Department of Homeland Security Daily Open Source Infrastructure Report

Friday, September 18, 2009

Complete DHS Daily Report for September 18, 2009

Daily Report

Top Stories

 According to the Lower Hudson Journal News, the new $15 million, 172-siren system for the Indian Point nuclear power plant in Buchanan, New York failed to meet the 94 percent federal emergency threshold for success during a quarterly test on Wednesday. (See item 6)

6. September 17, Lower Hudson Journal News – (New York) 10 percent of Indian Point sirens fail test. More than one in 10 of the new emergency sirens for Indian Point in Buchanan failed to work properly during a quarterly test on September 16, just as federal officials are deciding whether to allow the old system to be dismantled. It is the first time in a year that the new $15 million, 172-siren system has failed to meet the 94 percent federal emergency threshold for success. A spokesman for Entergy Nuclear, which owns and runs Indian Point, said it appears there were software problems with the new system that were all but addressed within hours of the 10:30 a.m. test. Emergency and plant officials are discussing whether to run the full-volume, 4-minute test again before the fourth quarter. Eighteen sirens showed up on the computer tracking screen as failing to sound — of those, two were in Putnam and eight each in Westchester and Rockland counties. Source: percent of Indian Point sirens fail test

 According to National Public Radio, law enforcement officials said raids earlier this week in Queens, New York and another search of a Denver apartment Wednesday night are all part of one of the most sensitive U.S. terrorism investigations in years. New York police say that with a Presidential visit to the city and the upcoming U.N. General Assembly, they could not afford to risk anything going wrong. (See item 34)

34. September 17, National Public Radio – (New York) FBI raids in NY, Denver yield questions, no arrests. Law enforcement officials said raids earlier this week in Queens, New York, and another search of a Denver apartment Wednesday night are all part of one of the most sensitive U.S. terrorism investigations in years. The seriousness of the operation in Queens was underscored by the dozens of agents swarming apartment buildings in full combat gear. The head of the FBI’s office in New York was on the scene, personally directing the searches. Agents expected to find bomb components — chemicals or timers or fuses. Instead, they turned up a frightened Muslim family and a bomb-making manual, and the key suspect they hoped to grab was already gone. In this week’s case, understanding why officials moved when they did depends on whom you ask. New York police say that with a Presidential visit to the city and the upcoming U.N. General Assembly, they could not afford to risk anything going wrong. FBI officials say privately they wanted to wait and track the group longer. The lawyer of a person of interest in the investigation says neither the FBI nor any other law enforcement agency has filed any charges against his client. Source:


Banking and Finance Sector

14. September 17, New York Daily News – (National) Investigations of mortgage fraud soar 63%, FBI reports. Mortgage fraud cases under investigation by the FBI have jumped by about 63 percent in the past year, according to the bureau director. “The schemes have evolved with the changing economy, targeting vulnerable individuals, victimizing them even as they are about to lose their homes,” he told the Senate Judiciary Committee on September 16. The FBI has more than 2,600 cases open, with most of them involving losses of more than $1 million, the director said. That is more than triple the number of three years ago and up from 2,400 cases the director said were open in May. The FBI has shifted its investigative resources to focus on mortgage fraud and assigned about 300 special agents to the task. The director said their focus has centered on “industry insiders.” The FBI also has more than 580 open corporate fraud investigations, he said. The bureau has declined to identify any companies under criminal probes. Source:

15. September 17, Washington Post – (National) FDIC packages loans from failed banks. The Federal Deposit Insurance Corp. launched a new program on September 16 to subsidize investor purchases of loans that the agency has acquired from failed banks, as it tries to attract more bids and higher prices for its rapidly expanding collection of troubled assets. The long-awaited program was announced earlier this year as a way to help banks that remained in business get rid of their soured loans, but a lack of interest from banks led the FDIC to focus on its own holdings instead. The agency said on September 16 that it would form a partnership with a Texas company, Residential Credit Solutions, to take ownership of mortgage loans originally worth $1.3 billion. The company, which will manage the partnership, will pay the FDIC $64.2 million for a half-share of any profits as the loans are repaid or sold. An FDIC official said a second deal would soon follow, and that he expected others before the end of the year. The official said that the agency continued to believe that the program could help banks and that the agency in part was moving ahead so that it would be ready if the industry took a turn for the worse. “We’d be ready to apply this process either on failed bank assets or on open banks,” said the official, who conducted a briefing for the media on the condition of anonymity. The FDIC repays depositors in failed banks and then seeks to recoup as much money as possible from the wreckage. Historically it has relied on the basic approach of immediately selling everything it can to another bank, but 92 failures so far this year have started to sate the appetite of eligible buyers. Increasingly the FDIC has sweetened the deal by guaranteeing to limit any potential losses, but even that sometimes is not enough, leaving the agency with a growing pile of assets that must be sold. Source:

16. September 17, – (International) Worldpay reportedly hit by cross-site scripting security problems. According to news reports, RBS Worldpay’s various web portals are “riddled with holes”. The vulnerabilities were discovered by Unu, a Romanian grey-hat hacker. RBS WorldPay responded that a security audit has established that access to merchants or cardholder accounts was not possible via any of the reported vulnerabilities. They commented: “RBS WorldPay have thoroughly investigated reports of a technical vulnerability on our website. We have taken the report very seriously, and enforced immediate security measures. Any information the unauthorised third party found would not provide access to either merchants or cardholder accounts. We take data security very seriously, and regularly review the way in which we protect customer and consumer data. As part of our ongoing commitment to protecting customer data, we will be conducting an additional assessment of the circumstances, and continue to make further security re-enforcements where appropriate.” Fortify Software believes it all comes down to what appears to be poor code auditing at the programming level. “Coupled with lack of security soak testing, which is a must-have for any transaction processing system, RBS Worldpay’s sites appear to have been hit by cross-site scripting (XSS) security problems,” said Fortify’s European Director. “Of course, RBS Worldpay isn’t alone in its sites having XSS problems, but it is a high profile problem, simply because the company processes card payments online for a large number of e-tailers,” he added. Source:

17. September 16, CNET News – (International) New scam adds live chat to phishing attack. Online scammers have created a phishing site masquerading as a U.S.-based bank that launches a live chat window where victims are tricked into revealing more information, researchers at the RSA FraudAction Research Team said on September 16. After a user accesses the phishing site, the chat window messages come through the browser and not via a typical instant messenger application, RSA said in a blog post. The chat window is displayed if the log-in credentials are typed in or if any other link on the page is clicked, said an online fraud expert at RSA. The scammer claims to be from the bank’s fraud department and says that the bank is requiring members to validate their accounts, asking for additional information such as name, phone number, and e-mail address, according to screenshots. That information could be used to get access to accounts and money online or over the phone. The scammers are using the open-source Jabber IM protocol to manage the one-on-one chat, RSA said, declining to identify the bank involved in the scam. Meanwhile, the “chat-in-the-middle” phishing attack, as RSA has dubbed it, is being hosted on a fast flux network that criminals pay to use that hosts malicious Web sites and other tools for online scams. Such networks are comprised of numerous computers that can be used to serve up the phishing page if one site gets shut down, which makes stopping such attacks difficult, the RSA fraud expert said. Source:

Information Technology

42. September 17, The Register – (International) Mozilla catches half of Firefox users running insecure Flash. More than half of all Firefox users ran an unsafe version of Adobe’s Flash Player, according to statistics collected last week as users installed the latest release of the popular open-source browser. Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to a Mozilla official. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version. That suggests that some 2 million Firefox users remained vulnerable to remote exploit attacks even after Mozilla presented them with a warning that said “your current version of Flash Player can cause security and stability issues” and added “you should update Adobe Flash Player right now.” A similar pattern has played out ever since, although the numbers in all three categories were smaller. Over that time, about 10 million users in all clicked on the link, which led to an update page on Adobe’s website. The overall click-through rate was about 30 percent. The statistics were gathered by counting the number of page impressions that are automatically generated when Firefox users install the latest version of the browser. As previously reported, the newest release began checking users’ version of Flash and admonishing them to update if it was found to be out of date. Source:

43. September 16, Associated Press – (International) Google acquires Carnegie Mellon’s anti-fraud tool. Google is acquiring a Carnegie Mellon University spin-off that lets users help digitize books as they register at Web sites or buy things online. Google Inc. and the Pittsburgh university announced on September 16 that Google has acquired ReCAPTCHA, a tool meant to cut down on spam and fraud. The tool offers simple distorted word puzzles that users fill out to prove they are human, rather than spammers or others automating sign-up. Unlike other word puzzles, however, the text comes from actual books, letting the system create a digitized version in the process. The tool was developed by Carnegie Mellon computer science professor, who started the ReCAPTCHA company in 2008. Source:

44. September 16, The Register – (International) White hats release exploit for critical Windows vuln. White-hat hackers have released reliable code that remotely exploits a critical vulnerability in the Vista and Server 2008 versions of Microsoft’s Windows operating system. The exploit code, released on September 16 by security firm Immunity, came as separate researchers with the Metasploit penetration testing project said they were close to releasing their own software targeting the network file-sharing technology known as SMB2, or Server Message Block version 2. It was first added to Vista and has since been put into other Microsoft operating systems. The progress of ethical researchers in exploiting the bug is important because it’s an indication of how other, less scrupulous hackers are likely faring. It shows that the bug, which affects newer operating systems built under a program designed to prevent such security flaws, is far from being a mere theoretical risk to the millions of people who use the products. Rather, it means attackers can use the internet to take over vulnerable machines located half-way around the globe. “This is the kind of vulnerability that hits everybody who is sharing files with other users,” the CTO of Immunity, told the Register. “It affects the most secure operating system Microsoft has put out other than Windows 7.” The CTO said it took a team of four researchers to develop an exploit for the vulnerability, which surfaced recently. An Immunity researcher led the effort. The exploit code works on all versions of Vista and the Service Pack 2 version of 2008, he said. Microsoft has said it plans to release updates patching the vulnerability as soon as they are ready. Source:

45. September 16, InfoWorld – (International) Microsoft offers tools for secure application development. Microsoft is introducing on Wednesday two testing tools to help Windows programmers build better security into their C and C++ applications, but an industry analyst was dismissive of how useful the tools would be for enterprise developers. Offered at no cost, the tools enable implementation of Microsoft’s SDL (Security Development Lifecycle) process, for injecting security and privacy provisions into the development lifecycle as opposed to testing during pre- and post-deployment of an application. One of the tools, BinScope Binary Analyzer, analyzes binary code to validate adherence to SDL requirements for compilers and linkers. It also verifies use of strong-named assemblies and up-to-date build tools. “Essentially, what it does is it checks for a variety of SDL requirements like GS flag, which is used to prevent buffer overflows,” said the principal security program manager for the security development lifecycle team at Microsoft. Buffer overflows enable hackers to take control of an application, the manager said. “To the extent that you can prevent those at compile time, that’s a good thing from a security standpoint,” he said. The tool requires symbol files, providing security against hackers potentially using the tool to analyze software on the Web for weaknesses. The second tool, Microsoft MiniFuzz File Fuzzer implements the fuzz testing technique. Testers check application behavior by parsing files that have been deliberately corrupted. Security tests are applied to take code through different flow patterns and identify whether resulting crashes should be investigated as potential application security risks. “If you find a file failure and it has security ramifications, you want to go out and fix that problem,” the manager said. Source:

46. September 15, Download Squad – (International) Facebook removes Fan Check app after malware rumors. Fan Check is a Facebook app that claims to tell a user who is viewing their Facebook profile. Although it does not actually work, it is not a virus, as a widespread rumor would have users believe. The real malware problem comes from other applications that promise to remove the Facebook Fan Check virus, and users are falling for it after seeing the virus rumors reposted in friends’ status messages. So, users should not keep posting the warning about Facebook Fan Check being a virus, should not link to any sites that claim they will fix it, and should not download or install anything from said sites. In the meantime, Facebook has removed Fan Check from the app directory. Visiting its URL just shows a note explaining that Facebook had an issue with the third-party developer and is investigating it. Source:

Communications Sector

47. September 16, Louisville Courier-Journal – (Kentucky) AT&T wireless customers experience service interruptions. AT&T is dealing with interruptions to wireless service across Kentucky. In a statement a company spokeswoman said customers in the Louisville, Lexington, Bowling Green and Frankfort areas may be experiencing a loss of service. She said she did not know how many customers were affected, or how long the interruptions had taken place. “AT&T technicians are working to restore service to all affected customers as quickly as possible,” she said in the statement. “We apologize for any inconvenience this may be causing our customers.” Some customers told the Courier-Journal the outages began around mid-day, and affected calls to areas outside the local calling area. Source:

48. September 16, RadioWorld – (Florida) Transmitter sites remain prime targets. A former DOE for the Mega stations in Tampa experienced three transmission line attacks in four months last year, the last ending in an arrest. The first resulted in the disappearance of the coil at the base of the tower. This line was excess after he moved an old main FM antenna down the tower to make room for a new one. Since this was now an aux line, it was not active at the time of theft, but he had a pressure alarm on the line, which alerted him after the fact. A month or two later, someone harvested the next 40 feet of that same line. On their way out, they also took about 6 feet of rigid line that was used to connect the active flex line to the transmitter inside the building. This took the station off the air for almost 10 hours while a new section was fabricated by Central Florida Tower, delivered, and installed. A few weeks later, he was alerted to yet another incident by an off-air alarm that tripped while the thief was cutting the active line. That outage lasted 29 hours. Again, Central Florida Tower was able to fabricate and install a replacement line. Meanwhile, he contacted police. A sheriff’s deputy stopped a man leaving the area. The former Mega employee reported these thefts to the Federal Communications Commission and the Federal Bureau of Investigation. He says the commission office in Tampa had no interest because the individual — who had been caught and subsequently pled no contest — had not caused unauthorized transmissions. The former Mega employee says the FBI person he reached was not interested either. The sentence was probation and restitution for the line section and labor to replace it. Source: