shortly afterward to prevent a batch of crashes that turned up as well. Chrome emerged on May 5 and was intended to fix one critical security problem and one high-severity one. On May 7, came to fix a crash during startup that affected “a small percentage of users,” said the Chrome Program Manager. With the first problem, an attacker under some circumstances could run attack software with the same privilege as the computer user. With the second, an issue handling 2D graphics could potentially allow a specially crafted image to crash a tab and run an attacker’s code within Chrome’s sandbox security isolation system. Source:

40. May 7, Security Wire Daily News – (International) Microsoft to patch critical PowerPoint zero-day flaw. Microsoft plans to issue one critical patch during its monthly patch cycle the week of May 11, plugging a critical flaw in its PowerPoint presentation program that is being actively targeted by attackers. The PowerPoint vulnerability was the only bulletin identified in the Security Bulletin Advance Notification issued on May 7 by Microsoft. Details of the flaw surfaced last month and Microsoft acknowledged that the flaw was being exploited by hackers in the wild in targeted, limited attacks. PowerPoint versions affected by the flaw are Office PowerPoint 2000 Service Pack 3, Office PowerPoint 2002 Service Pack 3, and Office PowerPoint 2003 Service Pack 3. In a Microsoft Security Advisory issued April 2, the software giant said the flaw could allow remote code execution if a user is tricked into opening a malicious PowerPoint file. The malicious PowerPoint files identified by some security vendors contain a Trojan dropper embedded within the presentation. The file can be passed via an email message with a malicious PowerPoint attachment or by tricking users to view a malicious website containing a Trojan downloader. “If a user is logged on with administrative user rights, an attacker could take complete control of the affected system,” Microsoft said in its advisory. Until a patch is released, Microsoft has issued guidance, recommending that organizations could temporarily force all PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). Companies that have migrated to the newer XML file format can temporarily disable the binary file format using the FileBlock registry configuration. As it does every month, Microsoft said it would also update its Windows Malicious Software Removal Tool. Source:,289142,sid14_gci1355904,00.html

41. May 7, ChannelWeb – (International) Virtualized systems can be a security risk: analyst. With companies looking for ways to cut their IT infrastructure costs, there is no hotter technology right now than virtualization. But those cost savings could carry a big price in compromised security if IT managers are not careful. That was the message from a Gartner Fellow in his “Securing Virtualization, Virtualizing Security” presentation the week of May 4 at Everything Channel’s Midsize Enterprise Summit in Miami. The Fellow’s argument is that most virtual machines being deployed by IT departments currently are not as secure as physical systems. Not that virtualization is inherently less secure, the Fellow was careful to say, but most virtualization technology is not being deployed in a secure way. Several times during his presentation the Fellow argued that many suppliers of virtualization and security technology are not providing the same kinds of protection they provide for physical systems. “The bad news is most of the big guys are still missing in action,” he said. Source:;jsessionid=MXPQYPG3CX5OQQSNDLPSKHSCJUNN2JVN

Communications Sector

Nothing to report.