Department of Homeland Security Daily Open Source Infrastructure Report

Friday, August 7, 2009


Top Stories

Minnesota Public Radio reports that several thousand turkeys at a large poultry producer in central Minnesota’s Meeker County have been quarantined after routine testing discovered a strain of avian flu. (See item 20)

20. August 5, Minnesota Public Radio – (Minnesota) Thousands of Minn. turkeys quarantined. Several thousand turkeys at a large poultry producer in central Minnesota’s Meeker County have been quarantined after routine testing discovered a strain of avian flu. The state Board of Animal Health said the birds appear healthy and show no signs of infection. Poultry workers are being monitored for signs of infection, but there have been no reported illnesses. All turkey flocks within three miles will be repeatedly tested for the virus for six weeks, along with any flocks linked to the farm. Although the current case has caused no illness in Minnesota poultry, the virus, if left unchecked, can change into a form that could be lethal to domestic poultry and chickens. Minnesota is the nation’s top turkey producing state. Source:

According to the Associated Press, police in Springboro, Ohio closed city offices Wednesday after police found a pipe bomb in a teen’s backpack in the police station. (See item 32)

32. August 5, Associated Press – (Ohio) City offices in southwest Ohio evacuated after pipe bomb found in teen’s backpack. Police in southwest Ohio closed city offices Wednesday after officers found a pipe bomb in a teen’s backpack. Police in Springboro brought two 16-year-old boys into the police station for questioning early Wednesday morning and found the device. They quickly took the pipe bomb outside and called the bomb squad. The discovery forced the evacuation of Springboro city offices and the cancellation of the Springboro Mayor’s Court. Source:

Banking and Finance Sector

11. August 6, Forum of Fargo-Moorhead – (North Dakota) Structural issues force closing of downtown Fargo parking ramp. The US Bank parking ramp in downtown Fargo was ordered closed on August 5 after city officials were told it was no longer structurally sound and could potentially collapse. The director of planning said the city was notified in an e-mail from a structural engineer on August 5 that an inspection found the core of the ramp had deteriorated to a dangerous level. “We’ve been concerned about the structure for some time,” the director of planning said, adding that the condition of the city-owned ramp at the corner of Third Avenue and Fifth Street North is “significantly worse than last year.” The structural engineer was quoted in a Planning Department news release on the closure: “The center core ramp has deteriorated to what I feel is a dangerous level. I am also concerned with this core structure and its connection to the rest of the ramp. These connections are in an extremely serious condition. There is a potential that if the core collapsed, it could bring some of the ramp with,” the structural engineer wrote. The director of planning said a bank drive-through area on the first level of the ramp will remain open. He said alternatives that will be explored are offering spaces in the underground Ground Transportation Center ramp or in other city-owned lots. Source:

12. August 5, Cliffview Pilot – (New Jersey; New York) FBI smashes $10M foreclosure scam. Two men scammed homeowners in Bergenfield, Paterson and elsewhere out of their homes, then pocketed about $1.5 million for themselves, the FBI said. Homeowners facing foreclosure in Bergenfield, Paterson and elsewhere were approached by the pair, who offered a way to keep their houses -- and even restore their credit, the bureau said. They completed their scheme by conning buyers with good credit into applying for mortgages on the homes in exchange for a fee. After the lenders wrote the business, the crooks paid the necessary fees at closing -- and walked off with about $1.5 million, the FBI said in a criminal complaint on file in U.S. District Court in Newark. Operating in New Jersey and New York, the pair wrote up more than $10 million in worthless loans from the lenders while pocketing 15 percent from five properties, the FBI Special Agent-in-Charge said. Agents arrested both at their Brooklyn home this morning on federal charges of attempting and conspiring to commit wire fraud. They are being held pending court appearances this afternoon and will be prosecuted by the assistant U.S. attorney in Newark. Calling themselves “Home Savers Consulting Corporation,” the pair scammed three different sets of victims, the assistant U.S. attorney said. First were the homeowners, all of whom had substantial equity in their homes but were facing foreclosure because of an inability to make the monthly payments. Also victimized were the straw purchasers, whom the pair recruited by saying they were helping the true owners “save” their homes, according to the criminal complaint. Source:

13. August 5, Bloomberg – (National) Bair says regulators should set banker pay standards. The Federal Deposit Insurance Corp. chairman, weighing in on the debate over executive pay, said regulators should set standards for U.S. banks to ensure incentives to encourage long-term performance. Banking agencies should become more active in setting compensation standards that are “principles-based” without setting specific amounts for pay, the chairman said today in an interview with Bloomberg Television in Washington. “We do need to revamp the system to make sure that the incentives are long-term,” the chairman said. “I do wish some of these firms would exercise better restraint and common sense on what they’re paying their folks.” The chairman joined the House Financial Services Committee Chairman and lawmakers who say government needs to write pay rules that discourage excessive risk-taking. Republicans in Congress oppose government setting pay, and last week lost an effort to defeat a House bill to control incentive pay. Some Democratic senators are reluctant to support pay limits. Goldman Sachs Group Inc. set aside a record $11.4 billion for compensation for the first six months, up 33 percent from a year ago and enough to pay each worker $386,429, the company said last month. The average ratio of compensation to revenue at securities firms this decade is about 48 percent, Sanford C. Bernstein & Co. said in a report. “I’m not sure I buy this that all these eye-popping salaries are necessary to keep folks for competitive reasons,” the chairman said. “At some point, it just becomes a little beyond the pale in terms of questioning what value is added for those types of eye-popping salaries.” Source:

Information Technology

37. August 6, The Register – (International) Top vendors flunk Vista anti-virus tests. Security vendors including CA and Symantec failed to secure Windows systems without fault in recent independent tests. Twelve of the 35 anti-virus products put through their paces by independent security certification body Virus Bulletin failed to make the grade for one reason or another and therefore failed to achieve the VB100 certification standard. The main faults were either a failure to detect a threat known to be in circulation (one particularly tricky polymorphic file infector caused the most grief in this area) or creating a false alarm about a file known to be benign. Virus Bulletin’s VB100 test benchmarks the performance of a vendor-submitted anti-virus product against a set of malware from the WildList, a list of viruses known to be circulating. To gain VB100 certification, a security product must correctly detect all of these malware strains without blowing the whistle when scanning a batch of clean files. Vendors only get one run at passing the tests, which are conducted free of charge to security software manufacturers. Most, but not all, of the main vendors submit products for testing. Trend Micro - which has expressed reservations about Virus Bulletin’s testing methodology - is a notable dissident. The anti-malware test director at Virus Bulletin said the biggest problem in running its most recent tests was crashes and system slowdowns. “Many of the products in this test did prove stable, speedy and well behaved, but many others had issues far too serious to be classed as mere quirks and oddities,” he said. “We experienced a large number of freezes, crashes and hangs, not just of the product interfaces or of specific scans but in many cases seeing the whole machine shutting down.” Virus Bulletin recently began assessing the reactive and proactive detection abilities of anti-virus products alongside the long-established VB100 tests. The new tests are a reflection that the malware landscape has changed radically over recent years, with greater malware volumes and targeted attacks. Source:

38. August 5, New Scientist – (International) Virtual computer army takes on the botnets. More than 1 million virtual computers are set to provide insight into how networks of infected computers called botnets wreak havoc on the internet, as the Conficker worm did recently. Two researchers at Sandia National Laboratories in Livermore, California, crammed 250 independent Linux “kernels” - the core system of a computer - onto each of 4400 networked Thunderbird machines, creating a total of over 1.1 million individual virtual computers. While this network cannot mimic the internet’s estimated 600 million computers, the duo hope to use it to study how a small number of machines can attack and bring down larger networks. They can also study, for example, why some botnets prefer to be small and others large. Source:

39. August 5, Computerworld – (International) Apple patches 18 Mac vulnerabilities, ships OS X 10.5.8. Apple on August 5 patched 18 vulnerabilities in Mac OS X, including half a dozen that could let hackers hijack machines by duping users into viewing malicious image files on the Web. Security Update 2009-003, which was distributed along with Mac OS X 10.5.8 for Leopard users and delivered separately to Tiger users, plugged holes in components ranging from ColorSync and Dock to the kernel and MobileMe, Apple’s for-pay sync and storage service. But it was the six vulnerabilities in various image file formats that caught the eye of the director of security operations at nCircle Network Security. “The PNG [Portable Network Graphics] bug is the most interesting,” the director said of the half-dozen image file flaws. “It’s a pervasive format that’s frequently on Web sites,” he added, noting that attackers could trigger the bug simply by getting users to visit malicious sites, a common tactic in the Windows hacker world. “It’s easy enough to host one of these malicious files on [a hacker’s] Web site,” the director added. Apple patched four flaws in the ImageIO component of the Mac’s operating system related to its handling of OpenEXR images, a format developed by Lucasfilm’s Industrial Light and Magic visual effects studio in 1999 and released as open source four years later. The sixth image vulnerability, also in ImageIO, could be exploited by malformed Canon RAW photographic files. The August 5 security release was Apple’s smallest this year by vulnerability count. In May, for example, the California-based computer company quashed 67 bugs, while February’s security update patched 55. Two of the bugs Apple called out in its advisory affect Safari, but the flaws are not actually found in the browser. And with the exception of one vulnerability in the “bzip2” open-source data compressor, all of today’s bugs were within Apple’s own code. The director also called attention to the MobileMe vulnerability, which, although not serious, could be used by unscrupulous friends or co-workers to access someone’s account. “A logic issue exists in the MobileMe preference pane,” Apple said in the advisory. “Signing out of the preference pane does not delete all credentials. A person with access to the local user account may continue to access any other system associated with the MobileMe account which had previously been signed in for that local account.” More than half of the vulnerabilities -- 10 of the 18 -- were labeled with Apple’s “arbitrary code execution” phrase, meaning the flaws are critical and could be exploited to compromise a Mac. Unlike other vendors, such as Microsoft and Oracle, Apple does not assign a threat ranking to the bugs it discloses. Source:

40. August 5, ChannelWeb – (International) Apple keyboard firmware vulnerability detected by BlackHat researcher. On top of patching the iPhone SMS flaw, Apple has to deal with a keyboard firmware vulnerability that allows hackers to silently log keystrokes to steal passwords and other identifying information. During the BlackHat conference in Las Vegas, one hacker demonstrated that Apple keyboards contain a flaw that enables cybercrooks to launch key-logging software designed to record keystrokes. Any personal information entered by the users, such as passwords and credit card numbers, can then be swiped by the attackers. The vulnerability, which stems from a poorly designed firmware upgrade mechanism in the keyboard’s USB controller, enables a rootkit to persist through a clean reinstallation of the host operating system. Apple’s keyboards contain enough RAM and flash memory -- albeit a small amount -- for hackers to inject key-logging software. Once injected into the Apple keyboard firmware, the key-logging software is almost undetectable by host malware-detection systems. The attack is further enabled by the fact that the keyboard firmware updater is unencrypted and doesn’t require validation. The security researcher who first detected the Apple firmware vulnerability said that many modern firmware-upgradable devices embedded in keyboards contain cheap microcontrollers that make it difficult to verify cryptographic signatures. During the BlackHat conference, the researcher demonstrated how the exploit could be used to obtain passwords, login credentials and other information typed into the system by the user. Source:

41. August 5, Washington Post – (International) Researchers: XML security flaws are pervasive. Security researchers on August 5 unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products. At issue are problems with the way many hardware and software makers handle data from an open standard called XML. Short for “eXtensible Markup Language,” XML has been used for many years as a fast and efficient way to transport, store and structure information across a wide range of often disparate applications. Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML “libraries,” chunks of code that are typically used and re-used in software applications to process XML data. Codenomicon is a spinoff from the University of Oulu, and is run by many of the same individuals who in 2001-2002 found and reported a widespread vulnerability in a remote Internet management protocol called ASN.1. That research kicked off months of studying and patching by the U.S. government and private sector, which found the ASN.1 flaws extended to some of the nation’s most critical electronic infrastructures, including the telephone network, the power grid, and air traffic control systems. A Codenomicon board member who served as cyber security adviser to a former U.S. President during the ASN.1 episode said these XML flaws are nearly as widespread. The adviser said the result of a successful attack against a vulnerable XML library could range from allowing the remote installation of malicious software to simply sending the application into an infinite loop, rendering it temporarily inaccessible. “XML is being used in so many different things we’re doing on the Web today,” the adviser said. “So it’s a big deal when something goes wrong with something that’s Internet-facing that so many people depend upon.” XML is used in a variety of document formats (docx, openoffice, playlists, configuration files and RSS feeds, to name a few). As a result, there are numerous vectors for attacking XML flaws remotely, such as sending malicious documents or network requests, said an information security adviser for CERT-FI, the Finnish Computer Emergency Response Team. The security adviser for CERT-FI said three major software makers — including Sun Microsystems, Apache Software Foundation and Python Software Foundation — are expected to release updates on August 5 to address the XML flaws (Sun’s Java Update — Java 6 Update 15 — is already out, and mentions at least two XML flaws). Source:

42. August 5, The Register – (International) Microsoft gets personal on Windows 7. Microsoft has gotten personal in responding to reports of a “show stopper” bug in Windows 7 capable of delaying the planned roll-out, which starts on August 6. The company has blamed a chip-set controller issue rather than a critical bug in the Windows 7 chkdsk /r tool that could cause a memory leak capable of causing a user’s PC to seize up and crash. Windows 7 customers have been advised to update their chipset drivers to the current driver supplied by their motherboard manufacturer. That came after the president of Microsoft’s Windows division took on those who had used blogs and online forums to jump on Windows 7 and the Microsoft development and testing process. The president said Microsoft had not reproduced the crash or experienced any crashes with chkdsk on the stack reported in “any measurable number.” He appeared to take particular issue, however, with descriptions of a “critical bug” and “showstopper” in Windows 7, of bugs being “out of place” and comments Windows 7 would have to be delayed. The code is to be released to MSDN and TechNet subscribers on August 6 and OEMs a few days later, with the official launch planned for October 22. Source:

Communications Sector

43. August 5, Inquirer – (International) Latvian botnet host canned. A Latvian hosting company that was thought to have harbored the world’s biggest phishing botnet has been forced to shut up shop by the Swedish telecoms outfit TeliaSonera. Real Host, which owned the AS8206 Junik server based in Riga that spread the Zeus botnet, has been linked to almost half of the world’s phishing attacks in which Russian gangsters attempted to steal the identities and bank details of Internet users. The Russian Business Network (RBN), which inhabited the same server, had been described as one of the world’s most blatant cybercrime networks and was considered a bulletproof hosting hub by digital criminals the world over. Under-the-counter goings-on served from Real Host-connected sites included exploits for unpatched zero-day flaws, malware payloads to drop on victims’ PCs (including fake codecs, banking trojans, spambots, fake antivirus software and even a Mac trojan), phishing websites, money mule (pyramid selling) recruitment sites, cracked software and illegal pornography. Real Host has been compared to McColo and Atrivo, the two most notorious hosting companies in the history of the Internet, and was described by one observer as “a cesspool of criminal activity”. The Zeus trojan is estimated to have infected up to 3.6 million individual PCs and could be purchased from sites hosted on the Latvian server for as little as $1,000. Source: