Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, December 23, 2009

Complete DHS Daily Report for December 23, 2009

Daily Report

Top Stories

KRQE 13 Albuquerque reports that Interstate 40 in western New Mexico reopened Monday after being closed for 13 hours due to a crash near Gallup that flipped a 9,000-gallon propane tanker. About 1,000 gallons of the compressed gas leaked after the crash. (See item 1)

1. December 22, KRQE 13 Albuquerque – (New Mexico) I-40 crash closure lasted 13 hours. Interstate 40 in western New Mexico reopened shortly before 11:30 p.m. Monday after being closed since mid-morning by a crash that flipped a 9,000-gallon propane tanker. Earlier in the evening, New Mexico State Police reported that the process of transferring 8,000 gallons of propane to another tanker was taking longer than expected. Another 1,000 gallons of the compressed gas leaked after the crash, raising the threat of a catastrophic explosion, although none occurred. The crash happened in the eastbound lanes at mile marker 47 at about 10:15 a.m. Monday when a car in the left lane somehow got under the wheels of the propane trailer in the right lane. The tractor-trailer rig rolled over onto the shoulder. No serious injuries were reported in the collision. State Police quickly shut down 25 miles of I-40 from Thoreau west of Grants to Church Rock east of Gallup and began detouring traffic. The 45-mile detour routed motorists onto State Roads 566 and 379 and a Navajo Nation road connecting the two highways. Compounding the massive backups has been what police are calling heavier than normal holiday traffic. Source:

According to the Wall Street Journal, U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack. (See item 14 in the Banking and Finance Sector)


Banking and Finance Sector

14. December 22, IDG News Services – (International) Report: Russian gang linked to big Citibank hack. U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report. The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, the Wall Street Journal said on December 22, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography, and spam. The Federal Bureau of Investigation is probing the case, the report said. It was not known whether the money had been recovered, and a Citibank representative said the company had not had any system breach or losses, according to the report. The report left unclear from whom the money was stolen, but said a program called Black Energy, designed by a Russian hacker, was one tool used in the attack. The tool can be used to command a botnet, or a large group of computers infected by malware and controlled by an attacker, in assaults meant to take down target Web sites. This year a modified version of the software appeared online that could steal banking information, and in the Citi attack a version tailored to target the bank was used, the Journal said. The attackers also targeted a U.S. government agency and one other unnamed entity, the report said, adding that it was unknown if the attackers accessed Citibank systems directly or through other parties. Source:

15. December 22, Reuters – (International) France says will keep using stolen Swiss bank tax data. France will continue to use data stolen from a Geneva private bank in its drive against tax evasion, its budget minister said on December 22, a day after French officials agreed to return the client lists to Switzerland. “Of course they can be used. The French judicial procedure will continue,” the budget minister told reporters on the sidelines of a visit to China with the prime minister. Despite Swiss protests, French tax authorities have been using information secured from a former HSBC computer specialist who has admitted stealing client data from HSBC’s private banking arm in Geneva. On December 21, Paris agreed to return the data after Switzerland threatened not to ratify a tax treaty that would make it easier for French authorities to go after taxpayers who had salted away funds in Swiss bank accounts. A Swiss finance ministry spokeswoman said on December 21 the French move left a number of questions open and said these would have to be resolved between the two governments. A global crackdown on tax havens has forced Switzerland to relax its treasured bank secrecy regime, and it promised in March it would enter new treaties that would allow it to share bank client information in some cases of tax evasion. Source:

16. December 21, KING 5 Seattle – (Washington) Bomb threat used to rob Kitsap Co. bank. A bank robber told employees to stay put or a bomb would go off as he fled a bank in Kingston on December 21. The robbery happened at a Bank of America on Highway 104. According to published reports, the robber told employees that if anyone left the building or if police arrived within 90 minutes, a bomb would detonate. The robber took off on foot. A description has not been released. The Edmonds-Kingston ferry run was suspended for 25 minutes while police searched for the suspect. Source:

Information Technology

36. December 22, The Register – (International) Intel patches critical security bug in vPro processors. Intel has released a patch for its series of silicon-based security protections after researchers from Poland identified flaws that allowed them to completely bypass the extensions. The implementation errors in Intel’s TXT, or trusted execution technology, mean the feature cannot be counted on as advertised to protect sensitive files and prevent systems from booting operating systems that have been tampered with. The vulnerability affects the Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets. “We again showed that an attacker can compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way, fully circumventing any protection TXT is supposed to provide,” researchers with the Invisible Things Lab stated in a press release issued on December 21. The researchers laid out a variety of ways their software-only attack could defeat the security measures, which Intel has built into its vPro-branded processors and held out as a way for large corporate customers to make their servers and PCs more resistant to criminal hackers. One TXT feature that can be overridden is a setting that restricts the use of USB-based flash drives. The researchers also said that attacks could allow them to defeat procedures for securely launching applications and encrypting hard disk contents. The attacks exploit implementation errors in Intel’s SINIT Authenticated Code modules, which are digitally signed pieces of code that cannot be modified. The researchers brought the defects to the attention of Intel officials in late September and agreed to withhold publication of their findings until the chipmaker was able to patch the vulnerability. Source:

37. December 22, The Register – (International) iPhone worms can create mobile botnets. A detailed analysis of the most malign in a recent spate of iPhone worms points to future mobile botnet risks. The IKee-B (Duh) iPhone worm, released in late November, exploited default root passwords on jailbroken iPhones to turn the smartphones into botnet clients under the control of a server based in Lithuania. The worm affected iPhone users in The Netherlands, and specifically targeted customers of Dutch online bank ING Direct. Security researchers at SRI International - noted for top-notch work in dissecting the Conficker botnet - published an analysis of the iPhone botnet on Monday that warns users of Apple’s device and similar smartphones to expect more of the same in future. Warnings about mobile malware have been circulating for years. But it’s only since the advent of iPhones and other smartphones, allowing decent internet access with what’s essentially a mini-computer, that such risks have become tangible, rather than the stuff of anti-virus vendor PowerPoint slides, SRI warns. Source:

38. December 22, Broadband DSL Reports – (National) Mediacom customers still having e-mail problems. A week ago a Mediacom e-mail upgrade promising to deliver “next generation” e-mail service wound up leaving some customers without e-mail for a week. Now, two weeks since the upgrade, both residential and business users are still writing in to complain that they are either without e-mail service, or they’re suffering through oddities like lost e-mail. An ongoing thread in DSL Reports’ Mediacom forum has hit 55 pages, most of them filled with customers complaining about the broken upgrade. The upgrade appears to have given spammers an opportunity to hammer the system further, complicating the upgrade and repair process. Several customers complain that of the e-mail they do actually get, a chunk of it is new phishing attempts they had not seen previously. Source:

39. December 21, ComputerWorld – (International) Microsoft’s ‘whitelist’ helps hackers, says Trend Micro. By recommending that users exclude some file extensions and folders from antivirus scans, Microsoft may put users at risk, a security company said on December 21. In a document published on its support site, Microsoft suggests that users do not scan some files and folders for malware as a way to improve performance in Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2. “These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking,” Microsoft states in the document. Among the files and folders Microsoft tells users to exclude are those associated with Windows Update and Group Policy, and files with the .edb, .sdb and .chk extensions contained within the “%windir%\security” folder. Trend Micro took exception — not with the list itself, but with Microsoft making it public. “Although it actually makes sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned by the fact that this was released publicly,” said a malware researcher with Trend Micro, in an entry to his firm’s blog. The researcher argued that the list could be a boon to hackers. “Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,” he said. “Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning, or use a file extension that is also in the excluded list.” Source:
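As an added example (not part of the report or the cited article), a small Python audit of how scan exclusions of the kind described above behave: it models a hypothetical version of the exclusion set, decides which files a scanner honouring it would never inspect, and so shows which locations deserve file-creation monitoring instead. The folder names, the ENV value and the sample paths are constructed, not taken from Microsoft's document.

```python
import ntpath
# Constructed stand-in for the exclusion advice quoted in the article: .edb/.sdb/.chk
# scoped to %windir%\security plus two folder-wide exclusions for Windows Update and
# Group Policy data. Folder names and the ENV value are hypothetical, not Microsoft's.
ENV = {"windir": r"C:\Windows"}
EXCLUSIONS = [
    # ("ext_in_folder", (folder, exts)) skips only those extensions under folder;
    # ("folder", folder) skips everything beneath folder.
    ("ext_in_folder", (r"%windir%\security", {".edb", ".sdb", ".chk"})),
    ("folder", r"%windir%\SoftwareDistribution\DataStore"),
    ("folder", r"%windir%\System32\GroupPolicy"),
]
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".ps1"}
def expand(path):
    """Expand %VAR% tokens from ENV and lower-case the result for comparison."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return path.lower()

def under(path, folder):
    """True if path lies beneath folder (prefix match on expanded paths)."""
    return expand(path).startswith(expand(folder).rstrip("\\") + "\\")

def is_excluded(file_path):
    """Return (kind, folder) of the rule that exempts file_path from scanning, or None."""
    ext = ntpath.splitext(file_path.lower())[1]
    for kind, rule in EXCLUSIONS:
        if kind == "folder" and under(file_path, rule):
            return kind, rule
        if kind == "ext_in_folder" and under(file_path, rule[0]) and ext in rule[1]:
            return kind, rule[0]
    return None

def audit(paths):
    """Return (path, reason) for every file a scanner using EXCLUSIONS would never inspect."""
    findings = []
    for path in paths:
        hit = is_excluded(path)
        if hit:
            kind = "executable" if ntpath.splitext(path.lower())[1] in EXECUTABLE_EXTS else "data"
            findings.append((path, f"{kind} file unscanned ({hit[0]} rule on {hit[1]})"))
    return findings
# Constructed file-creation events; in practice feed these from a file-integrity monitor.
SAMPLE_PATHS = [
    r"%windir%\security\edb.chk",                           # legitimate data, excluded
    r"%windir%\security\dropper.exe",                       # .exe not in the scoped list: still scanned
    r"%windir%\SoftwareDistribution\DataStore\update.exe",  # folder-wide exclusion: never scanned
    r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol",
    r"C:\Users\alice\Documents\report.docx",                # outside every exclusion
]
```

Note that an extension exclusion scoped to one folder is far narrower than a folder-wide exclusion; `audit` makes the difference visible so the folder-wide locations can be watched with file-creation alerts.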

40. December 21, SCMagazine – (International) Malicious cards, Brittany Murphy poisoned search hit web. Security researchers on December 21 began warning internet users of a pair of unrelated threats whose goal is to install malware on victims’ machines. A virus analyst at Sophos said in a blog post that a new wave of spam purports to be Christmas-related electronic greeting cards sent from Hallmark. However, clicking on the link included in the message installs a trojan known as VBInject. More e-card scams are expected during the holiday season, experts said. Meanwhile, the untimely death of an actress has, as expected, given rise to a number of poisoned search attacks, said a researcher and communications manager at McAfee Avert Labs, in a blog post. Through a technique known as blackhat search engine optimization (SEO), searches for phrases such as “[famous actress] dies” or “[famous actress] 8 mile” have resulted in a number of questionable results trying to lure users to websites pushing rogue anti-virus programs or other malware. The ploy is a common one for attackers hoping to cash in on a curious public seeking news on a major media story. Source:

For more stories, see items 41 and 43 below in the Communications Sector.

Communications Sector

41. December 22, – (International) China outlines new web site regulations. The Chinese Ministry of Industry and Information Technology (MIIT) has issued new internet regulations which could mean that many overseas web sites will be unavailable to Chinese readers. MIIT now demands that all domain management companies and internet service providers (ISPs) tighten controls over domain registration as part of the government’s anti-pornography campaign. This means that only licensed businesses and state-approved organizations can register for a web site. MIIT said that any domain names not registered will not be resolved or transferred, but the organization did not explain whether this applied to overseas web sites as well. The Beijing News maintained that it would be a pity if legal foreign web sites could not be accessed if they were not registered, as the internet “is meant to connect people.” A copyright lawyer at Beachcroft LLP believes that the pressure would mostly fall on ISPs as most domain names will be registered outside China. Source:

42. December 22, Multichannel News – (National) Comcast settles class-action suit over peer-to-peer delays. Comcast has agreed to settle a class-action lawsuit alleging the nation’s largest cable company impaired the use of peer-to-peer file-swapping applications, and will pay up to $16 million to customers who believe they were affected. Comcast was sued by several customers who variously claimed breach of contract or that the operator violated consumer-protection laws by misrepresenting its broadband service as “unfettered” and that it provided “the fastest Internet connection.” Those complaints were consolidated into multidistrict litigation in the U.S. District Court for the Eastern District of Pennsylvania. The cable company’s practice of impeding P2P traffic during times of peak congestion on its networks drew national attention — and scrutiny from the Federal Communications Commission — after the Associated Press confirmed Comcast was limiting the ability of BitTorrent applications to transfer a copy of the King James Bible. Comcast’s P2P “blocking” was originally publicized by an Oregon resident, who was a plaintiff in the class action. The FCC subsequently issued an order requiring Comcast to change its network-management practices and finding that it violated the agency’s network neutrality principles. Comcast is fighting the FCC’s ruling in federal court; the U.S. Federal Appeals Court for the D.C. Circuit is scheduled to hear oral arguments on January 8 in the case and is expected to rule within three months. Source:

43. December 20, Associated Press – (Maine) Maine to consider cell phone cancer warning. A Maine legislator wants to make the state the first to require cell phones to carry warnings that they can cause brain cancer, although there is no consensus among scientists that they do and industry leaders dispute the claim. The now-ubiquitous devices carry such warnings in some countries, though no U.S. states require them, according to the National Conference of State Legislators. A similar effort is afoot in San Francisco, where the mayor wants his city to be the nation’s first to require the warnings. The Federal Communications Commission, which maintains that all cell phones sold in the U.S. are safe, has set a standard for the “specific absorption rate” of radio frequency energy, but it does not require handset makers to divulge radiation levels. Source: