Department of Homeland Security Daily Open Source Infrastructure Report

Monday, November 23, 2009

Complete DHS Daily Report for November 23, 2009


Top Stories

 According to Wired, a health insurer lost 1.5 million patient records last May but waited six months to disclose the incident. The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data. (See item 16)


16. November 19, Wired – (Connecticut) Health insurer loses 1.5 million patient records. A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident. The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians. Health Net discovered the loss in May but never informed patients, law enforcement or government entities, despite data breach laws in some states that require data spillers to notify victims and state officials when residents are affected by a breach. The insurer finally sent a letter to Connecticut’s attorney general and the state’s Department of Insurance this week. Health Net claimed it took six months to determine what data was on the missing disk. It said that data on the disk was compressed and stored in an image format that required special software to view, which was available only to Health Net. Source: http://www.wired.com/threatlevel/2009/11/healthnet


 According to IDG News Services, a Seattle computer security consultant says he has developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack. (See item 25 in the Information Technology Sector below)


Details

Banking and Finance Sector

9. November 20, Empire State News – (National) Former investment company owner pleads guilty to laundering proceeds of mortgage fraud. A 35-year-old of Albany pled guilty in United States District Court in Albany to a one-count information charging him with the felony offense of laundering of monetary instruments in connection with his role in an extensive mortgage fraud scheme that defrauded financial institutions and other mortgage lenders of over $5.3 million in loans. In court November 19, the guilty party admitted his participation in a mortgage fraud scheme that occurred from at least July 2003 through December 2007, in connection with his former businesses PB Enterprises, Inc., and Greater Atlantic Associates, Inc., located on Central Avenue in Albany. He admitted that, together with others, he knowingly and willfully executed a scheme to defraud banks and other mortgage lenders by arranging to secure excessive mortgages for numerous residential properties in the Capital District through the use of fraudulent loan applications and settlement statements, and by diverting mortgage funds for his personal use, and to others. Source: http://www.empirestatenews.net/News/20091120-6.html


Information Technology


25. November 20, IDG News Services – (International) Security pro says new SSL attack can hit many sites. A Seattle computer security consultant says he has developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack. The CEO of Leviathan Security Group says his “generic” proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off — the hacker would first have to pull off a man-in-the-middle attack, running code that compromises the victim’s network — it could have devastating consequences. The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug’s discoverers at PhoneFactor says he’s seen a demonstration of Heidt’s attack, and he’s convinced it could work. “He did show it to me and it’s the real deal,” he said. The SSL Authentication flaw gives the attacker a way to change data being sent to the SSL server, but there’s still no way to read the information coming back. The CEO sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. He then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by the CEO’s computer before they are sent to the victim. Source: http://www.computerworld.com/s/article/9141206/Security_pro_says_new_SSL_attack_can_hit_many_sites


26. November 20, The Register – (International) IE8 bug makes ‘safe’ sites unsafe. The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said. Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that’s designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a “significant flaw” in the IE 8 feature but declined to provide specifics. It’s not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. A senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site. Source: http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/


27. November 20, The Register – (International) MS discovers flaw in Google plug-in for IE. Microsoft has helped discover a flaw in the Google Chrome Frame plug-in for Internet Explorer users. The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond [a Microsoft campus] warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in. Successfully exploiting the flaw creates a means for hackers to bypass security controls, though not to go all the way and drop malware onto vulnerable systems. Microsoft and a security researcher are jointly credited with discovering the vulnerability in Google’s browser add-on. Google acknowledged the flaw and urged users to update to version 4.0.245.1 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google’s security advisory. Source: http://www.theregister.co.uk/2009/11/20/google_plug_in_bug/


28. November 19, Reuters – (International) Chinese military web site target of cyberattacks. A Web site set up by China’s Ministry of Defense this summer was hit by more than 230 million hacker attacks in its first month of operation, but none of the attacks were successful, state media reported on November 19. The China Daily report could not be independently confirmed. If true, that would equate to more than 5,000 attacks per minute. The web site editor told the English-language daily the site had been popular with less malign visitors as well, drawing 1.25 billion visits in the three months since its August 20 launch. Cyber attacks to steal information or disrupt operations are a growing concern for the world’s militaries as technology takes on an ever-increasing role. Source: http://www.msnbc.msn.com/id/34042775/ns/technology_and_science-security/


29. November 19, SCMagazine – (National) House committee passes cyber R and D, standards bill. Two draft bills intended to improve the security of cyberspace were combined into one piece of legislation that was passed Wednesday by the House Committee on Science and Technology. The Cybersecurity Enhancement Act of 2009 would support cybersecurity research and development and advance the creation of international cybersecurity standards. “[This legislation] is based on the concept that in order to improve the security of our networked systems, which are fundamentally both public and private in nature, the federal government must work in concert with the private sector,” the chairman of the House Committee on Science and Technology said in his opening statement on November 18. The legislation is a combination of two draft bills that were recently approved by House subcommittees. It incorporates the draft bill Cybersecurity Coordination and Awareness Act, approved in early November by the House Subcommittee on Technology and Innovation, to require the National Institute of Standards and Technology (NIST) to facilitate U.S. involvement in the creation of international cybersecurity standards. The legislation also includes the Cybersecurity Research and Development Amendments Act of 2009, approved in late September by the Research and Science Education Subcommittee, to require federal agencies to submit a long-term research-and-development plan detailing objectives of the initiative and the funding needed to carry it out. Source: http://www.scmagazineus.com/house-committee-passes-cyber-rd-standards-bill/article/158110/


Communications Sector

30. November 19, ComputerWorld – (National) FAA glitch shines spotlight on troubled telco project. The outage of a computer system used by airline pilots to file flight plans in the U.S. will likely prompt a closer look at a $2.4 billion telecommunications system that has grappled with numerous problems in the past. The U.S. Federal Aviation Administration (FAA) offered few details Thursday about the exact nature of the glitch, which caused major delays and flight cancellations in airports across the country. But in a statement, the agency blamed a “software configuration problem” within the FAA Telecommunications Infrastructure (FTI) in Salt Lake City. That problem brought down a system used mainly for traffic flow and flight planning services for about four hours this morning. The flight management system — it’s called the National Airspace Data Interchange Network (NADIN) — was affected because it relies on FTI services to operate, the FAA said. There was no indication that the disruption was the result of a cyberattack, the FAA said. FAA experts were investigating the outage and meeting with Harris Corp., the company that manages FTI, to “discuss system corrections to prevent similar outages,” the agency said. Source: http://www.computerworld.com/s/article/9141195/FAA_glitch_shines_spotlight_on_troubled_telco_project


31. November 17, Periscope IT – (National) Fibre-optic cable cut causes website outage. Thousands of internet users in the United States have been affected by an internet outage, according to reports. Problems were experienced with the ATT.Net homepage on November 16, preventing both webmail and homepage access. After initially failing to comment, a spokesperson for major US telecoms firm AT&T confirmed that an outage was triggered at around 02:30 local time when a fibre-optic cable was cut. Source: http://www.periscopeit.co.uk/website-monitoring-news/article/fibre-optic-cable-cut-causes-website-outage/544