Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, November 18, 2009

Complete DHS Daily Report for November 18, 2009

Top Stories

NextGov reports that information security weaknesses continue to plague Los Alamos National Laboratory. According to the Government Accountability Office (GAO), the lab failed to restrict network access to authorized users. The GAO identified numerous network vulnerabilities in several critical areas of the laboratory, which manages operations at nuclear facilities. (See item 9)

9. November 16, Nextgov – (New Mexico) Los Alamos National Lab again under fire for weak computer security. Information security weaknesses continue to plague Los Alamos National Laboratory, according to the Government Accountability Office (GAO), which reported on Friday that the lab failed to restrict network access to authorized users. In its report last week, GAO identified numerous network vulnerabilities in several critical areas of the laboratory, which manages operations at nuclear facilities. Among the weaknesses were failures to identify and authenticate users, authorize user access, encrypt classified information, monitor compliance with security policies, or check that security settings are up to date. The National Nuclear Security Administration (NNSA) oversees the laboratory, which is managed by Los Alamos National Security, a consortium of contractors. According to GAO, NNSA policy states that individuals must not share passwords except in emergency circumstances or when there is an overriding operational necessity, and passwords on sensitive systems should be changed at least every six months. The administration also requires that the lab use two-factor authentication whenever possible. Two-factor authentication requires a user to provide two sets of identity such as a username and password, and possibly a smart card or a fingerprint. “[The lab] did not always manage passwords securely on the classified computer network,” GAO investigators said. “As a result of this weakness, increased risk exists that insiders with malicious intent could guess the passwords of other individuals and use them to gain inappropriate access to classified information.” In addition, users were granted access to more computer files than needed to perform their duties and classified systems were not configured with necessary security controls, according to the report. Although the lab made some improvements to information security in the past couple of years, the latest report highlights “a number of high-profile security lapses,” GAO noted. Source:

Reuters reports the U.S. Securities and Exchange Commission (SEC) charged two companies, Mantria and Speed of Wealth, and four individuals with running a $30 million Ponzi scheme that targeted elderly investors and people nearing retirement who were seeking environmentally friendly investments. (See item 14 in the Banking and Finance Sector below)


Banking and Finance Sector

11. November 17, CNBC – (National) Financial fraud task force to be announced. The Treasury Department, Justice Department, Department of Housing and Urban Development (HUD) and the Securities and Exchange Commission (SEC) plan to form a taskforce to devote more resources to discovering and punishing those who commit financial fraud, NBC News has learned. The task force will focus particularly on fraud in the housing and securities industries, officials said on November 16. A government announcement about the program is expected around noon, New York time. The Attorney General, Treasury Secretary, HUD Secretary and the director of enforcement at the SEC will speak from the Justice Department. No enforcement actions will be announced, but the purpose of the task force will be explained, officials said. Source:

12. November 16, IDG News Services – (International) MasterCard to authenticate online transactions by phone. In the face of mounting threats from hackers, MasterCard said on November 16 it will use mobile phones to improve security for online transactions. The added layer of security comes from a one-time password that the user is asked to enter when approving a transaction. The password is either sent via an SMS (Short Message Service) or created by an application that runs on a smartphone or a phone that supports Java. The goal is to improve users’ protection against phishing and man-in-the-middle attacks, which are growing problems in the e-banking and e-commerce world, according to MasterCard. There is no fool-proof way to protect against these attacks, but the fact that the new passwords can be used only once limits the potential damage they could inflict, according to a senior business leader and head of chip product management at MasterCard. The first services to use the improved security will become available during the first half of next year, the business leader said. MasterCard is not building these systems itself, but will work with a number of partners. It has so far signed deals with three vendors, but is not ready to name them, according to the business leader. The use of mobile phones for payments and other related services is slowly gaining ground all over the world. MasterCard on November 16 also announced the Mobile Payments Gateway. It will, for example, let users pay, send and receive money and keep track of activities via alerts on their mobile phone, MasterCard said. Source:

13. November 16, CNET News – (National) Senate to disclose findings in Web ‘mystery charge’ probe. So-called mystery charges that have appeared on some of their customers’ credit card statements will come under scrutiny at a hearing held by the U.S. Senate Committee on Commerce, Science and Transportation. At the center of the federal probe are Webloyalty, Affinion, and Vertrue, companies that make “cash-back” and coupon offers to consumers and charge them monthly fees to enroll in their loyalty programs. The reason the government is involved is that for years, scores of online shoppers have asserted they were signed up for the programs without their consent. An example of this deceptive practice: An ad pops up just as the customer completes a transaction at an online retail site. It is packed with fine print and it’s not easy to see how to get past the page to complete the purchase. What is clear is that all it takes to move off the page is to enter an e-mail address. A shopper may think that entering an e-mail cannot hurt them and is not aware a marketer has their credit card information. But what those who enter their address are often unaware of is that they are authorizing the retail store to allow Webloyalty, Affinion, Vertrue, or other similar marketers to charge their credit cards. There are cases where a shopper does not discover the monthly charges on their credit card statement for months. Affinion, Webloyalty, and Vertrue have all denied any wrongdoing and argue that their services offer users savings and are valued by many subscribers. Source:

14. November 16, Reuters – (National) SEC files charges over “green” Ponzi Scheme. The U.S. Securities and Exchange Commission (SEC) charged four individuals and two companies with running a $30 million Ponzi scheme that targeted elderly investors and people nearing retirement who were seeking environmentally friendly investments. In a civil lawsuit filed on November 16 in Denver federal court, the SEC accused Mantria Corp of Bala Cynwyd, Pennsylvania and its principals of raising $122 million from more than 300 investors nationwide in a dozen fraudulent securities offerings. The SEC said Mantria enlisted Speed of Wealth LLC, a Centennial, Colorado firm and its owners, to encourage investors to liquidate retirement plans and home equity, and buy securities offering returns of 17 percent to “hundreds of percent” annually. It said the owners of Speed of Wealth encouraged victims through seminars, the Internet and phone calls “to move at the speed of wealth” to invest in Mantria’s securities, receiving a 12.5 percent commission for their efforts. According to the SEC, Mantria purported to use the securities to finance such projects as a “carbon negative” housing community in rural Tennessee, and production of “biochar,” a charcoal substitute made from organic waste. Instead, it said Mantria overstated its own investment success, and used much of the proceeds from new investments to repay earlier investors. The SEC charged Mantria, Speed of Wealth, and the four individuals with fraud and the sale of unregistered securities. It is seeking the return of illegal profits, civil fines, and a freezing of the defendants’ assets. Source:

Information Technology

36. November 17, Network World – (International) Are nations paying criminals for botnet attacks? Nations that want to disrupt their enemies’ banking, media and government resources can simply order botnet attack services from cybercriminals. McAfee’s new report, “Virtually Here: The Age of Cyber Warfare,” draws from the opinions of about 20 experts, including a former deputy director of the U.S. National Security Agency. There have been several larger denial-of-service attacks over the past few years that raised suspicions about whether they were initiated by nations in conflict against their adversaries. Such incidents include cyberattacks that hit Estonia and Georgia, which some viewed as traceable to Russia. More recently, many were tempted to blame North Korea for this year’s July 4th cyberattacks on South Korea and U.S. resources. The McAfee report, prepared by an analyst at Good Harbor Consulting, presents the opinions of diplomats, researchers and others about the nature of cyberattacks that seem concentrated on a specific country but where it’s hard, if not impossible, to determine whether or not another nation-state initiated the attack. One reason it may be hard to tell is simply because a nation state may go to the criminal underground to secretly pay for a massive botnet attack against its enemy. In this case, it is conceivable that the criminals themselves would not fully understand what they are being asked to do since the request and payment of botnet attack services are typically carried out as anonymously as possible, says the vice president of threat research at McAfee. Source:

37. November 16, Register – (International) DNSSec update deadline penciled in for 2011. VeriSign announced plans on November 16 to roll out the DNSSec security standard for the web’s .com and .net Top Level Domain Names (TLDs) by the first quarter of 2011. Short for Domain Name System Security Extensions Protocol, DNSSec is designed to guard against “man in the middle” and cache poisoning attacks that create a means for hackers to hijack web browsing sessions. DNSSec adds digital signatures to domain name requests, thus making the system more secure. The technology has existed for more than a decade but it was only after a researcher discovered a block-buster DNS flaw last year that anybody started paying serious attention to architectural shortcomings that have plagued the net’s domain name system since its very beginning. A decision by the U.S. government to move .gov domains from vanilla DNS to the more secure DNSSec last year began the long-awaited migration process, which has finally begun to get moving after years of technical and bureaucratic problems. VeriSign has begun working with EDUCAUSE, the association for information technology in higher education, and the Department of Commerce to deploy DNSSec within the .edu TLD. Lessons learned from this process will be applied to the bigger job of introducing DNSSec to the .net and .com domains over the next 18 months or so. Source:

38. November 16, DarkReading – (International) Most security products don’t initially work as intended, study says. Nearly 80 percent of security products fail to perform as intended when first tested — and most require two or more cycles of testing before achieving certification, according to a new report from ICSA Labs, which performs security product testing. The ICSA Labs Product Assurance Report — a first-of-its-kind study co-authored by ICSA and the Verizon Business Data Breach Investigations Report research team — offers insights from ICSA’s tests of thousands of security products from the past 20 years. According to the report, the main reason why a security product fails during initial testing is that it does not adequately perform as intended. Across seven product categories, core product functionality accounted for 78 percent of initial test failures — for example, an antivirus product failing to prevent infection or an intrusion prevention system product failing to filter malicious traffic. The failure of a security product to completely and accurately log data was the second most common reason for test failure, according to the report. Fifty-eight percent of failures were attributed to incomplete or inaccurate logging of who did what — and when, ICSA said. The report findings suggest some vendors and enterprise users consider logging a nuisance. According to the report, logging is a particular challenge for firewalls. Almost every network firewall (97 percent) or Web application firewall (80 percent) tested by ICSA experienced at least one logging problem. The third most significant reason for test failure was inherent security problems in the products themselves, including vulnerabilities that compromise the confidentiality or integrity of the system, ICSA said. The product categories studied were antivirus, network firewall, Web application firewall, network IPS, IPSec VPN, SSL VPN, and custom testing. Source:

39. November 16, Albany Legislative Gazette – (National) NY gets $3M. to help stop cyber attacks. New York state has secured $3 million in federal funding to help protect state and local government computer networks against cyber attacks. The funding is part of the 2010 Department of Homeland Security Appropriations Act, which the President signed on October 28. The $3 million will facilitate New York’s cyber security efforts through the Multi-State Information Sharing and Analysis Center, which is operated by the state Office of Cyber Security and Critical Infrastructure Coordination. The federal appropriation will also enable the organization to make program enhancements such as real-time threat detection and prevention for more state, local, and territorial governments. The center is focused on cyber threat prevention, protection and response and recovery for state, local and territorial governments across the country and serves as a lookout for cyber security threats. It now oversees all Los Angeles airports as well. It looks for threats to governments around the country by identifying both the causes and vulnerabilities. “Most people don’t see this,” said the director of the Office of Cyber Security and Critical Infrastructure Coordination. “Other than weapons of mass destruction, cyber security is of the most concern.” Cyber terrorists and thieves could conceivably take control of the electric grid or steal from banks, agencies or individuals, he said. They could also, for example, get control of flood gates for dams, which could cause as much damage as a bomb. He said he does not know exactly when the money will be administered but said it will be distributed to state and local governments and used to beef up monitoring when it arrives. “We are it for the country right now,” said the director. “This is real. We’re being attacked every day.” Source:

For more stories, see items 12, 32, 33, and 35 in the full report

Communications Sector

40. November 17, Product Reviews News – (International) BlackBerry Outage: Internet service hit again. We have heard reports that BlackBerry users have been suffering from another internet outage, mainly the BlackBerry Internet Service (BIS), which is possibly affecting customers all around the world. Around 75-80% of BlackBerry users have been affected by the problem, and it is not just targeting specific carriers either. Source:

41. November 16, Christian Science Monitor – (National) ATT net service halted by cut fiber cable. Access to AT&T’s webmail was interrupted Monday morning because a fiber optic cable was disabled. The service was working again by 10:15 a.m. E.S.T. “Due to a fiber cut, access to was temporarily impacted earlier this morning,” a company spokesman wrote in an e-mail. “Access to the site has been restored.” The outage cut off users from their AT&T Web-based e-mail and other services for several hours. Some AT&T users reported difficulties last night as well, according to a news report. Source:

For another story, see item 20 in the full report