Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, March 23, 2010

Complete DHS Daily Report for March 23, 2010

Daily Report

Top Stories

According to internal Department of Energy documents obtained by Dow Jones Newswires through a Freedom of Information Act request, the Energy Information Agency faces shortcomings in producing its oil-inventory data. The documents expose several errors in the EIA’s weekly oil report and a weak security system that leaves the data open to being hacked or leaked. (See item 6)

6. March 18, Dow Jones Newswires – (National) Shortcomings exposed in oil data. The U.S. government faces shortcomings in producing its oil-inventory data, according to internal Department of Energy documents, obtained by Dow Jones Newswires through a Freedom of Information Act request. The documents expose several errors in the Energy Information Agency’s (EIA) weekly oil report, including one in September that was large enough to cause a jump in oil prices, and a litany of problems with its data collection, including the use of ancient technology and out-of-date methodology, that make it nearly impossible for staff to detect errors. A weak security system also leaves the data open to being hacked or leaked. Moreover, problems with EIA data underscore the hazards of depending on companies or other firms to self-report data. Many of its systems have not been updated for 30 years, and much of the data input is done manually, according to one report commissioned for the EIA, prepared by consultants SAIC Inc. The internal documents cataloged several instances in the past three years in which companies misreported the amount of oil they had in storage, sometimes by over two million barrels in each weekly survey over the course of a year. The agency faces an uphill battle just to maintain its current level of accuracy, SAIC said. The security of the weekly report also has become a bigger issue as the oil market has begun to treat the data’s release as a major event. SAIC consultants also said security surrounding the data was too lax. EIA staff should be put on “lock down” prior to release, the SAIC said, to prevent information from leaking. The EIA is implementing several security changes, and moved the weekly report to a dedicated server, said the director of the EIA’s office of oil and gas. Source:

Reuters reports that Corning Inc. was resuming production at its Wilmington, North Carolina optical fiber plant on Monday after it was disrupted by a fire Sunday. The fire, the result of a malfunction with a piece of glass-making equipment, forced the evacuation of 150 employees. (See item 13)

13. March 22, Reuters – (North Carolina) Corning restarting production at Wilmington plant. Specialty glass maker Corning Inc. was resuming production at its Wilmington optical fiber plant on Monday after it was disrupted by a fire Sunday, a company spokesman said. Corning, the largest maker of optical fiber and glass for liquid crystal displays, said it does not expect any disruption in its ability to meet customer demand as a result of the incident. The blaze was brought under control more than an hour after it started and work to resume operations began Sunday evening, the spokesman said, adding that the plant was expected to be fully operational by late Monday. The plant has the largest optical fiber manufacturing capacity in the industry, according to Corning’s website. Telecommunications companies such as Verizon Communications typically use optical fiber for their fiber-to-the-home cable and wireless networks. There were about 150 employees at the factory when the fire broke out, the plant manager told the Wilmington StarNews, adding the employees were evacuated and no one was injured. He said the fire was the result of a malfunction with a piece of glass-making equipment, which produces intense heat. The company spokesman said Corning would move quickly to repair ductwork damaged by the “relatively minor” fire in the newest part of the plant located on the north side of Wilmington. The company declined to discuss how much production was lost. Source:


Banking and Finance Sector

17. March 22, The Register – (International) Russian FSB quizzes 3 over $9m RBS WorldPay scam. Three men suspected of orchestrating a massive $9m cyber-raid on RBS WorldPay involving cloned payroll cards and hacking have been arrested by Russia’s FSB internal security service. The alleged ringleader and two accomplices were arrested on suspicion of masterminding the $9m hacking and subsequent looting of payment systems run by RBS WorldPay in November 2008, the Financial Times reports. The high-profile cyberblag involved the use of cloned payroll cards to take out money from an estimated 2,100 cash machines in 280 cities worldwide during an audacious 12-hour overnight cash-out operation. It involved breaking into RBS WorldPay systems and extracting data needed to create forged cards after “reverse engineered personal identification numbers (PINs) from the encrypted data”, according to a November 2009 indictment on the case, as previously reported. Authorities allege one of the suspects identified a flaw in RBS WorldPay systems that allowed him to carry out the hack in conjunction with the two other suspects and another as-yet-unidentified hacker. Source:

18. March 22, KGW 8 Portland – (Oregon) Police warn of text msg bank scam. Salem, Oregon, Police sent out a warning on March 20 after several officers received a bogus text on their department cell phones. The message was from a con artist pretending to act on behalf of the Bank of the Cascades. It read: “BOTC Alert: Your CARD starting with 42665* has been DEACTIVATED. Please contact us at 800-780-1851 to REACTIVATE your CARD.” The presumption was that people call that number and are then asked to provide account access information. The Bank of the Cascades told police they have no such text messaging plan in place. The Salem officers received the messages on their cell phones as they sat together in a room, and they acted quickly to determine that the message was a hoax. People who receive such texts should not call the number back, as such numbers often connect to phony call centers. Source:

19. March 22, Courthouse News Service – (Missouri) 8 million Ponzi alleged in Missouri. A suspect and his Quintero Business entities took $8 million in a real-estate Ponzi scheme, investors say in Jackson County Circuit Court. A family who is pressing charges claims that the suspect took loans in exchange for promises of reduced prices on real estate. For example, one of the family members claims she loaned the suspect one million dollars in November 2000 in exchange for a $300,000 reduction off of any selected Quintero real estate. In reality, the family says, the suspect was looting his Quintero entities to pay off previous investors and other obligations. They say he lied to investors about Quintero’s financial health from 2005 to 2009, while continuing to borrow. The scheme started to unravel in October 2007, when Hillcrest Bank canceled letters of credit on the suspect’s real estate projects in Arizona, the plaintiffs say. They say the FDIC eventually sanctioned Hillcrest Bank for unsound lending practices. Source:

20. March 21, Peninsula Daily News – (Washington) Phone scam hits Jefferson County; still targeting credit union. A phone scam in which customers are asked to give their personal banking information seems to have moved from Clallam County to Jefferson County in Washington. Hundreds of Jefferson County residents have received automated phone calls since March 18 to both land lines and cell phones in which an automated recording states that their Quimper Community Federal Credit Union ATM cards were compromised. The message urges customers to call a number and provide their account information. The calls are not from Quimper Credit Union, said the Port Townsend branch manager of Quimper Credit Union. She said that customers and non-customers alike have reported these calls to the credit union. Source:

21. March 20, Bank Info Security – (National) 7 banks closed March 19. State and Federal regulators closed seven banks on March 19, and one federal credit union was placed into conservatorship. These latest failures raise to 42 the number of failed institutions so far in 2010. American National Bank, Parma, Ohio was closed by the Office of the Comptroller of the Currency, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $17.1 million. Century Security Bank, Duluth, Georgia was closed by the Georgia Department of Banking and Finance, with FDIC as receiver. The FDIC estimates that the cost to the DIF will be $29.9 million. The FDIC approved the payout of the insured deposits of Advanta Bank Corp., Draper, Utah. The bank was closed by the Utah Department of Financial Institutions, which appointed the FDIC as receiver. The FDIC estimates the cost of the failure to its Deposit Insurance Fund to be approximately $635.6 million. Appalachian Community Bank, Ellijay, Georgia was closed by the Georgia Department of Banking and Finance, which appointed the FDIC as receiver. The FDIC estimates that the cost to the DIF will be $419.3 million. Bank of Hiawassee, Georgia was closed by the Georgia Department of Banking and Finance, which appointed the FDIC as receiver. The FDIC estimates that the cost to the DIF will be $137.7 million. First Lowndes Bank, Fort Deposit, Alabama was closed by the Alabama Banking Department, which appointed the FDIC as receiver. The FDIC estimates that the cost to the DIF will be $38.3 million. State Bank of Aurora, Aurora, Minnesota was closed by the Minnesota Department of Commerce, which appointed the FDIC as receiver. The FDIC estimates that the cost to the DIF will be $4.2 million. The National Credit Union Administration placed into conservatorship Tracy Federal Credit Union of Tracy, California. Source:

22. March 19, Bank Info Security – (National) 20 banking breaches so far in 2010. There have been 171 reported data breaches so far in 2010, and 20 of these involve financial services companies. This means that in less than one quarter of the year, financial institutions already have seen nearly one-third of the 62 banking-related breaches reported in all of 2009. The numbers are slightly skewed, says a spokeswoman of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches, because some of the 20 incidents actually occurred in 2009 but are just now being brought to light — particularly in Maryland, where the state’s attorney general’s office reported a slew of 2009 incidents on March 1 of this year. But the new year’s breaches are enough to convince observers that last year’s trends are continuing. If the breach trends do continue as they did in 2009, then financial service companies will continue to experience malicious hacking and insider theft. The challenge for organizations such as the ITRC is that many organizations fail to report their breaches. Of the breaches reported thus far in 2010, financial services breaches add up to 11.7 percent of the 171 incidents — the second lowest percentage on the list. The remaining incidents break down as: Business/Retail at 44 percent, Medical/healthcare at 23 percent, Government/military at 15 percent, and Education at 7 percent. Source:

Information Technology

47. March 22, The Register – (International) Sophos sorry for blog comment spam campaign. Sophos has apologized after a third-party marketing agency hired by the anti-virus and anti-spam specialist sprayed link spam on the blog of a security expert. Multiple auto-generated comments containing hyperlinks to the anti-malware portal on the Sophos website were submitted to the expert’s blog. The posts were made by tools designed to automate spam and SEO attacks. The blog spam tactic was an attempt to boost the search engine ranking of the Sophos site. Although the expert caught the messages before they made it onto his site, he was understandably unimpressed by the ruse. Sophos distanced itself from the blog spamming tactics. The approach was the idea of a marketing agency hired by Sophos, which the security firm promised will be taken to task over its tactics. Source:

48. March 22, SC Magazine – (International) Phishing attack seen on Twitter over the weekend, as new messages claiming to be password resets for Facebook hit users on a large scale. A fresh phishing attack has appeared on social networking site Twitter that again used direct messages. F-Secure’s CTO said that the messages are similar to those seen last month. In the latest detected attack, the recipient receives a message asking ‘did I tell you that ur here’ or ‘you should change ur photo u took here’ with a link given. Following this link takes the user to a fake Twitter page. The CTO said: “If you mistakenly give out your credentials, the attackers will start sending similar direct messages to your contacts, posing as you. The ultimate goal of the attackers is to gain access to a large amount of valid Twitter accounts, then use these accounts to post tweets with URLs pointing to malicious websites which will take over users’ computers when clicked.” He claimed that Twitter is already filtering these messages from being posted, although it was unclear if they are also removing already-delivered direct messages. Also, the Twitter built-in link shorteners ( and are detecting the URLs as malicious. Source:

49. March 22, IDG News Service – (International) Bad BitDefender update clobbers Windows PCs. Users of the BitDefender anti-virus software started flooding the company’s support forums on March 20, apparently after a faulty anti-virus update caused 64-bit Windows machines to stop working. The company acknowledged the issue in a note explaining the problem, posted on March 20. “Due to a recent update it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5,” the company said. The acknowledgment came after BitDefender users had logged hundreds of posts on the topic. Some complained of being unable to reboot their systems. In its note on the issue, posted around 4 pm Pacific Time, the company said it had issued a fix for the problem and offered instructions on how to repair the damage, saying that customers should remove files from quarantine and reboot. Source:

50. March 20, The H Security – (International) Exploit’s new technology trick dodges memory protection. A hacker who goes by the name “JDuck” has discovered the first malicious PDF files which use the relatively new Return Oriented Programming (ROP) technique to bypass Data Execution Prevention (DEP). This means that the days of providing reliable protection via DEP are numbered even before this technology has become a mainstream feature. Initially, JDuck only intended to integrate the PDF exploit into his Metasploit vulnerability testing platform. When doing so, he noticed that the exploit worked flawlessly against Adobe Reader 9.3 although DEP is enabled by default in this version. Further examination revealed that the exploit contained a list of memory addresses that each pointed at the tail end of a function — that is, at a few machine code instructions followed by a return instruction. This characterises a rather cunning new exploit technique which has so far not been observed in the wild. Source:
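The item above describes the tell-tale artifact of a ROP payload: a packed list of code addresses, each pointing into an existing, executable module. That artifact is also what a content scanner can look for. The following Python is an added illustration, not code from the article or from JDuck or Metasploit; it implements a generic static heuristic (runs of consecutive machine words that all fall inside the address range of a non-randomised module) over a constructed sample blob. The module range 0x7C800000–0x7C900000 and the sample addresses are made-up values for the demonstration, not addresses from any real reader or library.

```python
import struct


def find_address_runs(blob, ranges, min_run=6, width=4):
    """Scan `blob` for runs of at least `min_run` consecutive little-endian
    `width`-byte words that all fall inside one of `ranges`, a list of
    half-open (lo, hi) intervals covering the code of modules whose load
    address is predictable. Returns a sorted list of (offset, word_count).
    Every word alignment is tried, because a chain embedded in a document
    can start at any byte offset."""
    hits = []
    for align in range(width):
        start, count = None, 0
        for off in range(align, len(blob) - width + 1, width):
            val = int.from_bytes(blob[off:off + width], "little")
            if any(lo <= val < hi for lo, hi in ranges):
                if count == 0:
                    start = off
                count += 1
            else:
                if count >= min_run:
                    hits.append((start, count))
                count = 0
        if count >= min_run:           # run that reaches the end of the blob
            hits.append((start, count))
    return sorted(hits)


def is_suspicious(blob, ranges, min_run=6):
    """True when the blob contains at least one address run long enough to
    look like a chain rather than an isolated pointer-sized value."""
    return bool(find_address_runs(blob, ranges, min_run))


# Constructed sample data (hypothetical module range and addresses):
# PDF-looking filler with an 8-entry chain embedded at an unaligned offset.
MODULE_RANGES = [(0x7C800000, 0x7C900000)]
CHAIN = [0x7C8012AB, 0x7C83FF10, 0x7C801234, 0x7C85A0C0,
         0x7C80D4E2, 0x7C8F1100, 0x7C823344, 0x7C8012AB]
FILLER = b"%PDF-1.4 obj stream endstream endobj " * 8   # 296 bytes, no '|' (0x7C)
SAMPLE = FILLER + b"\x00" * 3 + b"".join(struct.pack("<I", a) for a in CHAIN) + FILLER

if __name__ == "__main__":
    print(find_address_runs(SAMPLE, MODULE_RANGES))   # [(299, 8)]
    print(is_suspicious(FILLER, MODULE_RANGES))        # False
```

The heuristic is deliberately coarse: legitimate files can contain tables of pointers, so a hit should raise the file's score for deeper analysis rather than block it outright, and the ranges must be maintained per platform and per software version.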

51. March 19, IDG News Service – (International) To fight scammers, Russia cracks down on .ru domain. In a bid to cut down on fraud and inappropriate content, the organization responsible for administering Russia’s .ru top-level domain names is tightening its procedures. Starting April 1, anyone who registers a .ru domain will need to provide a copy of their passport or, for businesses, legal registration papers. Right now, domains can be set up with no verification — a practice that has allowed scammers to quickly set up .ru domains under bogus names. The changes will help Russia align its rules with international best practices, said the informational projects manager with the Coordination Center for the .ru top-level domain, in an e-mail interview. Source:

52. March 19, ComputerWorld – (International) Mozilla confirms critical Firefox bug. Mozilla on March 18 confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month. Although the patch will not be added to Firefox before next week’s Pwn2Own browser hacking challenge, researchers will not be allowed to use the flaw, according to the contest’s organizer. “The vulnerability was determined to be critical and could result in remote code execution by an attacker,” Mozilla acknowledged in a post to its security blog late on March 18. “The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.” Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30. Source:

Communications Sector

53. March 19, Search Cloud Computing – (Florida) Terremark vCloud Express outage raises red flag. In what looks like a knock against claims that VMware and vCloud Express services are enterprise-ready, VMware partner and global hosting provider Terremark suffered an inexplicable outage on March 17. It lasted for almost seven hours and left affected users wondering what was going on. Software vendor Apparent Networks, which runs a global monitoring service for public clouds, was caught in the outage and issued an advisory that stated, “Terremark experienced connectivity loss, which caused an outage in Terremark’s vCloud Express services in their Miami data center. This impacted eight customers,” said a Terremark spokesman. One of those affected was probably Apparent Networks, which runs virtual machines in different clouds and measures communication between them for its benchmarks, he said. The trouble was restricted to a single network device that either failed, became unreliable or overloaded, and it affected about 2 percent of Terremark’s vCloud user base, the spokesman said. Source:,289142,sid201_gci1506446,00.html

54. March 19, Iceland Review Online – (International) Bombs placed in Reykjavík telecommunications masts. An attempt was made to paralyze an important part of the telecommunications system in Iceland’s capital on the evening of March 17. It appears that three gas bombs were placed in telecommunications masts in Oskjuhlid near the Icelandic Meteorological Office and that two went off. The third bomb was found intact. Police were notified of fire in cables of two telecommunications masts in Oskjuhlid at 4:42 am, one of which is owned by telecom Fjarski and the other by Mila, reports. The fire was easily extinguished, yet it caused considerable damage. For example, the signal for television channel Stod 2 and for the telecom Og Fjarskipti went dead. The damage could be repaired quickly, according to the information officer of Vodafone. The microwave broadcast of Og Fjarskipti in southwest Iceland through the Digital Island system was interrupted from 4:30 am to 7:15 am yesterday morning but there were no disturbances to the GSM network. The Capital Region forensics department investigated the scene of the fire and its source is under continued investigation. The attempt to damage the capital’s telecommunications system is considered serious. Source:

For another story, see item 51 above in the Information Technology Sector.