Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, March 11, 2010

Top Stories

 The Associated Press reports that Las Vegas-based Basic Food Flavors Inc., responsible for a ballooning recall of processed foods, continued to manufacture and distribute a flavor-enhancing ingredient for a month after tests on January 21 confirmed it was made with salmonella-contaminated equipment, according to an FDA report. They said the company continued to distribute hydrolyzed vegetable protein until February 15. (See item 24)

24. March 10, Associated Press – (Nevada; National) Company continued to sell tainted ingredient after finding salmonella, FDA inspectors say. The company responsible for a ballooning recall of processed foods continued to manufacture and distribute a flavor-enhancing ingredient for a month after tests confirmed it was made with contaminated equipment, according to a Food and Drug Administration report. FDA inspectors said the company, Las Vegas-based Basic Food Flavors Inc., knew of salmonella contamination on its equipment after it received the results of a private inspection on January 21. They said the company continued to distribute the ingredient, called hydrolyzed vegetable protein (HVP), until February 15. The FDA began an investigation of the company in response to a report from one of Basic Food Flavors’ customers about salmonella contamination. After a February visit to the plant, agency inspectors reported finding “light brown residue” and “dark brown liquid” in and around the paste mixers and inside pipes used to manufacture the ingredient. The agency said the company began notifying customers of the recall on February 26 after discussions with the government. It was publicly announced by the FDA a week later. No illnesses have been associated with the recall, according to the FDA and the Centers for Disease Control. Source:

 According to the Associated Press, the Minneapolis School District locked down all of its schools Wednesday after police informed officials of vague threats posted on the Web. (See item 37)

37. March 10, Associated Press – (Minnesota) Web threats prompt lockdown of Minneapolis schools. The Minneapolis School District has locked down all of its schools after police informed officials of vague threats posted on the Web. A district spokeswoman says the threats were posted on two social networking sites. The threats did not specify a school, so they were all put on alert. She says the 34,000 students in the district continue to go to class on Wednesday, but access to the buildings is restricted. The lockdown started Wednesday morning, and she says it is not clear how long it will last. She says the district has notified parents with its automated telephone system. Another announcement will go out when the district knows more. She says the Minneapolis Police Department is investigating. Source:


Banking and Finance Sector

13. March 10, Bank Info Security – (National) Phishing update: ‘No brand is safe’. Online fraud schemes and malware are casting an even wider net, far beyond the large national banks and well-known retailers, as phishers seek new victims. This is the word from the Anti-Phishing Working Group (APWG), which has just issued its latest quarterly report on phishing trends. According to the APWG’s fourth quarter 2009 report, the number of hijacked brands hit a record 356 in October, compared to the previous record month of 341 in August 2009. No brand, no matter how small or obscure, is safe from online fraud says the APWG’s secretary general. “Once, only the largest banks were targeted,” he says. “Now every kind of enterprise from banks and credit unions of all sizes to charities to, in a recent case, a hardware manufacturer, are seeing their brands exploited in all manner of fraud schemes.” This report backs up reports of businesses receiving phishing emails asking for recipients to take action or update their banking online passwords, as in the case of the Comerica Bank phishing lawsuit. Source:

14. March 10, Wall Street Journal – (International) Apparent web-site scam targets victims of Madoff’s Ponzi scheme. A Web site claiming to help victims of a Ponzi artist’s fraud is apparently attempting to defraud them, a securities-industry group warned. The Securities Investor Protection Corp, an agency set up by Congress to help customers of failed brokerages, said that a Web site called is mimicking SIPC’s own Web site,, in an attempt to obtain sensitive information or money from the Ponzi artist’s victims. SIPC has been providing funds of as much as $500,000 to certain investors who lost money with the disgraced former broker. To qualify, the victims provided the agency with financial and other personal data. The apparent scammers, using the name “I-SIPC,” or International Security Investor Protection Corp., are soliciting victims to submit claims, which SIPC says could result in “phishing” or other identity-theft problems. The apparently phony group claims to be based in Geneva and says it has ties to the United Nations. Source:

