Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, December 9, 2009

Complete DHS Daily Report for December 9, 2009

Daily Report

Top Stories

 WGN 9 Chicago reports that one person is dead and one is hurt after an explosion Monday at the NDK America plant in Belvidere, Illinois, which manufactures crystals used in liquid-crystal displays. (See item 9)

9. December 7, WGN 9 Chicago – (Illinois) 1 dead, 1 hurt after blast at Belvidere plant. A Belvidere factory designed to break apart during an explosion did just that Monday afternoon, but debris from the still unexplained blast killed a truck driver in the parking lot of a nearby Tollway Oasis. Investigators are still trying to discover what caused the explosion at the NDK America plant, 701 Crystal Parkway, which manufactures crystals used in liquid-crystal displays. They are also exploring whether other parts of the building could pose a danger. The Belvidere Fire Chief said the blast happened about 2:30 p.m., apparently in a highly pressurized vessel where crystals are made. He said the six-story factory, which has been there for about five years, was built with special exterior panels that are meant to break away during an explosion. One employee who was inside the building was unhurt by the blast, he said. But he said a piece of one of the exterior panels, several feet long, flew through the air before striking a man standing outside his vehicle on the north side of the Interstate 90 Tollway Belvidere Oasis. The distance appeared to be less than a quarter mile. The debris field left from the explosion spanned several hundred feet, he said. Some who lived near the factory said the blast felt like an earthquake. Source:

 According to U.S. News and World Report, TSA officials say that a “full review” is underway to determine how a 2008 copy of its standard operating procedures for all airport security checkpoints was released in its entirety on the Internet. The document was “improperly redacted,” TSA officials say. (See item 15)

15. December 7, U.S. News and World Report – (National) TSA to conduct full review after leak of sensitive information. TSA officials say that a “full review” is underway to determine how a 2008 copy of its standard operating procedures for all airport security checkpoints was released in its entirety on the Internet. The document was “improperly redacted,” according to TSA officials, meaning that with a few keystrokes what was once secret spilled out into the public domain. The document itself details screening procedures at metal detectors, explosive residue testers, and other elements of airport security. It outlines procedures for escorting certain travelers around security checkpoints, including air marshals, diplomats, and CIA officers. An annex to the document gives several examples of official credentials for agencies including the CIA, Congress, and federal air marshals and notes on determining their authenticity. Another redacted section of the document reveals that travelers are selected for screening if their passports are issued by any one of 12 specific countries. The TSA document, dated June 30, 2008, is stamped “Sensitive Security Information,” a description of sensitive but not classified information. To redact the TSA document for public release, officials apparently used a computer program to blacken particularly sensitive parts of the handbook, including which types of travelers are exempt from various kinds of random and required screening, the procedure for CIA officers escorting foreign dignitaries and others through checkpoints, the minimum gauge of wire used to calibrate X-ray machines, and the types of chemicals used for cleaning explosive residue scanners. The document was then published online as a PDF, a common file format used widely by the government. To redact it, officials obscured the text using a program that successfully hides the text as viewed on a computer monitor, but the underlying text was not deleted. Highlighting the text of the PDF page and then using the copy and paste functions on a computer easily revealed the hidden information. Source:
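The failure described in item 15 is a general one: a black rectangle painted over text in a PDF changes what a viewer renders, not what the content stream contains, so text extraction (or select-all and copy) still returns the glyphs underneath. The following is an added example, not code from the report or from TSA, that models a pre-publication check on a constructed, uncompressed page content stream: it lists the strings that text extraction would recover, counts the overlay boxes, and shows the correct fix, which is deleting the text operators rather than covering them. Real PDFs wrap content streams in compressed objects, so a production check would hand the file to a PDF library's text extractor; the logic of the check is the same.

```python
import re

# Constructed sample of a PDF page content stream (not the TSA document).
# Line 1 draws a line of text; line 2 paints a black rectangle over it. A viewer
# shows a black box, but the text operator is still in the stream, so
# select-all/copy recovers it. Line 3 is ordinary public text.
SAMPLE_CONTENT = b"""BT /F1 12 Tf 72 700 Td (Calibration wire gauge: PLACEHOLDER-VALUE) Tj ET
0 g 72 690 320 16 re f
BT /F1 12 Tf 72 660 Td (Public paragraph that was never sensitive.) Tj ET
"""

# Literal string handed to the Tj (show text) operator; tolerates \) escapes.
TJ_LITERAL = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")
# "x y w h re f": a filled rectangle, the usual 'black box' overlay.
RECT_FILL = re.compile(rb"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+) re\s+f\b")


def extract_strings(content):
    """Return every string drawn by a Tj operator, ignoring anything painted on
    top of it. This is effectively what copy/paste in a viewer does."""
    return [m.group(1).decode("latin-1") for m in TJ_LITERAL.finditer(content)]


def overlay_rectangles(content):
    """Return (x, y, w, h) of every filled rectangle in the stream."""
    return [tuple(float(v) for v in m.groups()) for m in RECT_FILL.finditer(content)]


def check_redaction(content, sensitive_terms):
    """Pre-publication check: does any sensitive term survive in the text layer?
    Overlay boxes are counted for reporting only; they never make a redaction effective."""
    text = "\n".join(extract_strings(content))
    leaked = [t for t in sensitive_terms if t in text]
    return {
        "overlay_boxes": len(overlay_rectangles(content)),
        "leaked": leaked,
        "effective": not leaked,
    }


def redact_by_removal(content, sensitive_terms):
    """Correct redaction: delete the glyphs from the content stream instead of
    covering them. Any Tj string containing a sensitive term becomes empty; the
    black box (if present) stays as a visual marker."""
    def strip(match):
        s = match.group(1).decode("latin-1")
        if any(t in s for t in sensitive_terms):
            return b"() Tj"
        return match.group(0)
    return TJ_LITERAL.sub(strip, content)


if __name__ == "__main__":
    terms = ["PLACEHOLDER-VALUE"]
    print("before:", check_redaction(SAMPLE_CONTENT, terms))
    fixed = redact_by_removal(SAMPLE_CONTENT, terms)
    print("after: ", check_redaction(fixed, terms))
```

Run as-is, the first check reports one overlay box and the placeholder value still present (`effective: False`); after `redact_by_removal` the same check passes while the public paragraph is untouched. The `PLACEHOLDER-VALUE` string and the term list are constructed for the example.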


Banking and Finance Sector

10. December 7, Washington Post – (National) La. firm sues Capital One after losing thousands in online bank fraud. An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart. According to JM Test, Capital One has denied any responsibility for the losses. On December 4, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. The lawsuit is the latest to challenge whether banks are doing enough to help customers prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company’s online banking credentials, said a digital media lawyer with the Los Angeles law firm Jeffer Mangels Butler & Marmaro LLP. He said that under the Uniform Commercial Code, banks generally are required to maintain “commercially reasonable” methods of providing security against unauthorized payment orders. But he said just what constitutes “commercially reasonable” security practices has only recently been challenged, citing a recent court case in Illinois expected to go to trial soon in which a couple is suing their bank over $26,500 lost when cyber thieves stole the user name and password needed to access their home equity line of credit. Source:

11. December 7, Bank Info Security – (National) Phishing scam spreads to three more states. Banking customers in three additional states have received bogus text messages purporting to be from their institutions. As part of a growing wave of similar phishing attempts throughout the nation, customers in Cincinnati, Ohio, St. Louis, Missouri and Lewiston, Idaho last week reported receiving text messages stating their bank accounts had been frozen. These attacks mirror those against bank customers in October in Pennsylvania, Nebraska and New York, and are part of a continuing wave of phishing attacks that have shot up 600 percent over last year, according to the Anti-Phishing Working Group. In Ohio, one Cincinnati US Bank customer told law enforcement about receiving the text message, calling the phone number listed and then giving out an account number, expiration date and PIN. The next day, the customer became suspicious and called the number again and heard the following message: “This is a message from the Federal Trade Commission. The telephone number you have just called has been disconnected because it may be involved in a scam.” The customer called US Bank, had the card replaced and did not lose any money. Law enforcement reported a number of banks had been targeted in the scam. Similar reports came in from Bridgeton, Missouri-based Vantage Credit Union customers, who reported to the credit union that they had received the text message phishing scam. Source:

Information Technology

35. December 8, IDG News Services – (International) Social network and banking scams are on the rise, says Cisco. What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they are all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year. In its 2009 Annual Security Report, due to be released on December 8, Cisco says that the smart cyber-criminals are moving on. “Social media and the data-theft Trojans are the things that are really in their ascent,” said a Cisco researcher. “You can see them replacing a lot of the old-school things.” The researcher is talking about attacks such as the Koobface worm, which spreads via Facebook and Twitter. Koobface asks victims to look at a fake YouTube video, which ultimately leads to a malicious download. Cisco estimates that Koobface has now infected more than 3 million computers, and security vendors such as Symantec expect social network attacks to be a major problem in 2010. Another sneaky attack: the Zeus password-stealing Trojan. According to Cisco, Zeus variants infected almost 4 million computers in 2009. Eastern European gangs use Zeus to hack into bank accounts. They then use their networks of money mules to wire stolen funds out of the U.S. They have been linked to about $100 million in bank losses, some of which have been recovered, the U.S. Federal Bureau of Investigation said last month. With that kind of success, older types of attacks such as instant messaging worms and phishing are now on the decline, the Cisco researcher said. Source:

36. December 8, The Register – (International) Adware touts $1 bribe to prospective zombies. An adware distributor is offering to pay punters $1 to install their software. The bribe comes attached to malware, specifically an application bundle that includes adware and agents that change browser home pages, detected by Sunbelt Software as C4DLMedia and classified as a medium risk threat. The offer of payment is buried in the application’s terms and conditions. Even if the adware slingers come through on this offer to pay via PayPal, the amount of the bribe is probably a problem. “In places where a dollar is worth enough to make this worth the effort, there probably isn’t any internet connectivity,” writes a Sunbelt security researcher. Source:

37. December 7, The Register – (International) Webmasters targeted in cPanel look-alike phish. Fraudsters are targeting webmasters in a massive phishing campaign that attempts to trick marks into giving up credentials needed to administer their sites. The emails are sent to customers of some of the world’s most widely used webhosts, including GoDaddy, Hostgator, Yahoo!, and 50Webs. Although the subject lines vary, they all purport to come from the hosting service. In all, admins from at least 90 different webhosts are being targeted. “Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details,” the emails state. Those who take the bait are led to a website formatted to look like a page from cPanel, the widely used website administration program. Once a website’s address and FTP credentials are entered, users are directed to their host’s login page. Over the past year, scammers have increasingly targeted administrators of legitimate websites. According to a review in the third quarter of this year by security firm Dasient, 5.8 million pages from 640,000 websites were infected with code designed to launch malware attacks on visitors. ScanSafe, a separate security firm, has been tracking a single infection known as Gumblar that has taken over at least 2,000 websites by stealing their administrator credentials. Source:
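The text-message scam in item 11 (“your account has been frozen, call this number”) and the cPanel look-alike phish in item 37 (“confirm your FTP details” at a page that is not the host's) share the same handful of indicators: urgency language, a request for credentials, a callback number or a link whose domain does not belong to the organisation the message claims to be from. The following is an added example, not code from either article or from any of the named banks or hosting companies, of a small triage routine that scores constructed sample messages on those indicators. The sample messages, the sender domains and the two-indicator threshold are all assumptions made for the example; the domain comparison keeps only the last two labels, whereas production code should use the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not the actual texts/emails from the reports).
# 'claimed_org' is the domain of the organisation the message claims to be from.
SAMPLES = [
    {"channel": "sms", "sender": "+15550100", "claimed_org": "examplebank.example",
     "body": "ALERT: Your Example Bank card has been frozen. Call 555-0199 now to reactivate."},
    {"channel": "email", "sender": "support@examplehost.example", "claimed_org": "examplehost.example",
     "body": "Due to the system maintenance, we kindly ask you to take a few minutes to "
             "confirm your FTP details at http://examplehost.example.login-verify.invalid/cpanel"},
    {"channel": "email", "sender": "billing@examplehost.example", "claimed_org": "examplehost.example",
     "body": "Your December invoice is available in the control panel: https://examplehost.example/billing"},
]

URGENCY = re.compile(r"\b(frozen|suspended|locked|immediately|urgent|within 24 hours)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(confirm|verify|update|provide|re-?enter)\b.{0,40}?\b(ftp details|password|pin|"
    r"account number|card number|credentials|login)\b", re.I)
CALLBACK_NUMBER = re.compile(r"\b\d{3}[-.\s]\d{4}\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Assumed simplification: treat the last two labels as the registrable domain.
    Production code should consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage(msg):
    """Return the indicators found in one message plus a coarse verdict.
    Two or more indicators -> likely_phish (the threshold is an assumption)."""
    body, findings = msg["body"], []
    if URGENCY.search(body):
        findings.append("urgency_language")
    if CREDENTIAL_ASK.search(body):
        findings.append("asks_for_credentials")
    if msg["channel"] == "sms" and CALLBACK_NUMBER.search(body):
        findings.append("callback_number")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != registrable_domain(msg["claimed_org"]):
            findings.append("link_domain_mismatch:" + host)
    if "@" in msg["sender"]:
        sender_host = msg["sender"].split("@")[-1]
        if registrable_domain(sender_host) != registrable_domain(msg["claimed_org"]):
            findings.append("sender_domain_mismatch:" + sender_host)
    verdict = "likely_phish" if len(findings) >= 2 else "ok"
    return {"channel": msg["channel"], "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for result in map(triage, SAMPLES):
        print(result)
```

On the samples, the SMS is flagged for urgency language plus a callback number, the FTP email for a credential request plus a link whose registrable domain is not the host's, and the routine invoice email is left alone. The point of the link check is the one the cPanel campaign exploits: the page looks like cPanel, but its address is not the hosting company's.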

38. December 7, – (International) Scientists promise an end to web attacks. Research published by academics at the University of Bristol’s Department of Computer Science suggests that a new technology could render cyber attacks “computationally impossible”. The experts will present their research at the ASIACRYPT 2009 security and cryptology conference being held in Japan this week. The experts will discuss how a new technique could be applied that makes web site attacks impossible. The researchers plan to demonstrate how encryption could be used to prevent attacks such as denial of service, while also providing two-factor authentication that does not overburden users. Both hardware and software issues will be discussed. A second paper will demonstrate how to transfer information between databases in a truly encrypted way. The researchers suggested that this could be used by doctors to access centralized healthcare databases in a way that protects patient confidentiality, for example. A final paper covers what the researchers call “basic constructions in cryptography”, which could be applied to applications like the web browser. Source:

39. December 7, DarkReading – (International) Microsoft warns of malware-laced counterfeit software. Citing a rising tide of complaints from people who unknowingly bought counterfeit software infected with malware, Microsoft on Thursday announced the launch of educational initiatives and enforcement actions in over 70 countries to raise awareness of counterfeit software and to protect consumers. Such complaints have doubled in the past two years, according to the company, reaching 150,000, a fairly large number considering such reports are made voluntarily by consumers. “Consumers who are duped by fraudulent software encounter viruses, lose personal information, risk having their identities stolen, and waste valuable time and money,” said an associate general counsel for Worldwide Anti-Piracy and Anti-Counterfeiting at Microsoft, in a statement. “Today’s announcement demonstrates our commitment to working with others, including our partners, government agencies and nongovernmental organizations, to protect people from the ill effects of counterfeit software.” Microsoft is calling its anti-piracy campaign Consumer Action Day. The event includes an intellectual property education program in schools across China, a club for software resellers in Germany to provide legitimate software, a course in counterfeit software risks offered by Mexico’s consumer protection agency, an online safety program for children in Greece, and a business piracy impact study in Argentina. Microsoft claims that counterfeit software is becoming more dangerous. It cites a 2006 IDC study that found 25 percent of counterfeit software attempted to install unwanted or malicious code when downloaded. More recently, German anti-piracy company Media Surveillance found that among several hundred pirated copies of Windows and hacks, 32 percent contained malicious code. Source:

40. December 7, The Register – (International) Service cracks wireless passwords from the cloud. A security researcher has unveiled a low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary. The WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in about 20 minutes. Those willing to wait 40 minutes can pay $17 to access the system at half mode. In addition to operating in the cloud, the service is also notable because its dictionary has been set up specifically for cracking Wi-Fi Protected Access passwords. While Windows, Unix and other systems allow short passwords, WPA pass codes must contain a minimum of eight characters. Its entries use a variety of words, common phrases and “elite speak” that have been compiled with WPA networks in mind. WPA Cracker is used by capturing a wireless network’s handshake locally and then uploading it, along with the network name. The service then compares the PBKDF2, or Password-Based Key Derivation Function, against the dictionary. The approach makes sense, considering each handshake is salted using the network’s ESSID, a technique that makes rainbow tables only so useful. Source:
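Item 40 turns on one property of WPA/WPA2-Personal: the key that protects the network is derived from the passphrase with PBKDF2, using the network name (SSID) as the salt, so each guess costs thousands of HMAC-SHA1 iterations and a table precomputed for one SSID is useless against any other. The following is an added example, not code from the article or from the WPA Cracker service, that derives the key with Python's standard library, enforces the 8-to-63-character passphrase rule the article mentions, checks the result against the IEEE 802.11i Annex H test vector, and shows that the same passphrase yields different keys under different SSIDs. The passphrases and SSIDs used in the demonstration are constructed.

```python
import hashlib

# IEEE 802.11i parameters for deriving the Pairwise Master Key (PMK, also
# called the PSK) from a WPA/WPA2-Personal passphrase.
WPA_PRF = "sha1"
WPA_ITERATIONS = 4096
WPA_PMK_LEN = 32  # 256 bits


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why a precomputed table is tied to one network name
    and why each dictionary entry costs 4096 HMAC-SHA1 evaluations to test."""
    if not 8 <= len(passphrase) <= 63:
        # The standard only allows passphrases of 8 to 63 printable ASCII characters.
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(WPA_PRF, passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, WPA_PMK_LEN)


def precomputation_reusable(passphrase, ssid_a, ssid_b):
    """True only if a PMK derived for ssid_a would also be valid for ssid_b.
    Because the SSID salts the derivation, this is False whenever the names differ."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)


def known_answer_test():
    """IEEE 802.11i Annex H test vector: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_pmk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    print("known answer test passes:", known_answer_test())
    # Constructed passphrase and SSIDs for the demonstration.
    print("PMK for 'Office' reusable for 'Office-Guest':",
          precomputation_reusable("correct horse battery staple", "Office", "Office-Guest"))
```

The defensive reading of the article follows directly from the code: a dictionary service succeeds only when the passphrase is in its list, so a long passphrase that is not a word, phrase or leet-speak variant is out of reach, and a network name that is not a common default means no table can have been built for it in advance.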

Communications Sector

41. December 8, – (International) Satellites touted as solution to UK’s rural broadband issue. Satellite broadband could be the answer to Britain’s digital divide, according to internet industry experts. The chief executive of Skyware Global said that the government “will have to look at satellite technology as a solution to providing broadband across the country”. The installation of fiber optic cable would be too time-consuming and expensive to provide broadband in rural areas, according to the executive, and bottlenecks are appearing in the telecoms infrastructure as data rates on the network grow. “Currently there are around 865,000 satellite broadband customers worldwide, but the industry is expecting that to reach 10 to 15 million as the technology is made cheaper and demand grows,” he explained. A senior analyst with Northern Sky Research agreed, saying that in developed economies satellite broadband is helping meet the demand from users who see broadband access as a must-have service. He also agreed that satellite broadband is an excellent technology for issues of rural divide and has done very well in countries with government subsidy programs, like Australia. However, he pointed out that satellite broadband subscriber patterns mirror population densities. “Satellite broadband is very effective at filling the still substantial number of broadband white spaces that are found in and around urban and suburban areas.” Currently there are around 1.2m satellite broadband customers worldwide, with around 900,000 subscribers in North America, and around 150,000 in Europe. Source:

42. December 8, Federal Communications Commission – (National) FEMA, FCC announce standards for wireless carriers to receive and deliver emergency alerts via mobile devices. As part of the Integrated Public Alert and Warning System (IPAWS), the nation’s next generation of emergency alert and warning networks, the Department of Homeland Security’s Federal Emergency Management Agency (FEMA) and the Federal Communications Commission (FCC) recently announced the adoption of the design specifications for the development of a gateway interface that will enable wireless carriers to provide their customers with timely and accurate emergency alerts and warnings via their cell phones and other mobile devices. The Commercial Mobile Alert System (CMAS) is one of many projects within IPAWS intended to provide emergency managers and the President of the United States a means to send alerts and warnings to the public. Specifically, CMAS provides Federal, state, territorial, tribal and local government officials the ability to send 90 character geographically targeted text messages to the public regarding emergency alert and warning of imminent threats to life and property, Amber alerts, and Presidential emergency messages. The CMAS is a combined effort of the federal government and cellular providers to define a common standard for cellular alerts. Today’s announcement marks the beginning of the 28-month period, mandated by the FCC in August 2008, for commercial mobile service providers who have elected to participate in the design specifications known as CMAS to develop, test and deploy the system and deliver mobile alerts to the public by 2012. “Working as a team with our partners in the public and private sectors, the adoption of the CMAS standard brings us even closer to making the nation’s next-generation of emergency alerts and warnings – Integrated Public Alert and Warning System (IPAWS) – a reality,” said FEMA’s Administrator. “Our goal is simple, to give one message over more devices to more people for maximum safety.” Source:

43. December 8, Baltimore Computers Examiner – (National) Comcast plans on nationwide limit on monthly data usage. Comcast is proceeding with plans to limit data transfers to 250Gb per month. The move will change how consumers use the Internet and how Internet Service Providers (ISPs) provide Internet access. Comcast has been developing different plans to curb what it considers an overuse of its networks by file-sharers and downloaders of large files. ISPs have been trying to implement different types of data caps for some time now. Source:

44. December 7, Coated – (National) AT&T iPhone application to track network problems. AT&T has developed a new application for the Apple iPhone that allows AT&T customers to easily report mobile phone problems in a given network area. Users will be able to report such things as poor coverage, dropped calls, data errors, and general network outages. The software application is free to download and install through iTunes. Source:

For more stories, see items 37 and 40 above in the Information Technology Sector.