Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, July 15, 2009

Complete DHS Daily Report for July 15, 2009

Daily Report

Top Stories

 CNN reports that a Southwest Airlines jet made an emergency landing in Charleston, West Virginia on Monday after a football-sized hole in its fuselage caused the cabin to depressurize. All 181 of Southwest’s 737-300s — about a third of the airline’s fleet — are being inspected after the emergency landing. (See item 13)

13. July 14, CNN – (West Virginia) Jet makes landing with football-sized hole. A Southwest Airlines jet made an emergency landing in Charleston, West Virginia, on July 13 after a football-sized hole in its fuselage caused the cabin to depressurize, an airline spokeswoman said. There were no injuries aboard the Boeing 737, which was traveling at about 34,000 feet when the problem occurred, a Southwest spokeswoman told CNN. The sudden drop in cabin pressure caused the jet’s oxygen masks to deploy. Southwest Flight 2294 was en route from Nashville, Tennessee, to Baltimore, Maryland, with 126 passengers and a crew of five aboard, the spokeswoman said. It landed at 5:10 p.m. after the crew reported a football-sized hole in the middle of the cabin near the top of the aircraft, she said. What caused the damage to the jet had not been determined, she said. Both the Federal Aviation Administration (FAA) and the National Transportation Safety Board are investigating the incident, an FAA spokeswoman said. “We have safety procedures in place, and they were followed in this instance to get all passengers and crew safely on the ground,” the airline said. “Reports we have are that our passengers were calm and that our pilots and flight attendants did a great job getting the aircraft on the ground safely.” In addition, all 181 of Southwest’s 737-300s — about a third of the airline’s fleet — will be inspected overnight after the emergency landing. Source:

 According to Softpedia, the malware responsible for the recent denial of service attacks against many U.S. and South Korean government and commercial Web sites has received an update to damage the computers it infected. Experts concluded that a botnet of over 60,000 computers, infected with an updated Mydoom variant, had been used to launch the attacks. (See item 28)

See 28 in the Information Technology sector below.

Banking and Finance Sector

11. July 14, Washington Post – (National) U.S. considers rescue of major small-business lender. The deteriorating health of CIT Group, a major small-business lender, is shaping up as a gut check for the U.S. Presidential Administration, which may be forced to choose between allowing a painful failure and conducting a rescue that would underscore just how fragile the economy remains. While CIT has about $75 billion in assets, it was not included in the government’s stress tests of major financial firms, and most analysts agree that its failure would have relatively modest consequences for the financial system. But it has grabbed the Administration’s attention because of its focus on small-business lending, an area of outsize political importance. The New York company is mounting an increasingly public case that its failure would crumple thousands of fragile firms. Administration officials met on July 13 to review CIT’s problems and to consider possible responses, according to a person familiar with the matter. Some officials would like to leave CIT alone, to show that the economy is strong and that the government will not rescue every faltering firm. But at a time when the Administration already is working on ways to increase lending to small businesses, other officials see rescuing CIT as a necessary and obvious step. Source:

12. July 13, Bloomberg – (International) Stanford investors sue Antigua, claiming complicity. A group of investors in R. Allen Stanford-run businesses sued the government of Antigua and Barbuda, claiming the Caribbean nation helped the financier engineer an alleged $7 billion fraud scheme. In a lawsuit filed in a U.S. Court in Houston, seven investors say the island government received money in exchange for helping the financier conceal the financial condition of the Antigua-based Stanford International Bank Ltd. “Antigua is sovereign but not above the law,” the investors said in their complaint. “It became a full partner in Stanford’s fraud, and reaped enormous financial benefits from the scheme.” The named investors, three of whom live in the U.S., three from Latin America and the last the trustee for a retirement plan, seek class action or group status on behalf of all who were Stanford bank customers as of February 16, 2009. “We’re seeking to represent victims worldwide to recover losses from the government of Antigua, which has benefited tremendously from the accused Ponzi artist showering the island with money,” the plaintiffs’ lawyer said in a phone interview. The investors are seeking at least $8 billion in damages, which can be tripled under U.S. civil racketeering laws, and claiming the class could include tens of thousands of people. Source:

Information Technology

26. July 14, IDG News Services – (International) HTC smartphones left vulnerable to Bluetooth attack. If a user has an HTC smartphone running Windows Mobile 6 or Windows Mobile 6.1, the user may want to think twice before connecting to an untrusted device using Bluetooth. A vulnerability in an HTC driver installed on these phones can allow an attacker to access any file on the phone or upload malicious code using Bluetooth, a Spanish security researcher warned on July 14. “HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service,” a security researcher said in an e-mail exchange. HTC handsets running Windows Mobile 5 are not affected. For the attack to work, the targeted device must have Bluetooth enabled and file sharing over Bluetooth activated. “This connection can be done either by standard Bluetooth pairing or taking advantage of the Bluetooth MAC spoofing attack,” the researcher said, referring to a process where the attacking device attempts to convince the target that it is another device on its list of paired devices. The directory traversal vulnerability allows an attacker to move from a phone’s Bluetooth shared folder into other folders, giving them access to contact details, e-mails, pictures or other data stored on the phone. They can use this access to read files or upload software, including malicious code. Because the driver, obexfile.dll, is an HTC driver, only handsets from the company are affected. However, HTC is the world’s largest manufacturer of Windows Mobile handsets, selling phones under its own brand as well as making phones under contract for other companies. That means millions of users are potentially vulnerable. Source:
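The defect described in item 26 is a file service that trusts a client-supplied path and lets it step out of the shared folder. The following is an added example (not HTC's code and not the OBEX FTP implementation) of the check such a service should perform before touching the filesystem: the share root, the hypothetical `resolve_in_share` function and the sample requests are all constructed for illustration. It normalizes the request, then verifies the result still lies under the share root, which is the property the vulnerable driver failed to enforce.

```python
import posixpath
from typing import List, Optional, Tuple

# Constructed example: the folder a handset exposes over Bluetooth file sharing.
SHARE_ROOT = "/storage/bluetooth_share"


def resolve_in_share(share_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path to a filesystem path inside share_root.

    Returns the normalized absolute path, or None when the request would
    escape the share (directory traversal) or is otherwise unacceptable.
    """
    # Treat Windows-style separators like '/', because the handset's
    # filesystem accepts both and a client may send either form.
    candidate = requested.replace("\\", "/")

    # Every client path is relative to the share; absolute paths are refused.
    if candidate.startswith("/"):
        return None

    # NUL bytes can truncate paths inside native file APIs; refuse them.
    if "\x00" in candidate:
        return None

    root = posixpath.normpath(share_root)
    full = posixpath.normpath(posixpath.join(root, candidate))

    # After normalization the result must be the root itself or live below
    # it. The trailing '/' stops '/storage/bluetooth_share_evil' from passing
    # a plain prefix test against '/storage/bluetooth_share'.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def audit_requests(share_root: str, requests: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run a batch of requests through the check; None marks a rejected one."""
    return [(req, resolve_in_share(share_root, req)) for req in requests]


# Constructed sample requests: ordinary file fetches alongside the kinds of
# paths a traversal check must reject.
SAMPLE_REQUESTS = [
    "photos/holiday.jpg",
    "photos/./notes.txt",
    "../../Windows/obexfile.dll",
    "..\\..\\My Documents\\contacts.pst",
    "photos/../../secret.txt",
    "/etc/passwd",
    "../bluetooth_share_evil/x",
]

if __name__ == "__main__":
    for req, resolved in audit_requests(SHARE_ROOT, SAMPLE_REQUESTS):
        verdict = "ALLOW " + resolved if resolved else "REJECT"
        print(f"{req!r:40} -> {verdict}")
```

The check is deliberately done on the normalized result rather than by searching the input for `..`, since encoded or mixed-separator forms of the same traversal would otherwise slip past a string match.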

27. July 13, Enterprise Security Today – (International) New York official: Tagged site stole identities. New York’s attorney general charged on July 9 that Tagged stole the identities of more than 60 million Internet users worldwide, by sending e-mails that raided their private accounts. The attorney general said he plans to sue the social networking Web site for deceptive marketing and invasion of privacy. “This company stole the address books and identities of millions of people,” the attorney general said in a statement. “Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged’s unethical, and illegal, behavior.” Started in 2004 by Harvard math students, Tagged calls itself a “premier social-networking destination.” The California-based company claims to be the third-largest social networking site after Facebook and MySpace, with 80 million registered users. The attorney general said Tagged acquired most of them fraudulently, sending unsuspecting recipients e-mails that urged them to view private photos posted by friends. When recipients tried to access the photos, the attorney general said they would in effect become new members of the site, without ever seeing any photos. Recipients’ e-mail address books would then be lifted, the attorney general said. Source:

28. July 13, Softpedia – (International) DDoS worm starts damaging infected systems. The malware responsible for the recent denial of service attacks against many U.S. and South Korean government and commercial websites has received an update to damage the computers it infected. Starting on July 10, the worm began to rewrite hard disk Master Boot Records (MBR), leaving the zombie computers unbootable. Recently, it was reported that serious distributed denial of service (DDoS) attacks had affected the stability of many websites operated by large organizations or the governments of the United States and South Korea. Experts later concluded that a botnet of over 60,000 computers, infected with an updated Mydoom variant, had been used to launch the attacks. Security researchers from FireEye warn that, even though the DDoS has stopped, the impact of this malware might prove to be a lot bigger. Everything started with a DDoS component being shipped to computers infected with a particular strain of Mydoom, a worm dating back to the beginning of 2004. The attackers planned for the DDoS to start on July 4 (Independence Day) and to end on July 10. The worm drops a file called mstimer.dll and loads it as a Windows service named “MS Timer Service.” The purpose of this component is to check the date and, if it matches July 10, to execute yet another file, called wversion.exe. Originally, wversion.exe contained instructions to uninstall the timer service, suggesting that its authors intended for it to self-destroy. However, a malware researcher at FireEye explains that another, much more destructive version of wversion.exe was deployed shortly before July 10. The new version features a three-step plan to destroy data on the infected computers. First, it rewrites the first 512 bytes of every hard disk in the system, not only the one used to boot from. The first 512 bytes of a hard disk are used to store the Master Boot Record and Volume Boot Record, which hold information about the file system and partitions. The new data written over the MBR and VBR includes a string reading “Memory of the Independence Day.” The second destructive step targets the personal files and documents stored on the hard disks. The component searches for files with one of 37 extensions, including .pdf, .doc, and .ppt, and proceeds to compress and password-protect every one of them. Source:
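Item 28 describes the wiper overwriting the first 512 bytes of each disk with data that includes the string “Memory of the Independence Day.” An incident responder or forensic examiner can triage a disk image by checking whether that sector still looks like a valid MBR. The following is an added example, not code from FireEye or from the article: the hypothetical `assess_mbr` function parses the four primary partition entries, checks the 0x55AA boot signature, and looks for the marker string quoted in the report. Both sample sectors (one intact, one overwritten) are constructed here for illustration; real images would be read from the first 512 bytes of the device or image file.

```python
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
# Marker string the article reports the wiper leaving in the overwritten sector.
WIPER_MARKER = b"Memory of the Independence Day"
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
# One entry: boot flag, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
PARTITION_ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Decode the four primary partition entries of a 512-byte MBR."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        entries.append({
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def assess_mbr(sector: bytes) -> Dict:
    """Triage a boot sector: report why it does not look like a healthy MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if WIPER_MARKER in sector:
        findings.append("contains wiper marker string")
    partitions = parse_partition_table(sector)
    if not any(p["type"] != 0 for p in partitions):
        findings.append("no partition entries")
    return {"healthy": not findings, "findings": findings, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed intact MBR: one bootable NTFS-type (0x07) partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_mbr() -> bytes:
    """Constructed overwritten sector: marker string followed by zero padding."""
    return WIPER_MARKER + b"\x00" * (MBR_SIZE - len(WIPER_MARKER))


if __name__ == "__main__":
    for label, sector in (("intact", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        report = assess_mbr(sector)
        status = "healthy" if report["healthy"] else "SUSPECT: " + "; ".join(report["findings"])
        print(f"{label}: {status}")
        for n, p in enumerate(report["partitions"]):
            if p["type"]:
                print(f"  partition {n}: type 0x{p['type']:02x} lba={p['lba_start']} sectors={p['sectors']}")
```

The signature and partition-table checks catch any wiper, not only this one; the marker string is the indicator specific to the sample the article describes.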

29. July 13, DarkReading – (International) Researchers to release tool that silently hijacks EV SSL sessions. If a user thinks they are safe from man-in-the-middle (MITM) attacks as long as they are visiting an Extended Validation SSL (EV SSL) site, then think again: Researchers will release a new tool at Black Hat USA later this month that lets an attacker hack into a user’s session on an EV SSL-secured site. Two researchers, who in March first demonstrated possible MITM attacks on EV SSL at CanSecWest, will release for the first time their proxy tool at the Las Vegas conference, as well as demonstrate variations on the attacks they have discovered. The Python-based tool can launch an attack even with the secure green badge displaying on the screen: “It doesn’t alert the user that anything fishy is going on,” says the principal consultant at Intrepidus and one of the researchers. All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That is because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate. “There’s no differentiation between the two certs beyond the green badge,” the consultant says. If an attacker has a valid domain-level certificate, he can spoof EV SSL connections and execute an MITM attack, with access and view of all sensitive data in the session, all while the unsuspecting victim still sees that reassuring green badge displayed by his browser. Source:

Communications Sector

30. July 14, ComputerWeekly – (International) Mobile phone directory crashes as users rush to take numbers off. A controversial mobile phone directory has been suspended after being inundated with requests from people who want their details removed. The directory’s operator said it is not taking requests either via the website or over the phone for people’s mobile numbers. The company said on its website that it is making “major improvements” to its beta service. It said all ex-directory requests made by people in the directory to date are being processed, and further requests will be taken once the service is back up and running. “We will take further ex-directory requests when the service resumes. We will not be taking ex-directory requests by phone or text whilst the service is not operational.” The directory holds about 15 million phone numbers, with the owners reported to be hoping to increase this to 42 million numbers. Earlier this week the website appeared to crash under a traffic surge after mobile phone users decided they wanted their numbers taken off the directory. Source: