Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, March 3, 2010

Complete DHS Daily Report for March 3, 2010

Daily Report

Top Stories

• According to the Associated Press, General Motors said Monday that it will recall 1.3 million Chevrolet and Pontiac compact cars sold in the United States, Canada, and Mexico to fix power steering motors that can fail. (See item 11)

11. March 1, Associated Press – (National) GM to recall 1.3 million cars. General Motors said Monday that it will recall 1.3 million Chevrolet and Pontiac compact cars sold in the United States, Canada, and Mexico to fix power steering motors that can fail. The recall affects 2005 to 2010 Chevrolet Cobalts, 2007 to 2010 Pontiac G5s, 2005 and 2006 Pontiac Pursuits sold in Canada and 2005 and 2006 Pontiac G4s sold in Mexico. The automaker said the vehicles are still safe to drive and never lose their steering, but it may be harder to steer them when traveling under 15 mph. A GM spokesman said it will notify car owners when the parts are available. He said the failures are rare, and the cars can still be driven until motors can be replaced by dealers. The National Highway Traffic Safety Administration began an investigation into 905,000 of the models January 27 after getting 1,100 complaints. Source:

• WSPA 7 Spartanburg reports that sheriff’s deputies caught and arrested two men on February 28 for stealing over 500 railroad spikes from railroad tracks belonging to Norfolk Southern Railroad in Henderson County, North Carolina. According to the sheriff, “This act of theft could have easily had catastrophic consequences had a train derailed in this area.” (See item 18)

18. March 1, WSPA 7 Spartanburg – (North Carolina) Men arrested for stealing railroad spikes. Sheriff’s deputies caught and arrested two men on February 28 for stealing railroad spikes from railroad tracks belonging to the Norfolk Southern Railroad. The local sheriff praised the work of the two deputies who apprehended the suspects while investigating suspicious activity on the tracks near West Blue Ridge Road in the Flatrock area of Henderson County. During the course of their investigation, deputies found the suspects in possession of over 500 spikes that had been taken from a stretch of active railroad track. According to the sheriff, “This act of theft could have easily had catastrophic consequences had a train derailed in this area. A spillage of chemicals or other hazardous materials as a result of a derailment certainly puts our citizens at risk, as well as the emergency services personnel that would be required in such an incident. Of course rail transport is a safe and effective method of transporting these products as long as the rails aren’t tampered with.” The men, both of whom appear to be illegal aliens, gave no address of residence. They were each placed under a $25,000 bond and ordered held on ICE detainers pending deportation proceedings. Source:


Banking and Finance Sector

14. March 1, – (National) FDIC selling $610M in seized loans. The FDIC is preparing to auction off a portfolio of loans it acquired from 19 failed bank takeovers. According to a preliminary announcement regarding the sale, the portfolio consists primarily of residential real estate acquisition, development, and construction loans with unpaid principal balances totaling approximately $610 million. About 80 percent of the loans are past due and classified as nonperforming – 78 percent are at least 90 days overdue, and 2 percent are between 30 and 90 days delinquent. The majority of the loans were originated in 2007. All are from Colorado, California, Utah, Idaho, Nevada, Georgia, and Washington. The bulk of the package comes from Greeley, Colorado’s New Frontier Bank, which was shut down last April – 187 loans totaling just over $220 million, of which 91 percent are at least 90 days past due. Source:

15. March 1, KRCG 13 Columbia-Jefferson City – (Missouri) Phone scam targets bank customers. A telephone scam is making its way across mid-Missouri. Police say the scam preys on customers of local banks. The pre-recorded messages target cell phones with a 573 area code. The scam tells listeners there is a problem with their debit or credit card. It is unclear whether the callers are targeting customers of a specific bank, but many who received the calls say the message mentions Montgomery Bank. The message asks for credit and debit card numbers and PINs. The calls appear to originate from an 866 number, which traces to a debt collection company in Boca Raton, Florida. That company’s office says the scammers are spoofing caller ID so that the calls display the company’s number, and that the company is a victim as well. Montgomery Bank says it was inundated with calls about the scam on March 1. Source:

Information Technology

44. March 2, The Register – (International) WoW authenticators bypassed by middlemen hackers. Crooks have developed a man-in-the-middle attack designed to circumvent the authentication tokens used by dedicated World of Warcraft gamers. The ruse relies on tricking gamers into installing Trojans disguised as gaming add-ons. Once installed, the malware lets the attackers capture and relay authentication data the next time a victim logs on to Blizzard’s servers. The attackers divert and then relay the login, including the one-time code, to the real server before looting the account for virtual gold, presumably for resale. Meanwhile, a failed-login response is played back to the victim, effectively locking them out of their compromised account for at least the time needed to pull off the theft. Trojans targeting online gaming accounts are commonplace, especially in east Asia, but attempts to circumvent two-factor logins to online gaming accounts represent a new twist of added sophistication. Source:
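The relay described above, as an added example (this is not Blizzard’s protocol or code, and the server, trojan and account names are constructed for illustration): a one-time code is single-use, so it cannot be replayed later, but nothing binds it to the machine that typed it, so a man-in-the-middle that forwards it to the real server first gets the session. The code generator is standard RFC 4226 HOTP.

```python
"""Why a one-time code stops replay but not real-time relay (added example)."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class GameServer:
    """Hypothetical login server: password + HOTP, each code usable once."""

    def __init__(self):
        self.accounts = {}      # user -> [password, secret, window_start]
        self.used_codes = set()  # (user, counter) pairs already consumed
        self.sessions = {}       # token -> (user, source host)

    def register(self, user, password, secret):
        self.accounts[user] = [password, secret, 0]

    def login(self, user, password, otp, source):
        acct = self.accounts.get(user)
        if acct is None or acct[0] != password:
            return {"ok": False, "reason": "bad credentials"}
        _, secret, start = acct
        # Look-ahead window, as HOTP verifiers use. Replay protection comes
        # from the used-code set: a consumed counter is refused a second time.
        for c in range(start, start + 5):
            if hmac.compare_digest(hotp(secret, c), otp):
                if (user, c) in self.used_codes:
                    return {"ok": False, "reason": "code already used"}
                self.used_codes.add((user, c))
                token = secrets.token_hex(8)
                self.sessions[token] = (user, source)
                return {"ok": True, "session": token}
        return {"ok": False, "reason": "bad otp"}


class TrojanRelay:
    """The trojanized add-on: the client talks to this instead of the server."""

    def __init__(self, server):
        self.server = server
        self.stolen_sessions = []

    def login(self, user, password, otp, source):
        # 1. Forward the victim's still-fresh code from the attacker's own host.
        real = self.server.login(user, password, otp, source="attacker-host")
        if real["ok"]:
            self.stolen_sessions.append(real["session"])
        # 2. Show the victim a failure regardless of the real outcome.
        return {"ok": False, "reason": "bad otp"}


def run_scenario():
    """Honest login, then the same user through the relay, then a retry."""
    server = GameServer()
    secret = b"victim-authenticator-seed-example"   # constructed seed
    server.register("victim", "hunter2", secret)

    honest = server.login("victim", "hunter2", hotp(secret, 0), source="victim-pc")

    relay = TrojanRelay(server)
    victim_view = relay.login("victim", "hunter2", hotp(secret, 1), source="victim-pc")

    # The victim retries with the same code: it is already spent, so this
    # fails too and looks to the victim like an authenticator glitch.
    retry = server.login("victim", "hunter2", hotp(secret, 1), source="victim-pc")

    return {
        "honest_ok": honest["ok"],
        "victim_sees_ok": victim_view["ok"],
        "retry_reason": retry["reason"],
        "attacker_session_owner": server.sessions[relay.stolen_sessions[0]],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The single-use check is real and useful: it is what makes a later replay fail. What it does not do is tie the code to the endpoint, which is why the server in this model hands the session to "attacker-host". Countermeasures that address the relay itself are out of scope for the story but follow from the model: bind the session to the source that completed the handshake, alert on a successful login from a new host, and treat a code that arrives from two sources within seconds as a signal rather than a user error.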

45. March 2, IDG News Service – (International) Sony blames leap year glitch for PlayStation troubles. Sony has restored service to the PlayStation Network after resolving a glitch in the internal clock of some PlayStation 3 consoles that recognized 2010 as a leap year and wrongly added a February 29 to the clock. The glitch, reminiscent of the Y2K bug, affected millions of users around the world, preventing access to the PlayStation Network. People with the new, slim PS3 consoles were not affected by the problem. The PlayStation Network boasts over 40 million registered users, according to the site. Source:
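An added example of the failure mode, not Sony’s firmware or an account of its actual defect: the Gregorian leap-year rule next to a hypothetical faulty rule that, like the console clock, calls 2010 a leap year, and a day-advance routine showing how that produces a date the rest of the system cannot accept. The faulty rule applies `% 4` to the two-digit year stored as packed BCD (0x10 is 16, which divides by 4); that mechanism is an assumption chosen for illustration, not something the article states.

```python
"""Correct leap-year handling beside a hypothetical clock bug (added example)."""
from datetime import date


def is_leap(year: int) -> bool:
    """Gregorian rule: divisible by 4, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def bcd(n: int) -> int:
    """Encode 0..99 as packed BCD, e.g. 10 -> 0x10 (== 16)."""
    return ((n // 10) << 4) | (n % 10)


def is_leap_bcd_bug(year: int) -> bool:
    """Hypothetical faulty clock: tests the BCD byte rather than the decimal
    value. 2010 -> 0x10 == 16 -> 'leap'; 2012 -> 0x12 == 18 -> 'not leap'."""
    return bcd(year % 100) % 4 == 0


def days_in_month(year: int, month: int, leap_rule) -> int:
    if month == 2:
        return 29 if leap_rule(year) else 28
    return 31 if month in (1, 3, 5, 7, 8, 10, 12) else 30


def advance_day(y: int, m: int, d: int, leap_rule):
    """Advance a (y, m, d) tuple by one day under the given leap-year rule,
    the way a simple real-time clock rolls its date registers."""
    if d < days_in_month(y, m, leap_rule):
        return (y, m, d + 1)
    if m < 12:
        return (y, m + 1, 1)
    return (y + 1, 1, 1)


def tick_from_feb28(year: int, leap_rule):
    """What the clock shows the day after February 28 of the given year."""
    return advance_day(year, 2, 28, leap_rule)


def is_real_date(ymd) -> bool:
    """Does this date exist in the civil calendar? A system that trusts the
    clock blindly will raise here; a defensive one checks first."""
    try:
        date(*ymd)
        return True
    except ValueError:
        return False


def compare_rules(years=(2000, 2008, 2009, 2010, 2012, 2100)):
    """(correct, buggy) verdict per year, to show where the two diverge."""
    return {y: (is_leap(y), is_leap_bcd_bug(y)) for y in years}


if __name__ == "__main__":
    for y, (good, bad) in compare_rules().items():
        print(y, "correct:", good, "buggy clock:", bad)
    print("2010 after Feb 28, buggy clock:", tick_from_feb28(2010, is_leap_bcd_bug))
```

Two things worth noticing in the output: the buggy rule is wrong in both directions (it invents 2010-02-29 and would skip the real 2012-02-29), and the damage comes not from the clock itself but from downstream code that turns the impossible date into an exception. Validating the hardware date before using it, and falling back to a network or last-known-good time when it fails, is the cheap defence.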

46. March 2, SC Magazine – (International) Spam continues to surge as URL filtering fails to spot malicious sites. Spam has continued to surge in the early months of 2010, and pornography remains the most prevalent lure. Symantec’s February 2010 MessageLabs Intelligence Report found that spam rose to 89.4 percent of all email in February, an increase of 5.5 percentage points from January. It attributed this to increased output from the Grum and Rustock botnets; Grum’s output rose by 51 percent, making it responsible for 26 percent of all spam, up from its usual 17 percent. Fortinet’s threatscape report for February found that pornography was the most common lure in spam campaigns, used in 63.6 percent of messages. Of the threat traffic Fortinet detected, 84 percent was malware, 15 percent spyware and only 1 percent phishing. As to who was behind these campaigns, Fortinet said the engine driving the record-breaking spam runs was Cutwail; some of the more prevalent Cutwail-driven campaigns distribute scareware/ransomware, which remains popular because of the profits available to cybercriminals. Source:

47. March 2, SC Magazine – (International) More than half of applications are vulnerable to security breaches, as Microsoft confirms it is looking into an issue regarding malicious content hosting. More than half of internally developed, open source, outsourced and commercial applications are vulnerable to security breaches. A report by Veracode claims that of the 1,600 applications analyzed, 58 percent contained vulnerabilities on first submission similar to those exploited in the recent cyber attacks on Google and others. Despite that finding for open source software, the report concluded that open source ‘has comparable security, faster remediation times and fewer potential backdoors than commercial or outsourced software’. It also found that 40 percent of all applications submitted at the request of large enterprises came from third parties, and that more than 30 percent of all internally developed applications also included identifiable commercial, open source and outsourced code. Source:

48. March 2, CNET News – (International) Report: Aurora attack was tested last summer. The attacks on Google and others late last year were not as sophisticated as initially believed and appear to have begun last summer, according to a report to be released Tuesday by security firm Damballa. Damballa is just the latest company to analyze the attacks and offer an opinion. McAfee dubbed the attacks “Operation Aurora” and said they were highly complex and advanced. “While ‘Aurora’ was a very damaging attack that breached some of the most sophisticated networks in the world, it is a ‘garden variety’ botnet and can be traced back to July 2009 when the criminal operators first began testing,” Damballa said in a release. Damballa analyzed the command-and-control activity used in the attacks, in which compromised PCs receive instructions from outside servers, allowing them to be remotely controlled. While the techniques used in the attack are “old school,” according to Damballa, the scope of the attack, which targeted so many high-profile companies simultaneously, is significant. The report concluded that the attack can be traced back to last July, with what appears to be the first testing of the botnet by its operators. In addition, the botnet appears to have made use of e-mail services to extract stolen data from breached organizations, and there is evidence that multiple operators were involved, Damballa found. Source:
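Command-and-control traffic of the kind described above, where compromised PCs poll an outside server for instructions, leaves a characteristic trace in proxy or firewall logs: the same client reaching the same destination at nearly regular intervals. The following is an added example of a basic beacon detector over a constructed log; it is not Damballa’s method or code, and the four-field log layout (`epoch client dest bytes`) is assumed for illustration.

```python
"""Flag periodic outbound connections (C2 beacons) in a proxy log (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch> <client_ip> <dest_host> <bytes>".
# 10.1.1.7 polls one host every 300 s; 10.1.1.9 browses a site irregularly.
SAMPLE_LOG = """\
1247000000 10.1.1.7 updates.example.com 1203
1247000300 10.1.1.7 updates.example.com 1198
1247000600 10.1.1.7 updates.example.com 1210
1247000900 10.1.1.7 updates.example.com 1201
1247001200 10.1.1.7 updates.example.com 1195
1247001500 10.1.1.7 updates.example.com 1207
1247000012 10.1.1.9 news.example.org 5440
1247000187 10.1.1.9 news.example.org 6120
1247000903 10.1.1.9 news.example.org 4410
1247001501 10.1.1.9 news.example.org 7200
1247002222 10.1.1.9 news.example.org 3900
1247003333 10.1.1.9 news.example.org 5100
1247000050 10.1.1.7 mail.example.com 800
1247000075 10.1.1.7 mail.example.com 820
"""


def parse(log_text: str):
    """Group connection timestamps by (client, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, src, dst, _bytes = parts
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps, min_events: int = 5):
    """Coefficient of variation of the inter-arrival gaps: 0.0 is perfectly
    periodic, larger values mean human-like irregularity. None if too few."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return {"events": len(ts), "mean_gap": mu, "cv": pstdev(gaps) / mu}


def find_beacons(log_text: str, max_cv: float = 0.1, min_events: int = 5):
    """Return (client, dest, mean_gap, cv) for pairs that look periodic."""
    hits = []
    for (src, dst), stamps in parse(log_text).items():
        score = beacon_score(stamps, min_events)
        if score is not None and score["cv"] <= max_cv:
            hits.append((src, dst, score["mean_gap"], score["cv"]))
    return sorted(hits)


if __name__ == "__main__":
    for client, dest, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{gap}s (cv={cv:.3f})")
```

Two caveats a practitioner would add. Legitimate software updaters and monitoring agents beacon too, which is why the sample’s periodic destination is deliberately named like an update server: the detector produces leads to triage against an allow-list, not verdicts. And a bot that randomizes its sleep interval raises the coefficient of variation on purpose, so in practice the threshold is tuned per environment and combined with other signals such as destination reputation, byte counts, and the e-mail-based exfiltration the report mentions.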

49. March 1, IDG News Service – (International) Microsoft warns of new bug affecting IE users. Steer clear of the F1 key while surfing the Web, at least for a little while. Microsoft warned on March 1 of a new vulnerability that affects Internet Explorer users, saying that it could be exploited by hackers to install malicious software on a victim’s computer. The flaw lies in the way Microsoft’s VBScript works with Windows Help Files in Internet Explorer. But for an attack to work, the victim must press the computer’s F1 key, Microsoft said. “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.” This type of attack is considered harder to pull off because of this F1 key requirement, but Web-based attacks have emerged as a major source of malicious software over the past few years. Source:

50. March 1, International Business Times – (International) Resembling ‘cartels,’ hackers become more industrialized. Hackers are more “industrialized” than ever before and hacking communities now resemble an organized “drug cartel”, according to a report released on March 1. Imperva, a data security company, found that today’s cybercrime industry has transformed and automated itself to mimic the 19th century industrial revolution, which accelerated assembly from single to mass production. “The roles and responsibilities within the hacking community have developed to form a supply chain that resembles a drug cartel,” the report noted. There are three major roles within the industrialized hacking model. Firstly, the researcher searches for vulnerabilities in applications, frameworks, and products and then gives this information to malicious organizations for the sake of profit. Secondly, a farmer maintains and increases the presence of botnets in cyberspace through mass infection. Lastly, the dealer distributes the malicious content. Source:

51. March 1, TechCrunch – (International) Gmail security enhancements expected Tuesday. Google will roll out a number of security enhancements to Gmail the week of March 1, and perhaps as early as March 2, says a source with knowledge of the new features. The changes are specifically designed to cut down on phishing and hacking attacks on Gmail accounts. There are two specific changes that Google is implementing. The first is a secondary line of defense for when a user’s password has been lost to someone else. If a Gmail account is accessed from a new computer, the user will have the option of receiving a text message with a new one-time-use passkey. They then enter that passkey into Gmail to authenticate themselves and lock out any unauthorized users with access to the account. Google is also possibly implementing a different version of OAuth for its contacts exporter (something often used by other services to import Gmail contacts). It is likely to be OAuth WRAP, an easier-to-implement version of OAuth. If developers can be convinced to use it instead of harvesting and storing user credentials, the exposure is reduced. Source:

Communications Sector

52. March 2, Provincetown Banner – (Massachusetts) Storm knocks out phone service on Outer Cape. An electric wire tangled in trees apparently broke after an early-morning storm and came into contact with a main Verizon line to the Outer Cape along Route 6 in Wellfleet, near the Truro line, late on the afternoon of March 1, causing the line to burn up. The result was a nearly town-wide power outage in Wellfleet and parts of Truro, and phone and DSL service in Provincetown, Truro and parts of Wellfleet was knocked out. Many landlines and cell phones, along with DSL and even 911 service, were affected. Emergency 911 calls were automatically rerouted. The line also feeds the Truro cell site, meaning cell calls could not be relayed back to the central station. Local police and fire were using backup radios, as the 800 MHz trunking system at the Truro site was also apparently affected because the phone line connecting it to the main state control point went down. Verizon repair crews were working late into the evening to replace the damaged section of cable. Source:

53. March 2, White Hat News – (International) Xynthia: more than 120,000 customers affected at SFR. As the storm Xynthia devastated western France, SFR and France Telecom took stock on March 1 of the damage to their infrastructure. By late afternoon, SFR indicated that about 125,000 mobile subscribers and 13,000 fixed-line subscribers (telephone or DSL) were still likely to experience disruptions caused by the storm, due to power failures in the Centre, Champagne-Ardenne, Lorraine, Pays de la Loire and Poitou-Charentes regions. On the morning of March 1, a spokesperson for France Telecom said that about a thousand relay antennas (cell sites) had been disrupted and that 100,000 fixed telephony and ADSL lines had been cut off. Source: