Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, November 25, 2009

Top Stories

 According to the San Francisco Examiner, water officials are rushing to repair a massive, out-of-service pipe, one of the two that carry drinking water into a city reservoir, to ensure the eastern half of San Francisco continues to have clean water. (See item 18)

18. November 24, San Francisco Examiner – (California) Half of the city in danger of losing water. Water officials are rushing to repair a massive pipe to ensure the eastern half of San Francisco continues to have clean water. With one of the two pipes that carry drinking water into a reservoir out of service, the San Francisco Public Utilities Commission, which handles water distribution, is rushing to make the repairs, lest anything damage the second pipe. Joints between steel pipes laid in recent decades inside a tunnel 40 feet underground were found to be corroded late last month after leaking water flooded Tioga Avenue in the Visitacion Valley neighborhood. The corroded, 36-inch pipe, called Crystal Springs 1, is one of two built to carry Hetch Hetchy Valley snowmelt north from the Crystal Springs Reservoir on the Peninsula into the University Mound Reservoir in San Francisco. The water is then stored and distributed to the eastern half of the city, including downtown. All the water that had been carried by the pipe is now being fed through Crystal Springs 2, a 60-inch pipe that runs roughly parallel to the older pipe. It is not known when Crystal Springs 1 began leaking, but 2,200 feet of piping was shut down after the leaks were detected last month, preventing any water from flowing through. If Crystal Springs 2 fails because of old age or due to an earthquake before Crystal Springs 1 is repaired, the University Mound Reservoir could run dry within two days, according to the Public Utilities Commission water manager. The reservoir is one of two major ones in the city. If such a scenario unfolds, utility workers would have to frantically attempt to reroute the water network to continue providing water for eastern and downtown San Francisco. “If [Crystal Springs] 2 went out for some reason, we would really be hard-pressed to deliver water,” the water manager said. “Our plumbers would have to work miracles.” The Public Utilities Commission is not equipped to repair the corroded pipe, agency documents show. Repair work by A. Ruiz Construction is expected to last until the end of December, agency documents show. Source:

 The Register reported that a bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said. (See item 28 in the Information Technology Sector below)


Banking and Finance Sector

9. November 24, CNN – (National) Bank ‘problem’ list climbs to 552. Despite the frenetic pace of bank failures this year, 552 banks are still at risk of going under, according to a government report published Tuesday. The Federal Deposit Insurance Corp. (FDIC) said that the number of lenders on its so-called problem list climbed to its highest level since the end of 1993. At that time, the agency red-flagged 575 banks. Mounting bank failures have proven costly for the FDIC, an agency created to cover the deposits of consumers and businesses in the event that a bank is shut down. On Tuesday, the agency revealed its deposit insurance fund slipped into the red for the first time since 1991. At the end of the quarter on September 30, the value of the fund was $8.2 billion in the hole. But that number accounts for $21.7 billion the agency has set aside in anticipation of future bank failures. The ongoing recession has already claimed 124 banks this year. But fears persist that the number will multiply in coming years because banks are still taking losses on mortgage-related loans and face growing problems with commercial real estate. The banks that end up on the problem list are considered the most likely to fail because of difficulties with their finances, operations or management. Still, history has shown just 13% of banks on the list have failed on average. Source:

10. November 23, WFAA 8 Dallas-Fort Worth – (National) Electronic pickpocketing threatens credit cards, passports. Thousands of travelers and consumers can fall victim to electronic pickpocketing and never even know it because they carry new credit cards and U.S. passports. Credit card issuers, along with the U.S. State Department, have begun installing radio frequency identification (RFID) chips in credit cards and passports because the technology holds more data than magnetic stripes and can be read more quickly. But that convenience, experts warn, can also put people at risk of having their information taken. RFID chips are commonly found in cards used to raise gates in parking garages and unlock doors at businesses. All one has to do is swipe the card in front of a reader. Within the last few years, that same technology has been introduced to credit cards and U.S. passports, potentially putting holders at risk. It does not matter if the cards are kept in a wallet or a purse since they can transmit through them when prompted by an RFID reader; such readers are for sale on eBay. Using free software, hackers using an RFID reader can easily obtain account numbers and expiration dates simply by placing the reader within a few inches of the card. The only credit cards that are vulnerable are those that allow users to tap or pass a reader to pay rather than swiping. Some might also have a symbol on them that indicates they transmit. Source:

11. November 23, DarkReading – (International) Employees willing to steal data; companies on the alert. Employees know it is illegal to steal company data, but they are prepared to do it anyway. Companies know their employees are a chief threat to their data, but most are not doing much about it. These are the takeaways from two separate studies published today by security vendors Cyber-Ark and Actimize. Taken together, the studies paint a sobering picture of the state of trust and security within the corporate walls. In its study, Cyber-Ark surveyed some 600 workers in the financial districts of New York and London and found that most workers are not shy about taking work home — and keeping it for their own use. Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they already have taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job. Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them, Cyber-Ark says. Thirty-nine percent of people would download company/competitive information if they got wind that their job were at risk. A quarter of workers said the recession has made them feel less loyal toward their employers. Of those who plan to take competitive or sensitive corporate data, 64 percent said they would do so “just in case” the data might prove useful or advantageous in the future. Twenty-seven percent said they would use the data to negotiate their new position, while 20 percent plan to use it as a tool in their new job. Customer and contact lists were the top priority for employees to steal, registering 29 percent of the respondents. Plans and proposals were next (18 percent), with product information bringing up the rear (11 percent). Thirteen percent of savvy thieves said they would take access and password codes so they could get into the network once they have left the company and continue downloading information and accessing data. Source:

Information Technology

27. November 24, IDG News Services – (International) Microsoft issues security advisory on IE vulnerability. Microsoft on November 23 issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer. Earlier in the day, the company said it was investigating the incident, which emerged over the weekend when someone published the exploit code to the Bugtraq mailing list. By Monday night, Microsoft switched gears and issued the advisory. There have not been any active exploits of the vulnerability reported so far. Microsoft released Security Advisory 977981, which includes workarounds for an issue that exposes a flaw in Cascading Style Sheets that could allow for remote code execution. Vulnerabilities that allow remote-code execution generally result in patches rated as critical by Microsoft. The advisory confirmed the vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said users running IE 7 on Vista can configure the browser to run in Protected Mode to limit the impact of the vulnerability. It also recommended setting the Internet zone security setting to “High” to protect against the exploit. The “High” setting will disable JavaScript, which currently is the only confirmed attack mode. Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected. For an attack to work, the hacker would first have to get his victim to visit a Web site that hosted the exploit code. This could be a malicious Web site set up by the hacker himself or it could be a site that allows users to upload content. Another way cyber criminals have launched this type of attack, however, is by hacking into legitimate Web sites. Earlier this week, for example, citizen’s band radio vendor Cobra Electronics disclosed that it had been hacked in June, most likely by a professional hacker who had used the site to download malware to customers. Source:

28. November 23, The Register – (International) IE bug leaks private details from 50m PDF files. A bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said. The documents stored in Adobe’s PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches. Google searches such as this one expose almost four million documents residing on users’ C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used. “If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used,” he told The Register. “That actually invades the privacy of a user.” The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn’t always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines. This PDF, for example, was stored at C:\Program Files\Wids7\WizardReport.htm at time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential. The only way to remove the path is to erase the text in an editor and save the document. Source:
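A publishing-side check for the leak described in item 28, as an added example that is not part of the original report: it scans a PDF's raw bytes, plus any Flate-compressed streams it can inflate, for local drive paths before the file goes online. The sample document is constructed (it embeds the path quoted above); the function names and the `jdoe` account are hypothetical, and paths are assumed to be stored as single-byte text.

```python
import re
import zlib

# Drive-letter paths (single or PDF-escaped double backslashes, or forward
# slashes), optionally written as file:/// URLs. The lookbehind keeps
# "http://" and similar schemes from matching as a drive letter.
LOCAL_PATH = re.compile(
    rb'(?<![A-Za-z0-9])(?:file:///)?[A-Za-z]:[\\/]+[^\x00-\x1f<>()"|?*]{1,200}')
# Profile directories expose the Windows login name.
PROFILE = re.compile(r'(?:Documents and Settings|Users)[\\/]+([^\\/]+)[\\/]')
STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)

def searchable_bytes(pdf_bytes):
    """Raw file bytes plus the inflated form of every Flate stream."""
    chunks = [pdf_bytes]
    for m in STREAM.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a stream clipped by the regex above
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or encrypted): raw bytes only
    return b"\n".join(chunks)

def find_local_paths(pdf_bytes):
    """Return [(path, login_name_or_None), ...] for embedded local paths."""
    findings = []
    for m in LOCAL_PATH.finditer(searchable_bytes(pdf_bytes)):
        path = m.group(0).decode("latin-1").replace("\\\\", "\\").rstrip()
        user = PROFILE.search(path)
        findings.append((path, user.group(1) if user else None))
    return findings

# Constructed sample: one path in an uncompressed string (the path quoted
# in the article), one inside a compressed content stream (hypothetical).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Title ("
    rb"C:\\Program Files\\Wids7\\WizardReport.htm" b") >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"BT (file:///C:/Users/jdoe/Desktop/report.htm) Tj ET")
    + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for path, user in find_local_paths(SAMPLE_PDF):
        print(path, "-> login name:", user)
```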

29. November 23, The Register – (International) Google hoodwinked into pushing Chrome OS scareware. Rogue anti-virus scammers have tainted search results for Chromium OS - the open source version of Google’s Chrome OS - in a bid to expose surfers hunting the web operating system to a fake anti-virus scan scam instead. Search terms such as “chromium os download” point to sites featuring scripts that redirect stray surfers towards scareware scam portals. These sites falsely report that users’ PCs are loaded with malware before pushing users to download a clean-up tool of little or no utility. The SecureKeeper utility offered through the scam uses a series of aggressive and misleading tricks to coerce people into paying $49.95 to purchase a licence, as explained in a blog post by security firm eSoft. Something very similar happened when Google released its Wave collaboration tool. In both cases, surfers are only redirected to scareware-punting portals in cases where they arrive at booby-trapped URLs via Google search results. Both the Google Wave and Chromium OS scams refer to a product or service that is not yet generally available, a factor that arguably increases the potency of scams. Both attacks (like many before them) rely on black hat Search Engine Optimisation techniques. Cybercrooks typically break into well-established sites and create webpages stuffed full with relevant keywords, cross-linked to other sites doctored using the same technique. The tactic is geared towards tricking search engines into pushing manipulated URLs higher up the search engine indexes for targeted terms. Source:

30. November 23, Wall Street Journal – (International) EarthLink says email service restored. EarthLink on Monday blamed a server migration for the outages that disrupted email service for its customers over the weekend but said the problem has been solved. Many EarthLink subscribers lost email access over the weekend due to a server migration. “Some EarthLink email customers experienced a delay in receiving emails over the weekend. This issue was associated with EarthLink’s migration of our MindSpring customers to a new EarthLink email server,” a spokeswoman for the Atlanta Internet-services provider said in a statement. “EarthLink has corrected the problem and we believe all delayed emails have been delivered to our customers.” Source:

Communications Sector

31. November 24, McClatchy – (Texas) TWTC fire in Dallas blamed for Sunday Internet out. A short-circuit and fire in Dallas is being blamed for a broadband outage Sunday night that left 7,314 Windstream customers in Kerrville and the surrounding Hill Country without Internet access for about 12 hours. A division vice president for Windstream, a telecommunications company providing Internet and telephone service, said the problem was with equipment for Time Warner Telecom. In order to provide broadband service to Kerrville, Windstream uses data transport lines operated by Time Warner Telecom that connect to a central hub in Dallas. He said he was informed by Time Warner Telecom that a short-circuit in the Time Warner Telecom equipment caused a “localized fire,” which caused an outage from around 3:50 p.m. Sunday until 4:10 a.m. Monday. The outage affected customers from Kerrville to the Harper area. Source: News/2676502/

For more stories, see item 30 above in the Information Technology Sector