15. March 9, Thrivent Financial for Lutherans – (Pennsylvania) Thrivent Financial for Lutherans notifies members and clients of breach of unsecured personal information. Thrivent Financial for Lutherans recently experienced a break-in at one of its offices in Pennsylvania and a laptop computer was among the items stolen. The laptop had a variety of safeguards to protect sensitive information, including strong password protection and encryption. However, Thrivent Financial believes that the information stored on the laptop may be at risk. This includes personal information, including name, address, social security number and health information. Thrivent Financial does not have any evidence at this time suggesting that any information has been accessed or misused, and local police are continuing their investigation. Notification has been made to affected members and clients of Thrivent Financial informing them that sensitive information such as their name, address, social security number and health information may have been exposed. All affected individuals are being offered one year of free credit monitoring and identity theft assistance services, and Thrivent Financial will work with them to rectify any issues that arise from this unfortunate incident. Source:

16. March 9, The Register – (National) Fraud-prevention service ponies up $12m for ‘false’ ads. An Arizona company that sells services designed to prevent identity theft has agreed to pay $12m to settle charges it oversold their effectiveness and didn’t adequately protect sensitive customer data. LifeLock, which since 2006 has run TV and print ads displaying the social security number of its CEO, agreed to stop misrepresenting its service as a foolproof way to prevent identity theft, according to the US Federal Trade Commission. The consumer watchdog agency and attorneys general from 35 states claimed the company’s $10-per-month service failed to stop the most prevalent forms of the crimes. A complaint filed in federal court in Arizona alleged that alerts LifeLock placed on customer credit files protected against only so-called new account fraud, in which scammers open new credit accounts using the name and social security number of the victim. New account fraud accounted for just 17 per cent of identity theft incidents, according to an FTC survey released in 2007. The agreement also took aim at claims LifeLock made that it routinely encrypted customers’ social security and credit card numbers and granted its employees access to such data strictly on a need-to-know basis. FTC attorneys charged that such claims were false. The settlement requires LifeLock to establish a comprehensive data security program and obtain independent third-party assessments for 20 years. Source:

For more stories, see item 51 below in the Information Technology Sector

Information Technology

47. March 10, Help Net Security – (International) Human exploit attacks surpass the software flaw approach. Barracuda Labs released its annual report for 2009, in which they highlight the shifts in Internet user behavior and the resulting attacker trends. Throughout 2009, Twitter experienced a number of attacks involving phishing, spam, worms, DDoS, compromised DNS records and site defacement. As millions of users flocked to Twitter, criminals followed. Accounts were used for poisoning trending topics with shortened malicious URLs. In 2009, one in eight accounts was considered to be malicious, suspicious or otherwise misused and was subsequently suspended. The shift towards human exploits was obvious - 69 percent of attacks were perpetrated using social engineering (FakeAV and phishing) and search result poisoning, compared to 39 percent carried out using software exploits. Web exploit kits were increasingly used by attackers to host exploits on compromised sites. Source:

48. March 10, Infosecurity – (International) Brocade: Half of network solutions only stop one in four network attacks. Almost one in five participants at the RSA conference last week believe that their companies’ security policies are being effectively enforced, according to figures released by data center fabric company Brocade. That said, at least half of them seem to be unhappy with their companies’ security technology solutions. Brocade, which interviewed 144 RSA Conference attendees from a wide variety of different sectors, found that 18 percent of respondents believed company security policies were being totally enforced. One in 10 respondents felt that not enough policies were being enforced effectively at the network security level, however. The remainder fell somewhere in between. Brocade also found that almost half of all respondents believe their network security solutions are less than 25 percent effective in stopping security threats. Forty-eight percent of them said that their network security stopped one in four or fewer network attacks against their organizations. Source:

49. March 9, The Register – (International) New Internet Explorer code-execution attacks go wild. Online miscreants are exploiting a security bug in earlier versions of Internet Explorer that allows them to remotely execute malicious code, Microsoft warned on March 9. The vulnerability in IE versions 6 and 7 allows remote attackers to gain the same access to the affected PC as the local user. The bug, which stems from an invalid pointer reference, either doesn’t exist in IE 8 or can’t be exploited in that version, providing users with yet another strong reason to upgrade to Microsoft’s latest browser. “At this time, we are aware of targeted attacks attempting to use this vulnerability,” a member of Microsoft’s security team wrote in an advisory. “In a web-based attack scenario, an attacker could host a web site that contains a web page that is used to exploit this vulnerability. In addition, compromised web sites and web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.” Microsoft didn’t provide additional details about the targeted attacks. The IE vulnerability is separate from one disclosed recently that allows attackers to remotely execute malware by tricking users into pressing the F1 button, which is typically used to present a help screen. Source:

50. March 9, IDG News Service – (International) Twitter to begin screening some links for phishing. Twitter launched a new link-screening service on March 8 aimed at preventing phishing and other malicious attacks against users of the popular microblogging service. Part of the new service is a new Twitter tool to shorten URLs, so users will see some links in e-mail notifications and direct messages from other users written as, Twitter said in a blog post. “By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links,” the blog post said. “Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe,” it said without elaborating. Source:

51. March 9, The Register – (International) It’s official: Adobe Reader is world’s most-exploited app. Adobe’s ubiquitous Reader application has replaced Microsoft Word as the program that’s most often targeted in malware campaigns, according to figures compiled by F-Secure. Files based on Reader were exploited in almost 49 percent of the targeted attacks of 2009, compared with about 39 percent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 percent of attacks and Word was exploited in almost 35 percent. Underscoring the surge of Reader attacks, online miscreants recently unleashed a new malware campaign that exploits vulnerabilities patched three weeks ago in the widely-used program. The attacks target financial institutions with a PDF file with a name that refers to the so-called Group of 20 most influential economic powers. When victims click on the file with unpatched versions of Reader, the file installs a backdoor that causes their system to connect to a server at Source:

Communications Sector

52. March 9, IDG News Service – (National) Data issue hits BlackBerry devices for second day. Some BlackBerry users are complaining of an inability to use data services for the second day in a row. It appears that the issue could be related to two separate problems. While some users seemed to be back in business late on March 9, others were still having problems. Research In Motion does not appear to have commented on the problem and had not replied to a request for comment by the time this story posted. Via Twitter, T-Mobile has acknowledged that there is an issue. “We are working with Research In Motion to resolve the outage as quickly as possible,” it said in a recent Twitter message. One of the problems seems to be affecting some users of BlackBerry phones that have Wi-Fi capability, although the problem does not affect those users when they are connected to Wi-Fi networks. Instead, those users have trouble using data services when they are on mobile networks. That’s according to a user report on the Data Outages forum. Source:

53. March 8, IDG News Service – (National) Navajo Nation may get cutting-edge LTE network. If a pending federal grant is approved, one of the first LTE (Long-Term Evolution) wireless broadband networks in the U.S. will be built across 15,120 square miles of desert. The network, backed up by a 550-mile fiber backbone and microwave links, could make the Internet bloom for about 30,000 households in the Navajo Nation, which stretches across a vast region encompassing parts of Arizona, New Mexico and Utah. Fewer than 10 percent of the homes and businesses in the Nation have broadband currently, according to the IT manager for Navajo Tribal Utility Authority (NTUA), a multiservice utility that will operate the network. Mobile service is limited to 2G (second-generation) technology. NTUA hopes to hear this week or next that the National Telecommunications and Information Administration (NTIA) has approved its application for a grant of about US$46 million to link this area to the Internet. The utility already has one LTE base station operating in a test, and if all goes as planned, service would be commercially available to some residents in the fourth quarter. Source: