Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, October 8, 2009

Complete DHS Daily Report for October 8, 2009

Daily Report

Top Stories

The Associated Press reports that protesters in Istanbul, Turkey hurled firebombs at Turkish and foreign banks and police in a second day of protests on Wednesday against the International Monetary Fund. Protesters attempted to break through police lines and march to a complex where the IMF and World Bank were wrapping up discussions on internal reforms and the recovery from the global economic meltdown. (See item 15 below in the Banking and Finance Sector)

According to SC Magazine, the National Archives and Records Administration is investigating a potential data breach involving a lost hard drive that could affect 70 million records of U.S. military veterans. (See item 38)

38. October 5, SC Magazine – (National) Lost hard drive could affect 70 million U.S. military veterans. The National Archives and Records Administration (NARA) is investigating a potential data breach involving a lost hard drive that could affect 70 million records of U.S. military veterans. A report by Wired claimed that a defective hard drive that powered eVetRecs, the system veterans use to request copies of their health records and discharge papers, was sent by an agency back to its vendor for repair and recycling without first destroying the data. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them for repair. GMRI determined it could not be fixed, and ultimately passed it to another firm to be recycled. However, the NARA said that the lost drive is not a problem because its contractors signed privacy promises in their contracts, though the agency has since changed its policy to require that sensitive media be destroyed by NARA itself. Writing on the blog, a consultant claimed that the hard drive should have never left the facility and should have been destroyed. The consultant said: “A $2,000 hard drive with millions of social security numbers is worth millions, maybe billions of dollars if it gets into the hands of a criminal. The ‘loss’ of data like this can cost a government agency or corporation millions to respond to the breach. The Pentagon requires that old or defective drives be de-magnified or destroyed.” Source:


Banking and Finance Sector

15. October 7, Associated Press – (International) Police break up second day of anti-IMF protest. Protesters in Istanbul hurled firebombs at banks and police and smashed shop windows in a second day of protests on October 7 against the International Monetary Fund. The crowd of some 150 people, members of fringe left-wing groups, gathered about half a mile away from the venue of the annual meetings of the IMF and World Bank being held in Istanbul, shouting “IMF get out!” The protesters also stoned a police vehicle, prompting officers inside to fire warning shots in the air to keep them at bay, while riot police used water canons and tear and pepper gas. Groups of masked youths hurled gasoline bombs at several banks, and shattered the windows of a Burger King fast food restaurant as well as windows of several Turkish and foreign banks in Istanbul’s Sisli district. Outnumbered by police, the protesters ran down side streets but regrouped quickly in a failed attempt to break through police lines and march to a complex where the IMF and World Bank were wrapping up discussions on internal reforms and the fragile recovery from the global economic meltdown. Source:

16. October 7, Washington Post – (National) Trade groups seek more limited plan to regulate derivatives market. An alliance of business trade groups is pushing to scale back the U.S. Presidential Administration’s efforts to regulate the multitrillion-dollar derivatives industry, arguing that the proposed changes could have consequences well beyond Wall Street. While government officials are seeking to rein in the excesses that contributed to the financial crisis, business lobbyists have been warning key lawmakers that companies such as Ford, Johnson & Johnson and Coca-Cola could suffer if the new regulations are far-reaching. Beyond Wall Street, many companies have traditionally bought derivatives as a way to hedge against investment risks. It is those “end users” that the alliance wants excluded from the coming legislation. In the lead up to the financial crisis, trading in derivatives, securities that derive value from underlying assets, such as stocks, bonds and commodities, swelled into an immense global market, accounting for hundreds of trillions of dollars in deals. Often dubbed the “shadow market,” it allowed unregulated traders around the world to influence and speculate on a vast array of sectors, from how much companies pay to borrow money to the value of currencies and goods such as oil and cotton. Ultimately, derivatives acted as a catalyst in the downward spiral of the economy, and contributed to the meltdown of such financial giants as American International Group. The Coalition for Derivatives End-Users, organized by groups such as the U.S. Chamber of Commerce, the Business Roundtable and the National Association of Manufacturers, sent a letter to lawmakers last week saying that “some reform proposals would place an extraordinary burden on end-users of derivatives in every sector of the economy — including manufacturers, energy companies, utilities, healthcare companies and commercial real estate owners and developers.” The letter was signed by more than 170 companies and trade associations. Wall Street firms such as J.P. Morgan Chase and Goldman Sachs, which have profited over the years from dealing in derivatives, have waged lobbying efforts along with industry groups, such as the International Swaps and Derivatives Association, to reshape parts of the proposed legislation. Source:

17. October 6, Associated Press – (International) Financier fights fraud charges in Turks & Caicos. A financier accused of defrauding thousands of investors through his Olint TCI Corp. will fight all charges against him, his attorney said on October 6. The financier, who promised big returns to clients in the Caribbean through Olint, insists no crimes were committed, said his attorney in a brief interview on October 6 in the Turks and Caicos. Investigators in this wealthy British dependency accuse the financier of operating a Ponzi scheme that duped clients out of millions. He has been charged with forgery, theft, false accounting and other fraud-related charges. A Court-appointed liquidator has said Olint TCI had about 6,000 investors who together invested US$220 million. Only US$13 million has been located. Source:

18. October 6, Associated Press – (National) Liberty Bank reports FBI investigating phishing scam. The FBI is investigating an automated phone-call “phishing” scam referencing Liberty Bank, the first vice president of Liberty Bank, said on October 6. The calls, which started on the East Coast recently and hit the West Coast October 2, are ongoing. “We’ve been told that Bank of America, Wells Fargo Bank, Citibank and some credit unions as far away as Humboldt County have all been targeted,” the vice president said. “The source of one calling point was identified, a Web site was hijacked and calls were made from West Virginia. That was shut down, but more continue.” South San Francisco-based Liberty Bank issued an alert on October 2 as did Connecticut-based Liberty Bank. Residents of San Lorenzo Valley and parts of Santa Cruz report receiving automated phone calls purportedly from Liberty Bank, saying, “Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.” Some of those called are customers of Liberty Bank, which has branches in Boulder Creek and Felton; non-customers also have been called, including a retired Stanford University employee. Customers who press “1” are asked to enter their credit/debit card number and personal identification number. Once usernames and passwords to a Web-based e-mail account are captured from a customer, criminals can access the login information and transfer money out. Source:

Information Technology

42. October 7, BBC – (International) Web mail scam propagates itself. The industry-wide phishing scam that has affected popular web mail services such as Hotmail and GMail, is spreading, according to experts. Security firm Websense says it has noticed a sharp rise in spam emails from Yahoo, Gmail and Hotmail accounts. This is because infected accounts are sending personalized e-mails to contacts suggesting shopping sites, which are in fact fakes. One security expert thinks victims of the scam could have been part of a so-called key-logging attack. A researcher from security firm Imperva said the high numbers of victims suggested this type of attack. Unlike a traditional phishing scam, which lures people into revealing their details on fake websites, key-logging records individual key strokes. In some cases the malware could have been downloaded automatically. The scam was highlighted when several lists, detailing more than 30,000 names and passwords from Hotmail, Google and Yahoo web mail accounts were posted online. Source:

43. October 6, IDG News Services – (International) Windows attack code out, but not being used. It has been a week since hackers released software that could be used to attack a flaw in Windows Vista and Server 2008, but Microsoft and security companies say that criminals have not done much with the attack. On October 5, Microsoft said it had not seen any attacks that used the vulnerability, an analysis that was echoed by security companies such as SecureWorks, Symantec and Verisign’s iDefense unit. While criminals jumped on a similar flaw in 2008, using it in widespread attacks that ultimately forced Microsoft to rush out a security patch ahead of its monthly set of security updates, that has not happened with this latest bug, which lies in the SMB v2 software used by Vista and Server 2008 to do file-and-printer sharing. A SecureWorks researcher said on October 6 that there are several reasons why this latest attack has not been picked up. The main reason is probably that the Metasploit code does not work as reliably as last year’s MS08-067 attack, and often causes the computer to simply crash instead of running the hacker’s software. SMB v2 is typically blocked at the firewall, and it does not ship with Windows XP, meaning that the Metasploit attack will not work on the majority of PCs. Vista, the only Windows client that is vulnerable to the attack, is used on about 19 percent of computers that surf the Web, according to Web analytics firm Net Applications. Windows XP runs on 72 percent of PCs. Because of these factors, the SMB v2 flaw is simply not “all that popular of a target,” the researcher said. Source:

44. October 6, The Register – (International) Scareware scams spill onto Skype. Scareware spreaders have started to use Skype to spread their cash-sapping crud. The VoIP channel has joined malicious manipulated search results, malicious online advertisements, Facebook messages and iFrame-contaminated sites as a means to spread rogue “anti-virus” software scans. A security researcher at Panda Security explains that under its latest guise, scareware scams appear as spam messages sent to personal Skype accounts. The message poses as originating from an account called “Online Notification” and claims to have discovered an infection on a supposedly compromised PC. Once the prospective mark visits the linked site for “more information”, a fake antivirus scan takes place that warns the system is crawling with malware in a bid to coerce potentially alarmed users into buying a clean-up utility of no value. One strain of scareware detected by Panda disables all applications on a compromised PC except the rogueware utility and IE. A browser is left available because it’s needed for a victim to hand over payment to the rogues. After receiving funds, the full version of the scareware package reactivates the disabled applications. Black hat SEO tactics remain the main tactic for seeding scareware traps. Source:

45. October 6, The Register – (International) Man banished from PayPal for showing how to hack PayPal. PayPal suspended the account of a white-hat hacker on October 6, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor. “Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law,” company representatives wrote in an email sent to the white-hat hacker. “Please understand that this is a security measure meant to help protect you and your account.” The email, sent from an unmonitored PayPal address, makes no mention of the item that violates the PayPal policy. The suspension effectively freezes more than $500 in the account until the white-hat hacker submits a signed affidavit swearing he has removed the PayPal logos from his site. Since 2002, the white-hat hacker has included a yellow donate button on the download page for a hacking tool he calls SSLSniff, and more recently he released a program called SSLStrip, which also includes the button. But it was only after someone published a counterfeit SSL certificate on October 5 that PayPal took action against the account. “This is not something I had anything to do with, and they responded by suspending my account,” the white-hat hacker told The Register. “I’ve been the one trying to warn them of this in the first place.” The account suspension is troubling because it penalizes an independent security researcher whose discoveries have already yielded important insights into secure sockets layer, one of the web’s oldest and most relied upon measures for preventing man-in-the-middle attacks. Source:

Communications Sector

46. October 6, Web Host Industry Review – (Washington; International) VMware opens data center, updates disaster recovery. Virtualization software company VMware announced on Tuesday that it has opened a new “green IT data center” in East Wenatchee, Washington — a notice that coincided with the updating of the company’s disaster recovery mechanism for virtualized data center components in its vCenter Site Recovery Manager 4. The company has released Site Recovery Manager 4, designed to be compatible with the vSphere 4 cloud operating system, and to include support for Network File System-based storage replication as well as Fibre Channel and iSCSI-based replication. The first version of the disaster recovery product launched in June of 2008. The “4” at the end of the new version — the second version of the product — is intended to demonstrate its support for vSphere 4. A Tuesday article from Information Week says VMware intends to make disaster recovery easier to set up for virtual machines than it is for physical machines, making the process part of the software rather than the product of specialized knowledge. Among the advantages of virtual machine disaster recovery is the fact that a copy of a virtual machine does not necessarily need to be run on an identical piece of hardware. Virtual machines are also easier to duplicate and to move, says VMware, and virtualized disaster recovery systems are easier to run tests on than physical systems. Site Recovery Manager can also be used in situations like data center migration, in addition to its basic disaster recovery purpose. Source:

47. October 6, Network World – (National) Disney, Verizon go green in the data center. Energy efficiency in the data center is a top priority for Disney and Verizon, technology executives from the companies said last week. But the industry is still in the early stages of understanding how best to measure effectiveness, they said. Disney and Verizon officials discussed their energy efficiency programs at the New York Stock Exchange last week during an event hosted by the Green Grid industry consortium. Verizon is contemplating a more ambitious project involving solar energy. The senior vice president of global engineering and planning for Verizon Services Organization says the company is trialing the use of solar for backup power sources, “with a full intent to use it if the results look positive.” Verizon is also considering the use of hydrogen fuel cells, a senior vice president says. Source:

48. October 5, Massachusetts; New York – (National) Single point of failure blamed for Verizon FiOS, DSL outage. A single stalled router is being blamed by Verizon officials for a service outage that impacted customers of its high-speed Internet service, including fiber-optic FiOS, in New York and Massachusetts. The outage occurred at approximately 3:15 p.m., according to a message on October 2 from the company’s chief PR executive. He acknowledged that routers typically fail over to adjacent ones, but in this instance, this one did not. “The router went into a hung state and did not appear to the rest of the network as though it was having problems,” the executive wrote, being careful not to name the manufacturer. According to reporting from a writer for Telephony Online, Verizon’s principal hardware provider for FiOS is Juniper Networks. The outage lasted about 40 minutes. However, other customers, including in Massachusetts, reported poor or no service even after the problem was resolved by 4:00 p.m. What is more, support representatives who diligently worked with customers in an attempt to resolve issues as if the customers’ own on-premises equipment were to blame were apparently not informed of the service outage themselves until after the problem was resolved. Source:

49. October 5, Beta News – (National) AT&T uses Opera to shoulder data traffic. With a network that is already overloaded with data traffic, AT&T has enlisted the help of Opera Software’s server-side compression technology to help bring mobile Web access to even more subscribers. On October 5 AT&T debuted four new feature phones, two from Pantech (Reveal and Impact) and two from Samsung (Mythic and Flight) which the company touts as “Full Web Browsing Phones,” equipped with a new branded HTML browser that “utilizes advanced data compression from Opera Software, allowing for much faster delivery of HTML Web pages.” Though AT&T did not specify which compression technologies the new browser uses, Opera Turbo is the likely candidate for AT&T’s compression technology of choice. Opera Turbo is a cross-platform solution that can compress network traffic up to 80% to reduce network traffic and increase the browsing speed on the user’s end. This is the same technology used in Opera Mini, which counted 26.5 million users and 10.4 billion page views in June 2009, which had then grown to more than 30 million users and 12 billion page views in just one month’s time. Opera Mini has increased nearly 225% in page views year over year. Opera’s servers were close to processing two petabytes of raw data in August, and Opera Software’s CEO said he expected that number to be passed in September. Opera has not yet released its updated “State of the Mobile Web” address to show if this feat was accomplished. Source: