Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, December 17, 2009

Complete DHS Daily Report for December 17, 2009

Daily Report

Top Stories

The Associated Press reports that on Tuesday about two dozen people were sickened by fumes from hydrochloric acid at the Manchester Tank plant in Quincy, Illinois. The plant manufactures pressure vessels. (See item 9)

9. December 15, Associated Press – (Illinois) Fumes sicken more than 20 workers at Quincy plant. Officials say roughly two dozen people were sickened by fumes from hydrochloric acid at a plant in the Mississippi River city of Quincy. All the workers affected Tuesday morning at Manchester Tank were taken to a hospital, though their injuries were not thought to be life-threatening. Most were later released from the hospital. A spokesman for Tennessee-based McWane Inc., which owns Manchester Tank, says an investigation is under way into what caused the accident. The spokesman says there was no actual spill of the acid, only a leak of fumes — perhaps from some air-scrubbing equipment. Manchester Tank makes pressure vessels for the containment of propane, compressed air and chemicals. Source:

According to the Associated Press, hundreds of thousands of swine flu shots for children have been recalled because tests indicate the vaccine doses lost some strength, government health officials said on Tuesday. The shots, made by Sanofi Pasteur, were distributed across the country last month and most have already been used. (See item 24)

24. December 15, Associated Press – (National) Kids’ swine flu shots recalled; not strong enough. Hundreds of thousands of swine flu shots for children have been recalled because tests indicate the vaccine doses lost some strength, government health officials said Tuesday. The shots, made by Sanofi Pasteur, were distributed across the country last month and most have already been used, according to the Centers for Disease Control and Prevention (CDC). The 800,000 pre-filled syringes that were recalled are for young children, ages 6 months to nearly 3 years. A CDC flu expert stressed that parents do not need to do anything or to worry if their child got one — or even two — of the recalled shots. The vaccine is safe and effective, she said. The issue is the vaccine’s strength. Tests done before the shots were shipped showed that the vaccines were strong enough. But tests done weeks later indicated the strength had fallen slightly below required levels. Young children are supposed to get two doses, spaced about a month apart. Health officials do not think children need to get vaccinated again, even if they got two doses from the recalled lots. Source:

Banking and Finance Sector

11. December 16, Wall Street Journal – (International) Credit Suisse to pay U.S. $536 million in Iran probe. Credit Suisse Group, one of Switzerland’s biggest banks, said Tuesday that it expects to pay a $536 million penalty as part of a continuing U.S. investigation into how major Western banks illegally handled funds for Iran. Credit Suisse’s role in alleged illegal transactions with Iranian enterprises previously had been disclosed. But the size of the fine and the fact that the Swiss bank joins other banking companies in settling U.S. inquiries highlight how far-reaching and secretive money flows have been with Iran and others sanctioned by the U.S. An agreement by the Swiss bank to pay that amount now means that fines and penalties for banks investigated in the alleged transactions are in the $1 billion range. Credit Suisse, which said it is in “advanced settlement discussions” with state and federal U.S. authorities, said that while it already set aside money to cover a fine, it will now record a 445 million Swiss franc ($430 million) pretax charge in the fourth quarter. The bank reports those results on February 11, 2010. Credit Suisse said that it was in the settlement talks with the Manhattan District Attorney, the Justice Department, the Federal Reserve and the Treasury Department’s unit that enforces economic and trade sanctions. Source:

12. December 16, Computerworld – (National) Mass. Supreme Court throws out lawsuit against BJ’s over ‘04 data breach. The Massachusetts Supreme Judicial Court affirmed a lower court ruling dismissing a lawsuit brought against BJ’s Wholesale Club by dozens of credit unions over a 2004 data breach. The court held that the credit unions could not seek restitution from BJ’s on their claims that the wholesaler had breached a third-party contract and had misrepresented facts about its compliance with payment industry security standards. The ruling on December 11 is similar to numerous others that have been handed down by courts recently and highlights the challenges that plaintiffs face in winning tort actions against companies that suffer massive data breaches. Just last week, a federal court in New Jersey threw out a shareholder lawsuit against Heartland Payment Systems, which had disclosed a major data breach in January. The court essentially said that the data breach by itself did not demonstrate Heartland’s lack of commitment to maintaining a high level of security. Framingham, Massachusetts-based BJ’s in March 2004 disclosed that hackers had gained access to systems that stored credit-card transaction data. The initial intrusion had taken place in July 2003, but the breach was not discovered until February 2004. In that time, the hackers responsible for the intrusion, who have since been arrested, accessed magnetic stripe data on more than 9 million credit and debit cards. BJ’s later admitted that the compromise stemmed from its failure to purge magnetic stripe data from its systems, as it was required to do under the payment card industry security standards mandated by MasterCard and Visa. Credit unions and banks had to spend millions of dollars blocking and reissuing cards that were compromised in the breach. Many also had to deal with fraud arising from the use of the stolen card data. Source:

13. December 15, Computerworld – (International) Hackers are defeating tough authentication, Gartner warns. Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns. Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report said. Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, said a Gartner analyst and the report’s author. Gartner’s warning comes amid a sharp uptick in fraud involving the exploitation of valid online banking credentials. In August, NACHA, the Electronic Payments Association, issued an alert warning members about attacks involving the theft of online banking credentials, such as usernames and passwords, mostly from small- and medium-size businesses. Cybercriminals used the stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks, NACHA said in its warning. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network. Just a few days earlier, a similar alert was sent to members of the Financial Services Information Sharing and Analysis Center. The alert identified organized cybercrime groups in Eastern Europe as predominantly responsible for illegally siphoning millions of dollars off corporate accounts and sending the money overseas via popular money and wire transfer services.

14. December 15, CNET News – (International) Virtual currency exchange to launch in 2010. Beginning in the first quarter of 2010, social sites IMVU and MyYearbook will launch a virtual currency exchange allowing users from either service to exchange currency between the sites. Currency Connect is billed as a “cross property virtual currency exchange” system, similar to how one would change U.S. dollars into euros when traveling in Europe. Users simply swap their currencies depending on what site they are on. Most still find it surprising that users would exchange real money for virtual money that can never be taken out of a specific site. It makes one wonder when a bigger payments vendor, like PayPal, will get into the game and offer more of a de facto universal virtual currency. It cannot be long before other social sites like Facebook join the fray. Ultimately, the site or currency with the most users is likely to be the one with the most users. This opens up an opportunity for other sites with large user bases, such as Google and Yahoo, to offer a currency program. If users are already joining multiple social-networking sites, there is no doubt that they are also using search engines and instant messaging. On the technical side, the service uses a simple set of REST APIs that implement the various checks and balances of the system. Security is maintained through tracking methods and server-to-server connections, which will initially limit how many sites can participate in the service. Again, a larger online service might have an easier time deploying a fully distributed, trusted service that did not require point-to-point connections. Source:

Information Technology

36. December 16, The Register – (International) Attacks spread malware with help from AppleInsider. Malware purveyors are exploiting web vulnerabilities in AppleInsider and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites. As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected. “What’s interesting ... is the fact that it’s embedding iframes to redirect people,” a senior security researcher at Zscaler told The Register. “Typically, cross-site scripting is just that - it embeds script tags so it will embed javascript to run.” While it is not the most convincing attack ever seen, there is nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild. The links work because AppleInsider and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Source:
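The attack above rides on query parameters that carry iframe or script markup through sites that do not filter it. The following detector, an added example that is not from the report or from any of the sites named, scans constructed access log lines for such markup, unwrapping nested percent-encoding so a doubly encoded tag is not missed; host names and paths are placeholders.

```python
# Added example (not from the report): flag requests whose query string carries
# HTML/JavaScript markup, the pattern behind the XSS redirects described above.
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed Apache-style access log lines; the addresses and hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2009:10:01:02 +0000] "GET /search?q=macbook HTTP/1.1" 200 5120
203.0.113.7 - - [15/Dec/2009:10:01:09 +0000] "GET /search?q=%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2Fav%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 5300
198.51.100.9 - - [15/Dec/2009:10:02:11 +0000] "GET /forum/?topic=%253Ciframe%2520src%253D%2522http%253A%252F%252Fexample.invalid%252Fx%2522%253E HTTP/1.1" 200 4100
198.51.100.3 - - [15/Dec/2009:10:03:00 +0000] "GET /article/123?ref=%3C3+mac HTTP/1.1" 200 7000
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that has no business inside a query parameter: embedding tags,
# inline event handlers and javascript: URLs. A bare "<" on its own is not flagged.
MARKUP_RE = re.compile(
    r'<\s*/?\s*(iframe|script|img|object|embed|svg)\b|\bon[a-z]{3,}\s*=|javascript\s*:', re.I
)

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so nested encoding cannot hide a tag."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters of `target` that contain markup."""
    hits = []
    # parse_qsl removes one layer of encoding; decode_fully handles any further layers.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_fully(value)
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return [(ip, target, hits)] for each request line carrying markup in its query string."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, hits)
```

The same check applied at request time, before a parameter is echoed into a page, is the filtering the article says the affected sites lacked; output encoding of anything reflected remains the primary fix.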

37. December 15, Computerworld – (International) RockYou hack exposes names, passwords of 30m accounts. Hackers breached a database at social networking application maker RockYou Inc. and accessed username and password information on more than 30 million individuals with accounts at the company. The passwords and user names were stored in clear text on the compromised database, and the user names were by default the same as the users’ Gmail, Yahoo, Hotmail or other Web mail accounts. RockYou did not immediately respond to a request for comment on the incident. In a statement sent to TechCrunch, which first reported the breach, RockYou confirmed that a user database had been compromised that potentially exposed some “personal identification data” for about 30 million registered users. The company learned of the breach December 4 and promptly shut down the site while the problem was addressed, the statement said. Redwood City, California-based RockYou offers widgets that are used widely on social networking sites such as Facebook, MySpace, Friendster and Orkut. The company bills itself as a leading provider of social networking application-based advertising services, with more than 130 million unique users using its applications monthly. The breach was discovered shortly after database security vendor Imperva Inc. informed RockYou of a major SQL injection error it had uncovered on a page on RockYou’s Web site. Imperva’s chief technology officer said the company learned of the vulnerability on RockYou’s Web site — and the fact that it was being actively exploited — as part of its regular monitoring of underground chat rooms. Source:
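Two defects are named in the item above: a SQL injection flaw and clear-text password storage, which together turn one bad query into 30 million usable credentials. The example below, added here and not RockYou's or Imperva's code, shows the vulnerable lookup beside a hardened version that uses a parameterised query and salted PBKDF2 hashing; the accounts and table names are constructed for the demo.

```python
# Added example (not from the report): clear-text storage plus string-built SQL,
# beside the hardened form (parameterised query, salted PBKDF2-HMAC digest).
import hashlib
import hmac
import os
import sqlite3

def vulnerable_lookup(conn, username, password):
    """Clear-text passwords and string-built SQL: user input becomes query syntax."""
    sql = (f"SELECT username FROM users_plain "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def register(conn, username, password):
    """Store only the salt and digest; the password itself never reaches the database."""
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))

def hardened_login(conn, username, password):
    """Parameterised query, then constant-time comparison against the stored digest."""
    row = conn.execute("SELECT salt, digest FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, salt=row[0])
    return hmac.compare_digest(candidate, row[1])

def build_demo():
    """In-memory database with constructed accounts in both the plain and hardened tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        register(conn, user, pw)
    return conn

def stored_plaintext(conn):
    """True if any hardened credential record still contains a demo password verbatim."""
    blobs = [r[0] for r in conn.execute("SELECT digest FROM users")]
    return any(b"hunter2" in b or b"correct horse" in b for b in blobs)

if __name__ == "__main__":
    conn = build_demo()
    # Textbook injection input: the quote closes the literal, "--" comments out the password check.
    print(vulnerable_lookup(conn, "alice' --", "anything"))  # ['alice']
    print(hardened_login(conn, "alice' --", "anything"))     # False
    print(hardened_login(conn, "alice", "correct horse"))    # True
```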

38. December 15, CNET News – (International) Facebook sues men for allegedly phishing, spamming. Facebook has sued three men, alleging they used phishing techniques to get access to Facebook user accounts and then sent spam from the compromised accounts. The lawsuit was filed on December 14 in federal court and named the three defendants and the companies associated with them, Choko Systems, Harm, and iMedia Online Services, according to a Facebook statement late on December 15. The defendants could not be reached for comment. A Facebook spokesperson was trying to find out what court the lawsuit was filed in. The lawsuit makes claims under the Can-Spam (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, the Computer Fraud and Abuse Act, the California Anti-Phishing Act and the California Computer Data Access and Fraud Act, according to Facebook. This is the latest legal action the social networking site has taken related to spam. In October, Facebook was awarded $711 million in a judgment against a self-described “spam king.” Source:

39. December 15, DarkReading – (International) Adobe Reader, Acrobat under zero-day attack. Adobe’s Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag. Late on December 14, Adobe issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that is being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. “This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe says. So far, Adobe and security researchers around the industry have been tight-lipped on details about the newly discovered vulnerability, but ShadowServer on December 15 said in its blog that the flaw resides in a JavaScript function in Acrobat and Reader. The trick is that the vulnerable JavaScript is hidden inside a “zlib stream,” which makes it difficult for security scanners to detect, ShadowServer says. The flaw is found in 8.x and 9.x versions of the software, according to ShadowServer, and researchers are currently testing earlier versions for the bug as well. A senior research manager for Symantec Security Response says the exploit is similar to previous ones for Reader and Acrobat as well as to other client-side attacks. And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine. Source:

40. December 15, ComputerWorld Canada – (International) Symantec updates smart phone management suite. Symantec Corp. is rolling out a trio of updated products designed to secure and manage a user’s fleet of Windows smart phones across their lifecycle. In addition to a variety of mobile device management features, Symantec Mobile Management 7.0 will allow administrators to deploy applications and updates to the mobile fleet. The other two products include Symantec Network Access Control Mobile Edition 6.0 and Symantec Endpoint Protection Mobile Edition 6.0, which together will protect devices against malicious threats and unauthorized access to the corporate network or Microsoft Exchange server. The security giant said that while these products are only supported on Windows-based phones, the company is exploring Google Android and Apple iPhone solutions. Source:

For more stories, see items 41 and 45 below in the Communications Sector

Communications Sector

41. December 16, IDG News Service – (International) Rogue antivirus lurks behind Google Doodle searches. Malicious is the best way of describing many of the search results Google visitors got on December 15 when they clicked on Google’s front-page Doodle sketch, dedicated to Esperanto’s creator. It is the latest example of just how good scammers have become at manipulating Google search results. For months now, they have followed Google’s Trending Topics section and then used search engine optimization techniques to push hacked Web pages up to the top of Google’s search results, security experts say. They do this by flooding hacked pages with keywords that are then recorded by Google’s search engine. Hackers have several ways of getting their code on legitimate Web sites — lately they have focused on stealing FTP login credentials, according to a research scientist with Barracuda Labs. The hacked sites that pop up when one clicks on December 15’s Google Doodle include a hair salon in New Jersey, a Texas tree company, and a science fiction group. On Tuesday, clicking on the illustration on Google’s front page commemorating the 150th anniversary of the birth of Esperanto’s creator generated an awful lot of malicious search results — taking visitors to dodgy advertisements or pages that tried to trick visitors into thinking their computers were infected and paying for fake anti-virus software. These results remained steadily in the top 5 to 10 search results for people who clicked on the Google Doodle link on December 15, and often filled up about half of the first few pages of results, the research scientist said. Source:

42. December 15, IDG News Service – (National) AT&T offers new position on net neutrality. The U.S. Federal Communications Commission (FCC) should back away from creating strict nondiscrimination rules requiring broadband service providers to carry all Internet content, because such net neutrality rules could hurt investment in networks, AT&T told the FCC on Tuesday. AT&T, a longtime opponent of strong net neutrality rules, nevertheless suggests in a letter to the FCC that “preserving the open character of the Internet is critically important to ensuring that all consumers have the opportunity to be creators of content and innovators from their homes or their garages.” However, the FCC should not prohibit broadband providers from entering into commercial agreements in which they provide “value-added” broadband services to some Internet companies, AT&T said. Source:

43. December 15, CNET News – (National) Wireless and broadcast industries begin spectrum debate. The wireless and TV broadcasting industries faced off for the first time at a congressional subcommittee meeting on the Hill on Tuesday, setting in motion what could be a long drawn out battle over whether wireless spectrum should be reallocated and where the government will get this new spectrum. The president and CEO of CTIA, the wireless industry group, and a member of the National Association of Broadcasters were among the witnesses gathered before the House Energy and Commerce Committee’s Subcommittee on Communications, Technology and the Internet to discuss what the CTIA and the Federal Communications Commission (FCC) have called a looming spectrum crisis. The hearing comes just weeks after the CTIA ruffled broadcasters’ feathers when it filed comments with the FCC suggesting that some of the additional spectrum it seeks for wireless broadband could come from unused TV broadcast spectrum. Broadcasters oppose giving up their spectrum. And some representatives for broadcasters say they don’t believe that there is a spectrum crisis. Source:

44. December 15, – (International) World’s first LTE transfer achieved. Another LTE milestone was reached after ST-Ericsson and Ericsson announced they achieved the first successful transfer of a mobile broadband data call between a next-generation LTE network and an HSPA network. ST-Ericsson, a joint venture between ST-NXP Wireless and Ericsson Mobile Platforms, said it was the world’s first transfer between networks of this nature. The chief technology officer and strategy planning officer with ST-Ericsson said the test was important to demonstrate that LTE could be flexible enough to allow users to move between LTE networks and existing 3G networks as necessary. “If you’re travelling, for example, and move into an area where there is no LTE coverage your connection will continue regardless by moving on to an available 3G network,” he said. Source:

45. December 15, CNET News – (International) Australia moves toward mandatory ISP filtering. Mandatory ISP filtering legislation will be introduced in Australia around the middle of 2010, after which there will be a one-year period to implement and activate the filtering technology. The Australian federal government on December 15 announced it will introduce amendments to the Broadcasting Services Act, which will by 2011 require all ISPs to block refused-classification-rated material hosted on overseas servers. As part of the new legislation, the government intends to explore what additional process could be implemented around how Web sites are added to the government’s “Refused Classification” (RC) list. The obvious contender for the new RC list’s oversight is the Australian Communications and Media Authority (ACMA), which manages a list of locally hosted illegal content, and issues so-called “take-down” notices to local operators. Source: