Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, January 14, 2010

Complete DHS Daily Report for January 14, 2010


Top Stories

 The Associated Press reports that officials delayed reopening a Morehead City, North Carolina port Wednesday while crews continued to clean up a spill of pentaerythritol tetranitrate. A forklift operator Tuesday accidentally punctured nine containers of PETN and a small amount of the chemical explosive leaked out. (See item 6)

6. January 13, Associated Press – (North Carolina) Cleanup of explosives spill delays NC port opening. Officials delayed reopening a Morehead City, North Carolina port Wednesday while crews continued to clean up a spill of pentaerythritol tetranitrate, or PETN. No one was hurt when a forklift operator Tuesday accidentally punctured containers of PETN. Officials said nine containers were damaged and a small amount of PETN leaked out. Officials said in a statement Wednesday that crews were observing the “utmost safety” in cleaning the spill. The port had been expected to open at 8 a.m. but officials did not set a new time after that target passed. The cleanup is being performed under the direction of the U.S. Coast Guard. This is the first time in two years PETN has come into Morehead City, and the shipment was approved by the Coast Guard. A company called Maxam UEB shipped the PETN, said a spokeswoman for the North Carolina State Ports Authority, but she did not know where in the United States it was headed. According to business directories, Maxam is an explosives manufacturer based in the town of Galdakao, near Bilbao, in Spain’s northern Basque country. Source:

 According to the Washington Post, Google said on Tuesday that it may pull out of China because of a sophisticated computer network attack originating there and targeting its e-mail service and corporate infrastructure. The company said it has evidence to suggest that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” but it said that at least 20 other large companies have been the targets of similar attacks. (See item 42 in the Information Technology Sector below)


Banking and Finance Sector

17. January 13, Associated Press – (Wisconsin) Police: Bank robber’s bomb is a fake. Police say a man who used a fake bomb to rob a Kenosha, Wisconsin, bank remains at large. Authorities say the man walked into the M&I Bank and demanded money from a teller. They say he had a small case with him that he claimed contained a bomb. He left it on the counter and said he had a remote detonator. The suspect fled on foot with an undetermined amount of money. The Kenosha News says the bank and nearby homes were evacuated as the Kenosha County bomb squad used a robot device to determine if the case was dangerous. It turned out to be empty. Source:

18. January 13, Bank Info Security – (National) Year of the hack: review of 2009 data breaches. There were 62 data breaches involving financial institutions in 2009 — three of them occurring in the last month of the year. These breaches represent only a portion of the total of 498 incidents listed in the 2009 Data Breach Report compiled by the Identity Theft Resource Center (ITRC), based in San Diego, California. But the largest of them, the Heartland Payment Systems breach, involved an estimated 130 million credit and debit card numbers taken, accounting for more than half of the 222 million records potentially taken in 2009. Insiders caused the largest number of data breaches within the financial services industry, says the executive director of the ITRC, and this threat will continue to be a problem for financial institutions in 2010. “The numbers come out almost every year, and they have said for the past eight or nine years that 70 percent of all hacking happens internal to the company,” the director said. May was the month with the most breaches (10), followed by August with nine and March with eight. June was the month with the fewest recorded breaches — just one. Source:

19. January 13, Bank Systems and Technology – (National) Card fraud costs U.S. payment providers $8.6 billion per year. Card fraud costs the U.S. card payments industry an estimated $8.6 billion per year, according to a report released on January 13 by Aite Group. Though this sum is small compared with the $2.1 trillion in total yearly U.S. card volume, this area remains troubling for the industry. Fighting card fraud effectively involves triage and telepathy — picking appropriate battles to fight while anticipating fraudsters’ next steps based on the rapidly evolving technological landscape, Aite’s analysts say. Card technologies in the United States are unlikely to be universally upgraded anytime soon due to prohibitively high implementation costs and the loss of signature interchange. Given the relative speed and cost efficiency for deployment, the most practical method of mitigating card fraud currently would be based around end-to-end encryption, they say. Source:

20. January 12, The Register – (New York) Hackers pluck 8,300 customer logins from bank server. Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system. The intrusion at Suffolk County National Bank (SCNB) happened over a six-day period that started on November 18, according to a release issued January 11. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total “Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server,” the bank, located about an hour east of New York City, stated. “To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers.” The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that logs their user name and password. By contrast, accessing a server that is storing online credentials for tens of thousands of customers is not the kind of intrusion one hears about every day. Best security practices are clear that passwords should never be stored on servers unless they are encrypted. Source:

21. January 12, WFAA 8 Dallas-Fort Worth – (Texas) Dallas police make arrests in ATM theft ring. Dallas police say they have made a big break in an ATM theft ring. Just before three this morning, the suspects made off with a cash machine from the Doubletree Hotel near Stemmons and Market Center in Dallas. Police later caught up with a car believed to be connected to the crime. Two other vehicles are also believed to be linked. Detectives believe one of the suspects now in custody was in charge of the theft ring. Source:

Information Technology

42. January 13, Washington Post – (International) Google threatens to leave China after attacks on activists’ e-mail. Google said on January 12 that it may pull out of China because of a sophisticated computer network attack originating there and targeting its e-mail service and corporate infrastructure, a threat that could rattle U.S.-China relations, as well as China’s business community. The company said it has evidence to suggest that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” but it said that at least 20 other large companies, including finance, media, and chemical firms, have been the targets of similar attacks. Google said it discovered the attack in December 2009. Industry sources said the attacks were even broader, affecting some 34 firms. Adobe said in a posting on a company blog on January 12 that it had been the subject of a “sophisticated, coordinated attack,” but that no sensitive information had been compromised. Congressional sources said that other targeted companies possibly include Northrop Grumman and Dow Chemical. The hackers directed the attacks on the companies through six Internet addresses linked to servers in Taiwan, which sent commands to targeted computers in the firms, said the head of international cyberintelligence for the Silicon Valley-based cybersecurity research and forensics firm Verisign iDefense, which is helping companies investigate the penetrations. The hackers were sending the data to a large Internet data center in San Antonio called Rackspace, he said. They appeared to be after information on weapons systems from defense firms and were seeking companies’ “source code,” the most valuable form of intellectual property because it underlies the firms’ computer applications, he said. U.S. authorities, including the National Security Agency, are involved in investigating the attacks. Source:

43. January 13, Computerworld – (International) Adobe patches PDF zero-day, other critical bugs. Adobe late January 12 patched eight security vulnerabilities, six of them critical, in its popular PDF viewing and editing programs. Security experts urged consumers and corporate IT administrators to use the time provided by a light month of Microsoft patching to update Adobe Reader and Acrobat, calling the Adobe fixes more important for one of the first times ever. The January 12 Adobe update, the company’s third since it announced it would patch Reader and Acrobat quarterly, fixed one flaw that hackers had already exploited. The bug, which was publicly disclosed in mid-December but has been used by attackers since November, had gone unpatched until January 12. In December 2009, Adobe said it would not patch the bug until January 12 because an emergency fix would upset the schedule of quarterly security updates. In the interim, hackers continued to launch limited attacks that targeted specific individuals and companies, and conducted large-scale campaigns that touched thousands of users. Adobe tagged six of the eight vulnerabilities with the phrases “could allow arbitrary code execution” or “could lead to code execution,” security-speak for bugs that could be used to hijack a system. Source:

44. January 12, ZDNet – (International) Adobe confirms ‘sophisticated, coordinated’ breach. In an attack described as “sophisticated” and “coordinated,” Adobe said its corporate network systems were breached by hackers. The company said the attack also affected other unnamed companies. Adobe did not provide any other details except to say it was aware of the breach on January 2, 2010. Adobe said in a brief statement that it became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. The company is currently in contact with other companies and is investigating the incident. At this time, it has no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised. It anticipates the full investigation will take quite some time to complete. It is not yet clear if this incident is related to the Google breach that is being blamed on China. Source:

45. January 12, DarkReading – (International) Report: Mal-Bredo A virus spreads via social media. Commtouch on January 12 released its Internet Threats Trend Report for Q4 2009. Spammers continue to be cutting-edge marketers, this time taking advantage of the reputations of global brands, such as UPS, DHL, and Facebook, to prompt opening of emails. During this past quarter, cybercriminals focused on distributing the Mal-Bredo A virus. While the number of variants decreased from 10,000 to 1,000 as compared to last quarter, it was spread with much more virulence. Commtouch’s quarterly trend report is based on the analysis of more than two billion email messages and Internet transactions seen daily within the company’s cloud-based global detection centers. Blended threats, including fake Swine Flu alerts and Halloween tricks, continued to circulate, while spammers introduced a few new ploys including MP3 spam and personal enhancement spam targeting women. Source:

46. January 12, The Register – (International) South Korea sets up cyberwarfare unit to repel NORK hackers. South Korea has launched a cyberwarfare command center designed to fight against possible hacking attacks blamed on North Korea and China. The division boasts a reported 200 techies, who will be tasked with tackling a reported 95,000 hacking attacks the country’s military networks face every day. North Korea was blamed for a wave of attacks against U.S. and South Korean websites last July. However, since botnets were used in the attack, the true orchestrator of the assault remains unclear. More recently, North Korean hackers were blamed for lifting a secret U.S.-South Korean war plan from South Korean systems last month. Some reports suggest the hack may have relied on the use of an insecure (malware-infected?) memory stick. Source:

Communications Sector

47. January 13, The Register – (International) ‘Sandwich attack’ busts new cellphone crypto. A new encryption scheme for protecting 3G phone networks has not even gone into commercial use and already cryptographers have cracked it — at least theoretically. In a paper published on January 12, the cryptographers showed that the Kasumi cipher, which is also referred to as A5/3, can be broken using what is known as a related-key attack, in which a message encrypted with one key is later changed to one or more different keys. The team dubbed the technique a sandwich attack because it was broken into three parts: two thick slices at the top and bottom and a thin slice in the middle. The results come two weeks after a separate team released a practical method for cracking A5/1, the cipher currently used to prevent snooping on GSM networks. The technique relies on about $4,000 worth of equipment and requires the capture of only a few minutes’ worth of an encrypted conversation in order to break it. The attack exploits weaknesses in the decades-old cipher. The GSM Association, which represents about 800 cellular carriers in 219 countries, has vowed to switch to the much more modern A5/3 cipher, but so far, it has provided no timeline for doing so. Source: