Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, July 7, 2009

Complete DHS Daily Report for July 7, 2009

Daily Report

Top Stories

 According to the Wall Street Journal, the U.S. Justice Department arrested a former Goldman Sachs Group Inc. employee in New Jersey and charged him with stealing computer codes related to the firm’s high-speed trading platform. The suspect allegedly uploaded the codes to a computer server in Germany. (See item 11)

See item 11 in the Banking and Finance Sector, below.

For another story, see item 31 in the Communications Sector, below.

 The Seattle Times reports that a fire at the Fisher Plaza data center in Seattle on July 2 caused service disruptions to numerous Web sites, including Holdings which provides credit-card services for more than 238,000 online merchants. KOMO-TV, radio, and other stations that broadcast from the plaza were also affected. (See item 31)

See item 31 in the Communications Sector, below.


Banking and Finance Sector

11. July 6, Wall Street Journal – (New York) Ex-Goldman employee charged with computer code theft. The U.S. Justice Department arrested a former Goldman Sachs Group Inc. employee and charged him with stealing computer codes related to the firm’s high-speed trading platform. The suspect, a naturalized U.S. citizen who emigrated from Russia, allegedly unlawfully copied, duplicated, downloaded, and transferred computer codes from New York-based Goldman Sachs and uploaded the codes to a computer server in Germany, according to a complaint filed by federal prosecutors. The complaint from the government did not specifically reference Goldman Sachs. Goldman Sachs was referenced during Saturday’s bail hearing, and a person familiar with the matter confirmed that the suspect worked as a computer programmer for the company. The person familiar with the matter also said, “The theft has had no impact on our clients and no impact on our business.” The alleged actions took place between June 1 and July 3, when the suspect was arrested as he got off a flight at Newark Liberty International Airport. The suspect worked at Goldman as a computer programmer from about May 2007 until about June 5. Questioned by Federal Bureau of Investigation officials, the suspect admitted only to “unwitting conduct,” that whatever he is accused of doing was not done on purpose. An FBI Special Agent said in the filing that the computer codes were related to a platform that allows Goldman Sachs to engage in high-speed and high-volume trades on stock and commodities markets. The bank considers the code to be proprietary, confidential information and trades made on the platform generate millions of dollars in profits each year for the company.


For another story, see item 31 in the Communications Sector, below.

Information Technology

27. July 6, PC Advisor – (International) Adobe to patch ColdFusion bug next week. Adobe Systems will have a patch ready next week for a flaw in its ColdFusion web development software that other security authorities say could result in a hacked system. The problem lies in the FCKEditor rich text editor, which is installed with ColdFusion 8, Adobe said on its security blog. Adobe also listed in its warning three steps that could in the meantime mitigate an attack. FCKEditor is an open-source application that handles file uploads and file management, but the feature is supposed to be disabled in the version embedded on a ColdFusion server, wrote a ColdFusion consultant who writes a blog called CodFusion. In some cases, the connector that enables the feature is left on. “If left on, this means a hacker might be able to directly call the file manager system to upload files and take control of the server,” he wrote. “FCKEditor has had some history on being exploited by this type of attack.” The SANS Internet Storm Center said it had seen a “high number” of websites running ColdFusion that had been compromised. Source:

28. July 6, – (International) McAfee glitch causes havoc for IT admins. A recent VirusScan update from McAfee caused mayhem for some IT administrators over the weekend, after it falsely reported that a range of critical system files were infected with a Trojan. The problem became apparent when users began posting to the company’s forums, complaining of false positives and even some cases of the dreaded blue screen of death. The issue seems to affect only those users running an outdated version of the VirusScan engine, but some running the latest version also reported false positives, although not with critical system files. McAfee has acknowledged a problem, and has released another update which corrects it. However, it appears that machines affected by the glitch will have to be repaired manually, as the quarantined files cannot easily be returned to their original locations. “Last Friday, McAfee was made aware of some incorrect identification when using no longer supported versions of the software,” explained a McAfee spokesman. “Customers reporting this issue have been confirmed to be running VirusScan Enterprise 7.1 or 8.0i specifically with the 5100 scanning engine that has not been supported for 18 months.” “Customers running 5200 or a newer scanning engine version have not been impacted. Current versions are VSE8.7 and scanning engine 5301. The incorrect identification was resolved in the daily release on Friday July 3rd.” The company has created an entry in its KnowledgeBase detailing the issue and offering potential fixes for those affected. Source:

29. July 6, ZDNet – (International) June malware report – something’s phishy. June marked an increase in malware and the “highest rate of phishing attacks to date” on the Web, Fortinet’s latest report on online threats found. The threat management vendor released on July 6 its latest monthly report, which highlighted the current reign of Trojan horses and “disappointing” anti-spam campaigns. Of the overall 108 newly-reported vulnerabilities in June, 62 were active exploits, indicating an “all-time high” of 57.4 percent, Fortinet said. Fortinet said the majority of overall activity came from the United States, which contributed 22 percent of all reported exploits. A significant proportion of the attacks were traced back to Asia — specifically, Singapore, Japan and Korea, which ranked second, third and fourth place, respectively. Some 13.57 percent of all attacks originated in Singapore. Online games sites hosted the largest number of Trojans, followed by Zbot variants W32/Zbot.M and W32/Zbot.V, which climbed to second and third place, respectively. The Zbot malware spreads keylogging and data-siphoning Trojans through e-cards sent via e-mail, directing users to malicious sites. Another commonly used malware redirecting visitors to infected sites was JS/PackRedir.A, which moved up 36 positions on the list to fifth position, said Fortinet. Source:

Communications Sector

30. July 5, Florida Times-Union – (Florida) Jacksonville data center’s security as advanced as its technology. When Barnett Banks Inc. built its 120,000-square-foot operations center on Jacksonville’s Southside in 1971, it built a facility that accommodates state-of-the-art technology and can withstand a Category 5 hurricane. For the past three months the building has been occupied by Colo5, a data center operator that offers colocation services to businesses; that is, it offers them a secure facility in which to store and maintain their information technology systems. The building is technologically advanced, but what stands out are its security features. They start with 17-inch-thick concrete walls and windows covered by steel mesh screens that can withstand a 200-mile-per-hour projectile. The glass doorways are equipped with roll-down steel doors that can cover the glass in an emergency. The facility was built above ground and has a series of pumps underneath to keep water out. The building has three large diesel generators to ensure a continuous power supply in case of a power outage. Colo5 is currently installing freezers and refrigerators for food storage, as well as an artesian well to supply water. Colo5 offers office space to its clients, and some do have staff permanently stationed at the building to maintain their information technology systems. The building is also equipped to house workers if a hurricane approaches.


31. July 4, Seattle Times – (Washington) Fisher Plaza fire disrupts Web service, TV station. A short-lived fire at Seattle’s Fisher Plaza the night of July 2 caused service disruptions July 3 to numerous Web sites, including one that handles transactions for thousands of online merchants. Also affected were KOMO-TV, radio and other stations that broadcast from the plaza. The small fire, which broke out around 11 p.m. on July 2 at the complex near Seattle Center, apparently began with a failure in KOMO’s equipment, which caused a short, said a Seattle City Light spokeswoman. It happened in the garage level of one of the buildings in Fisher Plaza, at an electrical vault, where KOMO’s transformers meet the city’s power lines, she said. Except for the building that houses KOMO, power was restored to everyone on the same electrical feeder grid by 3 a.m. on July 3. Power was intentionally left off in the KOMO building so engineers could make repairs to the station’s equipment. Among the multiple Web sites that saw service disrupted by the fire and outage were Microsoft’s Bing Travel and Seattle’s Mars Hill Church, and Holdings, which is based in Marlborough, Massachusetts. The company provides credit-card services for more than 238,000 online merchants. A Verizon Communications spokesman said the company’s DSL service in the Seattle area was temporarily disrupted.


32. July 2, Associated Press – (Vermont) FairPoint experiences long distance glitch in Vt. Some of FairPoint Communications’ Vermont customers were unable to call out-of-state or reach FairPoint’s customer service and repair centers on July 1. The outage lasted about six hours before it was fixed around 4:30 p.m. A FairPoint spokeswoman in Vermont says the problem was with Verizon Business, which FairPoint uses for its out-of-state long distance service. Source: