Department of Homeland Security Daily Open Source Infrastructure Report

Monday, November 9, 2009

Complete DHS Daily Report for November 9, 2009

Daily Report

Top Stories

 The Washington Post reported that on November 5 an army psychiatrist open fired at Fort Hood in Texas, killing 13 people and injuring as many as 31. The suspect was shot by a civilian police officer and remains hospitalized and on a ventilator. (See item 17)

17. November 6, Washinton Post – (Texas) 13 dead in Fort Hood rampage, largest mass shooting on an Army post. The Arlington-born Army psychiatrist suspected of killing 13 people at Fort Hood Thursday before being shot by a civilian police officer remains hospitalized and on a ventilator, officials said November 6 as investigators probed a motive for the rampage and tried to determine whether anyone else was involved. Military officials said they believe the suspect, a 39-year-old major trained to treat soldiers under stress, opened fire with a pair of pistols — one of them semiautomatic — in the processing facility just after lunchtime. All around him, unarmed soldiers who had been waiting to see doctors scattered or dropped to the floor. A Fort Hood police sergeant responded within four minutes of the report of gunfire, a deputy commander said . The officer arrived just as the suspect was fleeing the building. The suspect fired one of his two guns, hitting the officer in both of her thighs and one wrist, said an officer who witnessed the shooting. The deputy commander said an investigation will determine how the shooter brought guns onto the post, where, like at all U.S. military installations, firearms are kept secured unless they are needed for training or security work. Soldiers and civilians are allowed to maintain privately owned weapons in accordance with local gun laws, the deputy commander said. But they must register those weapons on post. Source:

 According to MSNBC, a suspect was in custody on November 6 after a man opened fire in the offices of an Orlando architecture company that fired him two and a half years ago, killing one person and wounding five others, police and the company said. (See item 26)

26. November 6, MSNBC – (Florida) 1 killed, 5 injured in Fla. shootings; suspect held. A suspect was in custody on November 6 after a man opened fire in the offices of an Orlando architecture company that fired him two and a half years ago, killing one person and wounding five others, police and the company said. The Orlando police chief identified the suspect as a 40 year old. Police said he was arrested peacefully at his mother’s home. All of the victims worked for Reynolds, Smith and Hills, an architecture firm. One was dead and five others were in stable condition at Orlando Regional Medical Center with gunshot wounds, police said.The incident comes just a day after an Army psychiatrist opened fire at Fort Hood, Texas, killing 13 soldiers and wounding 30 others in the worst mass shooting on a U.S. military base. “This is a tragedy, no doubt about it, especially on the heels of the tragedy in Fort Hood that is on our minds,” the police chief said. “I’m just glad we don’t have any more fatalities or any more injuries than we currently have.” Source:


Banking and Finance Sector

8. November 4, CNET News – (National) Congress may require ISPs to block fraud sites. For the last decade or so, Internet service providers have been dealing with requests to block access to pornographic or copyright-infringing Web sites, or in China, ones that dare to criticize the government. Now a U.S. House of Representatives bill is taking the unusual step of requiring Internet providers to block access to online financial scams that fraudulently invoke the Securities Investor Protection Corporation (SIPC)—or face fines and federal court injunctions. The House Financial Services Committee approved the legislation on November 4 by a 41 to 28 vote. SPIC is a government-linked entity that aids investors when funds are missing from their accounts, up to a limit of $500,000 for stocks, bonds, and mutual funds. Only investor accounts that investors have opened with members of the SIPC—here’s a list—qualify for its protection. It turns out that occasionally, Internet fraudsters, scamsters, and other assorted malcontents have posed as legitimate brokerage firms that are SIPC members, often with a similar name or domain name. The scam may be a too-good-to-be-true offer to buy securities that asks the unwitting customer to pay fees in advance, or schemes involving fraudulent checks that eventually bounce. That seems to be in part what prompted a representative from Pennsylvania and chairman of a key subcommittee, to introduce the Investor Protection Act a few weeks ago. Section 508 of that bill says, “Any Internet service provider that, on or through a system or network controlled or operated by the Internet service provider, transmits, routes, provides connections for, or stores any material containing any misrepresentation (of the SIPC) shall be liable for any damages caused thereby, including damages suffered by the SIPC, if the Internet service aware of facts or circumstances from which it is apparent that the material contains a misrepresentation.” Source:

Information Technology

22. November 6, IDG News Services – (International) Gumblar malware’s home domain is active again. ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages. Gumblar can steal FTP credentials as well as hijack Google searches, replacing results on infected computers with links to other malicious sites. When the Gumblar malware was found in March, it looked for instructions on a server at That domain was taken offline at the time, but has been reactivated within the last 24 hours, wrote a senior security researcher with ScanSafe, on a company blog. Web sites that are infected with Gumblar contain an iframe, which is a way to bring content from one Web site into another. Malware writers usually make those iframes invisible. When a victim visits the site, the iframe will launch a series of exploits hosted on a remote computer to try and hack the visiting machine. Gumblar checks to see if the victim’s PC is running unpatched versions of Adobe Systems’ Reader and Acrobat programs. If so, the machine will be compromised by a so-called drive-by download. Source:

23. November 6, IDG News Service – (National) Senate committee approves data-breach notification bills. The U.S. Senate Judiciary Committee has approved two bills that would require organizations with data breaches to report them to potential victims. The Judiciary Committee on November 3 voted to approve both the Personal Data Privacy and Security Act and the Data Breach Notification Act by large majorities. The Data Breach Notification Act, sponsored by a Senator who is a California Democrat, would require U.S. agencies and businesses that engage in interstate commerce to report data breaches to victims whose personal information “has been, or is reasonably believed to have been, accessed, or acquired.” The bill would also require agencies and businesses to report large data breaches to the U.S. Secret Service The Personal Data Privacy and Security Act would also require that organizations that maintain personal data give notice to potential victims and law-enforcement authorities when they have a data breach. It would increase criminal penalties for electronic-data theft and allow people to have access to, and correct, personal data held by commercial data brokers. The second bill, sponsored by another Senator who is the Judiciary Committee chairman and a Vermont Democrat, would also require the U.S. government to establish rules protecting privacy and security when it uses information from commercial data brokers. Source:

24. November 6, The Register – (International) Backdoor in top iPhone games stole user data, suit claims. A maker of some of the most popular games for the iPhone has been surreptitiously collecting users’ cell numbers without their permission, according to a federal lawsuit filed on November 4. The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers. “Nonetheless, Storm8 makes use of the ‘backdoor’ method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed,” states the complaint, which was filed in US District Court in Northern California. “Storm8 does so or has done so in all of its games.” Source:

25. November 5, DarkReading – (International) Little-known hole lets attacker hit main website domain via its subdomains. Turns out an exploit on a Website’s subdomain can be used to attack the main domain: A researcher has released a proof-of-concept showing how cookies can be abused to execute such an insidious attack. A senior researcher for Foreground Security published a paper this week that demonstrates how an exploit in a subdomain, such as, could be used to hack the main production domain,, all because of the way browsers handle cookies. “There’s no specific vulnerability here, but it’s widening the attack surface for any large organization that has more than one [Web] server set up. A [vulnerability] in any one of those servers can affect all the rest,” he says. Most Web developers are not aware that a vulnerability in a subdomain could be used to target the main domain. “We’re trying to get the message out that now you have to treat everything [in the domain] as though someone can compromise your crown jewels,” says the CSO for Foreground. “You have to realize that every vulnerability, every attack vector in those subdomains, can be used to compromise [other areas of the domain],” he says. It all boils down to the browsers themselves. Within the DNS architecture, the main domain —, for instance — has control over its subdomains, such as has no authority to change anything on the main site. But browsers do the reverse, the CSO says. can set cookies for, the main domain. That leaves the door open for cookie-tampering, he says, when the subdomain has an exploitable vulnerability, such as cross-site scripting (XSS) or cross-site request forgery (CSRF). Source:

Communications Sector

Nothing to report