Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, January 27, 2010

Complete DHS Daily Report for January 27, 2010

Daily Report

Top Stories

 According to the Christian Science Monitor, at least three U.S. oil companies were the target of a series of previously undisclosed cyberattacks, which occurred in 2008. The breaches were focused on valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide. (See item 3)

3. January 25, Christian Science Monitor – (National) U.S. oil industry hit by cyberattacks: Was China involved? At least three U.S. oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in Internet espionage. The oil and gas industry breaches were focused on valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show. The companies — Marathon Oil, ExxonMobil, and ConocoPhillips — did not realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show. The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says. While China’s involvement in the attacks is far from certain, at least some data was detected flowing from one oil company computer to a computer in China, a document indicates. Neither Marathon Oil, ExxonMobil, nor ConocoPhillips would comment on the attacks or confirm that they had happened. But the breaches, which left dozens of computers and their data vulnerable in those companies’ global networks, were confirmed over a five-month Monitor investigation in interviews with dozens of oil industry insiders, cybersecurity experts, former government officials, and by documents describing the attacks. The attacks penetrated the companies’ electronic defenses using a combination of fake e-mails and customized spyware programs to target specific data, according to multiple sources and documents. Source:

 The Associated Press reports that authorities in Branchburg, New Jersey on Monday seized a cache of weapons and ammunition from the motel room of a Navy veteran from Reston, Virginia, who also had maps of a U.S. military facility and a town in another state. (See item 28)

28. January 26, Associated Press – (New Jersey; National) Grenade launcher, weapons cache, military map found in NJ motel room after man’s arrest. Authorities in central New Jersey have seized a cache of weapons and ammunition including rifles, a grenade launcher, and a night vision scope from the motel room of a Virginia man. The Somerset County prosecutor says the suspect, a 43-year-old Navy veteran from Reston, Virginia, also had maps of a U.S. military facility and a town in another state. He was arrested in Branchburg, New Jersey early Monday by officers responding to a report of a suspicious person. The FBI says the suspect has no known terrorism links. The Somerset County prosecutor says the suspect was wearing a bulletproof vest and carrying a semiautomatic Bushmaster rifle under his jacket when he was arrested. The suspect was being held at the Somerset County Jail on charges including unlawful possession of weapons. The suspect had been staying at the Red Mill Inn in Branchburg. Source:,0,1633106.story


Banking and Finance Sector

12. January 25, QMI Agency – (Florida; International) Ponzi scam alleged in billions. The Ponzi scheme allegedly orchestrated by two Calgary businessmen, initially suspected of involving up to $400 million, could be as high as $5 billion, a Florida court has been told. In a draft order presented by a bankruptcy trustee lawyer, it is suggested the scheme is much larger than initially thought. The lawyer, based on evidence from a forensic auditor, said a southern district of Florida judge should rule the two Calgarians collected massive investments. The lawyer, in his 40-page draft obtained Friday by the Sun, said three-quarters of those who poured money into the two defendants interests were Canadian investors. The lawyer said the defendant collected investments in a variety of Miami-based Merendon subsidiaries and co-mingled the funds. Source:

13. January 25, International Falls Daily Journal – (Minnesota) Officals warn about phone scam regarding credit cards. A number of International Falls area residents have received fraudulent calls since January 21 as a part of a nationwide scam apparently based on compromised cell phone information. An International Falls Police Investigator said on January 22 that a block of telephone numbers with the 240 prefix and the 218 area code have been targeted by a someone who is “vishing.” In this case, the automated voice calling indicates there may be a problem with a credit or check card and says that the only way to deactivate the card is by entering into the telephone their account numbers. The scam artists are attempting to make the calls sound local, the investigator said. According to TruStar Federal Credit Union, members are being directed to ignore computer-voiced messages asking them to enter personal identification to “activate” or “confirm” their debit card or ATM cards. The computer voice has referred to the local financial institution variously as “TriStar,” or “Trust-star,” in addition to the actual name of the credit union. Source:

Information Technology

36. January 26, The Register – (International) ‘Aurora’ code circulated for years on English sites. An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speaking websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People’s Republic of China. The smoking gun said to tie Chinese-speaking programmers to the Hydraq trojan that penetrated Google’s defenses was a cyclic redundancy check routine that used a table of only 16 constants. A security researcher said the algorithm “seems to be virtually unknown outside of China,” a finding he used to conclude that the code behind the attacks dubbed Aurora “originated with someone who is comfortable reading simplified Chinese.” “In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase,” the researcher wrote. Two weeks ago, Google said it was the victim of highly sophisticated attacks originating from China that targeted intellectual property and the Gmail accounts of human rights advocates. The company said similar attacks hit 20 other companies in the internet, finance, technology, media and chemical industries. Independent security researchers quickly raised the number of compromised companies to 34. But Google provided no evidence that China was even indirectly involved in the attacks targeting its source code. During a conference call last week with Wall Street analysts, Google’s CEO said only that the world’s most populous nation was “probably” behind the attacks. Source:

37. January 26, SC Magazine – (International) TechCrunch blog hit by hackers on the day before the Apple launch. The TechCrunch website is back online after being hacked early on January 26. At approximately 6:20am GMT, the website was replaced with a message that stated: ‘What a f***ing useless hack isn’t it? Bleh’. A link was also given that connected to a site that contained links to adult material. The hack did not last long however. The senior technology consultant at Sophos reported at 9.15am GMT that the message on the TechCrunch site now reads ‘earlier tonight was compromised by a security exploit. We’re working to identify the exploit and will bring the site back online shortly’. At 10.05am GMT it was back up-and-running again. An update by site engineer said: “As some people noticed, at approximately 10:30pm PST on on January 25 the main site in the TechCrunch Network – – was hacked and redirected. The site was back up briefly at 11:30pm but shortly went down again. As of 2:00am, the site is back up and appears to be stable.” Source:

38. January 25, Computerworld – (International) Google patches 13 Chrome bugs, adds extensions to Windows. Google on January 25 added support for extensions and bookmark synchronization to the production version of Chrome for Windows. The new release also patched 13 security vulnerabilities in the browser, six of which Google ranked as “high” in its threat scoring system. Although a beta of Chrome in December 2009 included support for both extensions and bookmark sync, this is the first time that the features have appeared in the “stable” build channel, a term Google uses in place of “final.” Google also touted the growth of its extension gallery, which now has more than 1,500 add-ons, a five-fold increase over the 300 available at its debut in December 2009. Only Windows’ stable edition supports extensions and sync; Linux users must use the beta channel build for the same features, while Mac owners have to drop all the way down into the least reliable version, dubbed the “developer” build by Google, to access extensions. Source:

39. January 25, IDG News Service – (International) Researcher to reveal more Internet Explorer problems. Microsoft’s Internet Explorer (IE) could inadvertently allow a hacker to read files on a person’s computer, another problem for the company just days after a serious vulnerability received an emergency patch. The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington, D.C., on February 3. The issue could allow a hacker to read files on a person’s computer but not install other code. Nonetheless, the problem represents a serious security issue, the consultant said. It affects all of Microsoft’s operating systems from Windows NT through Windows 7 and every version of IE, including the latest one, IE8. The hack works when an attacker lures a victim into clicking on a malicious URL (Uniform Resource Locator). Then, by manipulating four or five features in Internet Explorer, the hacker forces the browser to process files that are not pure HTML on the PC, the consultant said. Source:

40. January 25, DarkReading – (International) Flaws in the ‘Aurora’ attacks. The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies made off with valuable intellectual property and source code and shocked the private sector into the reality of the potential threat of state-sponsored cyber-espionage — but they also made a few missteps along the way that may have prevented far worse damage. Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies was not especially sophisticated nor unique other than the fact that it was a zero-day exploit. The attacks — which Google says came out of China — had been underway for on average for nearly a month, and Google found them out in mid-December. Chinese officials on January 24 told the state-run Xinhua news agency that the government was not involved in the attacks. What impressed security researchers who’ve studied the code was the outcome of the attacks, not the malware. “The sophistication of the Aurora attacks is less about the malware and zero-day used, and more about the coordinated effort to target and pilfer from an estimated 33 companies in a short period of time,” said the chief security architect for FireEye. Source:

Communications Sector

41. January 25, Orange County Register – (California) AT and T phone service down in parts of Laguna Woods. An AT&T cable damaged by water from last week’s storms has left customers in Laguna Woods, Lake Forest and Laguna Hills without service, a spokeswoman said. The company has crews working on the problem at El Toro Road and Muirlands Boulevard in Lake Forest, and phone service is expected to be restored by January 26, said a AT&T spokeswoman. The spokeswoman said she did not know how many customers were affected, but she said the cable serves up to 1,200 phone lines. Repair crews were working on January 25 to dry out the cable and replace a connector piece that was damaged by water, the spokeswoman said. Separately, flooding of an underground telephone vault near Moulton Parkway and Via Campo Verde in Laguna Woods damaged circuits serving Laguna Woods Village, according to an individual who handles public relations for PCM, the community’s property management company. Source:

42. January 25, Sand Springs Leader – (Oklahoma) Phone service cut and restored to Case Center, surrounding area. A construction accident on January 25 has cut phone service to the Case Community Center, as well as to surrounding businesses and residences, a city spokesman said. Phones were down at the Case Center until 4 p.m., the spokesman added. A contractor doing work for the Wekiwa Road widening project severed a major telephone line there. Source: