Department of Homeland Security Daily Open Source Infrastructure Report

Friday, November 20, 2009

Complete DHS Daily Report for November 20, 2009

Daily Report

Top Stories

 MSNBC reports that a problem with the FAA system that collects airlines’ flight plans caused widespread flight cancellations and delays nationwide on November 19. It was the second time in 15 months that a glitch in the flight plan system caused delays. (See item 16)

16. November 19, MSNBC – (National) FAA computer glitch causes widespread delays. A problem with the FAA system that collects airlines’ flight plans caused widespread flight cancellations and delays nationwide Thursday. It was the second time in 15 months that a glitch in the flight plan system caused delays. An FAA spokeswoman said she doesn’t know how many flights are being affected or when the problem will be resolved. Another FAA spokesperson said the problem started between 5:15 a.m. and 5:30 a.m. EST. The outage is affecting mostly flight plans but also traffic management, such as ground stops and ground delays, he said. Regarding flight plans, airplane dispatchers are now sending plans to controllers and controllers in turn are entering them into computers manually, he said. “It’s slowing everything down. We don’t know yet what the impact on delays will be,” the spokesman said. An AirTran Airways spokesman said there’s no danger to flights in the air, and flights are still taking off and landing. However, another spokesman said flight plans are having to be loaded manually because of a malfunction with the automated system. “Everything is safe in the air,” he said. Hartsfield-Jackson Atlanta International Airport, the world’s busiest airport, has been particularly affected. AirTran had canceled 22 flights and dozens more flights were delayed as of 8 a.m. EST. Only minor delays were being reported at metropolitan New York City area airports, according to the Port Authority of New York and New Jersey. Source:

 According to CIO, the vice president of Research In Motion (RIM) explained that the production of more sophisticated smartphones, and the increase in the number of users, could allow the phones to become part of botnets to be used in DDoS attacks. (See item 32 in the Information Technology Sector)


Banking and Finance Sector

11. November 18, The Register – (National) Second-hand ATM trade opens up fraud risk. Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craigslist, according to an investigation by a U.S.-based security consultant. A security consultant to and personal ID theft expert, was able to buy an ATM machine through Craigslist for $750 from a bar in Boston. The previous owners hadn’t taken the trouble to clear out the data stored by the machines, making it possible for Siciliano to easily extract a log of hundreds of credit and debit card account numbers and transaction details. There are no regulations in the U.S. on who can own or operate an ATM, so the security consultant was able to make the purchase without any checks. He even managed to knock $250 off the asking price of $1,000. A manual supplied with the machine gave clear instructions on how to access the sensitive data it stored. Although the names and expiration dates of cards were not included in the logged data, there was still enough information to constitute a serious breach involving more than a thousand records. Most ATM machine operators are affiliated with reputable banks. However, there is very little to stop crooks from purchasing machines and setting them up with skimmers and cameras designed to capture PINs associated with particular cards. Source:

12. November 18, IDG News Services – (International) FTC: Online check-writing service not authenticating users. The U.S. Federal Trade Commission (FTC) has filed a civil contempt complaint against an online check-writing service, saying the company continues to allow customers to create and e-mail checks without verification of their identities. Even after a January court order requiring the principal owners of G7 Productivity Systems and the company to implement fraud prevention safeguards at online check-writing service, the defendants continue to operate a “nearly identical” operation at, the FTC said in a complaint filed with the U.S. District Court for the Southern District of California. The defendants are “engaged in business as usual” [at], even though the court in January issued an injunction and said their business model could help customers engage in fraud by stealing funds from unsuspecting people’s bank accounts, the FTC said. The FTC has asked the court to impose fines of $10,000 a day or send the defendants to prison, for their “utter disregard” of the January order. created and delivered checks without verifying that users had authority to access the accounts referenced on the checks, the FTC said. Fraudsters worldwide drew checks on the accounts of unwitting third parties and used the checks mainly for wire transfer schemes, the agency alleged. Source:

13. November 18, Bloomberg – (National) FDIC’s loan guarantees would be extended under Frank’s proposal. The Federal Deposit Insurance Corp.’s (FDIC) temporary loan guarantee program would be extended under a proposal in Congress aimed at offering regulators tools to stabilize the economy in the event of a future financial crisis. The House Financial Services Committee on November 18 approved an amendment, introduced by the chairman, to a systemic-risk bill giving the FDIC power to guarantee the debt of solvent banks and other financial institutions, modeled on the short-term program set up last year to spur lending. “It’s an extension of a program that worked fairly well,” the chairman, a Massachusetts Democrat, said during debate. The FDIC program “made a profit for the federal government.” The agency set up the Temporary Liquidity Guarantee Program to back senior unsecured bank debt and boost liquidity in the banking system. Financial companies borrowed more than $190 billion with FDIC-backing this year through September, according to data compiled by Bloomberg. The proposal lets the FDIC institute the program when a proposed systemic-risk council determines “a liquidity event” exists. The voluntary program would be funded by fees paid by the industry. Source:

14. November 18, Zanesville Times Recorder – (Ohio) Bomb threat called into bank. A bomb threat was called into the Community Bank on Maysville Pike around 12:50 p.m. on November 18. According to a police captain a single call came into the bank, and the bank immediately followed its emergency procedures. The Muskingum County Sheriff’s Office was notified and responded along with the Newton Township Fire Department and EMS, and the South Zanesville Fire Department. The captain said the bank was evacuated and an explosives K-9 unit was brought in to search the inside and outside of the bank. Nothing was found and there were no injuries reported. He said it remains under investigation. Source:

Information Technology

32. November 18, CIO – (International) BlackBerry security exec warns of smartphone DDoS attacks. The plethora of new smartphone users in the world means the potential for gain by hackers or other nefarious online individuals looking to crack smartphone security measures is drastically increasing. The more smartphone users, the more devices that could potentially be commandeered and used in various attacks. That means smartphone users are going to have to smarten up when it comes to mobile security awareness and be more vigilant in spotting and stopping potential problems before they happen. Research In Motion’s (RIM) vice president of BlackBerry security agrees, and he recently spoke with Reuters on the subject. The vice president told Reuters that he’s concerned compromised or “rogue” smartphones could be used in the future to target and bring down wireless carriers’ cellular networks via distributed-denial-of-service (DDoS) attacks. Traditional DDoS attacks occur when hackers take control of large groups of computers and then order them to all access one Web site or service at the same time, overloading servers and eventually crashing or disabling the site. RIM’s vice president warned that DDoS attacks could also be perpetrated on smartphone users, with wireless data packets being used to overload and disable carriers’ wireless networks. Reuters also spoke with Flexilis, a maker of mobile security software. The company’s Chief Technical Officer suggests that such an attack could start with users carelessly installing infected or tainted mobile applications. Source:

33. November 18, DarkReading – (National) FBI warns of spear phishing attacks on U.S. law firms and public relations firms. The FBI assesses with high confidence that hackers are using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests. Opening a message will not directly compromise the system or network because the malicious payload lies in the attachment or linked domain. Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing file and, through a variety of malicious processes, attempts to download another file. Source:

34. November 17, Wired – (National) Senate panel: 80 percent of cyber attacks preventable. If network administrators simply instituted proper configuration policies and conducted good network monitoring, about 80 percent of commonly known cyber attacks could be prevented, a Senate committee heard on November 17. The remark was made by the National Security Agency’s information assurance director, who added that simply adhering to already known best practices would sufficiently raise the security bar so that attackers would have to take more risks to breach a network, “thereby raising [their] risk of detection.” The Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security heard from a number of experts offering commentary on how the government should best tackle securing government and private-sector critical infrastructure networks. The president of the Internet Security Alliance told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data. As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said the president, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.” A 2009 PricewaterhouseCoopers study on global information security found that 47 percent of companies are reducing or deferring their information security budgets, despite the growing dangers of cyber incursions. Source:

For more stories, see items 25 and 26 below

25. November 18, Federal Computer Week – (National) Hospitals tighten security on patient data. More than half of the nation’s hospitals and health care providers surveyed intend to buy more cybersecurity tools to safeguard against breaches of electronic medical records as a result of requirements in the economic stimulus law, according to a new survey of 186 health care providers and associates. The stimulus law has a provision known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which took effect on September 23. It includes a broader definition of what patient health data must be protected against unauthorized release, increased penalties for violations and provides for aggressive enforcement. The law also requires providers to notify the Health and Human Services Department of all data breaches and to call media outlets if more than 500 residents in an area are affected. More than 90 percent of the survey respondents said their organizations have either changed, or plan to change, their policies and procedures to prevent and detect data breaches. More than 75 percent plan to do additional staff training against breaches, and 75 percent are revising their organization’s security policies and procedures. Forty-six percent said they would take all those steps. Source:

26. November 18, DarkReading – (National) Survey: Patient data at risk from healthcare partners. Companies that do business with healthcare providers, including accounting firms and offshore transcription vendors, are unprepared to meet data breach obligations included in new federal regulation, according to a survey released Tuesday. The survey by Healthcare Information and Management Systems Society (HIMSS) Analytics, commissioned by security vendor ID Experts, looked at preparedness for healthcare providers’ business partners, such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, and temporary office personnel providers. The survey gauged the readiness of companies to comply with the security provisions of the Health Information Technology for Economic and Clinical Health Act, a component of the U.S. American Recovery and Reinvestment Act of 2009. About a third of business associates were not aware they needed to comply with security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). By comparison, 87 percent of health providers are aware. Source:

Communications Sector

35. November 18, IDG News Service – (National) FCC identifies roadblocks to broadband adoption. Several factors, including the lack of a broadband subsidy program at the U.S. Federal Communications Commission (FCC), have contributed to gaps in broadband adoption in the U.S., a new report from an FCC task force said. Several “critical gaps” in the nation’s broadband efforts must be filled before all U.S. residents can get broadband, said the task force, which is working on a national broadband plan for the FCC. The task force report identified several often-mentioned factors for a lack of broadband adoption, including the cost of the service and a lack of deployment in some areas, but it also focused on some less obvious issues. The task force suggested that broadband deployment and adoption programs should be included in the FCC’s Universal Service Fund (USF) program, which subsidizes primarily telephone service for rural areas and low-income U.S. residents. Part of the fund, with an annual budget of about $7 billion, should be shifted to broadband, the task force said. In addition, the task force recommended that the FCC begin looking for additional wireless spectrum for mobile broadband. Freeing up new spectrum can take several years, and a handful of studies have predicted a spectrum shortage by the mid-2010s due to growth in subscribers and use of bandwidth-heavy applications, said the chief of the FCC’s Wireless Telecommunications Bureau. The task force report also suggested that video and a convergence between television sets and computers will drive the demand for broadband. Source: