Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, December 2, 2009


Top Stories

 The U.S. Nuclear Regulatory Commission announced that it is conducting a special inspection at the Diablo Canyon nuclear plant in California in order to determine how two switches were misaligned, potentially impairing operators’ ability to respond in the event of a severe accident. (See item 4)

4. November 30, U.S. Nuclear Regulatory Commission – (California) NRC conducting special inspection at Diablo Canyon nuclear plant. The U.S. Nuclear Regulatory Commission is conducting a special inspection at the Diablo Canyon nuclear plant in order to determine how two switches were misaligned, potentially impairing operators’ ability to respond in the event of a severe accident. On October 23, during a maintenance procedure, workers discovered that a set of switches that are intended to allow control room operators to remotely open cooling water valves were misaligned. The valves are part of a system that would collect water from the floor of the containment building for recirculation to cool the reactor during some severe accidents. If the valves could not be opened remotely, operators would be required to manually open them or use a different system to provide cooling water for the reactor. “This problem did not endanger public health or safety because operators would have been able to take compensatory actions in the event of a severe accident,” said the Region IV Administrator. “But we want a better understanding of why this occurred and the potential impact of this problem.” Source:

 WFAA 8 Dallas-Fort Worth reports that a section of the Trinity River levee in Texas has collapsed, raising new concerns about the integrity of the system that shields Dallas from flood waters. (See item 44)

44. December 1, WFAA 8 Dallas-Fort Worth – (Texas) Collapse raises concerns about Trinity levee integrity. A section of the Trinity River levee in Texas has collapsed, and that is raising new concerns about the integrity of the system that shields the city from flood waters. The collapse is just off Interstate 35E at Regal Row. City of Dallas officials say that unlike most levee collapses they see, this one was caused by a water leak. A Dallas Water Utilities water line runs across the top of the Trinity River levee where the collapse occurred; a slow leak caused the erosion leading to the damage. “This is a unique situation, obviously,” said a spokesperson from Trinity Watershed Management. “You’ve got a water line that’s running near the levee, and so you’ve got a leak, and that’s pretty unique and rare.” Earlier this year, the U.S. Army Corps of Engineers gave the city a failing grade on an important inspection, halting work on key elements of the city’s largest-ever public works project. The Corps has concerns about trees planted along the Trinity River toll road, worries about overgrown vegetation, and fears that the soil composition could spell disaster. “I know that they have concerns about the utility crossings in the levees, and so I know Water Utilities has a pretty aggressive inspection program,” the spokesperson said. “I think this line was probably tested back in 2007-2008, but since then it has developed a leak.” City officials say this is the third levee collapse in recent weeks. There are two others in the upper west levees, blamed on wet weather that saturated the ground. Rain in the forecast could delay efforts by workers to shore up the levee breaches. Source:


Banking and Finance Sector

10. December 1, Coloradoan – (Colorado) Defunct credit union, BBB being used in scams. Two new scams circulating through Northern Colorado invoke the name of a defunct credit union and the agency designed to help protect consumers from fraud. A phishing scam being texted to cell phones reports recipients’ accounts at Norlarco Credit Union have been restricted and instructs them to call a toll-free number. Norlarco, formerly Larimer County’s largest credit union, was seized by federal regulators almost two years ago after amassing millions in bad debt, mostly related to the Florida real estate market. Its assets were eventually acquired by Public Service Credit Union in Denver. The scam asks callers to enter their debit or credit card numbers, expiration date and PIN to unlock the account. On Monday, a recording on the toll-free number said the destination was unavailable. Public Service Credit Union said on its Web site that several members reported getting the text message. “Do not call this number or respond in any way to this message. Delete it immediately. It is a scam,” the credit union cautions. Also, the BBB recently found itself the subject of a scam that offered a $1,000 gift card for $149.95 at the Web site Source:

11. November 30, Web CPA – (California) Court bars developer of 90% loan tax scheme. A federal judge in San Francisco has signed a permanent injunction order barring the developer of a complex tax scheme involving numerous entities located around the globe and sales of over $1.25 billion in securities from promoting the scheme. The Judge of the U.S. District Court for the Northern District of California entered the injunction against the defendant of Tuxedo Park, New York, after he advised the court on the first day of trial that he would not refute the government’s evidence. The record indicated that the defendant, a Ph.D. economist, developed a scheme called the “90% Loan Program” and promoted it throughout the United States through companies he controlled, including Derivium Capital LLC and Derivium USA. The 90% Loan Program falsely claimed that customers could exchange their appreciated stock for loan payments equal to 90 percent of the stocks’ value without paying income tax on their capital gains. It also purported to allow the tax-free return of those customers’ stocks at maturity if the customers repaid the “loans.” However, prosecutors contended that customers’ stocks were sold immediately, with 90 percent of the sale proceeds going to make the purported “loans” to the customers, and the other 10 percent being retained by the promoters. The defendant allegedly sold more than $1.25 billion worth of customers’ stock in some 3,100 transactions, leaving more than $100 million for himself and the other promoters after payment of 90 percent of the sale proceeds to customers as purported loans. The government complaint in the case alleged that the scheme cost the U.S. Treasury an estimated $230 million or more. Source:

12. November 29, KLEW 3 Lewiston – (Idaho) Scam targets credit union members. The Idaho Credit Union League (ICUL) is warning about a text message scam. According to a news release from the group, earlier this week several credit unions reported that their members and non-members had received text messages requesting them to send their account information because “restrictions have been discovered/placed on your account.” These text messages appear to have originated from the credit union’s phone number and web address, but in fact are fraudulent. The Idaho Credit Union League said they do not contact members through text messages. Source:

13. November 27, WJZ 13 Baltimore – (Maryland; Virginia) State police investigate ATM fraud. Thieves are targeting ATMs using customers’ information to withdraw thousands of dollars. Police say it most recently happened to 100 people in Carroll County. Maryland State Police say two photographed men are ATM skimmers, possibly stealing $30,000 from Bank of America customers in Eldersburg. Last week bank employees contacted police after customers notified them of fraud. “Once an ATM skimmer is placed on a machine, it reads people’s data as they put their cards in to make their transaction,” said a trooper with the Maryland State Police. Police say the suspect would then come back, take the device off, make his own ATM cards with their information on it and withdraw money. Police have since removed the skimmer from the Eldersburg bank, but say there could be more. They know of other incidents at various other banks in Maryland and Northern Virginia. Source:

Information Technology

38. December 1, The Register – (International) FreeBSD bug gives untrusted root access. A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher said on December 1. The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2 of the open-source OS, the researcher told The Register. He said it was “unbelievably simple” to exploit. Shortly after he disclosed the flaw on the Full Disclosure mailing list, other researchers said they were able to confirm the bug. A FreeBSD security officer said the Full Disclosure post was the first his team had heard of the reported vulnerability. The team is currently investigating. The bug resides in FreeBSD’s run-time link editor. A binary run by an unprivileged user can be executed with administrative privileges in a restricted environment, the researcher said. That allows the user to obtain root access to the system. All that’s required to run the exploit code, which the researcher included in his post, is a command shell. To exploit the bug, hackers would need local access to the vulnerable machine. To use the attack code remotely, it’s conceivable it could be used in concert with another vulnerability, such as one residing in a web application running on the box. The researcher speculated a fix would be coming shortly. Source:

39. November 30, – (International) Malware can be hidden in English language text, say US scientists. A team of US security researchers has engineered a way of hiding malware in sentences that read like English language spam. The work is a breakthrough because current network security techniques work on the assumption that the code used in code-injection attacks, where it is delivered and run on victims’ computers, has a different structure to non-executable plain data, such as English prose. One of the researchers of Johns Hopkins University, Baltimore, said the team wanted to broaden its understanding of how malicious code could be deployed, and highlight the need to design more efficient techniques for preventing this kind of attack altogether. An expert in security and cryptology at University College London said the work was an important paper in virusology, challenging an assumption that code has a different structure to non-executable plain data. He said malware deployed in this way would be “hard, if not impossible, to detect reliably.” The research is a proof of concept, but the researcher from Johns Hopkins doubts any hackers are currently using the English language disguise technique for their code. “I’d be astounded if anyone is using this method in the real world owing to the amount of engineering it took to pull off,” he said. “A lot of people didn’t think it could be done.” The expert from London says the paper has significant implications for technology companies, and argued that companies such as Intel should redesign their instruction set to make this kind of attack easier to detect. Source:

40. November 30, DarkReading – (International) Heap Spraying: attackers’ latest weapon of choice. Computer security has been described as a game of one-upmanship, an ongoing escalation of techniques as both sides attempt to find new ways to assault and protect system vulnerabilities. The most prevalent forms of incursion over the last decade have been aimed at computer memory — and of these, the newest, most popular weapon of choice for attackers is a technique known as “heap spraying.” Heap spraying works by allocating multiple objects containing the attacker’s exploit code in the program’s heap, the area of memory used for dynamic memory allocation. Many recent high-profile attacks, such as an Internet Explorer exploit in December 2008 and one of Adobe Reader in February 2009, were examples of heap spraying. The goal of any attack is to get the targeted computer to run exploit code supplied by the attacker. To achieve this, two things must happen: The code must end up on the computer, and the computer must run that code. The earliest type of memory exploit took advantage of buffer-stack overflows. Attackers found ways to overwrite a buffer on the stack and used that vulnerability to change or insert program code to make the program jump to instructions provided by the attacker. Stack-overflow attacks diminished in effectiveness as programming languages evolved to prevent buffer overflows. Memory exploits then focused on heap-based overflows, in which, instead of placing instructions on the stack, attackers found ways to insert them into the program’s heap. Nowadays, heap-based exploits are more difficult to achieve. Operating systems such as Windows Vista use a technique called “address space layout randomization,” in which the base address of the code, the heap, and the stack change each time the program runs. This prevents attackers from reliably predicting target addresses for code locations, and if there is one copy of the exploit code in a large heap, it’s akin to finding the proverbial needle in a haystack. Heap spraying circumvents this challenge by allocating, or “spraying,” multiple copies of exploit code to increase the odds of finding a copy in the heap. The attacker can allocate hundreds of thousands of copies of exploit code into the heap. All that’s needed is for one random program jump to land on one copy of such code, and a successful attack begins. Source:

41. November 30, ComputerWorld – (International) Scammers get better tools for tapping social networks. New tools capable of quickly finding, gathering and correlating information about individuals from social networking sites and other public sources are giving online scammers a powerful new weapon, say security researchers. The tools allow potential attackers to build detailed profiles of individuals by finding and piecing together bits and pieces of information about them scattered on social sites and other public forums. The information can then be used in highly targeted, “spear-phishing” scams and other attacks against individuals and enterprises, they said. Two companies providing such tools are Core Security Technologies Inc., with its Exomind application, and Paterva, with its Maltego product. Exomind is designed to find, combine and correlate information on individuals and groups of individuals from across multiple social networking sites. It can be used to build a concise portrait of an individual and to identify key relationships with others on social networks and in the real world, said the head of CoreLabs, the R&D unit of Core Security. Paterva describes Maltego as an open source intelligence and forensics application that can import and correlate data from almost any publicly available online source, including social networks, search engines and PGP key databases. A community edition of the tool also can be downloaded. The application can be used to determine relationships and real-world connections between people, groups of people such as those in a social network, companies and Web sites. It can also be used to find links between domains.

Communications Sector

42. November 30, Columbia Daily Tribune – (Kentucky) Wire theft disrupts telephone service. The theft of hundreds of feet of copper wire resulted in problems with Internet and phone lines, according to a Boone County Sheriff’s Department news release. CenturyLink fielded complaints this morning from residents about phone service. Crews found a 200-foot section of wire had been removed from the service line. The copper wiring was removed from between two telephone poles in a wooded area between Brock Rodgers Road and Gans Road sometime between midnight and 5:30 a.m. today. The estimated cost to restore telephone service is $15,000. A public affairs manager for CenturyLink said that while there were some outages, it affected “a very minimal amount of customers” and that CenturyLink anticipated having service restored quickly. In late September, about 200 customers in north Columbia lost service after the theft of two 100-foot transmission cables from utility poles. Copper wiring can be a source of quick cash to thieves who sell the stolen goods as scrap metal. Source: