Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, June 3, 2009

Top Stories

 According to the Associated Press, Nebraska and federal officials are trying to find out whether bovine tuberculosis has spread from a herd of beef cattle in Rock County, Nebraska. The outbreak was discovered three weeks ago during routine tests of cattle by a federal inspector at a slaughterhouse. (See item 19)

19. June 2, Associated Press – (Nebraska) Nebraska cattle herd tests positive for bovine TB. Nebraska and federal officials are trying to find out whether bovine tuberculosis (TB) has spread from a herd of beef cattle in north-central Nebraska’s Rock County. The herd has been quarantined, and officials say the Nebraska Department of Agriculture is working with the U.S. Department of Agriculture (USDA). Officials also want to find out how the disease was introduced to the herd. The outbreak is unwelcome to the state’s roughly $10 billion cattle industry, which started the year with 6.35 million head. A spokesman for an industry group, the Nebraska Cattlemen, said it is too early to worry too much. “We don’t know the extent of the infection,” said executive vice president of the Nebraska Cattlemen. “Is it one herd, is it three herds? It’s far too early to say what the effect might be.” At stake is the state’s tuberculosis-free designation from the USDA. Were that to change, Nebraska producers shipping cattle to other states might have to prove their cattle are disease-free — an expensive proposition when margins are already tight, said the vice president. A spokeswoman for the State of Nebraska said the outbreak was discovered three weeks ago during routine tests of cattle by a federal inspector at a slaughterhouse. She said she did not know where the slaughterhouse was located. The cow-calf herd was placed in quarantine as soon as officials could trace back the cattle to the producer, but she did not know how many days passed before the connection was made — hence the concern about possibly infected cattle being shipped elsewhere. The spokeswoman said the USDA makes the final determination on whether to kill an entire herd. The other option is continued quarantine and testing. An entire herd would have to have eight consecutive clean tests before the quarantine could be lifted, a process that could take years. Source:

 ABC News reports that the suspect arrested in the fatal shooting of one soldier and the critical injury of another at a Little Rock, Arkansas Army recruiting booth on Monday was under investigation by the FBI’s Joint Terrorist Task Force since his return from Yemen. (See item 28)

28. June 1, ABC News – (Arkansas) Recruiter shooting suspect under FBI investigation. The suspect arrested in the fatal shooting of one soldier and the critical injury of another at a Little Rock, Arkansas Army recruiting booth on June 1 was under investigation by the FBI’s Joint Terrorist Task Force since his return from Yemen, ABC News has learned. The investigation was in its preliminary stages, authorities said, and was based on the suspect’s travel to Yemen and his arrest there for using a Somali passport. The 24-year-old suspect had changed his name after converting to the Muslim faith. “At this point it appears that he specifically targeted military personnel, but there doesn’t appear to be a wider conspiracy or, at this point in time, any indication that he’s a part of a larger group or a conspiracy to go further,” the Little Rock police chief said. Source:


Banking and Finance Sector

13. June 1, Tennessean – (Tennessee) More banks, clients targeted by phone scams. A phone scam is sweeping through Tennessee. A recorded message states that it is calling from the F&M Bank and that an individual’s account has been frozen. The recording then asks for an account number and PIN. Thousands of people in Clarksville have received harassing calls at home, at work and on their cell phones from a computerized system claiming to be a bank and asking for personal information. Recently, clients of First Federal Savings Bank and Fort Campbell Federal Credit Union joined clients of F&M Bank as local targets of the scam. Source:

14. June 1, WLFI 18 Lafayette – (Indiana) Bank phone calls are statewide scam. Over the weekend, many people received the following automated call: “This is a message from Salin Bank. Your card has been temporarily suspended because we believe it was accessed by a third party. Please press one now to be transferred to our security department.” A West Lafayette detective recommended that the public never give any personal information over the phone. The detective said the robocalls claiming to be from Salin Bank are not just limited to the Lafayette and West Lafayette areas. “It is apparently a statewide scam. It is a spoofing of the caller ID where the caller ID is not where the call is originating from, and it is believed that it is coming from outside the US,” she said. Salin Bank issued a news release on June 1 that stated that the bank will not contact customers by telephone or text message to request an account number. If you are a customer of Salin Bank who may have fallen victim to this scam, you can call Salin Bank at 1-800-320-7536. Source:

15. May 31, Los Angeles Times – (National) Congress funds mortgage fraud crackdown. It may not have made a big splash on network news or in print, but for real estate it was the equivalent of a congressional declaration of war against mortgage fraud. Just as security and intelligence agencies were given huge funding boosts by Congress after 9/11, the FBI, the Justice Department, the Secret Service and the U.S. Postal Service have just gotten a combined $500 million in new funding authority to investigate and prosecute individuals and companies who engage in mortgage fraud. The targets range from people who lie about their incomes on home mortgage applications to highly organized roving networks of “foreclosure relief” scammers who bilk money out of homeowners seeking mortgage modifications. Known as the Fraud Enforcement and Recovery Act of 2009, the legislation will fund new SWAT teams of fraud-busters and broaden federal legal powers to go after individuals and mortgage operations that currently get attention, if at all, only at the state or local levels. The law also creates a Financial Crisis Inquiry Commission with broad powers to investigate who and what got us into the real estate mess, starting with the subprime boom, Wall Street impropriety, and more recent bank failures. Source:,0,3019413.story

Information Technology

32. June 2, CNET News – (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the domain onto victims’ computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated JavaScript (Web site code that is created on the spot instead of being completely determined beforehand — a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including and, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim’s computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe, in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source:

33. June 1, – (National) Obama plans Internet czar to help protect against cyber attacks. Declaring that cyber security is both a national defense and an economic issue, the U.S. President announced on May 29 his plan to keep government and commercial information on the Internet safe from cyber criminals or terrorists. “Our defense and military networks are under constant attack,” he said. “Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country, attacks that are harder to detect and harder to defend against. Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer, a weapon of mass disruption.” He pointed abroad to what cyber attacks can do as the “future face of war.” A White House report released on May 29 detailed plans for naming a cyber security coordinator or “cyber czar”; forming partnerships with state and local governments as well as the private sector; focusing on training and education to meet security needs; and working with other countries to determine ways to secure networks. The report also called for working closely with civil liberty and privacy groups to ensure that the government does not apprehend an individual’s information. Source:

34. June 1, CNET News – (International) ‘Best Video’ scam on Twitter dropped malware. Twitter users were hit with another attack over the weekend featuring tweets reading “Best Video” and a link to a Web site that downloads malware, a security firm said on June 1. The Web site, with a .ru (Russia) domain, purports to show an embedded YouTube video. Instead, the page downloads a malicious PDF that contains a “flurry of exploits” and if successful downloads fraudware that displays a fake security warning to try to get people to pay money, according to Kaspersky’s blog. Contrary to earlier reports that the attack was a worm, the Kaspersky blog post speculates that the attackers were using accounts stolen in a phishing attack that occurred recently. Thousands of Twitter users were affected by what looked like a worm-like phishing attack recently, but was instead a site designed to help Twitters increase their number of followers quickly. The TwitterCut site looked like a Twitter log-in page and prompted people to type in their user names and passwords. Site administrators denied the phishing allegations and said they were shutting it down, according to the TrendLabs Malware Blog. “This attack is very significant,” the Kaspersky post says of the latest attack. “It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we have seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks.” Source:

35. June 1, SC Magazine – (International) Microsoft Office 2000 users warned of potential malware attacks as final patching date announced. Microsoft has warned Office 2000 users that it plans to withdraw patch updates from the middle of July. According to Network World, Microsoft supports business software for a total of ten years by policy, half in ‘mainstream’ support and the second half in the more limited support, with security updates delivered for the entire ten-year stretch. Microsoft said: “This move will allow us to provide a more simplified and consistent experience for users across Microsoft products.” Also being removed from the Patch Tuesday update list will be Office Update and Office Inventory Tool. Microsoft has urged system administrators that still use Office Inventory to switch to its Windows Server Update Services (WSUS). The European director of Fortify Software said: “That date is, of course, Patch Tuesday, so Office 2000 users can expect their last security patches for this still-popular version of Office to be issued on that date. From that date onwards, however, if any security threats are discovered with this version of Office, no patches or updates will be issued.” He claimed that organizations using custom Office extension applications should avoid the temptation to carry on using Office 2000 due to the likelihood of malware being injected into the unpatched holes. Source:

36. June 1, – (International) Don’t become a victim of the Firefox ‘nsTextFrame::ClearTextRun()’ remote memory corruption vulnerability. Mozilla Firefox, casually called “Firefox,” is a free and open source web browser. It is a fast, full-featured Web browser with a streamlined browser window that displays a number of features that work with the user to help get the most out of the user’s time online. Unfortunately, Mozilla Firefox is prone to various types of vulnerabilities. A remote memory-corruption vulnerability announced at the end of April was discovered in the nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox version 3.0.9. Remote attackers can exploit this vulnerability to compromise a user’s system. Successful exploitation enables the attacker to execute arbitrary code within the context of the affected browser or crash the browser, denying service to legitimate users. The security issue appears when the HTML Validator add-on is enabled. The vulnerability is caused by an unsuitable call to ‘free()’, which leaves a pointer referring to deallocated memory. A remote user is able to design specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in nsTextFrame::ClearTextRun() and possibly execute arbitrary code on the target system. The code will run with the rights of the targeted user. Source:

37. June 1, – (International) Are you safe enough? Serious vulnerability found in Trend Micro OfficeScan. A serious vulnerability has been found in Trend Micro OfficeScan Client. The security issue was recently confirmed in version 8.0 SP1 Patch 1. Other versions might be affected as well. The vulnerability may allow attackers to cause a denial of service, in other words, to crash a targeted application. It is called the Trend Micro OfficeScan Client Folder Name Denial of Service Vulnerability. Local attackers could exploit this vulnerability to terminate the NTRtScan.exe process and temporarily disable the real-time scanning protection by scanning a specially crafted directory including overly long pathnames. This vulnerability has been rated as low risk. Some of the file components of Trend Micro OfficeScan include but are not limited to the following: svc_au32.exe, tavupdui.exe, tavsvc.exe. Source:

Communications Sector

38. June 1, Press Republican – (New York) Verizon to add 10 cell towers in the northern region. Verizon Wireless plans to install 10 new cell-phone towers in the North Country this summer. “They will go up throughout the region; we’ll have them turned on by the end of the year,” a Verizon spokesman said June 1. All of the planned towers are new construction, he said, expanding the company’s northern cellular telephone network to 90 towers, 26 of which are in the Adirondack Park. Proposed tower locations are under review by the Adirondack Park Agency (APA) in Westport, Town of Wells, Duane, Queensbury, Wilmington, and Keene Valley. A Verizon tower was recently approved for construction on land owned by Paul Smith’s College. Another approved area includes a Verizon tower along Route 73 in Keene. Four towers of a 13-tower Verizon network planned along the Adirondack Northway are already operational, with a site approved by the APA for Poke-O-Moonshine in Chesterfield slated for construction this summer. Fully activated Verizon towers located in Schroon, Schroon Falls, Lewis and North Hudson improved communications this winter along a stretch of Adirondack Northway where there was previously little or no signal. The director of Essex County Emergency Services cautioned that some stretches of I-87 still remain without cell-phone signal. Source:

39. May 31, Hewlett-Packard – (International) HP to discuss datacenter challenges at Data Centre Strategies Middle East. Research conducted by HP shows that data centers across Europe are critically close to exceeding their limits, with the majority having reached 82 percent of their full capacity. The results further reveal that a vast majority of chief information officers (CIOs) are addressing this issue in the short term through data center rationalization and consolidation programs. These challenges will be discussed at the Data Centre Strategies Middle East in Abu Dhabi from June 2-3. “While increased pressure is being placed on CIOs to deliver more business services at a reduced cost, data centers are approaching the limits of their energy, cooling and space resources,” commented the managing director of HP Middle East. Source: