Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, September 8, 2009

Complete DHS Daily Report for September 8, 2009

Daily Report

Top Stories

 The San Gabriel Valley Tribune reports that a suspicious package, containing an unidentified, yellow powder, opened on September 3 at Western University of Health Sciences in Pomona, California left one student exposed and 30 other people quarantined for their protection as hazardous materials teams and the FBI investigated the possible attack. (See item 29)

29. September 3, San Gabriel Valley Tribune – (California) 30 quarantined due to suspicious powder in Pomona. A suspicious package, containing an unidentified, yellow powder, opened on September 3 at a college in Pomona left one student exposed and 30 other people quarantined for their protection as hazardous materials teams and the FBI investigated the possible attack. A “possible anthrax in an envelope” call was reported at 2:07 p.m. to the Student Services office at Western University of Health Sciences, 309 E. Second St., said an inspector with the Los Angeles County Fire Department. “One student was exposed but is showing no symptoms at this time,” the inspector said. “And 30 other people have been quarantined to defend them from an exposure.” Source:

 KING 5 Seattle reports that the group Earth Liberation Front is claiming responsibility for toppling two radio station towers owned by station KRKO in Snohomish County, Washington early the morning of September 4. The FBI says it has found no indication that any other groups are involved. (See item 39 in the Communications Sector, below)


Banking and Finance Sector

Nothing to report.

Information Technology

35. September 3, The Register – (International) Breaching Fort — What went wrong? Administrators at the Apache Software Foundation have pledged to restrict the use of Secure Shell keys for accessing servers over their network following a security breach on August 31 that briefly forced the closure of the popular open-source website. In a detailed postmortem describing how hackers penetrated several heavily fortified machines, site admins identified their use of SSH keys as one of the flaws that made the attack possible. They went on to lay out concrete ways they plan to fix the problems, which also included faulty procedures for backing up data and methods for providing geographically localized servers for downloads. “At no time were any Apache Software Foundation code repositories, downloads, or users put at risk by this intrusion,” they wrote. “However, we believe that providing a detailed account of what happened will make the internet a better place, by allowing others to learn from our mistakes.” The hack started with the compromise of, a website that is owned by the ApacheCon conference production company. Although logs confirming the exact cause were destroyed, investigators suspect it was the exploit of one or more local root vulnerabilities in the Linux kernel for which Red Hat issued a patch seven days earlier but had not yet been installed. They then used the SSH key for a backup account to access the server that runs With an unprivileged user account, the attackers added common gateway interface scripts to the document root folders for several Apache websites. Routine backup processes then copied the scripts to the foundation’s production server, where they became visible to the outside world. Those scripts, which allowed the hackers to obtain remote shells, were aided by Apache’s use of ExecCGI. The admins have since recreated new SSH keys with minimum lengths of 4,096 bits and mandated the use of a separate one for each host doing backups. Source:

36. September 3, Computerworld – (International) Microsoft to deliver five critical Windows patches next week. Microsoft on September 3 said it will deliver five security updates on September 8, all affecting Windows and all ranked “critical,” the company’s highest threat rating. Unlike some months when Microsoft provides its usual advance notification for upcoming updates, this time there were not any hints of what may be coming, said the director of security operations at nCircle Network Security. “We could see another ATL update,” he said, referring to the flaws in Active Template Library (ATL), a Microsoft code “library” that it and third-party developers use to create software. Microsoft acknowledged the ATL vulnerabilities in July, when it issued two emergency updates to patch six bugs in its own software. Since then, it and several other vendors, including Adobe, have released additional patches for programs that inherited the ATL flaws. All five of the security updates slated to ship on September 8 are rated critical, and all five were tagged as affecting various versions of both the client and server editions of Windows. Four of the five updates apply to Windows Vista — all four of those are ranked critical — while the same four will also impact Windows Server 2008, the newest production version of Microsoft’s server software. Three of those Server 2008 updates were pegged critical, while the fourth was rated as “important,” the next-lowest threat level. Windows 2000, Windows XP and Windows Server 2003 will also receive updates on September 8. Source:

37. September 3, IDG News Service – (International) Patch scramble throws Adobe updates off schedule. July was a tough month for Adobe Systems’ security team. So tough, in fact, that the company’s second-ever quarterly patch release will arrive a month late, Adobe’s security chief said September 3. In June, Adobe took a cue from Microsoft, Oracle, and Cisco, and said it would start delivering security updates on a regular, predictable schedule. Although most software companies roll out patches on an ad hoc basis, these predictable updates make it easier for enterprise customers to plan how they roll them out. At the time, Adobe said it would roll out its next set of patches on September 8. But that was not to be. That is because instead of readying quarterly patches, Adobe’s security team spent most of July scrambling to fix two critical security problems: one stemming from a flaw in Microsoft’s ATL (Active Template Library) software, and the other a critical flaw in its Flash and Reader software that was being exploited in cyber-attacks. The ATL issue was a big deal because Adobe, like other software vendors, had to comb through its source code to see which products used the buggy library component. Adobe has built time into its quarterly schedule to handle out-of-cycle updates, but there simply was not enough time to handle both these major issues and the updates this quarter. So instead of a September release, Adobe’s next quarterly update will be released October 13, the same day as Microsoft’s “Patch Tuesday” security release for that month. Source:

38. September 3, eWeek – (International) Online malware — Compromised computers host an average of 3 malware families. According to security company ESET, the average compromised machine is home to 13 infected files as well as malicious programs from three different malware families. ESET based its findings on scans of more than a half-million PCs using the free online scanner on the company’s Website. In their own way, the results may demonstrate the way attackers are working together to tag-team vulnerable users. According to ESET, the presence of multiple malware families is the result of the “pay per install” phenomenon, in which cyber-criminals are pushing out malware to computers under their control. “Multiple malware families do not have any propagation mechanism built into their code,” blogged ESET Senior Researcher. “Instead, these pieces of malware are distributed and installed on computers by criminal gangs.” Some good examples of this are campaigns to push out rogue anti-virus programs, he continued. Those familiar with the Conficker worm will remember that earlier in 2009 Conficker infections were linked to the installation of the Waledac worm. Waledac in turn installed a bogus anti-virus program. ESET’s findings also show that there is not always a one-to-one relationship between malware and infected files. Many files on an infected computer can be corrupted by the same piece of malware, the researcher wrote. “To sum up, we are seeing more malware per infected computer and also more malicious files on each of them. Our virus lab receives over 100,000 new pieces of malware every day. There are more malware authors than ever and their technologies are getting better to rapidly create new variants of malicious code.” Source:

Communications Sector

39. September 4, KING 5 Seattle – (Washington) ELF claims it toppled Everett radio station towers. The group Earth Liberation Front (ELF) is claiming responsibility for toppling two radio station towers in Snohomish County early the morning of September 4. The FBI says it has found no indication that any other groups are involved. The towers, owned by station KRKO and known as North Sound 1380, are located on Short School Road and 129th St. SE in the Lord’s Hill Valley. “What they used was a machine called an excavator, it has a front arm off the front end of the machine. They stole it out of the yard,” said the president and general manager of KRKO. “They went and attached it to the tower and pushed one of them over and pulled the other one down.” A sign left at the scene said the ELF was responsible. The North American Earth Liberation Front applauded the move. The general manager of KRKO said, “There’s quite a bit of destruction to the antenna system and it will probably take at least three months to get it back up and operational again.” The towers have been at the center of controversy for years. There are four towers currently at the location and there have been plans to build two more towers. Opponents have claimed that AM radio waves can harm people and wildlife. The station is still broadcasting on a backup transmitter and it is going to offer a reward for information leading to the arrest of the suspects. Source:

40. September 3, KOTV 6 Tulsa – (Oklahoma) AT&T upgrading system to deal with increased smartphone traffic. Customers across the country are being told they could be facing issues with their cell phones. In Oklahoma, frustrated users are sounding off over their cell services or lack of at times. Cell phone users have been getting everything from dropped calls to poor signal for weeks, and the cause could be the explosion of traffic over the AT&T network, especially with smartphone and iPhone customers. Spotty service, dropped calls, delayed texts and voicemails are problems AT&T cell phone users say they have been facing in recent weeks. “I would apologize for any inconvenience that customers have had. We are working on it,” said an AT&T of Oklahoma City spokesperson. He said the company is working on upgrading their cell towers and network equipments. The fast growing popularity of the iPhone and smartphones could also contribute to the cause. “We’ve seen the wireless network go up about 350 percent year over year over the last 2 years. Part of that is the growth and popularity of smartphones like the iPhone, the Blackberry, the smartphone, so we’re seeing a lot of data moved over that network,” he said.While the AT&T network upgrades equipment, many customers will have to wait for improvements. There is no time frame on how long this problem will persist and for now they are asking customers to be patient. Source: